Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

ROBBY HARRELL
Level 1

I have a customer that has an ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface. The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ. Without the client connected, they access the web servers via the external public IP. Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address.

Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only set up RA VPN clients to connect to networks on the Inside Interface.

I tried adding the DMZ network to the Split Tunnel list, but I could not access anything on it while connected to vpn using the private IP addresses.

2 Replies

Have you also exempted the DMZ-to-VPN traffic from NAT? That is also needed.

 

P.S. This is more a Security/Firewall topic. You should move it to the right category.

Raja Periyasamy
Level 1

Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 

Share the configuration if you want help with the NAT exemption part.
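Both replies point at the same two pieces of configuration: the DMZ subnet in the split-tunnel ACL and a NAT exemption for DMZ-to-VPN-pool traffic. The fragment below is an added example written for this thread, not configuration from the original poster; the interface names (inside, dmz, outside), the subnets, the pool and the object/ACL names are all assumed placeholders that need to be matched to the real configuration. It uses ASA 8.3 syntax (objects and twice NAT), which is what the question mentions, and finishes with the verification commands the second reply suggests.

```cisco
! --- Assumed addressing (placeholders, adjust to the real deployment) ---
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0          ! inside LAN
object network DMZ-NET
 subnet 10.1.1.0 255.255.255.0          ! DMZ with the web servers
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0     ! address range handed to VPN clients

ip local pool RA-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! --- Split-tunnel ACL: DMZ subnet must be listed, or clients never send it through the tunnel ---
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0

group-policy RA-GP internal
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 10.0.0.10              ! internal AD DNS, resolves web servers to DMZ IPs

! --- NAT exemption (identity twice NAT), one per protected interface ---
! Without the dmz line the DMZ->VPN return traffic hits the DMZ's dynamic PAT
! rule and the connection breaks, which matches the symptom in the question.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL
nat (dmz,outside)    source static DMZ-NET    DMZ-NET    destination static VPN-POOL VPN-POOL

! --- Verification (run from the ASA CLI after a client has connected) ---
! Does NAT treat the flow as exempt and does it egress via dmz?
packet-tracer input outside tcp 192.168.100.5 40000 10.1.1.10 80
! Hit counters on the exemption rules should increase while the client tests:
show nat
! Capture on the DMZ side to confirm packets actually leave toward the web server:
capture DMZCAP interface dmz match ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
show capture DMZCAP
no capture DMZCAP
```

Two caveats worth checking while comparing against the real configuration: interface ACLs are bypassed for decrypted VPN traffic only while the default `sysopt connection permit-vpn` is in effect, so if it has been disabled the dmz interface ACL must permit the VPN pool explicitly; and the example uses only the 8.3 NAT syntax, since the `no-proxy-arp` and `route-lookup` keywords commonly added to identity NAT statements were introduced later (8.4(2)).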
