cisco asa 5505 vpn tunnel *from* dmz *to* inside
Posted on 2011-02-13
Before getting into the whats and whys of this config, is it possible to have a VPN tunnel originate from the dmz interface to a destination on the INSIDE interface?
I set the security level on dmz to 100 and enabled same-security inter/intra. I enabled the isakmp policy on the inside interface, and have a route from the inside interface to the router to which the vpn should connect.
It seems that the traffic from the dmz is not considered interesting enough for the tunnel, as I get no crypto isakmp/ipsec debug info when I ping from the dmz host to the remote host.
Interestingly enough, if I ping from the remote host (see below), it will build a tunnel from the remote router to the ASA - the ping fails though (probably because the return traffic is not getting back into the tunnel on the ASA for the response).
I *can* ping from the ASA to the outside interface (192.168.100.10) on the remote router, so I know I can get traffic to/from a subnet that is different from the subnet on the inside interface.
route 192.168.100.0/24 via 192.168.1.201 (another router on the inside)
crypto peer 192.168.100.10
dmz host: 172.16.1.10 (server)
serial1: 192.168.100.9/30 (p2p t1)
dmz host: 172.16.4.10 (server)
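For reference, an added configuration fragment (not from the post, and not the poster's actual config) showing the two pieces a dmz-to-inside-side peer normally needs on an ASA: a crypto ACL that defines the dmz-to-remote traffic as interesting, and a crypto map bound to the interface through which the peer is reached (here the inside interface, not the outside). It assumes pre-8.3/8.4 syntax, takes 172.16.4.10 as the remote host being pinged, and uses placeholder names (DMZ-TO-REMOTE, INSIDE-MAP, ESP-AES-SHA) and a placeholder pre-shared key.

```cisco
! Added example, assumed names; addresses taken from the post.
! 1. Interesting traffic: dmz server to the remote host.
access-list DMZ-TO-REMOTE extended permit ip host 172.16.1.10 host 172.16.4.10
!
! 2. Exempt that traffic from NAT on the dmz (pre-8.3 NAT syntax, assumed).
nat (dmz) 0 access-list DMZ-TO-REMOTE
!
! 3. Phase 1/2 parameters (values are assumptions, match them to the peer).
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! 4. Crypto map bound to the INSIDE interface, since the peer
!    192.168.100.10 is reached via 192.168.1.201 on the inside.
crypto map INSIDE-MAP 10 match address DMZ-TO-REMOTE
crypto map INSIDE-MAP 10 set peer 192.168.100.10
crypto map INSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map INSIDE-MAP interface inside
!
tunnel-group 192.168.100.10 type ipsec-l2l
tunnel-group 192.168.100.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
!
! 5. Verify: simulate the dmz ping and confirm the VPN phase is hit,
!    then check that an SA exists for the dmz/remote proxy identities.
packet-tracer input dmz icmp 172.16.1.10 8 0 172.16.4.10
show crypto ipsec sa peer 192.168.100.10
```

If packet-tracer shows the flow being dropped or NATed before a VPN phase appears, the crypto ACL or NAT exemption is not matching, which is consistent with seeing no isakmp/ipsec debug output for dmz-originated pings.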