VPN client not able to reach DMZ

tad.190804
Level 1

Hi Gents,

We have a Cisco VPN client which connects to the ASA, and I can access
all the internal network. I have two issues.

1. I am able to ping and access all the LAN servers, but I am not able to access any of my WAN
sites. The WAN sites are connected to a WAN-DMZ to the same ASA Firewall.

The no-nat acl is below.
access-list acl-nonat extended permit ip any 10.1.1.0 255.255.255.0

2. I have a proxy server in the LAN. I am able to ping the proxy server once the VPN is connected.
But I am not able to browse the internet using that proxy IP in the explorer.

Also, just for my inquisitiveness. When the VPN connects, I get an IP 10.1.1.10
and it mentions the gateway as 10.1.1.1. Where is this 10.1.1.1 defined? I have not defined it anywhere.
Which interface does this VPN client use to communicate, outside or inside?

Please advise.

Rgds,

Tauseef

4 Replies

Hi,

1. Is the nonat ACL applied to the DMZ interface?

2. Are you manually setting the proxy IP in the browser of the VPN client?
Maybe the proxy connection is working, but there's no u-turn configured on the ASA to allow internet access
through the VPN tunnel?

Are you using split-tunneling or tunneling all traffic?

The VPN client terminates the tunnel on the outside interface of the ASA and can go through the ASA to communicate
with other interfaces (inside or DMZ), or can be rerouted back out the outside to the Internet.

Federico.

You should change the VPN pool to a separate pool not assigned to the internal network.

Then for the other question:

You need to create a nonat for the DMZ interface with all the networks that need to access the VPN from behind the DMZ interface, similar to the nonat on the inside interface.
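The two changes Federico describes (a dedicated VPN pool, and NAT exemption on the DMZ as well as the inside), shown side by side as an added illustration rather than configuration from this thread. It assumes pre-8.3 ASA NAT syntax (matching the `acl-nonat` style in the question), a DMZ interface named `WAN-DMZ`, a placeholder DMZ network, and a made-up pool range.

```cisco
! --- As described in the thread: pool overlaps the 10.0.0.0/8 LAN, exemption only on inside
ip local pool VPN-POOL 10.1.1.10-10.1.1.50 mask 255.255.255.0
access-list acl-nonat extended permit ip any 10.1.1.0 255.255.255.0
nat (inside) 0 access-list acl-nonat
! Nothing exempts DMZ-to-VPN traffic, so replies from WAN sites behind WAN-DMZ are NATed/dropped

! --- Suggested shape: dedicated pool outside the LAN range, exemption on inside AND DMZ
! 192.168.200.0/24 is an assumed, unused pool range (not from the thread)
ip local pool VPN-POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0

! Inside: exempt LAN <-> VPN-pool traffic from NAT
access-list acl-nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list acl-nonat

! DMZ: same idea for each WAN-site network reachable behind WAN-DMZ
! (WAN_DMZ_NET / WAN_DMZ_MASK are placeholders for the real DMZ-side networks)
access-list acl-nonat-dmz extended permit ip WAN_DMZ_NET WAN_DMZ_MASK 192.168.200.0 255.255.255.0
nat (WAN-DMZ) 0 access-list acl-nonat-dmz

! Tunnel-all clients that must reach the Internet back through the outside interface
! need hairpinning permitted on the interface they arrived on
same-security-traffic permit intra-interface
```

With split tunneling disabled (tunnel-all), the client's browser still sends proxy traffic through the tunnel to the LAN proxy, so the inside exemption is what matters for that path; the DMZ exemption covers the WAN sites.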

Hi Federico,

I guess you are right on the NO-NAT ACL to the DMZ interface. Not applied. Will apply; should work. Thanks for the heads up on this one.

VPN tunneling all traffic. Proxy is manually mentioned. Should I mention the intra-interface traffic to be allowed or something?

The only thing is the user IP is 10.1.1.1 and the proxy IP is 10.240.254.1.

The whole LAN subnet is 10.0.0.0/8. Should the VPN be of a different IP schema for this to work?

Rgds,

Tauseef

I usually set remote VPN connections up with their own IP subnet space. This way I don't
extend the local LAN to the VPN with broadcasts and extra ARP traffic and such.

I have also had interesting issues with using the same subnet for the VPN users and the internal networking space. Not saying it won't work, but just not what I would recommend.