Cluster VPN and Certificate Wildcard

Hello

I'm going to set up a VPN cluster with three boxes of ASA and I wonder if anyone has any experience using a certificate with wildcards with this type of installation.

I'm done with the installation and everything works fine, but as shows my initial installation (and the doc I've read), the client connects first to:

cluster.Domaine.com

The captain, then returns the address or the domain name complete (I use fqdn) of the asa less busy in the cluster:

vpn01.domain.com

or

vpn02.domain.com

or

vpn03.domain.com

So I would need 4 certificates to meet my needs. The cluster.domaine.com certificate must also be present on all 3 boxes, because the cluster ip address is configured on all the boxes, and the role of the master is off if one of the boxes fails.

For this reason I thought it would be a good idea to use 1 wildcard certificate (*. doman.com) on all boxes and avoid the hassle.

No experience or recommendations?

ARO

/ K

I agree, I would like to you that since my deployment.

Tags: Cisco Security

Similar Questions

  • ASA (v9.1) VPN from Site to Site with IKEv2 and certificates CEP/NDE MS

    Hi all

    I am currently a problem with VPN Site to Site with IKEv2 and certifiactes as an authentication method.

    Here is the configuration:

    We have three locations with an any to any layer 2 connection. I created each ASA (ASA5510 worm 9.1) to establish one VPN of Site connection to the other for the other two places. Setting this up with pre shared keys and certificates that are signed by the CA MS administrator manually work correctly.

    But when we try to enroll these certificates through the Protocol, CEP/NDE his does not work.

    Here are my steps:

    1 configure the CA Turstpoint to apply to the certification authority

    2. request that the CA through the SCEP protocol works fine

    3. set up a Trustpoint and a pair of keys for the S2S - VPN connection

    4. registration form identity certificate CA via the SCEP Protocol with a one time password works fine

    5. set the trustpoint created as for the S2S - VPN IKEv2 authentication method.

    Now I did it also for the other site of the VPN Tunnel. But when I ping on a host that is on a different location to make appear the Tunnel VPN - the VPN session is not established. In the debugs I see that there are a few problems during authentication of the remote peer.

    On the MS that I see that the certifactes of identity for both ASAs are communicated and not revoked or pending state. The certificate based on the model of the "IPSec (Offline).

    When the CA-Admin and a certificate me manually based on a copy of the model of "Domaincontroller" connection is successfully established.

    So I would like to know which is the correct certificate for IP-Sec peers template to use for the Protocol, CEP and MS Enterprise CA (its server 2008R2 of Microsoft Enterprise)?

    Anyone done this before?

    ASA requires that the local and Remote certificate contains EKU IP Security Tunnel Endpoint (1.3.6.1.5.5.7.3.6) (aka IP Security Tunnel termination). You can create a Microsoft CA model to add.

    If you absolutely must go with the 'bad' cert, there is a command

    ignore-ipsec-keyusage

    but it is obsolete and not recommended.

    Meanwhile at the IETF:

    RFC 4809

    3.1.6.3 extended Key use

    Extended Key Usage (EKU) indications are not required.  The presence
    

    or lack of an EKU MUST NOT cause an implementation to fail an IKE
    

    connection.

  • Ignore CSR for installing Certificate wildcard in IDRAC6

    Hello

    I want to install the wildcard for IDRAC6 certificate. We manage more than 200 DELL servers.

    So get CSR and publish each possess the certificate makes no sense.

    Does anyone know how to ignore CSR and install Certificate wildcard for IDRAC6?

    Command line or GUI, both make me happy.

    Maybe in the case of OMSA will be appreciated.

    Thank you.

    Best solution.  I was able to download a certificate wildcard on 8 of our PE R710, R715 and R815 machines.  They are all iDRAC6.

    The key is to increase the key length before you download the wildcard certificate.

    Copy of key SSL and CRT (thus intermediate.crt files if necessary) files Linux host that has access to the RACADM utility

    Intermediate.CRT and concat your.crt

    Cat your.crt intermediate.crt > combo.crt

    VI the combi.crt and make sure that there is a hard return between the two certificiates.

