fox54 asked:
Cisco ASA VPN from DMZ interface to outside interface

Hi,

Here's the scheme:

3 interfaces
Outside
Inside
DMZ (Wifi public access)


Is it possible to configure VPN for remote access for a client PC located in the DMZ to the outside interface, so it can access a server in the Inside?

If so, any example?
arnold replied:
OK, you want to have a system that is on the wifi using remote VPN to connect back in and get access ...

First, you would need to allow looping: traffic leaving the outside interface from the DMZ-connected client to come back on itself.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpnsysop.html
same-security-traffic permit intra-interface
fox54 (asker) replied:

Seems like a starting point.

So my DMZ will need the same security level as my DMZ?

Not sure for the rest
arnold replied:

The issue is commonly that the ASA is configured not to allow an outgoing connection to come back on itself, which is what you are looking to do.

dmz -> outside -> outside -> VPN handling
See example midway through the

The easiest thing: configure your wifi client with remote access VPN and try to connect while on the wifi in the DMZ zone.

Then look at using same-security-traffic permit inter-interface or intra-interface and see whether the wifi-connected user can establish the VPN connection.

Do you currently have a VPN IP pool for users connecting from outside your location?
fox54 (asker) replied:

Hi,

Found out myself how to do it. Quite simple. You just have to configure the DMZ interface to listen for IPsec traffic.
arnold replied:

Are you accepting an inbound connection? Did you not want the client on the DMZ to connect out?

You are terminating a VPN on the DMZ VLAN, through which the client is then granted access to the Inside?
fox54 (asker) replied:

Not at all. DMZ has no access to Inside but has access to the internet.

DMZ is just a subnet with only wifi access points, for internet access only. So we have the DMZ interface listen for IPsec traffic as well as the outside, so clients can connect to the VPN from the wifi in the DMZ and then have access to Inside.
arnold replied:

Is the endpoint to which your DMZ client connects an IP on the DMZ segment?

Glad it worked out for you.

Besides wifi, do you have servers/systems of yours in the DMZ, or was this just a choice for the VLAN on which wifi is set up?

The DMZ, if you are to provide wifi to your customers, could still be secure while not letting any of them access any other VLAN.
fox54 (asker) replied:

No servers. DMZ is only for public wifi internet access.

Another reply:

I think you have already sussed this, TBH. Not sure why you are using IPsec though; RA IPsec has been deprecated (for clients; it only really still exists for EZVPN).

So the modern way to do this would be with AnyConnect. You would then need to enable AnyConnect on the DMZ interface, and provide either a NAT exemption for the VPN traffic, or (what I would do, though all wifi traffic on the LAN would appear as one IP address, which you might not want; I'm just lazy) PAT overload the incoming traffic on the inside interface.
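The following is an added example, not configuration posted by anyone in the thread, showing the approach the asker and the last reply describe: the remote-access VPN (IKEv2 and AnyConnect SSL) listening on the DMZ interface as well as outside, with a NAT exemption rather than PAT. Interface names (outside/inside/dmz), the inside network 10.10.10.0/24, the server 10.10.10.5, the pool 192.0.2.0/24 and the AnyConnect package name are all constructed assumptions; ASA 8.4+ syntax is assumed, and IKEv2 policies/proposals, the trustpoint certificate and user authentication are assumed to exist already.

```cisco
! Added example, not from the thread. Constructed names and addresses:
! interfaces outside/inside/dmz, inside LAN 10.10.10.0/24 with a server
! at 10.10.10.5, VPN pool 192.0.2.0/24. IKEv2 policy/proposal, certificate
! trustpoint and AAA for users are assumed to be configured already.

! Pool handed to VPN clients, whichever interface they connect on
ip local pool RA_POOL 192.0.2.10-192.0.2.100 mask 255.255.255.0

object network INSIDE_NET
 subnet 10.10.10.0 255.255.255.0
object network RA_POOL_NET
 subnet 192.0.2.0 255.255.255.0

! Terminate the VPN on dmz as well as outside. Interface ACLs only govern
! through-the-box traffic, so the public-wifi ACL on dmz needs no change
! for IKE/IPsec (UDP 500/4500) or SSL (TCP 443) addressed to the dmz IP.
crypto ikev2 enable outside
crypto ikev2 enable dmz
webvpn
 enable outside
 enable dmz
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable

! NAT exemption: decrypted client traffic is treated as entering on the
! interface that terminates the tunnel, so exempt both outside and dmz.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static RA_POOL_NET RA_POOL_NET no-proxy-arp route-lookup
nat (inside,dmz) source static INSIDE_NET INSIDE_NET destination static RA_POOL_NET RA_POOL_NET no-proxy-arp route-lookup

! Decrypted VPN traffic bypasses interface ACLs by default
! (sysopt connection permit-vpn), so a vpn-filter limits what a
! public-wifi client can reach. Source is the client pool, destination
! the inside host.
access-list RA_VPN_FILTER extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.5 eq 443
access-list RA_VPN_FILTER extended deny ip any any

group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools value RA_POOL
 vpn-filter value RA_VPN_FILTER

tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 default-group-policy RA_GP
```

Because the tunnel terminates on the dmz interface itself, the client never goes out the outside interface and back in, so the same-security-traffic hairpin discussed earlier in the thread is not needed for this path. The vpn-filter is the check worth keeping: without it, anyone on the public wifi who obtains VPN credentials has whatever the NAT exemption allows, which here is the whole inside subnet.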
