Routing Help With DMZ Setup

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
azinnc
OpenVpn Newbie
Posts: 1
Joined: Wed Sep 26, 2018 10:31 pm

Routing Help With DMZ Setup

Post by azinnc » Thu Sep 27, 2018 1:36 am

I am trying to be compliant with our security assessor's request to place our OpenVPN server in such a way that the ingress point is in the DMZ. I am able to connect and gain access to our internal network using ACLs on a Cisco ASA, but here is the trickier part.

Our internal network at our HQ office also has a site-to-site VPN (non-OpenVPN) through the Cisco ASA to a co-location (Colo), also using a Cisco ASA. When connected to OpenVPN, I cannot access the remote Colo resources that are available to the HQ LAN.

My assumption is that there is something in the routing that needs to be configured. The OpenVPN server has a single interface (eth0) that is on the DMZ. Is there any kind of configuration in OpenVPN that will allow me to accomplish this goal?

Here is my basic setup:
HQ DMZ network is 172.16.100.0/24
OpenVPN has a static IP in the DMZ. The OpenVPN service issues addresses in 172.16.101.0/24 (also on the same DMZ interface).
HQ subnet is 10.0.0.0/24.
Cisco ASA ACLs permit OpenVPN assigned addresses into HQ LAN successfully.
Colo subnet is 10.100.0.0/24, but cannot be accessed from the OpenVPN assigned network, despite adding ACLs to allow the traffic from them.
When using a web browser to access a Colo HTTPS resource, the browser just spins and never connects to the resource. However, I can access external resources (general internet) and the specifically allowed HQ LAN resources that are defined in the Cisco ACLs - just not the Colo resources.

Has anyone had any experience doing something like this? Or is there any documentation that refutes the need to place OpenVPN in the DMZ for security compliance?
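As an added illustration that is not part of the post and not a diagnosis of azinnc's setup: a small Python model of the path a VPN-client flow takes from the OpenVPN client subnet to the Colo, using the three subnets from the post. The HQ ASA route table, the next-hop labels and the site-to-site "interesting traffic" selectors are assumptions chosen to show the two places such a flow typically fails (the tunnel selector and the return route for the client subnet).

```python
from ipaddress import ip_network, ip_address

# Subnets as stated in the post
VPN_CLIENTS = ip_network("172.16.101.0/24")  # addresses the OpenVPN server hands out
HQ_LAN = ip_network("10.0.0.0/24")
COLO_LAN = ip_network("10.100.0.0/24")
DEFAULT = ip_network("0.0.0.0/0")

# Assumed HQ ASA routing table (next hops are labels, not real addresses).
# Replies to VPN clients must be routed back to the OpenVPN server's DMZ
# address rather than out the default route.
HQ_ROUTES = {
    DEFAULT: "outside",
    HQ_LAN: "inside",
    COLO_LAN: "s2s_tunnel",
    VPN_CLIENTS: "openvpn_server_dmz_ip",
}

# Assumed site-to-site selectors on the HQ ASA as (local, remote) pairs;
# the Colo ASA is assumed to hold the mirror image of whichever list is used.
NARROW_SELECTORS = [(HQ_LAN, COLO_LAN)]
WIDE_SELECTORS = [(HQ_LAN, COLO_LAN), (VPN_CLIENTS, COLO_LAN)]

def lookup(routes, addr):
    """Longest-prefix match over {network: next_hop}; None if nothing matches."""
    hits = [n for n in routes if addr in n]
    return routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

def selected(selectors, src, dst):
    """True when some (local, remote) pair covers the src -> dst flow."""
    return any(src in local and dst in remote for local, remote in selectors)

def trace(src, dst, selectors, hq_routes=HQ_ROUTES):
    """List the reasons a src -> dst flow across the site-to-site tunnel would fail."""
    src, dst = ip_address(src), ip_address(dst)
    problems = []
    if lookup(hq_routes, dst) != "s2s_tunnel":
        problems.append(f"HQ ASA has no tunnel route for {dst}")
    if not selected(selectors, src, dst):
        problems.append(f"{src} -> {dst} matches no tunnel selector, so it is never encapsulated")
    mirrored = [(remote, local) for local, remote in selectors]
    if not selected(mirrored, dst, src):
        problems.append(f"Colo ASA mirror selector does not cover the {dst} -> {src} reply")
    if lookup(hq_routes, src) in (None, "outside"):
        problems.append(f"HQ ASA would send the reply to {src} out the default route")
    return problems
```

Running `trace("172.16.101.6", "10.100.0.20", NARROW_SELECTORS)` reports the selector problems while the same flow against `WIDE_SELECTORS` reports none, which is the kind of check worth doing on each ASA before looking at the OpenVPN side.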