    -CERTIFICATE OF END-
    -BEGIN CERTIFICATE-

    Increase the size of the key to modern SSL certificates

    racadm - r 192.168.rac.addr u root Pei yourPass config g cfgRacSecurity o cfgRacSecCsrKeySize 2048

    Download your private key

    racadm - r 192.168.rac.addr u root Pei yourPass sslkeyupload t 1 f your.key

    Download the certificate of Combo

    racadm - r 192.168.rac.addr u root Pei yourPass sslcertupload t 1 f combo.crt

    This will cause a restart of the iDRAC.  It will take about 5 minutes to complete

    Once done... *. example.NET certificate works

    Jim

  • Replication failover PIX VPN (CEP) certificate

    Hello

    Had a pair of PIX 525 on 6.3 (4) version running in active/failover mode, I recently configured VPN authenticated by certificates, which involved the use of PRACTICE in order to get the certificate to the PIX. Certificates have been imported for the PIX from a snap-in with the software component CEP Protocol Windows CA server by following the instructions described here: http://www.ciscosystems.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html#wp1007263 .

    It all works very well, the configuration has been saved, certificates registered cases using "ca save all", everything works well except the certificates that have been imported have not been replicated for the PIX failover - the command 'Show the ca certificate', shows not all certs.

    Private keys show 'sh ca mypubkey rsa' are the same on both devices.

    I'm not able to find any documentation about how certificates must be replicated on the PIX failover, and it is not possible to write certificates again on the PIX failover using the commands they were initially imported by:

    PIX - fw # conf t
    WARNING *.
    Configuration of replication is NOT performed the unit from standby to Active unit.
    Configurations are no longer synchronized.

    PIX - FW (config) auth ca ca
    WARNING *.
    Configuration of replication is NOT performed the unit from standby to Active unit.
    Configurations are no longer synchronized.

    Everyone knows a similar issue or how to get the PIX failover with the new ca certificates?

    Kind regards

    Sarunas

    Hello Sarunas

    PIX 6 indeed do not synchronize keys and certificates automatically.

    However, you should be able to do this first, forcing a failover (i.e. secondary image make it active), then register (now active) high school with the certification authority.

    HTH

    Herbert

  • HP20002D19WM came with no software (cyberlink) key and certificates of authenticity for windows

    I just bought the HP20002D19WM, which came with no software (cyberlink) key and certificates of authenticity for windows. I can't use any program cyberlink with a key number to enter. Also if I would give for somereason I wonder in my number of windows I would not be able to since I have ever trevieved it

    This is the original factory specifications for your laptop HP 2000-2d19WM. All Cyberlink OEM software should work without key, because it is not mandatory for the installed OEM mass products. Regarding the Windows product key, see Activation of Windows 8 product;

    • OEM Activation 3.0 (OA3) at the factory. A digital product key (DPK) is encrypted and installed on the motherboard BIOS during the manufacturing process. Windows 8 will be ignited automatically the first time that the computer is connected to the Internet. With systems activated by OA3, most of the computer's hardware can be replaced without the need to reactivate the software from Microsoft.

  • Blocking of the internal services of VPN and Proxy

    Hello

    I have some users with Windows 7 and MAC laptops inside my network domestic who is protected by the R7000.

    I'd like know if its possible to block sessions VPN and Proxy, initiated from these internal, to communicate with Internet computers.

    Thank you

    Try VPN Service to block.

  • RVL200 - SSL VPN and firewall rules

    Forgive my ignorance, but I have been immersed in the configuration of this device RVL200 to allow Remoting SSL VPN to a customer site, sight unseen.  I have the basics of the VPN set up in config, but now move the firewall rules.  We want to block all internal devices to access the Internet, but I don't want to cripple the remote clients that will be borrowed by blocking their return via the SSL VPN traffic.  This leads to my questions:

    (1) a rule of DENIAL of coverage for all traffic OUTBOUND will prevent the primary function of the VPN (to allow the administration away from machines on the local network)?

    (2) if the answer to #1 is 'Yes', what ports/services do I need to open the side LAN?

    (3) building # 2, configuring authorized outbound rules apply only for VPN clients, rather than all the hosts on LAN?

    (4) as the default INCOMING traffic rule is to REFUSE EVERYTHING, do I have to create a rule to allow the VPN tunnel, or guess that in the configuration of the router?

