Showing results for 
Search instead for 
Did you mean: 

ASA VPN inbound for DMZ interface



I have one Cisco ASA 5520 which has 3 interfaces.

1- Interface gigabitEthernet0/0 (Name: outside, security-level 0)

2- Interface gigabitEthernet0/1 (Name: inside, security-level 100)

3- Interface gigabitEthernet0/2 (Name: vpnbranch, security-level 50)

The outside interface of the ASA is connected to Internet router which is using public IP, and inside interface is private. My local host now can access Internet normally.

The question is how to configure ASA for the DMZ(vpnbranch interface) to allow inbound vpn traffic as this interface will connect to our branch offices by vpn connection and how to allow branch's host to access Internet via the ASA 5520 and my local server farm.

Note: Branch office is using Pix506E and the connection between the branch to headoffice doesn't have Internet access, meaning just only bridge connection.

Any solution would be highly appreciated.



3 Replies 3

Frequent Contributor
Frequent Contributor

Access Control lists typically consist of multiple access control entries (ACE) organized internally by the Security Appliance in a linked list. ACEs describe a set of traffic such as that from a host or network and list an action to apply to that traffic, generally permit or deny. When a packet is subjected to access list control, the Cisco Security Appliance searches this linked list of ACEs in order to find one that matches the packet. The first ACE that matches the security appliance is the one that is applied to the packet. Once the match is found, the action in that ACE (permit or deny) is applied to the packet.

Only one access list is permitted per interface, per direction. This means that you can only have one access list that applies to traffic inbound on an interface and one access list that applies to traffic outbound on an interface. Access lists that are not applied to interfaces, such as NAT ACLs, are unlimited.

Kamal Malhotra
Cisco Employee
Cisco Employee


Its going to be a standard lan to lan tunnel config except the crypto map would be bound with the DMZ interface instead of the outside interface.


Please rate if it helps,



Hello All,

Thanks so much for help. I am planing to migrate this vpn end of this week. Any problem, i will get back to you again.


Best Regards,


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: