cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
77
Views
0
Helpful
2
Replies
Beginner

DMZ Internet Access on ASA 5505 with Easy VPN NEM

According to this guide:

If you have an ASA 5505 security appliance (version 7.2 (3) and higher) configured as an Easy VPN Client in Network Extension Mode with multiple interfaces configured, the security appliance builds a tunnel for locally encrypted traffic only from the interface with the highest security level.

The guide doesn't specify what happens with traffic from the interface with a mid-security level (DMZ). Sure, the DMZ traffic is exempted from the tunnel, but then what? Is it implicitly dropped? If that's the case, is there a way around that? How would you configure that? (Split tunneling on the Easy VPN server is not an option.)

What I'm trying to achieve is this:

Inside <--> Outside <--> Tunnel only (works fine)

DMZ <--> Outside <--> Internet (doesn't work)

Everyone's tags (1)
2 REPLIES 2
Highlighted
Beginner

can you share the running

can you share the running config ?

Beginner

Not really since I've

Not really since I've randomly tried every thinkable solution until I rebooted and began from a clean slate, but...

  1. The Easy VPN tunnel works (NEM mode)
  2. When the Easy VPN client was turned off on the ASA, devices on the DMZ network got their addresses NAT'ed and were able to reach the Internet
  3. When the Easy VPN client was turned on, DMZ no longer had Internet access

Configuration pretty much like this:

interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
dhcp client route distance 2
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
object network dmz
 nat (dmz,outside) dynamic interface