07-21-2009 04:56 PM
I have Anyconnect configured and working on an ASA that also houses the DMZ.
I can reach the entire network from behind the Anyconnect except for the DMZ. Is there something additional that needs to be configured?
I checked to make sure I wasn't NATing the traffic and there are no ACLs blocking me, and the DMZ is in my tunneled routes (I can ping the DMZ interface on the ASA); it just won't send traffic.
Thanks!!
07-21-2009 09:22 PM
Are you sure it's not NATing?
do you have:
nat (dmz) 0 access-list ACL
and ACL should permit source DMZ_SUBNET destination VPN_POOL_SUBNET
can you post:
sh run nat
sh run access-group
sh run access-list
*** don't post outside_int_inbound ACL :)
07-22-2009 07:38 AM
Thank you for the reply...yep it was indeed a NAT issue.
I went to post the config you asked for and when I did a sho run nat I saw I had:
nat (Inside) 0 access-list NONAT
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
I made the correct entries in the NONAT ACL, but I didn't have a nat (DMZ) 0 statement. Once I added that I was able to get to the DMZ.
Thanks again, your request actually led me to the correct solution.
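As an added example (not from the thread or from Cisco), a small Python check modelled on the pre-8.3 `show run nat` output above: it flags every interface that translates traffic (`nat (iface) 1 ...`) but has no `nat (iface) 0 access-list` exemption, or whose exemption ACL never names the VPN pool as a destination, which is exactly the gap that kept DMZ replies from reaching the AnyConnect clients. The config text, the NONAT entries and the pool 10.9.9.0/24 are constructed sample values.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: Inside has a nat 0 exemption,
# DMZ only has dynamic NAT (nat 1), so DMZ-to-VPN traffic gets translated.
SAMPLE_CONFIG = """
nat (Inside) 0 access-list NONAT
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.9.9.0 255.255.255.0
access-list NONAT extended permit ip 172.16.5.0 255.255.255.0 10.9.9.0 255.255.255.0
"""
# The fix the poster applied: an exemption statement on the DMZ interface too.
FIXED_CONFIG = SAMPLE_CONFIG + "nat (DMZ) 0 access-list NONAT\n"

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
# Only the plain 'permit ip <net> <mask> <net> <mask>' form is parsed here;
# 'host' and 'any' keywords are outside what this check handles.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse(config):
    """Return ({iface: {nat_id: rest_of_line}}, {acl_name: [(src, smask, dst, dmask)]})."""
    nat, acls = {}, {}
    for line in config.strip().splitlines():
        m = NAT_RE.match(line)
        if m:
            nat.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3)
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return nat, acls

def exemption_gaps(config, vpn_pool):
    """Map each translating interface to its problem: 'no nat 0' when the
    exemption statement is missing, 'acl lacks pool' when its nat 0 ACL never
    lists the VPN pool as a destination. Fully exempted interfaces are omitted."""
    nat, acls = parse(config)
    pool = ipaddress.ip_network(vpn_pool)
    gaps = {}
    for iface, ids in nat.items():
        if not any(n > 0 for n in ids):
            continue                      # nothing translated on this interface
        if 0 not in ids:
            gaps[iface] = "no nat 0"
            continue
        acl_name = ids[0].split()[-1]     # 'access-list NONAT' -> 'NONAT'
        entries = acls.get(acl_name, [])
        if not any(ipaddress.ip_network(f"{d}/{dm}") == pool for _, _, d, dm in entries):
            gaps[iface] = "acl lacks pool"
    return gaps
```

Run against the sample, the DMZ interface is reported as "no nat 0"; against the fixed config the result is empty.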