[c-nsp] ASA VPN <-> DMZ

Jay Nakamura zeusdadog at gmail.com
Thu Jun 7 09:29:11 EDT 2012


So, the setup is, the ASA has an inside and a DMZ interface, the DMZ being a
lower security level than the inside interface for obvious reasons.
From the ASA, an L2L IPSec tunnel goes to another location, where the crypto map
ACL covers the IP subnets of both the inside and the DMZ interface.

As far as I know, this automatically lets the remote VPN site
communicate with inside and DMZ hosts, and inside/DMZ hosts can
communicate with the remote VPN site without any firewalling.

Is there any way to let the remote VPN site initiate traffic to the DMZ but
not let the DMZ initiate traffic to the remote VPN?  I know I can apply a
"VPN filter" to the L2L tunnel, but that's not stateful inspection.

Thanks!
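As an added illustration (not from the original post or from Cisco), the setup described above in ASA configuration syntax, including the vpn-filter the poster mentions; all interface names, subnets, object names and the peer address are constructed placeholders.

```cisco
! Inside (level 100) and DMZ (lower level) interfaces, as described in the post
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Crypto map ACL covering BOTH the inside and DMZ subnets
! (constructed remote site subnet: 192.168.50.0/24, peer 203.0.113.10)
access-list L2L_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto ikev1 enable outside
crypto ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! "sysopt connection permit-vpn" is on by default: decrypted tunnel traffic
! bypasses the interface ACLs, which is why both subnets and the remote site
! reach each other with no filtering at all.
!
! The vpn-filter from the post. For an L2L tunnel it is written with the
! REMOTE network as source and the LOCAL network as destination, and the ASA
! consults the same ACL for traffic in both directions. It therefore cannot
! express "remote may initiate to DMZ, DMZ may not initiate to remote";
! that is the "not stateful" limitation the poster refers to.
access-list VPN_FILTER extended permit ip 192.168.50.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list VPN_FILTER extended permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-filter value VPN_FILTER
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_GP
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK
```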

