VPN connections to DMZ resources

Answered Question
Feb 20th, 2009
User Badges:

I have an ASA 5510 that has a DMZ configured on it (192.168.0.0/24). The DMZ works fine except VPN users cannot hit any of the websites that run in the DMZ. My DMZ users connect through the Outside interface and are assigned a DHCP address from the pool (192.168.211.1-192.168.211.254).


Have the following ACE in my access-list attached to the outside interface to allow traffic from the VPN subnet to the DMZ interface since it is a higher security level:


access-list outside line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=300)


When I connect to VPN and try to hit a website in the DMZ I see the hitcount increment but I still get nothing. What am I missing?

Correct Answer by acomiskey about 8 years 5 months ago

Missing nat exemption.


access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ) 0 access-list dmznat0


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
colonha27 Fri, 02/20/2009 - 07:56
User Badges:

Good morning:


You have to include your DMZ addressing in the traffic to encrypt in VPN configuration. This if you have the split-tunneling feature.


Cordially.

Correct Answer
acomiskey Fri, 02/20/2009 - 07:57
User Badges:
  • Green, 3000 points or more

Missing nat exemption.


access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ) 0 access-list dmznat0


qbakies11 Fri, 02/20/2009 - 08:12
User Badges:

That worked! Thank you!


Can you provide a quick 'dummies' explanation of why I needed that? Also, do I need the ACE entry I listed in my first post?

acomiskey Fri, 02/20/2009 - 08:16
User Badges:
  • Green, 3000 points or more

It wouldn't need to be there if you were hitting the webserver on a public ip address that was nat'd in the firewall, but since you are hitting the private dmz address, you need to exclude the traffic from nat.


You most likely do not need that access list entry because ipsec vpn traffic typically bypasses these acl's. To make sure, see if you have 'sysopt connection permit-ipsec or sysopt connection permit-vpn' in your configuration.

qbakies11 Fri, 02/20/2009 - 11:04
User Badges:

I spoke too soon. While that did allow my VPN users to get to websites in the DMZ it killed their access to resources on the LAN. After I connected to the VPN I opened NSLOOKUP and it was unable to resolve to the internal DNS servers I have specified. It was pushing everything out the split tunnel using the DNS server of the ISP for the Internet connection. That was why they were able to get to the DMZ websites, they were using the split-tunneling and surfing through the ISP instead of hitting the DMZ directly through the VPN tunnel.

acomiskey Fri, 02/20/2009 - 11:07
User Badges:
  • Green, 3000 points or more

Is there a question in there? If you post the config I'm sure we can clear it up.

acomiskey Fri, 02/20/2009 - 11:15
User Badges:
  • Green, 3000 points or more

What's not working with that config?

qbakies11 Fri, 02/20/2009 - 11:18
User Badges:

My VPN users cannot access and websites that are running in the DMZ1. They can access resources that are on the INSIDE. They need to be able to do both.

acomiskey Fri, 02/20/2009 - 11:21
User Badges:
  • Green, 3000 points or more

This should still fix your problem and should not break the access to the inside.


access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ1) 0 access-list dmznat0

qbakies11 Fri, 02/20/2009 - 11:22
User Badges:

As soon as I do that my VPN users lose the ability to access resources on the INSIDE.

acomiskey Fri, 02/20/2009 - 11:25
User Badges:
  • Green, 3000 points or more

And you're doing "nat (DMZ1) access-list natdmz0" right? NOT "nat (inside) access-list natdmz0"?


Otherwise that doesn't make sense why it's doing that.

qbakies11 Fri, 02/20/2009 - 11:29
User Badges:

Yes, after I did that my SH RUN NAT looked like this:


nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (DMZ1) 0 access-list dmznat0


After I discovered the issue with not being able to hit inside resources I removed the NAT statement but it did fix the issue. I had to restart the ASA to clear it.

acomiskey Fri, 02/20/2009 - 11:33
User Badges:
  • Green, 3000 points or more

Well, hopefully someone else can chime in here..it shouldn't be doing that.

qbakies11 Wed, 03/04/2009 - 06:22
User Badges:

Just to close this case...I opened a TAC case and they stated that I needed to put in the same DMZNAT0 statement that you recommended. I told them about the issue it caused and it baffled them. So I went ahead and re-added the statements into the config during off hours and it worked fine. I don't know what happened the first time that caused the problems but it is working now. Thank you for the help. For clarification this is what I ended up adding:


access-list DMZNAT0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ1) 0 access-list DMZNAT0

Actions

This Discussion