Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4380
Views
0
Helpful
0
Comments

The VPN Client cannot communicate with DMZ hosts through the PIX/ASA

TCC_2
Level 10
Level 10

on ‎06-22-2009 05:01 PM

Core issue

The VPN Client can communicate to inside hosts but not to hosts on the Demilitarized Zone (DMZ). Network Address Translation (NAT) needs to be disabled on the DMZ interface.

Resolution

Add nonat config for the DMZ interface. For example, assume this configuration:


ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpn_pool 192.168.1.1-192.168.1.254
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list split_tunnel

Enter these commands:

  • access-list split_tunnel permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

  • nat (dmz) 0 access-list split_tunnel

To configure and apply Split tunnel on PIX/ASA version 7.x refer to Split-Tunnel Configuration example

For more information on configuring the PIX Firewall for VPN Client connectivity, refer to Configuring VPN Client Remote Access .

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents