IPSec VPN connection from a DMZ interface ASA 5510

Alan Herriman
Level 1

Hello All,

I have an interesting situation, which I thought I would ask about in case anyone has run into it. I currently have an ASA 5510 set up with dual-homed ISPs and a remote access IPsec VPN set up to terminate at either interface. The first interface is named Outside and the second is simply called Outside-2. When outside the company (such as at home), the VPN client will connect on the Outside-2 interface and work normally. The problem is that while testing on our DMZ, the VPN client will not connect on the Outside-2 interface. It will try that interface, fail to connect, and then connect to the backup Outside interface.

This isn't a huge concern because it still connects, but if we were ever to get rid of one of those connections, it would be nice to reliably test from our DMZ.

Thanks in advance,

Alan

1 Reply

Alan Herriman
Level 1

I actually solved this problem by myself, but I'll post my findings in case anyone else runs into this weird scenario. I'll use a diagram because of the complicated nature of the problem:

What was happening is that, when connected to the "DMZ" of sorts (not a traditional DMZ), clients were unable to establish an IPsec VPN connection to the primary address, which was through ISP2. This is because the return address was seen as a locally connected subnet through the second interface on the ASA going to ISP1. This prevented it from being able to route traffic back in the same direction, causing the remote access VPN not to connect. This DMZ is special in that it has a public IP address, and the network between ISP1 and the ASA is a /28 network.

To fix this problem and ensure that clients on the DMZ network would connect to the VPN through the primary address (through ISP1) and the backup address (through ISP2), a static route was added containing only the IP address of the DMZ external address (route ISP2 x.x.x.x 255.255.255.255 x.x.x.x), where x.x.x.x is the IP address of the external address on the DMZ and the second set is the next hop going out the ISP2 network. This corrected the issue, ensuring traffic returned the same way it was received.
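An added illustration of why the host route works (not part of the original thread): a router answers with the most specific matching route, so the connected /28 toward ISP1 beats the default route for the DMZ host's address, and a /32 for that host beats the /28. The addresses are constructed from RFC 5737 documentation ranges, and the ISP1/ISP2 interface names and the default-route metrics are assumptions, not the poster's configuration.

```python
import ipaddress

# Constructed sample addressing (RFC 5737 ranges), not the poster's real values.
# Interface names ISP1/ISP2 follow the reply's route command; mapping to Outside/Outside-2 is assumed.
ISP1_NET = ipaddress.ip_network("203.0.113.0/28")   # the /28 between ISP1 and the ASA; the DMZ host lives here
ISP2_NET = ipaddress.ip_network("198.51.100.0/30")  # link between the ASA and ISP2
DMZ_HOST = ipaddress.ip_address("203.0.113.10")     # public address of the DMZ test client
ISP2_GW = ipaddress.ip_address("198.51.100.1")      # next hop toward ISP2


def route(prefix, iface, gateway=None, metric=1):
    """One routing-table entry; gateway None means a directly connected network."""
    return {"prefix": ipaddress.ip_network(prefix), "iface": iface, "gateway": gateway, "metric": metric}


def lookup(table, dst):
    """Longest-prefix match as a router does it: most specific prefix wins, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r["prefix"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))
    return best["iface"], best["gateway"]


def base_table():
    """Dual-homed ASA before the fix: connected networks plus a primary and a backup default route."""
    return [
        route(ISP1_NET, "ISP1", metric=0),
        route(ISP2_NET, "ISP2", metric=0),
        route("0.0.0.0/0", "ISP2", ISP2_GW, metric=1),                               # primary default (assumed)
        route("0.0.0.0/0", "ISP1", ipaddress.ip_address("203.0.113.1"), metric=254),  # backup default (assumed)
    ]


def fixed_table():
    """Adds the host route from the reply: route ISP2 <dmz-host> 255.255.255.255 <isp2-next-hop>."""
    return base_table() + [route(f"{DMZ_HOST}/32", "ISP2", ISP2_GW)]


def reply_egress(table):
    """Interface the ASA would use to answer the DMZ client's IKE request."""
    return lookup(table, DMZ_HOST)[0]


if __name__ == "__main__":
    print("before fix:", reply_egress(base_table()))   # ISP1: reply leaves a different interface than it arrived on
    print("after fix: ", reply_egress(fixed_table()))  # ISP2: reply returns the way the request came in
```

Before the fix the connected /28 wins the lookup for the DMZ host and the reply leaves via ISP1 while the request arrived via ISP2; after the fix the /32 is the longest match and the reply goes back out ISP2.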