cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
992
Views
0
Helpful
15
Replies

VPN connections to DMZ resources

qbakies11
Level 1
Level 1

I have an ASA 5510 that has a DMZ configured on it (192.168.0.0/24). The DMZ works fine except VPN users cannot hit any of the websites that run in the DMZ. My DMZ users connect through the Outside interface and are assigned a DHCP address from the pool (192.168.211.1-192.168.211.254).

Have the following ACE in my access-list attached to the outside interface to allow traffic from the VPN subnet to the DMZ interface since it is a higher security level:

access-list outside line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=300)

When I connect to VPN and try to hit a website in the DMZ I see the hitcount increment but I still get nothing. What am I missing?

1 Accepted Solution

Accepted Solutions

acomiskey
Level 10
Level 10

Missing nat exemption.

access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ) 0 access-list dmznat0

View solution in original post

15 Replies 15

colonha27
Level 1
Level 1

Good morning:

You have to include your DMZ addressing in the traffic to encrypt in VPN configuration. This if you have the split-tunneling feature.

Cordially.

acomiskey
Level 10
Level 10

Missing nat exemption.

access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ) 0 access-list dmznat0

That worked! Thank you!

Can you provide a quick 'dummies' explanation of why I needed that? Also, do I need the ACE entry I listed in my first post?

It wouldn't need to be there if you were hitting the webserver on a public ip address that was nat'd in the firewall, but since you are hitting the private dmz address, you need to exclude the traffic from nat.

You most likely do not need that access list entry because ipsec vpn traffic typically bypasses these acl's. To make sure, see if you have 'sysopt connection permit-ipsec or sysopt connection permit-vpn' in your configuration.

I spoke too soon. While that did allow my VPN users to get to websites in the DMZ it killed their access to resources on the LAN. After I connected to the VPN I opened NSLOOKUP and it was unable to resolve to the internal DNS servers I have specified. It was pushing everything out the split tunnel using the DNS server of the ISP for the Internet connection. That was why they were able to get to the DMZ websites, they were using the split-tunneling and surfing through the ISP instead of hitting the DMZ directly through the VPN tunnel.

Is there a question in there? If you post the config I'm sure we can clear it up.

Sorry, config is attached.

What's not working with that config?

My VPN users cannot access and websites that are running in the DMZ1. They can access resources that are on the INSIDE. They need to be able to do both.

This should still fix your problem and should not break the access to the inside.

access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ1) 0 access-list dmznat0

As soon as I do that my VPN users lose the ability to access resources on the INSIDE.

And you're doing "nat (DMZ1) access-list natdmz0" right? NOT "nat (inside) access-list natdmz0"?

Otherwise that doesn't make sense why it's doing that.

Yes, after I did that my SH RUN NAT looked like this:

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (DMZ1) 0 access-list dmznat0

After I discovered the issue with not being able to hit inside resources I removed the NAT statement but it did fix the issue. I had to restart the ASA to clear it.

Well, hopefully someone else can chime in here..it shouldn't be doing that.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: