
DMZ Internet Access on ASA 5505 with Easy VPN NEM

Andreas Norman
Level 1

According to this guide:

If you have an ASA 5505 security appliance (version 7.2 (3) and higher) configured as an Easy VPN Client in Network Extension Mode with multiple interfaces configured, the security appliance builds a tunnel for locally encrypted traffic only from the interface with the highest security level.

The guide doesn't specify what happens with traffic from the interface with a mid-security level (DMZ). Sure, the DMZ traffic is exempted from the tunnel, but then what? Is it implicitly dropped? If that's the case, is there a way around that? How would you configure that? (Split tunneling on the Easy VPN server is not an option.)

What I'm trying to achieve is this:

Inside <--> Outside <--> Tunnel only (works fine)

DMZ <--> Outside <--> Internet (doesn't work)

2 Replies

MANI .P
Level 1

can you share the running config ?

Not really, since I've randomly tried every thinkable solution until I rebooted and began from a clean slate, but...

  1. The Easy VPN tunnel works (NEM mode)
  2. When the Easy VPN client was turned off on the ASA, devices on the DMZ network got their addresses NAT'ed and were able to reach the Internet
  3. When the Easy VPN client was turned on, DMZ no longer had Internet access

Configuration pretty much like this:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 dhcp client route distance 2
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
object network dmz
 subnet 192.168.1.0 255.255.255.0
!
nat (dmz,outside) dynamic interface
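As an added diagnostic example (not part of the original thread, and not a fix): with the Easy VPN client enabled, these ASA commands show where a DMZ-to-Internet flow is actually dropped, rather than inferring it from a failed ping. The DMZ host 192.168.1.10 and the destination 198.51.100.10 are constructed placeholders from the documentation range; substitute a real host and an Internet address.

```cisco
! Added example, not the poster's config. Trace a constructed DMZ-to-Internet
! flow (192.168.1.10 -> 198.51.100.10:80) through the ASA's packet path; the
! "detailed" output names the phase (ROUTE-LOOKUP, NAT, VPN, ACCESS-LIST) in
! which the packet is dropped.
packet-tracer input dmz tcp 192.168.1.10 40000 198.51.100.10 80 detailed

! Confirm the Easy VPN client state, mode (NEM) and which interface's traffic
! is being tunneled.
show vpnclient detail

! Verify the dynamic PAT rule for the dmz object is installed and has hits.
show nat detail
```

Run the packet-tracer once with the Easy VPN client disabled (`no vpnclient enable`) and once with it enabled; comparing the two traces shows whether the DMZ flow stops at the VPN phase or elsewhere, which is the information the reply above could not supply without a saved running config.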