Unable to access an outside server connected through a VPN tunnel at DMZ interface

Unanswered Question

Hi,

I have to access an outside server connected through a third-party VPN tunnel at the DMZ interface on my ASA 5520. At the same time, the outside secure server should be able to access two servers on my inside network as well. I have configured the Cisco ASA 5200, and the outside server is able to access the inside servers, but inside users are not able to access the outside server.

Inside Network--Third Party Firewall-----ASA 5520---Outside Network

                                                              l----DMZ-----Third Party VPN---Outside Server

Please find below the output captured through packet-tracer:

fx1(config)# packet-tracer input inside tcp 192.168.206.168 135 10.10.1.2 135

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.0.0.0       Inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
  match ip Inside any Inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 6, untranslate_hits = 0
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

But if I allow the NAT exemption using the following commands, then I'm able to access the outside server, but the outside server is not able to access the servers kept on my inside network.

fx1(config)# access-list NATEX extended permit ip 200.1.1.0 255.255.255.0 192.168.104.0 255.255.255.0
fx1(config)# access-list NATEX extended permit ip 200.1.1.0 255.255.255.0 192.168.206.0 255.255.254.0
fx1(config)# nat (Inside) 0 access-list NATEX

Please find below the output captured through packet-tracer:

fx1(config)# packet-tracer input dmz tcp 192.168.206.168 1100 192.168.104.150 1100

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,DMZ) BOS-SAW-TRANS-IP-priext BOS-SAW-TRANS-IP-priint netmask 255.
255.255.255
  match ip Inside host BOS-SAW-TRANS-IP-priint DMZ any
    static translation to BOS-SAW-TRANS-IP-priext
    translate_hits = 77, untranslate_hits = 13678
Additional Information:
NAT divert to egress interface Inside
Untranslate BOS-SAW-TRANS-IP-priext/0 to BOS-SAW-TRANS-IP-priint/0 using netmask
255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ-access-in in interface DMZ
access-list DMZ-access-in extended permit tcp host PRI-enSBSAA host BOS-SAW-TRAN
S-IP-priext object-group enSBSStcpPorts
object-group service enSBSStcpPorts tcp
description: enSBSStcpPorts
port-object range 9100 9105
port-object eq 1100
port-object eq 1106
port-object eq echo
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: DROP
Config:
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

fx1(config)#

Attached, please find the config for ASA 5520.

I would appreciate it if someone could lend a helping hand to resolve the above problem.

Thanks
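Added example, not part of the post or of any Cisco tooling: a small Python parser for ASA packet-tracer output that splits the trace into phases, keeps the matched NAT/ACL config lines, and reports the first phase whose Result is DROP together with the final Drop-reason. It is run here over an abridged copy of the second trace above (assumed representative of the ASA output format).

```python
# Abridged copy of the second packet-tracer run quoted in the post above;
# constructed test input, not a new capture.
SAMPLE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,DMZ) BOS-SAW-TRANS-IP-priext BOS-SAW-TRANS-IP-priint netmask 255.255.255.255
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: DROP
Config:
Additional Information:

Result:
input-interface: DMZ
output-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def analyze_trace(text):
    """Parse packet-tracer output into per-phase dicts, the trailing Result:
    summary, and the first DROP phase (None if every phase allowed the flow)."""
    phases, summary, cur, block = [], {}, None, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Phase":                                # new phase header
            cur = {"phase": int(val), "config": []}
            phases.append(cur)
            block = None
        elif key == "Result" and not val:                 # bare "Result:" opens the summary
            cur = None
        elif cur is not None:
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = val
            elif key in ("Config", "Additional Information"):
                block = key
            elif line.strip() and block == "Config":      # matched NAT/ACL lines
                cur["config"].append(line.strip())
        elif ":" in line:                                 # summary lines after "Result:"
            summary[key] = val
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop is not None:
        drop = dict(drop, drop_reason=summary.get("Drop-reason"))
    return {"phases": phases, "summary": summary, "drop": drop}
```

On the abridged trace this reports phase 6, type NAT-EXEMPT, subtype rpf-check as the dropping phase, which is the reverse-path check on the DMZ-side exemption rather than an interface ACL, despite the generic acl-drop reason string.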
