01-04-2016 09:38 AM
Dear ,
I would like to get access to the DMZ from remote branches via a VPN tunnel on the ASA. Please see the diagram and give me your comments.
Thanks in advance.
01-04-2016 10:58 AM
If the tunnels from R1 to the other routers are working then I believe that these are the things that you need to do:
- be sure that each of the remote routers has a route to the subnet of the DMZ that points through the tunnel.
- be sure that R1 has a route to the subnet of the DMZ.
- configure on the ASA security policy that permits traffic from all the networks from the routers to access the DMZ.
- configure on the ASA routes for all the networks from the routers.
HTH
Rick
01-04-2016 12:07 PM
Dear Mr. Rick,
Thanks for your help. I am almost done with this scenario with your help. I am testing in a GNS3 lab and after that I will apply this scenario in my real network.
I have a question:
1. Does the ASA by default allow access to the DMZ from Internal (i.e. from security level High to Low)
[Inside:100 => DMZ:50]?
Because in my lab I didn't create any permit access-list; meanwhile the inside network can access telnet, www, etc. on the DMZ, but ping is not allowed.
2. All remote routers can access the DMZ the same as R1, but ping is not allowed. I think that all remotes are connected to the internal network router, so they can access without any permit access-list.
3. Other ports are allowed by default from security High => Low, but ping is not allowed. How can I open ping/icmp (internal to DMZ)? Please give me an access-list command.
01-04-2016 12:33 PM
To allow ping you need to inspect it. The syntax might vary a little depending on your ASA, but it should look something like this:
policy-map global_policy
 class inspection_default
  inspect icmp
The default behavior of the ASA is to permit access from a higher-level interface (like 100) to a lower-level interface (like 50). So if all routers are accessing the ASA using the inside interface then they should be allowed access.
HTH
Rick
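Putting Rick's four points and the ICMP inspection together, here is an added ASA configuration example (not from the thread or from Cisco's documentation) for the topology described: branch LANs reached through R1 on the inside interface, a DMZ at security level 50. All interface names, addresses and subnets are constructed placeholders; the explicit ACL is only needed if an access-group is ever applied to the inside interface, since without one the 100 -> 50 default already allows the traffic.

```cisco
! Constructed interface layout matching the thread (inside 100, dmz 50)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
! Routes to the remote branch LANs (placeholder subnets). The next hop is
! R1's inside-facing address; R1 forwards them into the VPN tunnels.
route inside 192.168.10.0 255.255.255.0 10.0.0.2
route inside 192.168.20.0 255.255.255.0 10.0.0.2
!
! Explicit policy for when an ACL is applied on inside: once an ACL exists
! on the interface the security-level default no longer applies, so each
! branch subnet must be permitted to the DMZ (least privilege: DMZ only).
object-group network BRANCH_LANS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
object network DMZ_NET
 subnet 172.16.10.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.0.0.0 255.255.255.0 object DMZ_NET
access-list INSIDE_IN extended permit ip object-group BRANCH_LANS object DMZ_NET
access-group INSIDE_IN in interface inside
!
! ICMP inspection: the ASA then tracks each echo request and lets the
! matching echo reply back from dmz to inside; without it the reply from
! the lower-security interface is dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

To verify from the ASA itself before touching the real network, `packet-tracer input inside icmp 192.168.10.5 8 0 172.16.10.20` walks a constructed branch-to-DMZ echo request through the route lookup, ACL and inspection phases and reports which one drops it.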