05-01-2007 09:12 AM - edited 02-21-2020 01:30 AM
I have an ASA 5510 with 3 interfaces: External, Internal, and DMZ. I have configured a mail server in the DMZ and I can get to it from the external interface and from the internal interface.
External access is a simple NAT...
static (outside,dmz) 192.168.200.25 XX.YY.ZZ.52 netmask 255.255.255.255
static (dmz,outside) XX.YY.ZZ.52 192.168.200.25 netmask 255.255.255.255
Internal access is similar...
static (dmz,inside) 192.168.100.21 192.168.200.25 netmask 255.255.255.255
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
so users on the internal lan see the mail server as 192.168.100.21, and they can connect just fine.
The problem I have is that when VPN users connect with their 10.10.10.0 address, they cannot connect to 192.168.100.21, and the internal DNS points them to that rather than to the XX.YY.ZZ.52 address on the outside.
How can I get the VPN users to connect?
05-01-2007 09:45 AM
You need to add the dmz traffic to your interesting traffic in your crypto acl and also add nat exemption on dmz.
access-list
access-list dmz_nat0_outbound permit ip host 192.168.200.25 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
please rate if it helps
edit: I just noticed you are doing destination nat on inside interface. Why are you resolving to 192.168.100.21 as opposed to 200.21? If you were resolving to 200.21 then the above statements would work.
05-01-2007 09:59 AM
The internal hosts can't connect to 192.168.200.25 directly now. I probably don't have things set up for that properly, but that's because I'm using an inherited system, and I'm hardly an expert on the 5500.
So, would the proper path be to configure VPN and internal users to connect to 192.168.200.25?
05-01-2007 10:04 AM
Yes, then you can get rid of the Destination NAT on the inside interface
remove: static (dmz,inside) 192.168.100.21 192.168.200.25 netmask 255.255.255.255
The next statement will allow communication to DMZ with 200. address from inside 100. addresses. (which you already have but it won't work when combined with above destination nat statement)
keep: static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
Then add above config for vpn clients.
05-01-2007 10:48 AM
OK, I can get to 192.168.200.25 from 192.168.100.X now, but I'm not sure which ACL I need to use. Here is what's in place (try not to laugh; I'd clean it up, but I'm not sure what the last person was trying to accomplish):
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 72.245.21.51 eq smtp
access-list outside_access_in remark Mail Submission
access-list outside_access_in extended permit tcp any host 72.245.21.51 eq 587
access-list outside_access_in remark Mail Services TCP
access-list outside_access_in extended permit tcp any host 72.245.21.52 object-group MailServices
access-list outside_access_in extended permit ip host 192.168.200.25 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit tcp interface inside host 192.168.200.25 object-group MailServices
access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.21 object-group MailServices
access-list 99 standard permit 192.168.100.0 255.255.255.0
access-list 99 standard permit 192.168.200.0 255.255.255.0
access-list dmz_access_in extended permit udp host 192.168.200.25 object-group DNS_ref_1 eq domain
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group DNS_ref_1 eq domain
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group LDAP_SERVERS eq ldap
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group LDAP_SERVERS eq ldaps
access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip host 192.168.200.25 10.10.10.0 255.255.255.0
global (outside) 200 interface
global (inside) 202 72.245.21.52
global (dmz) 203 192.168.200.25 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 192.168.100.1 255.255.255.255
nat (inside) 200 192.168.100.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) tcp interface smtp 192.168.100.20 smtp netmask 255.255.255.255
static (inside,outside) 72.245.21.51 srns2.centellax.com netmask 255.255.255.255
static (outside,dmz) 192.168.200.25 72.245.21.52 netmask 255.255.255.255
static (dmz,outside) 72.245.21.52 192.168.200.25 netmask 255.255.255.255
static (inside,dmz) 192.168.200.50 srns1.centellax.com netmask 255.255.255.255
static (inside,dmz) 192.168.200.51 srns2.centellax.com netmask 255.255.255.255
static (dmz,dmz) 72.245.21.52 192.168.200.25 netmask 255.255.255.255
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (outside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
05-01-2007 11:17 AM
Are you referring to the crypto ACL I mentioned? If so, I can't tell from the above. Could you post a "show run crypto"?
For future reference, always remove public ip addresses from your posts for your own security.
edit: it's very possible that the VPN part was already configured, it just wasn't working because it was resolving to the inside address. You seem to have already had this statement
access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
which leads me to believe it was set up at one time. But let's see the show run crypto first.
05-01-2007 11:25 AM
I usually do pull external IPs, but I spaced it since I'm multitasking here ATM.
Here is the crypto output...
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
05-01-2007 11:29 AM
Can vpn users hit the inside?
05-01-2007 11:36 AM
Yes, they can get to 192.168.100 without any problems. No joy for 192.168.200 yet.
05-01-2007 11:47 AM
You should have to specify interesting traffic. I'm surprised you don't have something like...
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
I assume access-list 99 is for split tunnel?
05-01-2007 11:56 AM
Crypto-map wise, I have what was there before me. The 99 is for split tunnel.
Should I add those lines? FYI, I am NOT at the site, so if there is a possibility of breaking what is running there now, I don't want to do that.
05-01-2007 12:07 PM
Of course I will tell you not to as I don't want you to lock yourself out. If anything would break, it would only be the VPN. Take a look at this similar post. Notice the similar ACLs which define interesting traffic to be tunneled. I assume you have disconnected from the VPN and reconnected? Maybe a clear xlate. Try getting a log when you are trying to access the DMZ server. Also, if you are trying to access the DMZ server by FQDN instead of IP, make sure it is resolving to the 200. address.
05-01-2007 12:28 PM
I have disconnected and reconnected. Same behavior so far. I'm using the FQDN to access the mail server, and it is resolving to 192.168.200.25.
I have been pawing through the access lists, here is what I have trimmed down to...
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit tcp any host XX.YY.21.51 eq smtp
access-list outside_access_in extended permit tcp any host XX.YY.21.51 eq 587
access-list outside_access_in extended permit tcp any host XX.YY.21.52 object-group MailServices
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_access_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.200.25 object-group MailServices
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit icmp 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_in extended permit tcp any host 192.168.200.25 object-group MailServices
access-list 99 standard permit 192.168.100.0 255.255.255.0
access-list 99 standard permit 192.168.200.0 255.255.255.0
access-list dmz_access_in extended permit udp host 192.168.200.25 object-group DNS_ref_1 eq domain
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group DNS_ref_1 eq domain
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group LDAP_SERVERS eq ldap
access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group LDAP_SERVERS eq ldaps
access-list dmz_access_in extended permit icmp 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
I also added...
nat (dmz) 0 access-list inside_nat0_outbound
then BINGO! I'm in!
HUGE thanks for the help. Support was always the best when I was at Cisco, and it still seems to be.
05-01-2007 12:30 PM
Ha, and I don't even work for Cisco.
Also, the last nat (dmz) 0 you added will work, but it is misleading (because of the name of the ACL, 192.168.200.x will never be a source address as inside_nat0_outbound would make you believe).
It works because there is a corresponding acl
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
that is the same as if you did this.
nat (dmz) 0 access-list dmz_nat0_outbound
access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
which I had posted before. It should have worked and I would change it for future reference, it's just a little cleaner. Glad it worked out. Enjoy!
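To make the NAT-exemption rule above (and the earlier `nat (dmz) 0 access-list dmz_nat0_outbound` suggestion) concrete, here is an added example that is not from the thread or from Cisco: a small Python model of how a `nat (iface) 0 access-list` binding matches a flow, run over a constructed excerpt of the thread's own config (old pre-8.3 NAT syntax). It also checks split-tunnel ACL 99, since the DMZ subnet must be in it for VPN clients to send 192.168.200.x traffic into the tunnel at all.

```python
import ipaddress
import re

# Constructed excerpt in the thread's ASA 7.x NAT syntax: the inside exemption
# that already existed, split-tunnel ACL 99, and (for "after") the dmz exemption
# proposed in the answer. Names and addresses are the thread's own.
CONFIG_BEFORE = """
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 99 standard permit 192.168.100.0 255.255.255.0
access-list 99 standard permit 192.168.200.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
CONFIG_AFTER = CONFIG_BEFORE + """
access-list dmz_nat0_outbound extended permit ip host 192.168.200.25 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
"""

def _operand(tokens):
    """Consume one ACL address operand: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    """Return ({acl: [(src, dst)]}, {iface: acl}) for permit-ip ACEs and nat 0 bindings."""
    acls, nat0 = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and "permit" in t:
            body = t[t.index("permit") + 1:]
            if t[2] == "standard":            # standard ACL: a single source operand
                acls.setdefault(t[1], []).append((_operand(body)[0], None))
            elif body[0] == "ip":             # extended permit ip SRC DST
                src, rest = _operand(body[1:])
                acls.setdefault(t[1], []).append((src, _operand(rest)[0]))
        m = re.match(r"nat \((\w+)\) 0 access-list (\S+)", line)
        if m:
            nat0[m.group(1)] = m.group(2)
    return acls, nat0

def nat_exempt(config, iface, src, dst):
    """True if the nat 0 ACL bound to iface matches src -> dst (no xlate is built)."""
    acls, nat0 = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acls.get(nat0.get(iface, ""), []))

def split_tunnel_includes(config, acl, dst):
    """True if standard ACL `acl` (the split-tunnel list) sends dst through the tunnel."""
    acls, _ = parse(config)
    return any(ipaddress.ip_address(dst) in sn for sn, _ in acls.get(acl, []))
```

Before the fix, return traffic from 192.168.200.25 to the 10.10.10.0 pool on the dmz interface has no exemption and gets translated; after it, the flow is exempt, which is the "BINGO" moment in the thread.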
05-01-2007 12:32 PM
Looks like Compass Network Services, LLC will be giving Cisco a run for its money then.