04-26-2013 11:06 AM - edited 03-11-2019 06:35 PM
Hi, any help on this would be much appreciated. I have an ASA 5505 with interfaces inside, outside, dmz. I have a site-to-site VPN tunnel set up to another site for my dmz clients. The tunnel is working just fine.
However, my dmz clients need to connect to an IP address on the inside network. They should *not* be able to connect directly to the inside network; they should be tunneled down the VPN first, then come back in through the outside interface. Is this possible to do on the ASA?
Thanks,
Mike
04-26-2013 12:38 PM
Hi,
To be honest it seems very complicated.
Maybe it would be good to know why you wouldn't even want to configure something like this?
Maybe a bit clearer description of what you are trying to achieve.
- Jouni
04-26-2013 12:43 PM
Because we want all traffic from the dmz to go through an IPS first before it hits the inside clients.
Thanks,
Mike
04-26-2013 02:35 PM
Hi,
It would seem to me that this would require much more than configurations on a single ASA to be achievable.
If we were talking about a purely Cisco Router environment I would imagine this type of operation might be more easily achieved.
Sadly the ASA doesn't provide many options for the same type of virtualization as the Cisco Routers. Naturally there is an option to change an ASA to Multiple Context mode, but this would be a major change (and maybe impossible depending on the network setup) to the network and would limit the ASA functionality somewhat.
Otherwise I would imagine you would be up for some serious playing around with NAT to achieve this setup. But to be honest I have not had to implement such a setup at any point.
- Jouni
04-30-2013 08:44 AM
I was afraid of that. Thanks for the reply.
Mike