    Here are some other details:

    • The LAN behind the RVL200 is also isolated LAN in a manufacturing environment
    • All hosts on this network have a static IP address on a single subnet.
    • The RVL200 has been configured with a static, public IP on the WAN/INTERNET side.
    • DHCP has been disabled on the RVL200
    • Authentication to the device will use a local database.
    • There is no such thing as no DNS server on the local network
    • The device upstream of the RVL200 is a modem using PPPoE DSL, and the device has been configured for this setting.
    • Several database of local users accounts were created to facilitate the SSL VPN access.

    I worked with other aspects of it for a long time, but limited experience with VPN and the associated firewall rules and zero with this family of aircraft.  Any help will be greatly appreciated.

    aponikikay, there is no port forwarding necessary to the function of the RVL200 SSL - VPN.

    Topic 1. That is not proven. It shouldn't do. The router should automatically make sure that the SSL - VPN router service is functional and accessible.

    Re 2. No transfer necessary. In addition, never before TCP/UDP port 47 or 50 for VPN functions. The TCP 1723 port is used for PPTP. UDP 500 is used for ISAKMP. You usually also to transmit TCP/UDP 4500 port for IPSec encapsulation.

    Let's not port 47. ERM is an IP protocol that is used for virtual private networks. It is a TCP or UDP protocol. GRE has 47 IP protocol number. It has nothing to do with TCP or UDP port 47. TCP and UDP are completely different protocols of free WILL.

    It goes the same for 50: ESP is the payload for IPSec tunnels. ESP is the Protocol IP 50. It has nothing to do with TCP or UDP port 50.

    'Transfer' of the GRE is configured with PPTP passthrough option.

    'Transfer' of the ESP is configured with IPSec passthrough option.

  • Connect to VPN and then log on to the domain by using different credentials.

    I have a laptop user who will take care of various remote sites.

    In XP, you had to first use DUN/VPN and then you can log in the field with different credentials that the VPN end point.

    With Vista if I use the method user to switch on the logon screen and the log in the VPN it also attempts to use these credentials for the domain.  The VPN device has its own separate authentication of the AD.  How to restore the loss of functionality that Vista has?

    I have to first connect to the VPN appliance and authenticate to that I do the network connection.  Then, I need vista to propose real logon to the computer or to the domain.

    I appreciate the help.

    Computers in discontinuous bench

    Hi StapleBench,

    The question you have posted is related to the VPN and domain environment is better suited in the TECHNET forums, and as I see that you already post your query in the TECHNET forum in the following link:

    http://social.technet.Microsoft.com/forums/en-us/itprovistanetworking/thread/f8579344-07f1-4855-8599-e55a0430c5f8

    I suggest you wait for a response on the TECHNET itself thread.

    Halima S - Microsoft technical support.

    Visit our Microsoft answers feedback Forum and let us know what you think.

  • site2site distance-VPN and access-PIX - no way?

    I have,

    I have a problem wrt site2site & VPN remote access on a PIX:

    My setup is as follows: PIX (6.3) puts an end to two a site2-site VPN and also should the remote access service clients using the client VPN Cisco (4.0.x).

    The problem is with remote access VPN clients, obtain an IP address on their VPN interface, but customers cannot reach anything. (Please note that the site2site VPN runs without problem)

    To be precise (see config-excerpts below):

    The customer, who has 212.138.109.20 as its IP address gets an IP 10.0.100.1 on his card-VPN which comes from the "vpnpool of the pool.

    configured on the PIX. This customer relationships to reach servers on interface 'inside' of the PIX as 10.0.1.28.

    However, the client cannot achieve * nothing *-a server on the inside or anything like that (e.g. Internet) outside!

    Using Ethereal traces, I discovered that the packets arrive inside interface coming 10.0.100.1 (IP address of the)

    VPN - client). I also see the response from the server (10.0.1.28) to 10.0.100.1. However for some reason any package does not thanks to

    the PIX to the customer. PIX-newspapers also show packets to and from the VPN client to the inside interface - and * no. * drops. So to my knowledge the packets from server to the VPN client really should be done through the PIX.

    I have attached the following as separate files:

    (o) the parts of the PIX config

    (o) packets showing PIX-log between the VPN client and the server (s) on the interface inside

    (o) ethereal-trace done inside the watch interface also packets between VPN client and server (s)

    I have really scratched my head for a while on this one, tested a lot of things, but I really don't know what could be a problem with my

    config.

    After all, it really should be possible to run site2site - and on the same PIX VPN remote access, shouldn't it?

    Thank you very much in advance for your help,.

