VPN connections to DMZ resources

Answered Question
Feb 20th, 2009

I have an ASA 5510 that has a DMZ configured on it (192.168.0.0/24). The DMZ works fine except VPN users cannot hit any of the websites that run in the DMZ. My DMZ users connect through the Outside interface and are assigned a DHCP address from the pool (192.168.211.1-192.168.211.254).

Have the following ACE in my access-list attached to the outside interface to allow traffic from the VPN subnet to the DMZ interface since it is a higher security level:

access-list outside line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=300)

When I connect to VPN and try to hit a website in the DMZ I see the hitcount increment but I still get nothing. What am I missing?

I have this problem too.
0 votes
Correct Answer by acomiskey about 7 years 9 months ago

Missing nat exemption.

access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ) 0 access-list dmznat0

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
colonha27 Fri, 02/20/2009 - 07:56

Good morning:

You have to include your DMZ addressing in the traffic to encrypt in VPN configuration. This if you have the split-tunneling feature.

Cordially.

Correct Answer
acomiskey Fri, 02/20/2009 - 07:57

Missing nat exemption.

access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ) 0 access-list dmznat0

qbakies11 Fri, 02/20/2009 - 08:12

That worked! Thank you!

Can you provide a quick 'dummies' explanation of why I needed that? Also, do I need the ACE entry I listed in my first post?

acomiskey Fri, 02/20/2009 - 08:16

It wouldn't need to be there if you were hitting the webserver on a public ip address that was nat'd in the firewall, but since you are hitting the private dmz address, you need to exclude the traffic from nat.

You most likely do not need that access list entry because ipsec vpn traffic typically bypasses these acl's. To make sure, see if you have 'sysopt connection permit-ipsec or sysopt connection permit-vpn' in your configuration.

qbakies11 Fri, 02/20/2009 - 11:04

I spoke too soon. While that did allow my VPN users to get to websites in the DMZ it killed their access to resources on the LAN. After I connected to the VPN I opened NSLOOKUP and it was unable to resolve to the internal DNS servers I have specified. It was pushing everything out the split tunnel using the DNS server of the ISP for the Internet connection. That was why they were able to get to the DMZ websites, they were using the split-tunneling and surfing through the ISP instead of hitting the DMZ directly through the VPN tunnel.

acomiskey Fri, 02/20/2009 - 11:07

Is there a question in there? If you post the config I'm sure we can clear it up.

qbakies11 Fri, 02/20/2009 - 11:18

My VPN users cannot access and websites that are running in the DMZ1. They can access resources that are on the INSIDE. They need to be able to do both.

acomiskey Fri, 02/20/2009 - 11:21

This should still fix your problem and should not break the access to the inside.

access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ1) 0 access-list dmznat0

qbakies11 Fri, 02/20/2009 - 11:22

As soon as I do that my VPN users lose the ability to access resources on the INSIDE.

acomiskey Fri, 02/20/2009 - 11:25

And you're doing "nat (DMZ1) access-list natdmz0" right? NOT "nat (inside) access-list natdmz0"?

Otherwise that doesn't make sense why it's doing that.

qbakies11 Fri, 02/20/2009 - 11:29

Yes, after I did that my SH RUN NAT looked like this:

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (DMZ1) 0 access-list dmznat0

After I discovered the issue with not being able to hit inside resources I removed the NAT statement but it did fix the issue. I had to restart the ASA to clear it.

acomiskey Fri, 02/20/2009 - 11:33

Well, hopefully someone else can chime in here..it shouldn't be doing that.

qbakies11 Wed, 03/04/2009 - 06:22

Just to close this case...I opened a TAC case and they stated that I needed to put in the same DMZNAT0 statement that you recommended. I told them about the issue it caused and it baffled them. So I went ahead and re-added the statements into the config during off hours and it worked fine. I don't know what happened the first time that caused the problems but it is working now. Thank you for the help. For clarification this is what I ended up adding:

access-list DMZNAT0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ1) 0 access-list DMZNAT0

Actions

This Discussion