03-06-2017 02:51 AM
If you have an ASA 5505 security appliance (version 7.2 (3) and higher) configured as an Easy VPN Client in Network Extension Mode with multiple interfaces configured, the security appliance builds a tunnel for locally encrypted traffic only from the interface with the highest security level.
The guide doesn't specify what happens with traffic from the interface with a mid-security level (DMZ). Sure, the DMZ traffic is exempted from the tunnel, but then what? Is it implicitly dropped? If that's the case, is there a way around that? How would you configure that? (Split tunneling on the Easy VPN server is not an option.)
What I'm trying to achieve is this:
Inside <--> Outside <--> Tunnel only (works fine)
DMZ <--> Outside <--> Internet (doesn't work)
03-06-2017 03:52 AM
Can you share the running config?
03-06-2017 04:19 AM
Not really, since I've randomly tried every thinkable solution until I rebooted and began from a clean slate, but...
Configuration pretty much like this:
! inside (security-level 100): the highest-security interface, so this is the only
! interface whose traffic the Easy VPN NEM client sends into the tunnel
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! outside (security-level 0): DHCP-assigned address and default route
interface Vlan2
 nameif outside
 security-level 0
 dhcp client route distance 2
 ip address dhcp setroute
!
! dmz (security-level 50): may not initiate traffic towards Vlan1 (inside)
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! PAT the DMZ behind the outside interface address for Internet-bound traffic
object network dmz
 nat (dmz,outside) dynamic interface