The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.
ASA 5506 EasyVPN & DMZ "ERROR: This configuration cannot be modified with Cisco Easy VPN Remote enabled."
I need to set up a DMZ interface for my ASA 5506 (IOS ver 9.5.2) that's set up as an Easy VPN client. When I try to modify the third interface I get this: "ERROR: This configuration cannot be modified with Cisco Easy VPN Remote enabled."
Googling around I found this thread which says such a thing should be possible but doesn't mention the above error message: https://supportforums.cisco.com/discussion/12460931/dmz-interface-asa-5506-x
Googling around for that error message I can only find the below two posts that don't seem to have anything to do with my issue:
https://supportforums.cisco.com/discussion/11219271/ssl-vpn-not-working
https://supportforums.cisco.com/discussion/11092461/asa5505-vlan1-subnet-change-remotely
I have the sneaking suspicion I can't have Easy VPN (client) and DMZ set up on the same device but I hope I'm wrong. Any help is appreciated.
Googling around I found this thread which says such a thing should be possible but doesn't mention the above error message: https://supportforums.cisco.com/discussion/12460931/dmz-interface-asa-5506-x
Googling around for that error message I can only find the below two posts that don't seem to have anything to do with my issue:
https://supportforums.cisco.com/discussion/11219271/ssl-vpn-not-working
https://supportforums.cisco.com/discussion/11092461/asa5505-vlan1-subnet-change-remotely
I have the sneaking suspicion I can't have Easy VPN (client) and DMZ set up on the same device but I hope I'm wrong. Any help is appreciated.
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
The situation I'm running into is that the firewall is at a remote location, it's set up with Easy VPN so users, phones, printers etc at that location can just plug in or get on wifi and have a connection like they were sitting in our home location. Now we have another business that wants their own connection in our location.
My plan was to sit them on the DMZ and pass all traffic destined for their device through and block their device from getting to the inside network (my company's network). Is there another way to accomplish this with the equipment we already have?
My plan was to sit them on the DMZ and pass all traffic destined for their device through and block their device from getting to the inside network (my company's network). Is there another way to accomplish this with the equipment we already have?
Good to hear.
Would you mind sharing your solution with us? Perhaps someone else can profit from that.
Would you mind sharing your solution with us? Perhaps someone else can profit from that.
Ernie, instead of putting equipment from another company on the inside of my asa (since DMZ is not available) and trying to create ACL rules to isolate it, I requested a small range static IPs from my internet provider, plugged the internet connection into a dumb switch, gave the outside interface on my ASA one static IP, then let the other company plug their equipment into that dumb switch and gave them an outside IP address to use from that static range.
This way, their equipment never directly interacts with my equipment.
This way, their equipment never directly interacts with my equipment.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
If that's the case then it seems logical you can't have a DMZ on that interface. A DMZ is a separate 'inside' zone in your firewall which is exposed to the outside, but traffic has to traverse through the firewall.
An easy VPN client interface is on the outside of your firewall to be able to connect to a VPN server over the internet.
From a logical point of view, you can't have (and don't want) a DMZ on the outside interface.