10-26-2007 10:14 AM - edited 02-21-2020 03:20 PM
I need to allow users from our VPN subnet access to a webserver on our DMZ.
Both the inbound ACLs are correct, but I am unsure of what the translation would be.
Our VPN subnet is 172.16.140.0/24 and our DMZ is 172.16.110.0/24
Any help would be appreciated. BTW, this is an ASA5510
10-26-2007 10:47 AM
access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (DMZ) 0 access-list No-NAT-DMZ
You had the acl above in your No-Nat acl, but that is the nat exempt for the inside interface. That acl would never match. So you simply have to create a nat exemption for the DMZ with the appropriate acl.
10-26-2007 10:19 AM
Posting the config would help, but you probably just need nat exemption for the dmz.
access-list nonat_dmz permit ip any 172.16.140.0 255.255.255.0
nat (dmz) 0 access-list nonat_dmz
Please rate helpful posts.
10-26-2007 10:43 AM
10-26-2007 11:05 AM
Thanks. That worked. Also, could you explain what the NAT exemption does in this instance?
Thanks again.
10-26-2007 11:10 AM
It identifies the traffic which should be exempt from nat, or not nat'd. This allows the traffic to be part of the vpn.
Please rate helpful posts.
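As an added illustration (not from this thread or from Cisco), a small Python model of the two points made above: the ASA consults only the nat 0 ACL bound to the interface a flow enters on, so an exemption on inside never matches DMZ-sourced traffic, and ACL names are case-sensitive, so a nat statement naming No-Nat-DMZ does not pick up an ACL defined as No-NAT-DMZ. The config strings are constructed; the interface names inside and DMZ and the pre-8.3 "nat 0 access-list" syntax are assumed.

```python
import ipaddress

# Constructed configs modelled on the thread (pre-8.3 "nat 0 access-list" syntax).
# BROKEN: the exemption exists only on inside, and the DMZ nat 0 line names an
# ACL that differs in case from the one defined (ASA ACL names are case-sensitive).
BROKEN = """
access-list No-NAT extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (inside) 0 access-list No-NAT
access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (DMZ) 0 access-list No-Nat-DMZ
"""
FIXED = BROKEN.replace("No-Nat-DMZ", "No-NAT-DMZ")

def _net(t, i):
    """Consume one ACL address spec (any | host A | A MASK); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Return (acls, exemptions): ACL name -> [(src, dst)], interface -> ACL name."""
    acls, exemptions = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and "permit" in t:
            i = t.index("permit") + 2          # skip the protocol keyword
            src, i = _net(t, i)
            dst, _ = _net(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and len(t) >= 5 and t[2:4] == ["0", "access-list"]:
            exemptions[t[1].strip("()")] = t[4]
    return acls, exemptions

def is_nat_exempt(acls, exemptions, ingress_if, src_ip, dst_ip):
    """True if a flow entering on ingress_if matches that interface's nat 0 ACL.
    Only the ACL bound to the ingress interface is consulted, which is why an
    exemption bound to inside never matches traffic sourced in the DMZ."""
    name = exemptions.get(ingress_if)
    if name is None or name not in acls:      # case-sensitive, like the ASA
        return False
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acls[name])

def dangling_exemptions(acls, exemptions):
    """Interfaces whose nat 0 statement names an ACL that is not defined."""
    return sorted(i for i, name in exemptions.items() if name not in acls)
```

Run dangling_exemptions() over a config before trusting a nat 0 line: a name mismatch silently leaves the VPN-to-DMZ traffic subject to normal NAT.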