Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1480
Views
7
Helpful
3
Replies

ASA VPN inbound for DMZ interface

Phoungsakdavin
Level 1
Level 1

‎04-11-2007 02:30 AM

Hello,

I have one Cisco ASA 5520 which has 3 interfaces.

1- Interface gigabitEthernet0/0 (Name: outside, security-level 0)

2- Interface gigabitEthernet0/1 (Name: inside, security-level 100)

3- Interface gigabitEthernet0/2 (Name: vpnbranch, security-level 50)

The outside interface of the ASA is connected to Internet router which is using public IP, and inside interface is private. My local host now can access Internet normally.

The question is how to configure ASA for the DMZ(vpnbranch interface) to allow inbound vpn traffic as this interface will connect to our branch offices by vpn connection and how to allow branch's host to access Internet via the ASA 5520 and my local server farm.

Note: Branch office is using Pix506E and the connection between the branch to headoffice doesn't have Internet access, meaning just only bridge connection.

Any solution would be highly appreciated.

Regards,

Vin

Labels:
0 Helpful
3 Replies 3

drolemc
Level 6
Level 6

‎04-17-2007 06:06 AM

Access Control lists typically consist of multiple access control entries (ACE) organized internally by the Security Appliance in a linked list. ACEs describe a set of traffic such as that from a host or network and list an action to apply to that traffic, generally permit or deny. When a packet is subjected to access list control, the Cisco Security Appliance searches this linked list of ACEs in order to find one that matches the packet. The first ACE that matches the security appliance is the one that is applied to the packet. Once the match is found, the action in that ACE (permit or deny) is applied to the packet.

Only one access list is permitted per interface, per direction. This means that you can only have one access list that applies to traffic inbound on an interface and one access list that applies to traffic outbound on an interface. Access lists that are not applied to interfaces, such as NAT ACLs, are unlimited.

Kamal Malhotra
Cisco Employee
Cisco Employee

‎04-17-2007 07:07 AM

Hi,

Its going to be a standard lan to lan tunnel config except the crypto map would be bound with the DMZ interface instead of the outside interface.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

HTH,

Please rate if it helps,

Regards,

Kamal

Phoungsakdavin
Level 1
Level 1
In response to Kamal Malhotra

‎04-17-2007 11:55 PM

Hello All,

Thanks so much for help. I am planing to migrate this vpn end of this week. Any problem, i will get back to you again.

Thanks.

Best Regards,

Vin

0 Helpful
Customers Also Viewed These Support Documents