Easy VPN with DMZ issue

edisonbbs
Level 1

Hi All,

I have an ASA5510 (Easy VPN server) and an ASA5505 (Easy VPN network extension mode).

On ASA5505, I had "internal interface" with 10.10.110.254/255.255.255.128; and "DMZ" 10.10.110.1/255.255.255.128

The ASA5510 had internal ip range with 192.168.159.254/21

So far, the Easy VPN is up and running. It works fine. However, I found two issues:

1. The DMZ zone cannot connect to the ASA5510 (192.168.159.254/21).

I can see in the routing table of the ASA5510 that there is only one entry, 10.10.110.128/25, to outside (Easy VPN).

There is no route for 10.10.110.0/25. I tried to add a static route: route outside 10.10.110.0 255.255.255.128 10.10.110.254

It still does not work.

It seems that Easy VPN can only tunnel the internal interface. Really?

2. The DMZ cannot communicate with the internal zone.

I tried to configure NAT exemption; however, it said that I cannot enable NAT exemption when I am in Easy VPN mode.

Anyone have an idea? What is the best solution for this case?

Many thanks

1 Reply

praprama
Cisco Employee

Hi,

Take a look at this link:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ezvpn505.html#wp1025408

It says only the highest security level interface would work, and that could be the behavior you are seeing. You can try switching to client mode and see if it helps (please note that in client mode, only networks behind the ASA 5505 can talk to the ASA 5510, and not vice versa).

About DMZ to inside access, can you run the following command and post the output here?

packet-tracer input DMZ icmp 10.10.110.10 8 0 10.10.110.250 detailed

Regards

Prapanch