I have a DMZ interface on an ASA 5520 that is used for wireless internet, and I would like the users to be able to VPN in; however, they cannot because they are coming back through the same outside interface. Do I have to NAT the VPN IP pool, or just use some form of hairpin routing or NAT? I am using 8.2.
Do you mind posting the relevant configuration (routes, interfaces, split-tunnel ACL and source/destination networks)?
You will likely need to NAT the IP pool on the appropriate interfaces, but without more information I can't provide a suitable answer.
If I understand you correctly, the only NAT you'll need is nat 0 for traffic going from your inside (or DMZ) subnet to the VPN pool on the outside. But as James said, you're not quite clear.
If you mean hairpinning remote-access VPN so that remote users communicate with each other, then you need:
- to add the IP pool to the split-tunnel ACL, in case you use split tunneling;
- to exempt the pool addresses from NAT;
- to apply "same-security-traffic permit intra-interface".
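The three items above, together with the nat 0 exemption from inside/DMZ to the pool mentioned in the earlier reply, written out as one complete ASA 8.2 fragment. This is an added example, not configuration supplied by any poster; the interface names, the 10.0.0.0/24, 192.168.50.0/24 and 10.10.10.0/24 addressing, and the ACL, pool, group-policy and tunnel-group names are all assumptions.

```cisco
! --- Added example: ASA 8.2 remote-access hairpin config (assumed names and addresses) ---
! Assumed addressing: inside 10.0.0.0/24, dmz 192.168.50.0/24, VPN pool 10.10.10.0/24
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Let decrypted traffic leave through the interface it arrived on (pool-to-pool U-turn on outside)
same-security-traffic permit intra-interface

! Split-tunnel ACL: the pool itself is listed so client-to-client traffic is sent into the tunnel
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.50.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0

! Ordinary PAT for inside and dmz hosts going to the internet
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.50.0 255.255.255.0

! NAT exemption (nat 0): inside and dmz hosts talking to the pool must not be translated,
! and pool-to-pool traffic that U-turns on outside must not be translated either
access-list NONAT-INSIDE extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT-DMZ extended permit ip 192.168.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
nat (dmz) 0 access-list NONAT-DMZ
nat (outside) 0 access-list NONAT-OUTSIDE

! Group policy and tunnel group tying the pool and the split-tunnel list together
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy RA-POLICY
```

To check it, connect two clients and look at `show vpn-sessiondb remote` and `show xlate`: if an xlate appears for a pool address, one of the nat 0 ACLs is not matching the flow. Note that `same-security-traffic permit intra-interface` permits any traffic to U-turn on outside, not only decrypted VPN traffic, so the outside interface ACL still has to be written with that in mind.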
If you are talking about allowing the user to VPN back into your main network as though they are outside, then one way I have done this is to enable VPN on the DMZ interface and have them go to a DNS name that resolves to two different IPs depending on whether they are using the internal DNS or the external DNS. This all depends on whether you have the DMZ clients using your internal DNS server.
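The approach in the reply above, as an added example in 8.2 syntax rather than the poster's own configuration: an existing IKEv1/IPsec remote-access setup on outside is extended so the same crypto map and ISAKMP are also enabled on the dmz interface, and SSL VPN is enabled there if it is in use. The crypto map, transform-set and policy names, the addressing, and the hostname vpn.example.com are assumptions; a tunnel-group that binds the pool is assumed to exist already. The split-horizon DNS part lives on the DNS servers, not on the ASA.

```cisco
! --- Added example: terminating the remote-access VPN on dmz as well as outside (assumed names) ---
! Assumed existing IKEv1/IPsec remote-access setup, currently enabled on outside only
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto map VPN-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside

! Added lines: apply the same crypto map and enable ISAKMP on dmz, so wireless clients
! build the tunnel to the dmz interface address instead of trying to reach the outside IP
crypto map VPN-MAP interface dmz
crypto isakmp enable dmz

! If AnyConnect / SSL VPN is used, enable it on dmz as well
webvpn
 enable outside
 enable dmz

! Pool and inside-to-pool NAT exemption are the same whichever interface the tunnel lands on
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
```

On the DNS side, the internal zone's A record for vpn.example.com points at the dmz interface address (192.168.50.1 in this example) and the external zone's record points at the public outside address, so the same client profile works from the wireless network and from the internet. Verify with `show crypto isakmp sa`, which should list the wireless peer against the dmz address, and `show vpn-sessiondb remote`. Decrypted tunnel traffic bypasses the dmz and inside interface ACLs under the default `sysopt connection permit-vpn`, so a VPN filter in the group policy is the place to restrict what wireless VPN users may reach.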