02-10-2011 09:44 AM - edited 03-11-2019 12:48 PM
We've just upgraded from a PIX running 6.3.x code to an ASA running 8.2.x code. I've taken most of the config and adapted it over to the new appliance quite well. I only have one issue, but I am a little stuck on it.
In PIX 6.3, NAT seemed a little more relaxed. I had both static and dynamic xlates that functioned. For instance, I was able to access DMZ servers from inside via both the assigned static and their real IP addresses through dynamic NAT. With the ASA this seems to have been tweaked a bit, as the order in which NAT commands are matched against addresses doesn't allow this.
Now, to the point: I've worked most of this out with the exception of IPsec client VPN access to the DMZ. VPN traffic CAN access the DMZ servers via their real addresses, but not via the NAT'd addresses the rest of the clients use.
Internal ----------ASA------------external
10.1.3.x            |
                    |
                   DMZ
                192.168.1.x
VPN clients are assigned 10.1.215.x. VPN can access 10.1.3.x hosts, but not the 10.1.3.x addresses that translate to hosts in 192.168.1.x. VPN can directly access 192.168.1.x.
One of the statics for a web server looks like this:
static (dmz,inside) 10.1.3.100 192.168.1.45 netmask 255.255.255.255 dns
What am I missing?
02-10-2011 10:20 AM
Can you elaborate a little more on your explanation? You need to be able to pass traffic from the VPN clients to the DMZ?
02-11-2011 06:31 AM
I apologize for not being clear. VPN access to the DMZ works only using the servers' real IPs. VPN users accessing servers in the DMZ are using internal DNS, which returns the inside/translated address for the DMZ resources. Setting the static with the dns option doesn't work, as the ASA never sees the DNS inquiry to fix it. VPN users are assigned addresses from a pool, not inside DHCP.
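Editor's note, an added example rather than a post from the thread: in 8.2 code a static is bound to the interface pair named in parentheses, so the posted static (dmz,inside) only ever translates flows between the dmz and inside interfaces. Decrypted IPsec client traffic is treated as arriving on the outside interface, which is why the 10.1.215.x pool reaches 192.168.1.45 directly but never matches the 10.1.3.100 mapping. The fragment below uses the addresses from the original post; the interface names and the second static for the (dmz,outside) pair are assumptions, not something confirmed in the thread.

```cisco
! Added example, not configuration from the thread. Addresses are the ones
! the original post gives; the (dmz,outside) static is an assumption.
!
! Existing static as posted: only translates traffic between dmz and inside,
! so a VPN client on the outside interface never hits it.
static (dmz,inside) 10.1.3.100 192.168.1.45 netmask 255.255.255.255 dns
!
! Assumed addition: the same mapping for the (dmz,outside) pair, so a VPN
! client that resolves the server to 10.1.3.100 via internal DNS is
! translated to 192.168.1.45 without any DNS rewrite being required.
static (dmz,outside) 10.1.3.100 192.168.1.45 netmask 255.255.255.255
!
! Check from the CLI (packet-tracer is available in 8.2): a VPN pool address
! as source, the mapped address as destination.
! packet-tracer input outside tcp 10.1.215.10 1025 10.1.3.100 80
! show xlate | include 192.168.1.45
```

In the packet-tracer output the NAT phase should show the (dmz,outside) static and the egress interface should be dmz; if the NAT or route phase drops the packet, look for an overlapping nat 0 access-list or another static covering 192.168.1.45 on the same pair, since the first matching entry wins. Adding a static on the outside pair exposes the mapping to the outside interface as well, so the outside access-list still has to permit or deny non-VPN traffic to 10.1.3.100 (VPN traffic bypasses that ACL by default under sysopt connection permit-vpn).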