How many times has someone wanted to access the DMZ (or some other network other than "inside") from the VPN? Why didn’t it work? Did you figure it out?
Well, the problem stems from NAT. The ASA/PIX translates the decrypted VPN packets just like any other traffic crossing between interfaces, and once the addresses have been rewritten they no longer match the crypto access-list (the encryption domain you agreed with the peer), so the DMZ's replies never make it back into the tunnel. This is not IPSec refusing to work with NAT in general (NAT-T handles the encrypted packets themselves); it is the inner addresses being changed after decryption. So, how do you get around it? You tell the ASA/PIX not to NAT your VPN traffic, which it calls NAT exemption: a nat 0 statement with an access-list.
Let’s assume I have two networks: (inside) 10.10.10.0/24 and (dmz) 172.16.1.0/24 and let’s also assume that the VPN is being attached to the inside interface.
Create an access-list to match the VPN Traffic to the DMZ:
access-list DMZnoNAT permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
Now, apply the access-list to a NAT statement on the interface named 'dmz' with ID 0, which means "do not translate". Note the direction of the access-list: the source is the network behind the interface named in the nat statement (the DMZ), and the destination is the VPN-side network. NAT exemption matches both directions, so this also covers the DMZ's replies and connections that the DMZ initiates toward the VPN network.
nat (dmz) 0 access-list DMZnoNAT
Done! You should now be able to pass VPN traffic from 10.10.10.0 to the DMZ on 172.16.1.0, because we are no longer NAT'ing the traffic, and IPSec is happy again! Two things to check if it still fails: make sure the addresses in the access-list are the ones the VPN actually uses (if your remote-access clients get a separate address pool, that pool is what belongs in the ACL, not the inside subnet), and remember that ASA 8.3 and later removed nat 0 access-list entirely; on those releases the same exemption is written as an identity twice-NAT rule.
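Here is the whole thing in one place, as an added example rather than a configuration taken from the original post. It uses the post's addressing (inside 10.10.10.0/24, dmz 172.16.1.0/24, VPN traffic carrying 10.10.10.0/24 addresses) and goes a step beyond the post in two ways: it also exempts the inside side of the path, and it shows the ASA 8.3+ equivalent. The access-list name insideNoNAT, the object names DMZ-NET and VPN-NET, and the host addresses in the packet-tracer line are assumptions made up for the example.

```cisco
! Assumed topology (from the post): inside = 10.10.10.0/24, dmz = 172.16.1.0/24.
! The VPN-side addresses are assumed to be 10.10.10.0/24 as in the post;
! if your clients get a separate address pool, substitute that pool below.

! --- PIX 6.x / ASA 7.0-8.2: NAT exemption with "nat 0 access-list" ---
! Source of the ACL = the network behind the interface named in the nat statement.
access-list DMZnoNAT permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list DMZnoNAT

! Exempt the inside side as well, so decrypted VPN traffic entering "inside"
! is not caught by a broader nat (inside) rule on its way to the DMZ.
! Only strictly required when nat-control is enabled (always on PIX 6.x);
! harmless otherwise. Name "insideNoNAT" is assumed for this example.
access-list insideNoNAT permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list insideNoNAT

! --- ASA 8.3 and later: identity twice NAT replaces "nat 0 access-list" ---
! Object names are assumed for this example.
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0
object network VPN-NET
 subnet 10.10.10.0 255.255.255.0
! Real and mapped objects are identical, so addresses pass through unchanged;
! static twice NAT is bidirectional, so the DMZ-initiated direction is covered too.
nat (dmz,inside) source static DMZ-NET DMZ-NET destination static VPN-NET VPN-NET

! Verify on ASA 7.2+ (assumed hosts): the NAT phase should show the
! exemption / identity rule being hit and the packet should be allowed.
packet-tracer input dmz tcp 172.16.1.10 1025 10.10.10.20 443
```

If packet-tracer shows a different nat rule matching in the NAT phase, that rule sits above the exemption; on pre-8.3 code nat 0 access-list always wins over other nat statements, but on 8.3+ manual NAT rules are evaluated in order, so put the identity rule before any dynamic rule that could match the same traffic.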