Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 438
  • Last Modified:

Accessing websites when VPN'd in to our network

Hi all,
We have 2 Cisco ASA 5510's with internet connections running in to each, for each their own purpose. One connection is our primary internet connection for our building (and the majority of our VPN users connect to this ASA) and the other just runs for our web servers, that are running in a DMZ on that ASA and nothing else so as we don't have any slowdown issues related to any other connections.

Our users VPN in to "Internet ASA" and gain access to our internal networks and can see what they need to see but...(and here's the problem) they can not access the web sites that are running through the other Website ASA, when VPN'd. If I do pings or traces to that DMZ subnet, the traffic redirects back out the internet and dies in our providers network. This DMZ network is accessible from inside our network (so users aren't requesting for traffic out through our internet ASA and over to our Website ASA).

I've done some work in the past with CiscoTAC and what I've been told is it's due to security on the interfaces. Basically, when you're coming in through the "outside" interface of the internet ASA (VPN'd connection), in to the inside network and trying to access the DMZ interface of the Website ASA, it is denied because of the security settings of the interfaces.

Is this really the case or would someone have an idea of a work around. I can post configs if it would help but wanted to keep it general for now if someone has an idea on how to best set this up.

Thanks for any help,
Brett
0
discmakers
Asked:
discmakers
  • 3
  • 2
1 Solution
 
X-treemCommented:
you should be able to get it working
check the logfiles on the incoming VPN firewall
is the incoming firewall able to reach teh web servers in the dmz?
verify the VPN access rules
0
 
ryan80Commented:
Setup NAT rules so that the public IPs for your websites map to the dmz ip addresses. That way you dont need to go out to the public internet.
0
 
discmakersAuthor Commented:
@Ryan80, are you suggesting this in the Internet ASA or the Website ASA?
0
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

 
ryan80Commented:
The NAT translation would be on the ASA that the VPN uses. This is assuming that internal users can access the websites by the DMZ ip addresses.
0
 
discmakersAuthor Commented:
Turns out just adding the public IP and URL you want access to in to your "hosts" file will get you to the destination as the traffic routes back out to the 'net and the sites you want. Not very elegant but we have maybe 10-15 users that I have to touch so it's not too terrible.

Talking with CiscoTAC techs, this isn't exactly possible to get working due to security levels set on each interface and traffic translating through, from the outside int of the Internet ASA (and it's security levels) in through the DMZ on the Website ASA (and it's own security levels).

Hosts files are the only (and quick) fixup I can find and it does work.

Thanks for your help.
0
 
discmakersAuthor Commented:
Only known fix I could find
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now