cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1780
Views
0
Helpful
3
Replies

NAT entry to allow Anyconnect users access to DMZ servers

gregbeifuss
Level 1
Level 1

I'm trying to set up Anyconnect so that users can also view the internet sites that my organization hosts (ie. our corporate website). I run an ASA 5510 with 8.2.1.  VPN users are assigned 192.168.200.x addresses, DMZ addresses are 192.168.2.x

I have NAT entries in place that allow VPN users to access internal resources and other internet sites, but I'm having a terrible time getting them access to our internet sites. I've read a number of posts in these forums with no success.

I feel like I'm missing a single NAT entry but don't know what I've missed. Any help would be appreciated.

Greg

3 Replies 3

Collin Clark
VIP Alumni
VIP Alumni

Looking at your config, I would have thought that DMZ resources are working, but internal ones are not. You need to NAT0 both networks. You have one for the DMZ, but not for the inside.

Have: nat (dmz) 0 access-list no_nat_vpn

Don't Have: nat (inside) 0 access-list no_nat_vpn

When you try and access a DMZ resource, is there anything in the logs? Specifically an entry like "no translation group found".

I've attached the config guide for AnyConnect.

I should probably clarify my network setup. We run our dmz with back to back firewalls, per the image. There is no internal interface on the ASA in question, only DMZ and external.
My issue is that AnyConnect VPN users who authenticate to the edge ASA can access DMZ resources (by DMZ IP) and Internal resources per the attached diagram. However, they cannot access our webservers in the DMZ by their public IPs (ie. www.mycompany.com).

I'll take a look at the logs to see if there's anything of use/interest.

Are your intranet sites hosted on the DMZ servers that have static NAT entires in your config? If so, you might try implementing DNS doctoring on the static NATs by adding 'dns' to the end of the NAT entry. You'll have to remove the static NATs and re-add them with 'dns' tacked on, then clear the xlate. If you're using domain names to resolve the IPs for your intranet sites the ASA will rewrite the DNS response with the internal 192.168 IP instead of the public IP. Ought to work if you're able to access the DMZ servers (and sites) with their private IPs.

You may also try adding an access list rule permitting the 192.168.200.0/24 network to hit the public IPs of your DMZ servers as a test as well.

Good luck!

James

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: