Re: Problem: Accessing DMZ trough VPN

Christian Balzereit · ‎09-26-2013

Hey all,

I got the following problem:

With the current configuration my PVN clients cannot access the DMZ (inside network is working).

When I add the following nat rule: nat (inside,outside) source static any any destination static VPN_pool VPN_pool

it works, but now the server in the DMZ cannot access server in the internal network.

What can I do?

Thanks in advance.

Jouni Forss · ‎09-26-2013

Hi,

I would suggest specifying the actual source networks behind "inside" and "dmz" interface in the NAT configuration instead of using "any"

If you actuall have a "dmz" interface then you naturally have to make a NAT configuration for it too for the connections from VPN Clients to work.

Lets say we have network 10.0.0.0/24 on the "inside" and network 192.168.0.0/24 on the "dmz"

Then the VPN related NAT configuration might look something like this

object network INSIDE

subnet 10.0.0.0 255.255.255.0

object network DMZ

subnet 192.168.0.0 255.255.255.0

nat (inside,outside) source static INSIDE INSIDE destination static VPN_pool VPN_pool

nat (dmz,outside) source static DMZ DMZ destination static VPN_pool VPN_pool

Its naturally also possible that some other NAT configuration is causing problems here.

But presuming other configurations on the firewall are correct then the above NAT configurations should be the correct ones for VPN access.

- Jouni

Christian Balzereit · ‎09-26-2013

Hey Jouni,

still have the same problem.

Enclosed my NAT configuration:

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

nat (DMZ,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL

nat (DMZ,outside) static x.x.x.x

some more statics

nat (inside,outside) dynamic OUTSIDE_Addresses