    -ewald

    I think that your problem is in your ACL and your crypto card:

    access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

    access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0

    access-list 101 permit ip 10.0.3.0 255.255.255.0 10.0.2.0 255.255.255.0

    access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.100.0 255.255.255.0

    correspondence address 1 card crypto loc2rem 101

    This means that this map correspond to these addresses. But your dynamic map is one that must match 10.0.100.0, 10.0.1.0 traffic because your pool local ip is 10.0.100.x. I think what is happening is that the return traffic from the lan to vpn clients trying to get out of the static tunnel, which probably does not exist (for the netblocks - you probably have a security association for each pair of netblocks, but not for vpn clients) and so do not.

    I would recommend adding these lines:

    access-list 105 allow ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

    access-list 105 allow ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0

    access-list 105 permit 10.0.3.0 ip 255.255.255.0 10.0.2.0 255.255.255.0

    no correspondence address 1 card crypto loc2rem 101

    correspondence address 1 card crypto loc2rem 105

    Then reapply:

    loc2rem interface card crypto outside

  • Question of VPNS and router

    Hello

    I currently have a RV042G in my company.  It works fine, but I was looking for a solution that would allow me to use VPN so that I can tunnel inside and then again connect to the internet via the tunnel.  I want to have a way secure to connect to internet from my laptop while I am travelling and prefer to build my own VPN and do it myself.

    If I understand correctly, the RV042G does not allow this and it only access to the local network via the tunnel. What would be the next router allowing him to fill this purpose?

    Thank you!

    Hi rodman

    These devices work fine, you can also use third-party software not only software from Cisco to use the VPN features. On subscriptions, IAPH supports more special features such link Protect and IP addresses and you can have and buy a subscription in order to add these features to your device, however, if Don t you want what they you don t have to buy.

    Cisco provide one of the best support, it has plenty of support, it is possible via chat, email or telephone, it also provide assistance free of charge for the users of this forum if you don t buy a warranty

    I hope you find this answer useful,

    * Please answer question mark or note the fact other users can benefit from the TI *.

    Greetings,

    Johnnatan Rodriguez Miranda.

    Support of Cisco network engineer.

  • AnyConnect VPN and LAN access

    When remote users to connect to the Cisco ASA VPN and authenticate with Cisco AnyConnect client, they then full access to the environment internal of LAN of business as if they were sitting at their desks in the Office of the Corporation.

    Right?

    After that the remote client authenticates to the AnyConnect VPN, it is sensible to then run remote users of traffic through the corporate firewall (outside to inside) before allowing LAN access full corporate?

    Remote_User - vpn - ANYCONNECT-(outside) (inside) firewall - CORP_LAN

    Thank you

    Frank

    Hello

    Yes, by default, all traffic will be sent through the tunnel.

    If there are users VPN shouldn't be able to reach the resources, you need to establish rules for access to it. The best way to do this is by using VPN filter.

  • Mac, VM XP Pro, Cisco VPN and printing.

    I have an end-user running a Mac with a virtual XP Pro Machine that connects to our VPN corperate machine. This part works fine. Problems happen when he tries to print to a network printer. The job is just until it disconnects from the VPN and then it prints very well. No one knows what to do to fix this? I have little or no knowledge of MAC.

    Kind regards

    Dan

    This could be the reason why printing does not work. To print traffic really vpn tunnel as split tunnel is not configured.

  • AnyConnect vpn and a tunnel vpn Firewall even outside of the interface.

    I have a (no connection) remote access vpn and ipsec tunnel connection to return to our supplier is on the same firewall outside interface.

    The problem is when users remote vpn in they are not able to ping or join the provider above the tunnel network.

    now, I understand that this is a Bobby pin hair or u turn due to traffic but I'm still not able to understand how the remote vpn users can reach the network of the provider on the tunnel that ends on the same interface where remote access vpn is also configured.

    The firewall is asa 5510 worm 9.1

    Any suggestions please.

    Hello

    You are on the right track. Turning U will be required to allow vpn clients access to resources in the L2L VPN tunnel.

    The essence is that the split tunneling to access list must include subnets of the remote VPN to peer once the user connects they have directions pertaining to remote resources on anyconnect VPN

    Please go through this post and it will guide you how to set up the u turn on the SAA.
    https://supportforums.Cisco.com/document/52701/u-turninghairpinning-ASA

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/100918-ASA-sslvpn-00.html

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • remote VPN and vpn site to site vpn remote users unable to access the local network

    As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config

    The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.

