Accessing websites when VPN'd in to our network
discmakers asked:
Hi all,
We have 2 Cisco ASA 5510s with internet connections running in to each, each for its own purpose. One connection is our primary internet connection for our building (and the majority of our VPN users connect to this ASA) and the other just runs for our web servers, which are running in a DMZ on that ASA and nothing else, so that we don't have any slowdown issues related to any other connections.
Our users VPN in to the "Internet ASA" and gain access to our internal networks and can see what they need to see but... (and here's the problem) they cannot access the web sites that are running through the other "Website ASA" when VPN'd. If I do pings or traces to that DMZ subnet, the traffic redirects back out the internet and dies in our provider's network. This DMZ network is accessible from inside our network (so users aren't requesting traffic out through our Internet ASA and over to our Website ASA).
I've done some work in the past with Cisco TAC and what I've been told is that it's due to security on the interfaces. Basically, when you're coming in through the "outside" interface of the Internet ASA (VPN'd connection), in to the inside network and trying to access the DMZ interface of the Website ASA, it is denied because of the security settings of the interfaces.
Is this really the case, or would someone have an idea of a work-around? I can post configs if it would help but wanted to keep it general for now if someone has an idea on how to best set this up.
Thanks for any help,
Brett
Set up NAT rules so that the public IPs for your websites map to the DMZ IP addresses. That way you don't need to go out to the public internet.
ASKER
@Ryan80, are you suggesting this in the Internet ASA or the Website ASA?
The NAT translation would be on the ASA that the VPN uses. This is assuming that internal users can access the websites by the DMZ IP addresses.
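For readers who want to see what that suggestion looks like on the box, here is an added example (not the asker's or Ryan80's configuration) of the destination NAT on the VPN-terminating "Internet ASA" in ASA 8.3-or-later object NAT syntax. The VPN pool, public address, DMZ address and inside next hop are all assumed values constructed for the example.

```cisco
! Assumed addresses (constructed for this example):
!   VPN client pool      10.10.10.0/24   (handed out by the Internet ASA)
!   website public IP    203.0.113.10    (answered by the Website ASA's outside)
!   web server in DMZ    192.168.100.10  (behind the Website ASA, reachable from inside)
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network WEB_PUBLIC
 host 203.0.113.10
object network WEB_DMZ
 host 192.168.100.10
!
! Twice NAT on the Internet ASA: a VPN client connecting to the public address
! has the destination rewritten to the DMZ address and the packet is sent out
! the inside interface instead of being routed back out to the Internet.
! The source side is identity NAT, so the client address is left unchanged.
nat (outside,inside) source static VPN_POOL VPN_POOL destination static WEB_PUBLIC WEB_DMZ
!
! The Internet ASA needs a route to the DMZ subnet via the inside network
! (assumed next hop), and the Website ASA needs a return route for the VPN
! pool so replies come back the same path and get un-translated.
route inside 192.168.100.0 255.255.255.0 192.168.1.254
!
! If split tunnelling is enabled, the public address must also be in the
! split-tunnel ACL, otherwise the client never sends it into the tunnel.
!
! Verify the translation and the egress interface before users try it:
! packet-tracer input outside tcp 10.10.10.5 1025 203.0.113.10 80
```

Only the addresses listed in the objects get redirected, so the rule does not change how VPN users reach any other Internet destination.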
ASKER CERTIFIED SOLUTION
ASKER
Only known fix I could find
Check the log files on the incoming VPN firewall.
Is the incoming firewall able to reach the web servers in the DMZ?
Verify the VPN access rules.