I have an ASA 5510 that has a DMZ configured on it (192.168.0.0/24). The DMZ works fine except VPN users cannot hit any of the websites that run in the DMZ. My DMZ users connect through the Outside interface and are assigned a DHCP address from the pool (192.168.211.1-192.168.211.254).
Have the following ACE in my access-list attached to the outside interface to allow traffic from the VPN subnet to the DMZ interface since it is a higher security level:
access-list outside line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=300)
When I connect to VPN and try to hit a website in the DMZ I see the hitcount increment but I still get nothing. What am I missing?
Solved! Go to Solution.
You have to include your DMZ addressing in the traffic to encrypt in VPN configuration. This if you have the split-tunneling feature.
That worked! Thank you!
Can you provide a quick 'dummies' explanation of why I needed that? Also, do I need the ACE entry I listed in my first post?
It wouldn't need to be there if you were hitting the webserver on a public ip address that was nat'd in the firewall, but since you are hitting the private dmz address, you need to exclude the traffic from nat.
You most likely do not need that access list entry because ipsec vpn traffic typically bypasses these acl's. To make sure, see if you have 'sysopt connection permit-ipsec or sysopt connection permit-vpn' in your configuration.
I spoke too soon. While that did allow my VPN users to get to websites in the DMZ it killed their access to resources on the LAN. After I connected to the VPN I opened NSLOOKUP and it was unable to resolve to the internal DNS servers I have specified. It was pushing everything out the split tunnel using the DNS server of the ISP for the Internet connection. That was why they were able to get to the DMZ websites, they were using the split-tunneling and surfing through the ISP instead of hitting the DMZ directly through the VPN tunnel.
My VPN users cannot access and websites that are running in the DMZ1. They can access resources that are on the INSIDE. They need to be able to do both.
This should still fix your problem and should not break the access to the inside.
access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0
nat (DMZ1) 0 access-list dmznat0
And you're doing "nat (DMZ1) access-list natdmz0" right? NOT "nat (inside) access-list natdmz0"?
Otherwise that doesn't make sense why it's doing that.
Yes, after I did that my SH RUN NAT looked like this:
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ1) 0 access-list dmznat0
After I discovered the issue with not being able to hit inside resources I removed the NAT statement but it did fix the issue. I had to restart the ASA to clear it.
Just to close this case...I opened a TAC case and they stated that I needed to put in the same DMZNAT0 statement that you recommended. I told them about the issue it caused and it baffled them. So I went ahead and re-added the statements into the config during off hours and it worked fine. I don't know what happened the first time that caused the problems but it is working now. Thank you for the help. For clarification this is what I ended up adding:
access-list DMZNAT0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0
nat (DMZ1) 0 access-list DMZNAT0