VPN client connects to ASA but not DMZ's or Internet

whiteford
Level 1

Hi, I have a Cisco 5520. I have managed to use the Cisco VPN Client to connect to the Outside interface and communicate with the servers on the LAN. My VPN pool is 192.168.8.x/24 and I simply added a rule on the Outside:

source = 192.168.8.x/24 destination = any

protocol = ip

then a rule on the Inside:

source = any destination = 192.168.8.x/24

protocol = ip

Now I just need to work out how to get to the Internet and to the DMZ I have on this ASA.

The Internet is reached through the ASA's Outside interface, and the DMZ is on a gigabit port on the ASA.

Let me know what info you need.

Thanks

Accepted Solution

Internet-

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1 192.168.8.0 255.255.255.0

DMZ Access-

access-list dmz_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0

nat (dmz) 0 access-list dmz_nat0_outbound


14 Replies

husycisco
Level 7

Hi Andy

Please attach your running-config.

Do you want your VPN clients to connect internet via VPN tunnel over ASA or you want them to connect internet via their local gateway and utilize the local bandwidth instead main office's?

Regards

Hi there, I'll get the config over when I get it; however, it's huge. Do you need just part of it?

And yes their internet traffic has to go over the tunnel to the ASA.


Andy,

You can exclude the outside_access_in and inside_access_in access-lists, exclude object groups and names. Also use attach file feature and upload your config as a txt file.

Regards

Here it is, let me know if I've cut too much out and I'll paste back what you need.

Add:

access-list DMZ2_nat0_outbound extended permit ip any 192.168.8.0 255.255.255.0

access-list DMZ_inbound_nat0_acl outside extended permit ip any 192.168.8.0 255.255.255.0

access-list DMZ4_outbound_nat0_acl outside extended permit ip any 192.168.8.0 255.255.255.0

same-security-traffic permit intra-interface

nat (outside) 1 192.168.8.0 255.255.255.0

I will try this tomorrow. For my understanding, what does "same-security-traffic permit intra-interface" do?

Also, could "nat (outside) 1 192.168.8.0 255.255.255.0" be "nat (VPN_Client) 1 192.168.8.0 255.255.255.0" so I know what it is, or does it have to be outside?

same-security-traffic permit intra-interface allows traffic to enter and exit the same interface. Since you want your vpn clients to access the internet via the outside interface of the ASA, this traffic will be bouncing off the outside interface.

No, it must be...

nat (outside) 1 192.168.8.0 255.255.255.0

Thanks for your informative replies, they are a great help. I'm going to try this today. What does the 1 mean in "nat (outside) 1 192.168.8.0 255.255.255.0"?

Hi, I get this error:

ASA(config)# nat (outside) 1 192.168.8.0 255.255.255.0

WARNING: Binding inside nat statement to outermost interface.

WARNING: Keyword "outside" is probably missing.

ASA(config)#

The "1" ties the statement to the "1" in your global (outside) 1 interface command.

The message you are getting is just a warning, it's not an error, and you do not need the outside keyword. Should work fine.

Hi, it's not working yet, but I realised I didn't add:

same-security-traffic permit intra-interface

global (outside) 1 interface

Only:

nat (outside) 1 192.168.8.0 255.255.255.0

Do I need the other 2 lines?

Yes you need both of those.

Damn, you're good, that fixed it all!

I tried similar stuff through the ASDM, but couldn't find the "same-security-traffic permit intra-interface" option.

global (outside) 1 interface was already on the ASA

Also, is "access-list dmz_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 / nat (dmz) 0 access-list dmz_nat0_outbound" basically an exempt rule?
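The following is an added example by the editor, not configuration posted by anyone in this thread, pulling together the accepted solution (hairpinning VPN-client Internet traffic out the Outside interface) and the closing question about whether nat 0 is an exempt rule (it is: "nat 0 access-list" is NAT exemption, i.e. identity NAT for the flows the ACL matches). It uses the pre-8.3 ASA NAT syntax the thread uses, and the inside subnet 192.168.1.0/24, the DMZ subnet 192.168.9.0/24, the client address 192.168.8.10 and the DMZ host 192.168.9.5 are all assumed values chosen for illustration; only the VPN pool 192.168.8.0/24 comes from the thread. Two caveats a practitioner should keep in mind: "same-security-traffic permit intra-interface" is a global command, so it permits u-turn traffic on every interface, not just Outside; and because "sysopt connection permit-vpn" is on by default, decrypted VPN traffic bypasses the interface ACLs, so the "permit ip 192.168.8.0/24 any" entry on Outside is not what admits the clients and is broader than it needs to be. The nat 0 ACLs below are scoped to the real subnets rather than "any" for the same reason.

```cisco
! Added example (editor's, not from the thread). Pre-8.3 ASA NAT syntax.
! Assumed addressing: inside 192.168.1.0/24, dmz 192.168.9.0/24 (hypothetical),
! VPN pool 192.168.8.0/24 (from the thread). Interface names are assumed.

! 1. Internet for VPN clients with all traffic tunnelled (no split tunnel).
!    Decrypted client packets arrive on outside and must leave via outside,
!    so the u-turn on one interface has to be allowed. Global command: it
!    also allows u-turns on inside and dmz.
same-security-traffic permit intra-interface

! PAT the pool behind the outside interface address. The "1" on the nat line
! binds it to the "global (outside) 1" pool. The "Binding inside nat statement
! to outermost interface" message on entry is a warning only.
global (outside) 1 interface
nat (outside) 1 192.168.8.0 255.255.255.0

! 2. NAT exemption (identity NAT) so LAN and DMZ hosts talk to the pool
!    untranslated. Source is the local subnet, destination is the pool.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

access-list dmz_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

! 3. Verification from enable mode (assumed client 192.168.8.10, DMZ host 192.168.9.5).
!    The first packet-tracer should show the nat phase translating to the outside
!    address; the second should show the nat-exempt phase and no translation.
show run nat
show run global
show xlate | include 192.168.8.
packet-tracer input outside icmp 192.168.8.10 8 0 8.8.8.8
packet-tracer input outside icmp 192.168.8.10 8 0 192.168.9.5
```

If the hairpin still fails after these lines, check with "show run same-security-traffic" that the intra-interface line actually took, and with "show xlate" that the client's flows are being PATed to the outside address; a missing xlate usually means the nat/global pair does not share the same ID.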
