Hi Jouni,

Thank you for your answer. Is there any official cisco article about this limitation? I didn't find any.

The problem is that the subnet connected to the "internet" interface is routable within a certain region, and not worldwide. The subnet connected to the "dmz" interface is routable worldwide and commuters leaving that region will be able to establish VPN connection only to the "dmz" interface.

Hi,

It might be just my head working slow at the moment but I am not sure I got the actual scenario/setup.

If I understood you correctly you have users that are currently connecting to the interface "internet" for VPN connections. When they leave a certain region they will only be able to reach the ASA through the "dmz" interface?

In the case of SSL or IPsec VPN Client you do have the possibility to enable the VPN connections on both interfaces at the same time.

Though I still get the picture that the user would still be connecting through the interface "internet" but is not able to route the packets to the connected network of interface "internet" for some reason (I am not quite sure what that would be)

Here is link to a document explaining the limitation I mentioned. I could not find it referenced in newer version of the same document but to my understanding this still applies

 Note For  security purposes the security appliance does not support far-end  interface ping, that is pinging the IP address of the outside interface  from the inside network. 

Source:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html

- Jouni

Yes Jouni, you understood me correctly, that users will be able to connect only to the "dmz" through "internet". I enabled the VPN connections on both interfaces and got the limitation, which I created the discussion about.

Thank you for the reference. "Far-end interface" is a good term. It helped me to extend my search results in the subject, and it seems, that indeed it is impossible to make any connection to a far-end interface on ASAs.

That sounds like the same issue I have. I have a router on each of the ASA ports 0/0 LAN (inside) 0/1 WAN (Outside) 0/2 DMZ (Cisco-2821) 0/3 VOIP (Cisco-3745).

Am I to understand that I cannot route traffic for clients behind the 2821 (DMZ) to clients behind the LAN (Inside) interface?

Wow, why would that not allow traffic between interfaces?

Hi,

The above limitation we are talking about simply prevents a host from behind an interface from connecting directly to another interface on the ASA. It doesnt block any traffic between the actual networks behind different interfaces. Only traffic to the ASA itself.

So consider your LAN and WAN ports. Users behind LAN will not be able to connect to the ASA by using its WAN port IP address. This however does not mean that users behind LAN could not access networks behind the WAN interface. They just cant connect to the ASA interface itself. They would have to be located behind WAN to connect to WAN interface. Now they can connect to the LAN interface as they are behind that interface.

So having traffic go through the ASA between different networks is no problem as long as Routing, NAT and ACLs are fine on all the devices. (NAT and ACL might not be present on each device naturally)

- Jouni

I hate to hijack someone elses post, but could you take a look at my post and tell me what I am doing wrong. I have followed the suggestions of the person trying to help, but I still cannot get from my networks behind my 2821 or 3745 to the 2811.

Here is the link. I even have a diagram up and all the configs are zipped up in the first post.

https://supportforums.cisco.com/message/4143926#4143926

I just don't see what I am missing. I added this statement:

same-security-traffic permit inter-interface

I also added his access-lists he suggested. No go

JouniForss wrote:
Hi,
The above limitation we are talking about simply prevents a host from behind an interface from connecting directly to another interface on the ASA. It doesnt block any traffic between the actual networks behind different interfaces. Only traffic to the ASA itself.
So consider your LAN and WAN ports. Users behind LAN will not be able to connect to the ASA by using its WAN port IP address. This however does not mean that users behind LAN could not access networks behind the WAN interface. They just cant connect to the ASA interface itself. They would have to be located behind WAN to connect to WAN interface. Now they can connect to the LAN interface as they are behind that interface.
So having traffic go through the ASA between different networks is no problem as long as Routing, NAT and ACLs are fine on all the devices. (NAT and ACL might not be present on each device naturally)
- Jouni