Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
703
Views
0
Helpful
5
Replies

ASA5506-x VPN with DMZ interface

awcrane
Level 1
Level 1

‎08-13-2020 08:33 AM

Is it not possible to have a DMZ interface when using Easy VPN?

 

Labels:
0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎08-13-2020 09:03 AM

Hi,

Yes, no reason why not on older software versions. However Easy VPN is EOL and no longer supported.

https://www.cisco.com/c/en/us/obsolete/security/cisco-easy-vpn.html

 

HTH

0 Helpful

awcrane
Level 1
Level 1
In response to Rob Ingram

‎08-13-2020 09:22 AM

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)

Brand new unit Easy VPN is still there and works fine.

I've been using it for years but this is there first time I've had a requirement for a DMZ interface also.

 

packet-tracer input DMZ tcp 192.168.206.101 12345 209.244.0.3 53

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network OBJ-NAT-DMZ
nat (DMZ,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.206.101/12345 to x.x.x.x/12345

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

0 Helpful

Rob Ingram
VIP
VIP
In response to awcrane

‎08-13-2020 09:58 AM

It might be a brand new unit but it's runnning ASA 9.8, version 9.14 is the latest....it's still un-supported by Cisco, just making you aware.

Ok, so your outbound traffic from the DMZ is natted behind the outside IP address. What is the destination 209.244.0.3? Is that outside your network or actually inside?
0 Helpful

awcrane
Level 1
Level 1
In response to Rob Ingram

‎08-13-2020 10:01 AM

DNS server outside
0 Helpful

awcrane
Level 1
Level 1
In response to Rob Ingram

‎08-13-2020 10:04 AM

It looks like the vpn rules are blocking it but that traffic is natted from the DMZ to the outside so the vpn should leave it alone?
0 Helpful
Customers Also Viewed These Support Documents