    ASA Version 8.2 (2)
    !
    host name
    domain kunchevrolet
    activate r8xwsBuKsSP7kABz encrypted password
    r8xwsBuKsSP7kABz encrypted passwd
    names of
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    PPPoE client vpdn group dataone
    IP address pppoe
    !
    interface Ethernet0/1
    nameif inside
    security-level 50
    IP 192.168.215.2 255.255.255.0
    !
    interface Ethernet0/2
    nameif Internet
    security-level 0
    IP address dhcp setroute
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    Shutdown
    No nameif
    no level of security
    no ip address
    management only
    !
    passive FTP mode
    clock timezone IST 5 30
    DNS server-group DefaultDNS
    domain kunchevrolet
    permit same-security-traffic intra-interface
    object-group network GM-DC-VPN-Gateway
    object-group, net-LAN
    access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
    192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
    tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    MTU 1500 Internet
    IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
    ICMP unreachable rate-limit 1 burst-size 1
    enable ASDM history
    ARP timeout 14400
    NAT-control
    Global 1 interface (outside)
    NAT (inside) 1 0.0.0.0 0.0.0.0
    Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    the ssh LOCAL console AAA authentication
    AAA authentication LOCAL telnet console
    AAA authentication http LOCAL console
    AAA authentication enable LOCAL console
    LOCAL AAA authentication serial console
    Enable http server
    x.x.x.x 255.255.255.252 out http
    http 192.168.215.0 255.255.255.252 inside
    http 192.168.215.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto-map dynamic dynmap 65500 transform-set RIGHT
    card crypto 10 VPN ipsec-isakmp dynamic dynmap
    card crypto VPN outside interface
    card crypto 10 ASA-01 set peer 221.135.138.130
    card crypto 10 ASA - 01 the transform-set RIGHT value
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 65535
    preshared authentication
    the Encryption
    sha hash
    Group 2
    lifetime 28800
    Telnet 192.168.215.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 5
    Console timeout 0
    management-access inside
    VPDN group dataone request dialout pppoe
    VPDN group dataone localname bb4027654187_scdrid
    VPDN group dataone ppp authentication chap
    VPDN username bb4027654187_scdrid password * local store
    interface for identifying DHCP-client Internet customer
    dhcpd dns 218.248.255.141 218.248.245.1
    !
    dhcpd address 192.168.215.11 - 192.168.215.254 inside
    dhcpd allow inside
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    Des-sha1 encryption SSL
    WebVPN
    allow outside
    tunnel-group-list activate
    internal kun group policy
    kun group policy attributes
    VPN - connections 8
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    Split-tunnel-network-list value split tunnel
    kunchevrolet value by default-field
    test P4ttSyrm33SV8TYp encrypted password username
    username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
    username kunauto attributes
    Strategy Group-VPN-kun
    Protocol-tunnel-VPN IPSec
    tunnel-group vpngroup type remote access
    tunnel-group vpngroup General attributes
    address pool VPN_Users
    Group Policy - by default-kun
    tunnel-group vpngroup webvpn-attributes
    the vpngroup group alias activation
    vpngroup group tunnel ipsec-attributes
    pre-shared key *.
    type tunnel-group test remote access
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group ipsec-attributes x.x.x.x
    pre-shared key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    Review the ip options
    inspect the netbios
    inspect the rsh
    inspect the rtsp
    inspect the skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect the sip
    inspect xdmcp
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
    : end
    kunauto #.

    Hello

    Looking at the configuration, there is an access list this nat exemption: -.

    192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0

    But it is not applied in the States of nat.

    Send the following command to the nat exemption to apply: -.

    NAT (inside) 0 access-list sheep

    Kind regards

    Dinesh Moudgil

    P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community

  • VPN and DMZ problem

    I have an ASA 5510 with active VPN for remote access service. Users can log in and access inside resources without problem. the question is the servers in the DMZ, as the web server, they cannot access. Is there an easy way to allow access for users of VPN and?

    Thank you

    That will allow you to reach your dmz servers. For example if the demilitarized zone is 192.168.1.0, you can press their DMZ address 192.168.1.x etc. servers.

    Your other option is to use split tunneling, which would allow you to access the servers through their public ip addresses that are translated in the SAA.

Maybe you are looking for