ASA 5510 - VPN to DMZ with static rule?

Answered Question
Apr 9th, 2010

I have an ASA 5510 with a number of VPNs to other sites, allowing traffic to and from the inside networks.

I need to establish a VPN rule to another site, but they will have very limited access to resources on my LAN.  Because I may not be in control of the ASA on that end permanently I need to control that access on my 5510.

(the following are not my actual IPs, but I'm using them for this example)

My internal network: 10.100.1.x

My DMZ: 192.168.1.x

Other site's internal network: 172.16.1.x

I wanted to try establishing a VPN between the site and specific DMZ addresses on my side, and then allow access to internal addresses using static rules.  I decided to use a static rule to allow them (for instance) http access to one specific server:

static (inside,dmz) tcp 192.168.1.200 80 10.100.1.200 80

I need to allow traffic there:

access-list DMZ_IN permit tcp host 172.16.1.10 host 192.168.1.200 eq 80

access-group DMZ_IN in interface dmz

And of course, access-list rules that allow traffic that I can apply to the VPN:

access-list toSite permit ip host 192.168.1.200 host 172.16.1.10

And I don't want that traffic NAT'd between my DMZ and the other site:

access-list nonatDMZ permit ip host 192.168.1.200 host 172.16.1.10

nat (dmz) 0 access-list nonatDMZ

nat (dmz) 1 0.0.0.0 0.0.0.0

And, of course, corresponding rules on their ASA need to be in place, allowing traffic to 192.168.1.200, and not to NAT it.

All that is in place, but http traffic from 172.16.1.10 to 192.168.1.200 never reaches 10.100.1.200.  I know the following:

1. The VPN is configured properly.  If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.

2. Packet tracer shows me the traffic is allowed.

3. The static rule works: accessing 192.168.1.200:80 from another host on that same DMZ interface brings me to 10.100.1.200:80.

4. Running a packet sniffer on 10.100.1.200 shows that the traffic from 172.16.1.10 is not reaching it.

So I'm banging my head against the wall here.  I'm sure it's something simple that I'm missing.  Anything else I should be checking?  Should I be going about this a completely different way?

Thanks.

Correct Answer by Jennifer Halim about 6 years 7 months ago

What you are trying to achieve is not supported. You can't configure NATing between inside and dmz interfaces while your VPN connection is coming from the outside interface. The static NAT (inside,dmz) that you have configured will only work if the connection is initiated from inside towards dmz, and vice versa.

I believe what you are trying to achieve is only allowing access to 10.100.1.200 on TCP/80 for the VPN tunnel.

You should configure your option 1:

1. The VPN is configured properly.  If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.

To restrict the traffic to only TCP/80, you can configure a vpn-filter and assign it to the group-policy that you then assign to that particular tunnel-group.

Example:

access-list web-allow permit tcp host 172.16.1.10 host 10.100.1.200 eq 80

group-policy web-policy internal

group-policy web-policy attributes

     vpn-filter value web-allow

tunnel-group <tunnel-group-name> general-attributes

     default-group-policy web-policy

Here is a sample config for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope that helps.
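A small added model, not from the thread or from Cisco, of the two points in the answer: pre-8.3 static NAT is keyed on the interface pair, so traffic entering on outside through the tunnel never hits the (inside,dmz) static, while a vpn-filter ACE on the tunnel's group-policy is what restricts the peer to TCP/80 on the one host. The routing table, the Flow and StaticNat classes and the function names are my constructions; the addresses are the placeholder ones from the question.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed routing table: connected nets, remote site reached via the tunnel on "outside".
ROUTES = {ip_network("10.100.1.0/24"): "inside",
          ip_network("192.168.1.0/24"): "dmz",
          ip_network("172.16.1.0/24"): "outside"}
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class StaticNat:  # static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int

STATIC = StaticNat("inside", "dmz", "192.168.1.200", 80, "10.100.1.200", 80)

def egress_interface(ip):
    addr = ip_address(ip)
    return next(ifc for net, ifc in ROUTES.items() if addr in net)

def forward(flow, ingress, statics=(STATIC,)):
    """(egress_ifc, dst_ip, dst_port) for a packet entering on `ingress`: a pre-8.3 static
    is consulted only for packets entering on its mapped interface; anything else is routed."""
    for s in statics:
        if ingress == s.mapped_ifc and (flow.dst, flow.dport) == (s.mapped_ip, s.mapped_port):
            return s.real_ifc, s.real_ip, s.real_port
    return egress_interface(flow.dst), flow.dst, flow.dport

def parse_ace(line):
    # "permit tcp host A host B eq N" form from the answer; in a vpn-filter the
    # source is the remote (tunnel) side and the destination is the local side.
    action, _proto, _h1, src, _h2, dst, _eq, port = line.split()
    return action, src, dst, int(port)

def vpn_filter_permits(acl_lines, flow):
    """First matching ACE decides; no match means the ACL's implicit deny."""
    for line in acl_lines:
        action, src, dst, port = parse_ace(line)
        if (flow.src, flow.dst, flow.dport) == (src, dst, port):
            return action == "permit"
    return False
WEB_ALLOW = ["permit tcp host 172.16.1.10 host 10.100.1.200 eq 80"]
```

The first two `forward` calls in the test reproduce the thread: from a DMZ host the static untranslates to 10.100.1.200, from the tunnel the same destination is simply routed to dmz untouched.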


RHITCHCOCK Mon, 04/12/2010 - 13:39

I tested with some rules and it looks like that will work perfectly, thank you!
