Strinalena
asked on
VPN Client Traffic to DMZ Interface
Need to Plan for the following:
VPN Client Traffic Currently can reach the Inside Networks of an ASA. Inside Users are also able to access Resources on a DMZ Interface. For VPN Users there is NAT Exemption to reach inside resources. For Internal users, there is PAT on the DMZ interface to reach the DMZ subnets. Need to configure the VPN Client Users to be able to reach the DMZ Subnets. NAT configuration is below. ASA is 5505 version 8.2:
nat (inside) 0 access-list inside_nat0_outbound (just specifies Inside to VPN)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (DMZ) 1 interface
Inside Subnet - 10.70.1.0/24
VPN Subnet - 10.70.10.0/24
DMZ Interface - 192.168.244.1/30
DMZ Remote subnet to Reach - 10.60.1.0/24
Topology is - ASA (inside) - Internal Switch via one VLAN (301) - Users
ASA (DMZ) - DMZ Switch via 192.168.244.0/30 (VLAN192) subnet - DMZ Remote subnet
Is there a way to terminate VPN client traffic on the ASA outside and then to somehow reroute and PAT it the same way as the inside users traffic?
VPN Client Traffic Currently can reach the Inside Networks of an ASA. Inside Users are also able to access Resources on a DMZ Interface. For VPN Users there is NAT Exemption to reach inside resources. For Internal users, there is PAT on the DMZ interface to reach the DMZ subnets. Need to configure the VPN Client Users to be able to reach the DMZ Subnets. NAT configuration is below. ASA is 5505 version 8.2:
nat (inside) 0 access-list inside_nat0_outbound (just specifies Inside to VPN)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (DMZ) 1 interface
Inside Subnet - 10.70.1.0/24
VPN Subnet - 10.70.10.0/24
DMZ Interface - 192.168.244.1/30
DMZ Remote subnet to Reach - 10.60.1.0/24
Topology is - ASA (inside) - Internal Switch via one VLAN (301) - Users
ASA (DMZ) - DMZ Switch via 192.168.244.0/30 (VLAN192) subnet - DMZ Remote subnet
Is there a way to terminate VPN client traffic on the ASA outside and then to somehow reroute and PAT it the same way as the inside users traffic?
ASKER
Hi,
The problem is that traffic can only reach the DMZ Subnet 10.60.1.0/24 if the VPN Traffic is Translated to the DMZ interface (192.168.244.1) so if we just exempt the traffic from Translation it will not be able to reach the destination or?
The problem is that traffic can only reach the DMZ Subnet 10.60.1.0/24 if the VPN Traffic is Translated to the DMZ interface (192.168.244.1) so if we just exempt the traffic from Translation it will not be able to reach the destination or?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks! Will try the following:
ASA - Route to 10.60.1.0/24 via 192.168.244.2 (The Router's Interface)
ASA - NAT Exempt for VPN to DMZ Subnet
Router - Route to VPN Subnet via 192.168.244.1 (ASA DMZ Interface)
ASA - Route to 10.60.1.0/24 via 192.168.244.2 (The Router's Interface)
ASA - NAT Exempt for VPN to DMZ Subnet
Router - Route to VPN Subnet via 192.168.244.1 (ASA DMZ Interface)
ASKER
Done that and it is working. Also had to filter traffic and applied VPN-Filter. It is working as expected. Thanks for your help.
you Just need to exempt nat between dmz and vpn subnet:
access-list nonatdmz permit ip <dmzsubnet> <vpnsubnet>
nat (dmz) 0 access-list nonatdmz
hope this helps
max