Accessing websites when VPN'd in to our network

Posted on 2012-09-20
Last Modified: 2012-09-30
Hi all,
We have 2 Cisco ASA 5510s with internet connections running into each, each for its own purpose. One connection is our primary internet connection for our building (and the majority of our VPN users connect to this ASA) and the other just runs for our web servers, which are running in a DMZ on that ASA and nothing else, so that we don't have any slowdown issues related to any other connections.

Our users VPN into the "Internet ASA" and gain access to our internal networks and can see what they need to see but...(and here's the problem) they cannot access the websites that are running through the other Website ASA when VPN'd. If I do pings or traces to that DMZ subnet, the traffic redirects back out the internet and dies in our provider's network. This DMZ network is accessible from inside our network (so users aren't requesting traffic out through our Internet ASA and over to our Website ASA).

I've done some work in the past with Cisco TAC and what I've been told is that it's due to security on the interfaces. Basically, when you're coming in through the "outside" interface of the Internet ASA (VPN'd connection), into the inside network and trying to access the DMZ interface of the Website ASA, it is denied because of the security settings of the interfaces.

Is this really the case, or would someone have an idea of a workaround? I can post configs if it would help but wanted to keep it general for now in case someone has an idea on how to best set this up.

Thanks for any help,
Question by: discmakers
    LVL 8

    Expert Comment

    You should be able to get it working.
    Check the log files on the incoming VPN firewall.
    Is the incoming firewall able to reach the web servers in the DMZ?
    Verify the VPN access rules.
    LVL 12

    Expert Comment

    Set up NAT rules so that the public IPs for your websites map to the DMZ IP addresses. That way you don't need to go out to the public internet.

    Author Comment

    @Ryan80, are you suggesting this in the Internet ASA or the Website ASA?
    LVL 12

    Expert Comment

    The NAT translation would be on the ASA that the VPN uses. This is assuming that internal users can access the websites by the DMZ IP addresses.
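    What the comment above describes is a destination NAT on the Internet ASA: packets from the VPN pool addressed to a site's public IP are rewritten to the DMZ address and forwarded over the inside network, the same path office users already take. The fragment below is an added illustration, not configuration from the thread or from Cisco TAC, written in ASA 8.3+ NAT syntax (the 5510 in the thread may run older 8.2 code, where the equivalent is a `static` statement). All addresses, object names and the inside next hop are assumptions.

```cisco
! Added example (not from the thread). Assumed addressing:
!   VPN client pool on the Internet ASA   10.99.0.0/24
!   public address of one website          203.0.113.10  (terminates on the Website ASA)
!   DMZ address of that website            10.1.50.10    (reachable from the inside network)
!   inside next hop toward the DMZ subnet  10.1.1.254
!
! 1. Objects for the source pool and the two faces of the web server
object network VPN-POOL
 subnet 10.99.0.0 255.255.255.0
object network WEB-PUBLIC
 host 203.0.113.10
object network WEB-DMZ
 host 10.1.50.10
!
! 2. Twice NAT: source is left untranslated (VPN-POOL -> VPN-POOL), the
!    destination is rewritten WEB-PUBLIC -> WEB-DMZ. Decrypted VPN traffic
!    enters on 'outside' and, because of this rule, leaves via 'inside'
!    instead of being routed back to the provider. Place it above any
!    identity/NAT-exemption rule that also matches the VPN pool.
nat (outside,inside) source static VPN-POOL VPN-POOL destination static WEB-PUBLIC WEB-DMZ
!
! 3. The Internet ASA needs a route to the DMZ subnet over the inside
!    network (the thread says inside users already reach it this way).
route inside 10.1.50.0 255.255.255.0 10.1.1.254 1
!
! 4. With split tunnelling, the PUBLIC address must be in the split-tunnel
!    list; otherwise the client sends it straight to the internet and the
!    NAT rule never sees it.
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit host 203.0.113.10
!
! Verification after applying:
!   show nat detail
!     -> translate_hits / untranslate_hits on the rule increase as a VPN user browses
!   packet-tracer input outside tcp 10.99.0.5 12345 203.0.113.10 80
!     -> NAT phase shows 203.0.113.10 -> 10.1.50.10 and the output interface is 'inside'
```

    Because the client still connects to the real public IP and hostname, DNS and certificates keep working without per-user hosts-file entries; the only per-client change is the split-tunnel list, which the ASA pushes.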

    Accepted Solution

    Turns out just adding the public IP and URL you want access to into your "hosts" file will get you to the destination, as the traffic routes back out to the 'net and the sites you want. Not very elegant, but we have maybe 10-15 users that I have to touch so it's not too terrible.

    Talking with Cisco TAC techs, this isn't exactly possible to get working due to security levels set on each interface and traffic translating through, from the outside interface of the Internet ASA (and its security levels) in through the DMZ on the Website ASA (and its own security levels).

    Hosts files are the only (and quick) fix I can find, and it does work.

    Thanks for your help.

    Author Closing Comment

    Only known fix I could find
