Cisco ASA Remote Access VPN to DMZ


I have a 5520 with 3 physical interfaces - outside, inside, dmz.

The dmz interface has been sub-ed out into 3 other interfaces.

Everything else is working fine,

I would like to know how to configure a remote access vpn to one of the sub-dmz segments from a windows 7 laptop.

Ernie BeekExpertCommented:
Did you have a look at the (ASDM) logs to see if something shows up there what might give you a clue?
Ernie BeekExpertCommented:
Simply put, you just configure it like you would using the physical interface. Only now you use the subinterface instead of the real interface.
netcmhAuthor Commented:
A step by step would be appreciated.
Ernie BeekExpertCommented:
Ok, let's see:

ip local pool VPN-pool mask
object network NETWORK_OBJ_192.168.100.0_28
username ra-user password rauserpass privilege 0
username ra-user attributes
 vpn-group-policy RA-VPN
group-policy RA-VPN internal
group-policy RA-VPN attributes
 vpn-tunnel-protocol ikev1
 dns-server value
 default-domain value default.domain.invalid
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy RA-VPN
 address-pool  VPN-pool
tunnel-group RA-VPN ipsec-attributes
 ikev1 pre-shared-key mypresharedkey
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  ikev1 transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
nat (inside,outside) 3 source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.168.100.0_28 NETWORK_OBJ_192.168.100.0_28 no-proxy-arp route-lookup

Of course you'll need to make some changes to fit this to your own situation.
ip local pool VPN-pool mask: ip pool for RA clients
username ra-user password rauserpass privilege 0: using a local user for authentication
ikev1 pre-shared-key mypresharedkey: preshared key for the RA-VPN group
nat (inside,outside) etc.: NAT exempt for VPN traffic (replace the interface names with the names of your interfaces, I used default names here).

This is the setup for an RA VPN using the cisco secure VPN client. I created this one for a 9.x ASA. Commands may vary a bit depending on what version your ASA is.

You can also use the wizard in the ASDM to create a similar setup.
netcmhAuthor Commented:
Sorry, but can you give me the steps in 8.2? Thanks
Ernie BeekExpertCommented:
That should be something like:

access-list splitvpn standard permit
access-list nonat extended permit ip
ip local pool VPNPool mask
nat (inside) 0 access-list nonat
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitvpn
split-dns value
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
vpn-group-policy remotevpn
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool vpnpool
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key thisisthepresharedkey

Of course you have to make some adjustments to reflect your own setup.

I got this from the site of my esteemed expert colleague PeteLong:
Have a look at it, lots of nice examples to be found there.
netcmhAuthor Commented:
So, the question is how do I get a remote access VPN session initiated from the outside to only talk with the DMZ segment, and not the inside?

Ernie BeekExpertCommented:
Ah, we crossed each other.

You'll need to replace the interface names, so dmz instead of inside.
netcmhAuthor Commented:
I tried that, and it still will not allow the external laptop to connect to the DMZ server. The Cisco VPN client does get connected, but beyond that it does not allow the connection through.
Ernie BeekExpertCommented:
Could you show us a sanitized copy of your config as it is now?
netcmhAuthor Commented:
ip local pool EXT_Pool_Split mask

access-list EXT_Remote_Split standard permit host
access-list EXT_DMZINT_2_NoNAT extended permit ip host

nat (DMZINT_2) 0 access-list EXT_DMZINT_2_NoNAT

group-policy EXT_Remote_Policy internal
group-policy EXT_Remote_Policy attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value EXT_Remote_Split

tunnel-group EXT_Tunnel_Remote_Split type remote-access
tunnel-group EXT_Tunnel_Remote_Split general-attributes
  default-group-policy EXT_Remote_Policy
  address-pool EXT_Pool_Split
tunnel-group EXT_Tunnel_Remote_Split ipsec-attributes
  pre-shared-key *********

username remoteuser password ********* priv 1

crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map IPSec_Map 500 ipsec-isakmp dynamic dynmap
crypto map IPSec_Map interface outside

crypto isakmp policy 40
  authentication pre-share
  encryption 3des
  hash sha
  group 1
  lifetime 3600
Ernie BeekExpertCommented:
Hehehe, that's a bit too sanitized :)

If possible I would like to see a more complete config.
netcmhAuthor Commented:
Since it's huge, I can't sanitize it enough. What are you looking for? I can get those pieces out comparatively faster.
Ernie BeekExpertCommented:
Different timezone?
Time for dinner and putting my son to bed ;)

I'll try to check later this evening.
netcmhAuthor Commented:
So, I'm attaching an oversimplified picture of my setup. Hoping that someone can give me the entire commands to get this to work.

I have a L3 switch, which has routing configuration for the various segments. I have an ASA 5520 with 8.2 IOS. I have a DMZ segment which has been subinterfaced into 5 different segments and none of them should be able to talk to each other. And, I have the company LAN on the inside.

I was able to, with the config pasted above, get the Cisco VPN client connected. But, I still can't get the VPN-ed in client to talk with the DMZ server.

netcmhAuthor Commented:
Got it figured out. Had a route missing on the switch back to the VPN IP pool.

Thanks for your help. I'll grant you points for helping, but this was the solution.
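Pulling the thread together, here is an added example that is not Ernie's or netcmh's configuration and is not taken from this page: an 8.2-style remote-access VPN scoped to one DMZ subinterface, plus the return route on the L3 switch that turned out to be the missing piece. Every name and address is assumed: DMZINT_2 is the subinterface with the ASA at 10.10.2.1/24, the L3 switch at 10.10.2.2, the DMZ server at 10.10.2.50, and 172.16.99.0/24 as the client pool. The vpn-filter goes beyond what the thread shows: a split-tunnel list only tells the client which networks to send through the tunnel, whereas a vpn-filter is enforced on the ASA after decryption, so it is what actually keeps VPN users off the inside segment.

```cisco
! --- assumed addressing (constructed example values, not from the thread) ---
! DMZINT_2 subinterface 10.10.2.1/24, L3 switch 10.10.2.2, DMZ server 10.10.2.50
! remote-access pool 172.16.99.1-172.16.99.254 /24

! pool the VPN client gets its tunnel address from
ip local pool EXT_Pool_Split 172.16.99.1-172.16.99.254 mask 255.255.255.0

! split tunnel: the client routes only the DMZ segment through the tunnel
access-list EXT_Remote_Split standard permit 10.10.2.0 255.255.255.0

! NAT exemption (8.2 syntax) for server <-> pool traffic, on the DMZ subinterface only
access-list EXT_DMZINT_2_NoNAT extended permit ip 10.10.2.0 255.255.255.0 172.16.99.0 255.255.255.0
nat (DMZINT_2) 0 access-list EXT_DMZINT_2_NoNAT

! enforced on the ASA after decryption: the pool may reach only the DMZ server,
! so inside stays unreachable even if a client ignores the split-tunnel list
! (vpn-filter ACEs are written source = remote client, destination = local host)
access-list EXT_Remote_Filter extended permit ip 172.16.99.0 255.255.255.0 host 10.10.2.50
access-list EXT_Remote_Filter extended deny ip any any

group-policy EXT_Remote_Policy internal
group-policy EXT_Remote_Policy attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EXT_Remote_Split
 vpn-filter value EXT_Remote_Filter

tunnel-group EXT_Tunnel_Remote_Split type remote-access
tunnel-group EXT_Tunnel_Remote_Split general-attributes
 default-group-policy EXT_Remote_Policy
 address-pool EXT_Pool_Split
tunnel-group EXT_Tunnel_Remote_Split ipsec-attributes
 pre-shared-key <REPLACE-WITH-A-LONG-RANDOM-PSK>

! --- on the L3 switch (the piece that was missing): return traffic for the pool goes to the ASA ---
! the DMZ server's default gateway is the switch, so without this the replies never come back
ip route 172.16.99.0 255.255.255.0 10.10.2.1

! --- checks on the ASA once a client is connected ---
show vpn-sessiondb remote
show crypto isakmp sa
show crypto ipsec sa peer <client-public-ip>
! packet-tracer does not simulate the tunnel itself, but it shows the NAT and route
! decisions the ASA makes for a packet sourced from the pool
packet-tracer input outside icmp 172.16.99.10 8 0 10.10.2.50
```

Reading the checks: `show crypto ipsec sa` should show both encaps and decaps counters climbing; encaps rising while decaps stays at zero is the symptom of exactly the problem in this thread, packets reaching the server but no route for the replies back to the ASA. On the switch, `show ip route 172.16.99.0` confirms the return route is present.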