Anyconnect / Can't reach DMZ

Brian M · ‎07-21-2009

I have Anyconnect configured and working on an ASA that also houses the DMZ.

I can reach the entire network from behind the Anyconnect except for the DMZ. Is there something additional that needs to be configured?

I checked to make sure I wasn't NATing the traffic and there are no ACL's blocking me and the DMZ is in my tunneled routes (I can ping the DMZ interface on the ASA); it just won't send traffic.

Thanks!!

Roman Rodichev · ‎07-21-2009

are you sure it's not natting?

do you have:

nat (dmz) 0 access-list ACL

and ACL should permit source DMZ_SUBNET destination VPN_POOL_SUBNET

can you post:

sh run nat

sh run access-group

sh run access-list

*** don't post outside_int_inbound ACL :)

Brian M · ‎07-22-2009

Thank you for the reply...yep it was indeed a NAT issue.

I went to post the config you asked for and when I did a sho run nat I saw I had:

nat (Inside) 0 access-list NONAT

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

I made the correct entries in the NONAT acl but I didn't have a nat (DMZ) 0 statement. Once I added that I was able to get to the DMZ.

Thanks again, your request actually led me to the correct solution.