ASA 5510 VPN and DMZ issue

Answered Question
May 1st, 2007

I have an ASA 5510 with 3 interfaces, External, Internal, and DMZ. I have configured a mail server in the DMZ and I can get to it from the external interface and from the internal interface.

External access is a simple NAT:

static (outside,dmz) 192.168.200.25 XX.YY.ZZ.52 netmask 255.255.255.255
static (dmz,outside) XX.YY.ZZ.52 192.168.200.25 netmask 255.255.255.255

Internal access is similar:

static (dmz,inside) 192.168.100.21 192.168.200.25 netmask 255.255.255.255
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

So users on the internal LAN see the mail server as 192.168.100.21, and they can connect just fine.

The problem I have is that when VPN users connect with their 10.10.10.0 address, they cannot connect to 192.168.100.21, and the internal DNS points them to that rather than to the XX.YY.ZZ.52 address on the outside.

How can I get the VPN users to connect?

acomiskey Tue, 05/01/2007 - 09:45

You need to add the DMZ traffic to your interesting traffic in your crypto ACL and also add NAT exemption on the DMZ.

access-list permit ip host 192.168.200.25 10.10.10.0 255.255.255.0
access-list dmz_nat0_outbound permit ip host 192.168.200.25 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

Please rate if it helps.

Edit: I just noticed you are doing destination NAT on the inside interface. Why are you resolving to 192.168.100.21 as opposed to 200.21? If you were resolving to 200.21 then the above statements would work.

jdehnert Tue, 05/01/2007 - 09:59

The internal hosts can't connect to 192.168.200.25 directly now. I probably don't have things set up for that properly, but that's because I'm using an inherited system, and I'm hardly an expert on the 5500.

So, would the proper path be to configure VPN and internal users to connect to 192.168.200.25?

acomiskey Tue, 05/01/2007 - 10:04

Yes, then you can get rid of the destination NAT on the inside interface.

remove: static (dmz,inside) 192.168.100.21 192.168.200.25 netmask 255.255.255.255

The next statement will allow communication to the DMZ's 200. address from inside 100. addresses (which you already have, but it won't work when combined with the above destination NAT statement).

keep: static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Then add the above config for the VPN clients.

jdehnert Tue, 05/01/2007 - 10:48

OK, I can get to 192.168.200.25 from 192.168.100.X now, but I'm not sure which ACL I need to use. Here is what's in place (try not to laugh; I'd clean it up, but I'm not sure what the last person was trying to accomplish):

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 72.245.21.51 eq smtp
access-list outside_access_in remark Mail Submission
access-list outside_access_in extended permit tcp any host 72.245.21.51 eq 587
access-list outside_access_in remark Mail Services TCP
access-list outside_access_in extended permit tcp any host 72.245.21.52 object-group MailServices
access-list outside_access_in extended permit ip host 192.168.200.25 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit tcp interface inside host 192.168.200.25 object-group MailServices
access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.21 object-group MailServices
access-list 99 standard permit 192.168.100.0 255.255.255.0
access-list 99 standard permit 192.168.200.0 255.255.255.0
access-list dmz_access_in extended permit udp host 192.168.200.25 object-group DNS_ref_1 eq domain
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group DNS_ref_1 eq domain
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group LDAP_SERVERS eq ldap
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group LDAP_SERVERS eq ldaps
access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip host 192.168.200.25 10.10.10.0 255.255.255.0
global (outside) 200 interface
global (inside) 202 72.245.21.52
global (dmz) 203 192.168.200.25 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 192.168.100.1 255.255.255.255
nat (inside) 200 192.168.100.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) tcp interface smtp 192.168.100.20 smtp netmask 255.255.255.255
static (inside,outside) 72.245.21.51 srns2.centellax.com netmask 255.255.255.255
static (outside,dmz) 192.168.200.25 72.245.21.52 netmask 255.255.255.255
static (dmz,outside) 72.245.21.52 192.168.200.25 netmask 255.255.255.255
static (inside,dmz) 192.168.200.50 srns1.centellax.com netmask 255.255.255.255
static (inside,dmz) 192.168.200.51 srns2.centellax.com netmask 255.255.255.255
static (dmz,dmz) 72.245.21.52 192.168.200.25 netmask 255.255.255.255
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (outside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz

acomiskey Tue, 05/01/2007 - 11:17

Are you referring to the crypto ACL I mentioned? If so, I can't tell from the above. Could you post a "show run crypto"?

For future reference, always remove public ip addresses from your posts for your own security.

Edit: it's very possible that the VPN part was already configured; it just wasn't working because it was resolving to the inside address. You seem to have already had this statement:

access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0

which leads me to believe it was set up at one time. But let's see the show run crypto first.

jdehnert Tue, 05/01/2007 - 11:25

I usually do pull external IPs, but I spaced it since I'm multitasking here ATM.

Here is the crypto output:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000

jdehnert Tue, 05/01/2007 - 11:36

Yes, they can get to 192.168.100 without any problems. No joy for 192.168.200 yet.

acomiskey Tue, 05/01/2007 - 11:47

You should have to specify interesting traffic. I'm surprised you don't have something like:

access-list outside_cryptomap_dyn_20 extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

I assume access-list 99 is for split tunnel?

jdehnert Tue, 05/01/2007 - 11:56

Crypto map wise, I have what was there before me. The 99 is for split tunnel.

Should I add those lines? FYI, I am NOT at the site, so if there is a possibility of breaking what is running there now, I don't want to do that.

Correct Answer
acomiskey Tue, 05/01/2007 - 12:07

Of course I will tell you not to, as I don't want you to lock yourself out. If anything would break, it would only be the VPN. Take a look at this similar post. Notice the similar ACLs which define interesting traffic to be tunneled. I assume you have disconnected from the VPN and reconnected? Maybe a clear xlate. Try getting a log when you are trying to access the DMZ server. Also, if you are trying to access the DMZ server by FQDN instead of IP, make sure it is resolving to the 200. address.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddd325c

jdehnert Tue, 05/01/2007 - 12:28

I have disconnected and reconnected. Same behavior so far. I'm using the FQDN to access the mail server, and it is resolving to 192.168.200.25.

I have been pawing through the access lists; here is what I have trimmed down to:

access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit tcp any host XX.YY.21.51 eq smtp
access-list outside_access_in extended permit tcp any host XX.YY.21.51 eq 587
access-list outside_access_in extended permit tcp any host XX.YY.21.52 object-group MailServices
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_access_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.200.25 object-group MailServices
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit icmp 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_in extended permit tcp any host 192.168.200.25 object-group MailServices
access-list 99 standard permit 192.168.100.0 255.255.255.0
access-list 99 standard permit 192.168.200.0 255.255.255.0
access-list dmz_access_in extended permit udp host 192.168.200.25 object-group DNS_ref_1 eq domain
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group DNS_ref_1 eq domain
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group LDAP_SERVERS eq ldap
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group LDAP_SERVERS eq ldaps
access-list dmz_access_in extended permit icmp 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0

I also added:

nat (dmz) 0 access-list inside_nat0_outbound

Then BINGO! I'm in!

HUGE thanks for the help. Support was always the best when I was at Cisco, and it still seems to be.

acomiskey Tue, 05/01/2007 - 12:30

Ha, and I don't even work for Cisco.

Also, the last nat (dmz) 0 you added will work, but it is misleading (because of the name of the ACL: 192.168.200.x will never be a source address as inside_nat0_outbound would make you believe).

It works because there is a corresponding ACL entry,

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0

which is the same as if you did this:

nat (dmz) 0 access-list dmz_nat0_outbound
access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0

which I had posted before. It should have worked, and I would change it for future reference; it's just a little cleaner. Glad it worked out. Enjoy!
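To make the point above concrete, here is a small Python model (added here, not code from the thread or from Cisco) of how the ASA consults a NAT-exemption ACL: only the entries that carry the referenced name are evaluated, so `nat (dmz) 0 access-list inside_nat0_outbound` exempts 192.168.200.x to 10.10.10.x exactly as `dmz_nat0_outbound` would. The ACL lines are the ones posted in the thread; the parser handles only `any`, `host`, and network/mask address specs and skips remarks, standard ACLs, and object-group entries.

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: the nat 0 ACL lines as they appear in the thread above.
NAT0_ACLS = """
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip host 192.168.200.25 10.10.10.0 255.255.255.0
"""

@dataclass
class Ace:
    acl: str        # name of the ACL this entry belongs to
    action: str     # permit / deny
    proto: str      # ip / tcp / udp / icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    Returns None for specs this toy parser does not model (object-group, interface)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok in ("object-group", "interface"):
        tokens.pop(0)
        return None
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Parse extended ACEs from 'access-list NAME extended ...' lines; remarks and
    standard ACLs are skipped, trailing port qualifiers ('eq smtp') are ignored."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        rest = t[5:]
        src, dst = _addr(rest), _addr(rest)
        if src is not None and dst is not None:
            aces.append(Ace(t[1], t[3], t[4], src, dst))
    return aces

def nat_exempt(aces, acl_name, src_ip, dst_ip):
    """True if 'nat (iface) 0 access-list <acl_name>' would exempt src -> dst.
    Only entries carrying that name are consulted; the name itself means nothing."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(a.acl == acl_name and a.action == "permit" and s in a.src and d in a.dst
               for a in aces)
```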

jdehnert Tue, 05/01/2007 - 12:32

Looks like Compass Network Services, LLC will be giving Cisco a run for its money then.

tarandeep Fri, 05/11/2007 - 07:26

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
