01-28-2013 06:03 AM
Hi
I have a DMZ interface on an ASA 5520 that is used for wireless internet, and I would like the users to be able to VPN in; however, they cannot because they are coming back through the same outside interface. Do I have to NAT the VPN IP pool, or just use some form of hairpin routing or NAT? I am using 8.2.
Thanks
01-28-2013 09:59 AM
Do you mind posting the relevant configuration (routes, interfaces, split tunnel ACL and source/dest networks)?
You will likely need to NAT the IP pool on the appropriate interfaces, but without more information I can't provide a suitable answer.
James
01-28-2013 10:16 AM
If I understand you correctly, the only NAT you'll need is nat 0 for traffic going from your inside (or DMZ) subnet to the VPN pool on the outside. But as James said, you're not quite clear.
01-28-2013 12:04 PM
If you mean hairpinning remote-access VPN so that remote users communicate with each other, then you need:
- to add the IP pool to the split-tunnel ACL, in case you use split tunnelling;
- to exempt the pool addresses from NAT;
- to apply "same-security-traffic permit intra-interface".
----------
Mashal
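The three steps above written out as an ASA 8.2 configuration fragment (an added example, not configuration posted by anyone in this thread); the interface names, subnets, pool and object names are assumptions constructed for illustration:

```cisco
! Assumed addressing (constructed for this example):
!   inside LAN       10.1.0.0/16     behind interface "inside"
!   remote VPN pool  10.200.0.0/24   handed to remote-access clients terminating on "outside"
ip local pool VPN_POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0

! Step 3: allow traffic to enter and leave the same interface
! (client-to-client hairpin on "outside")
same-security-traffic permit intra-interface

! Step 2: exempt pool traffic from NAT (8.2 "nat 0" syntax)
! inside hosts <-> VPN clients
access-list INSIDE_NONAT extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT
! VPN client <-> VPN client: both legs are on "outside"
access-list OUTSIDE_NONAT extended permit ip 10.200.0.0 255.255.255.0 10.200.0.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NONAT

! Step 1: include the pool itself in the split-tunnel list so a client
! sends pool-destined traffic through the tunnel rather than its local NIC
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.200.0.0 255.255.255.0

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY
```

After applying it, `show run nat` and `show run same-security-traffic` confirm that steps 2 and 3 are in effect.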
01-28-2013 01:44 PM
If you are talking about allowing the user to VPN back into your main network as though they are outside, then one way I have done this is to enable VPN on the DMZ interface and have them go to a DNS name that resolves to two different IPs depending on whether they are using the internal DNS or the external DNS. This all depends on whether you have the DMZ clients using your internal DNS server.
Dave