[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

VPN Client Traffic to DMZ Interface

Posted on 2014-02-15
5
Medium Priority
?
780 Views
Last Modified: 2014-02-16
Need to Plan for the following:

VPN Client Traffic Currently can reach the Inside Networks of an ASA. Inside Users are also able to access Resources on a DMZ Interface. For VPN Users there is NAT Exemption to reach inside resources. For Internal users, there is PAT on the DMZ interface to reach the DMZ subnets. Need to configure the VPN Client Users to be able to reach the DMZ Subnets. NAT configuration is below. ASA is 5505 version 8.2:

nat (inside) 0 access-list inside_nat0_outbound (just specifies Inside to VPN)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (DMZ) 1 interface

Inside Subnet - 10.70.1.0/24
VPN Subnet - 10.70.10.0/24
DMZ Interface - 192.168.244.1/30
DMZ Remote subnet to Reach - 10.60.1.0/24

Topology is - ASA  (inside) - Internal Switch via one VLAN (301) - Users
         ASA (DMZ) - DMZ Switch via 192.168.244.0/30 (VLAN192) subnet - DMZ Remote subnet

Is there a way to terminate VPN client traffic on the ASA outside and then to somehow reroute and PAT it the same way as the inside users traffic?
0
Comment
Question by:Strinalena
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 17

Expert Comment

by:max_the_king
ID: 39861413
hi,
you Just need to exempt nat between dmz and vpn subnet:

access-list nonatdmz permit ip <dmzsubnet> <vpnsubnet>
nat (dmz) 0 access-list nonatdmz

hope this helps
max
0
 

Author Comment

by:Strinalena
ID: 39862018
Hi,
The problem is that traffic can only reach the DMZ Subnet 10.60.1.0/24 if the VPN Traffic is Translated to the DMZ interface (192.168.244.1) so if we just exempt the traffic from Translation it will not be able to reach the destination or?
0
 
LVL 17

Accepted Solution

by:
max_the_king earned 2000 total points
ID: 39862416
Hi,
that depends on your architecture: if your VLAN is defined as an ASA subinterface, you can exempt NAT accordingly as the example in my previous post; if your VLAN is accessed through a router, you need to add a route on the ASA as well. In that case you need to add a route back from the router to VPN subnet, and that is to be configured on the router.

max
0
 

Author Comment

by:Strinalena
ID: 39862425
Thanks! Will try the following:
ASA - Route to 10.60.1.0/24 via 192.168.244.2 (The Router's Interface)
ASA - NAT Exempt for VPN to DMZ Subnet
Router - Route to VPN Subnet via 192.168.244.1 (ASA DMZ Interface)
0
 

Author Comment

by:Strinalena
ID: 39863229
Done that and it is working. Also had to filter traffic and applied VPN-Filter. It is working as expected. Thanks for your help.
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question