658 Views | 0 Helpful | 2 Replies

ASA NAT/VPN access to DMZ 8.2.x

rgnelson
Level 1

We've just upgraded from a PIX running 6.3.x code to an ASA running 8.2.x code. I've taken most of the config and adapted it over to the new appliance quite well, I only have one issue, but I am a little stuck.

In PIX 6.3, NAT seemed a little more relaxed. I had both static and dynamic xlates that functioned. For instance, I was able to access DMZ servers from inside via both the assigned static and its real IP address through dynamic NAT. With the ASA this seems to have been tweaked a bit, as the order of NAT commands to matching address doesn't allow this.

Now, to the point, I've worked most of this out with the exception of IPSec client VPN access to the DMZ. VPN traffic CAN access the DMZ servers via their real addresses, but not the NAT'd the rest of the clients use.

Internal ----------ASA------------external
10.1.3.x            |
                    |
                   DMZ
               192.168.1.x

VPN is assigned 10.1.215.x. VPN can access 10.1.3.x hosts, but not the 10.1.3.x translations of hosts in 192.168.1.x. VPN can directly access 192.168.1.x.

One of the statics for a web server looks like this:

static (dmz,inside) 10.1.3.100 192.168.1.45 netmask 255.255.255.255 dns

What am I missing?
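The behaviour described in the post follows from how a pre-8.3 static is scoped: `static (dmz,inside) ...` is consulted only for packets that arrive on the mapped side of that pair, so a VPN client whose decrypted traffic enters on the outside interface never hits it and its packets to 10.1.3.100 are simply routed toward the inside network. The following Python model is an added illustration, not configuration from the thread or Cisco code; the routing table, the interface names and the second `(dmz,outside)` static are assumptions used only to show that the interface pair, not the addresses, decides whether a mapping applies.

```python
"""Model of ASA 8.2-style static NAT as an interface-pair lookup.

Constructed example. The routing table and the OUTSIDE_STATIC entry are
assumptions; only POST_STATIC reproduces the static quoted in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    """One 'static (real_ifc,mapped_ifc) mapped_ip real_ip' entry."""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str


# The static from the post: dmz is the real side, inside is the mapped side.
POST_STATIC = Static("dmz", "inside", "10.1.3.100", "192.168.1.45")

# Assumed routing table: the two connected networks plus a default route.
ROUTES: List[Tuple[str, str]] = [
    ("10.1.3.0/24", "inside"),
    ("192.168.1.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),
]


def route_lookup(dst: str, routes: List[Tuple[str, str]]) -> Optional[str]:
    """Longest-prefix match; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    best_net, best_ifc = None, None
    for net, ifc in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_ifc = network, ifc
    return best_ifc


def forward(ingress_ifc: str, dst: str, statics: List[Static], routes=ROUTES) -> dict:
    """Decide where a packet goes. A static is consulted only when the packet
    arrives on that static's mapped interface; otherwise plain routing applies."""
    for s in statics:
        if s.mapped_ifc == ingress_ifc and s.mapped_ip == dst:
            return {"egress": s.real_ifc, "dst": s.real_ip, "untranslated": True}
    return {"egress": route_lookup(dst, routes), "dst": dst, "untranslated": False}


def scenarios(extra_statics=()) -> dict:
    """The three cases from the post, evaluated against the model."""
    statics = [POST_STATIC, *extra_statics]
    return {
        # Inside host uses the translated address: the static matches on inside.
        "inside->10.1.3.100": forward("inside", "10.1.3.100", statics),
        # VPN client (decrypted on outside) uses the same translated address:
        # no static matches, so it is routed toward inside, where nothing owns 10.1.3.100.
        "vpn->10.1.3.100": forward("outside", "10.1.3.100", statics),
        # VPN client uses the real address: ordinary routing into the dmz works.
        "vpn->192.168.1.45": forward("outside", "192.168.1.45", statics),
    }


# Assumed second static whose mapped interface is outside. Included only to show
# that a mapping becomes visible to VPN traffic once its pair includes outside.
OUTSIDE_STATIC = Static("dmz", "outside", "10.1.3.100", "192.168.1.45")

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:20} -> {result}")
    print("with a (dmz,outside) static:", scenarios([OUTSIDE_STATIC])["vpn->10.1.3.100"])
```

The model deliberately ignores access lists, NAT exemption and the `dns` keyword; it isolates the single rule that explains the symptom, namely that the mapped address 10.1.3.100 exists only on the inside interface.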

2 Replies

Can you elaborate a little more on your explanation? You need to be able to pass traffic from the VPN clients to the DMZ?

I apologize for not being clear. VPN access to the DMZ works only using the servers' real IPs. VPN users accessing servers in the DMZ are using internal DNS, which returns the inside/translated address for the DMZ resources. Setting the static with the dns option doesn't work, as the ASA never sees the DNS inquiry to fix it. VPN users are assigned addresses from a pool, not inside DHCP.
