• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 441
  • Last Modified:

Accessing websites when VPN'd in to our network

Hi all,
We have 2 Cisco ASA 5510's with internet connections running in to each, for each their own purpose. One connection is our primary internet connection for our building (and the majority of our VPN users connect to this ASA) and the other just runs for our web servers, that are running in a DMZ on that ASA and nothing else so as we don't have any slowdown issues related to any other connections.

Our users VPN in to "Internet ASA" and gain access to our internal networks and can see what they need to see but...(and here's the problem) they can not access the web sites that are running through the other Website ASA, when VPN'd. If I do pings or traces to that DMZ subnet, the traffic redirects back out the internet and dies in our providers network. This DMZ network is accessible from inside our network (so users aren't requesting for traffic out through our internet ASA and over to our Website ASA).

I've done some work in the past with CiscoTAC and what I've been told is it's due to security on the interfaces. Basically, when you're coming in through the "outside" interface of the internet ASA (VPN'd connection), in to the inside network and trying to access the DMZ interface of the Website ASA, it is denied because of the security settings of the interfaces.

Is this really the case or would someone have an idea of a work around. I can post configs if it would help but wanted to keep it general for now if someone has an idea on how to best set this up.

Thanks for any help,
Brett
0
discmakers
Asked:
discmakers
  • 3
  • 2
1 Solution
 
X-treemCommented:
you should be able to get it working
check the logfiles on the incoming VPN firewall
is the incoming firewall able to reach teh web servers in the dmz?
verify the VPN access rules
0
 
ryan80Commented:
Setup NAT rules so that the public IPs for your websites map to the dmz ip addresses. That way you dont need to go out to the public internet.
0
 
discmakersAuthor Commented:
@Ryan80, are you suggesting this in the Internet ASA or the Website ASA?
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
ryan80Commented:
The NAT translation would be on the ASA that the VPN uses. This is assuming that internal users can access the websites by the DMZ ip addresses.
0
 
discmakersAuthor Commented:
Turns out just adding the public IP and URL you want access to in to your "hosts" file will get you to the destination as the traffic routes back out to the 'net and the sites you want. Not very elegant but we have maybe 10-15 users that I have to touch so it's not too terrible.

Talking with CiscoTAC techs, this isn't exactly possible to get working due to security levels set on each interface and traffic translating through, from the outside int of the Internet ASA (and it's security levels) in through the DMZ on the Website ASA (and it's own security levels).

Hosts files are the only (and quick) fixup I can find and it does work.

Thanks for your help.
0
 
discmakersAuthor Commented:
Only known fix I could find
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now