I need some help. We terminate our VPN users on an ASA firewall. Then the user is passed to the NAC via a DMZ. The trusted side of the NAC is connected to the internal network. That works just fine. The problem is when the user tries to access a server located in a DMZ on the same firewall. The internal switch routes the packet based on its routing table. The packet is routed directly to the firewall via its default route. The packet leaves the internal switch via a different connection than how it arrived in the internal network. Cisco TAC calls this asymmetrical routing and the firewall is not capable of this. I hope this makes sense.
My questions are:

1. Do any of you terminate VPNs on an ASA, and are the users able to get to servers on DMZs on the same firewall?
2. Have any of you tried policy-based routing to try to deal with this?
3. Should I have both the trusted and untrusted interfaces of the CAS in separate DMZs on the firewall, or is the current method OK?

Any help would sure be appreciated! Thanks. Lane
