Cisco Support Community

New Member

ASA 5510 VPN and DMZ issue

I have an ASA 5510 with 3 interfaces, External, Internal, and DMZ. I have configured a mail server in the DMZ and I can get to it from the external interface and from the internal interface.

External access is a simple NAT...

static (outside,dmz) 192.168.200.25 XX.YY.ZZ.52 netmask 255.255.255.255

static (dmz,outside) XX.YY.ZZ.52 192.168.200.25 netmask 255.255.255.255

Internal access is similar...

static (dmz,inside) 192.168.100.21 192.168.200.25 netmask 255.255.255.255

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

so users on the internal lan see the mail server as 192.168.100.21, and they can connect just fine.

The problem I have is that when VPN users connect with their 10.10.10.0 address, they cannot connect to 192.168.100.21, and the internal DNS points them to that rather than to the XX.YY.ZZ.52 address on the outside.

How can I get the VPN users to connect?

1 ACCEPTED SOLUTION

Green

Re: ASA 5510 VPN and DMZ issue

Of course I will tell you not to, as I don't want you to lock yourself out. If anything would break, it would only be the VPN. Take a look at this similar post. Notice the similar ACLs which define interesting traffic to be tunneled. I assume you have disconnected from the VPN and reconnected? Maybe a clear xlate. Try getting a log when you are trying to access the DMZ server. Also, if you are trying to access the DMZ server by FQDN instead of IP, make sure it is resolving to the 200. address.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddd325c

15 REPLIES
Green

Re: ASA 5510 VPN and DMZ issue

You need to add the DMZ traffic to your interesting traffic in your crypto ACL and also add NAT exemption on the DMZ.

access-list permit ip host 192.168.200.25 10.10.10.0 255.255.255.0

access-list dmz_nat0_outbound permit ip host 192.168.200.25 10.10.10.0 255.255.255.0

nat (dmz) 0 access-list dmz_nat0_outbound

Please rate if it helps.

Edit: I just noticed you are doing destination NAT on the inside interface. Why are you resolving to 192.168.100.21 as opposed to 200.21? If you were resolving to 200.21 then the above statements would work.

New Member

Re: ASA 5510 VPN and DMZ issue

The internal hosts can't connect to 192.168.200.25 directly now. I probably don't have things set up for that properly, but that's because I'm using an inherited system, and I'm hardly an expert on the 5500.

So, would the proper path be to configure VPN and internal users to connect to 192.168.200.25?

Green

Re: ASA 5510 VPN and DMZ issue

Yes, then you can get rid of the destination NAT on the inside interface.

remove: static (dmz,inside) 192.168.100.21 192.168.200.25 netmask 255.255.255.255

The next statement will allow communication to the DMZ 200. address from inside 100. addresses (which you already have, but it won't work when combined with the above destination NAT statement).

keep: static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Then add the above config for VPN clients.

New Member

Re: ASA 5510 VPN and DMZ issue

OK, I can get to 192.168.200.25 from 192.168.100.X now, but I'm not sure which ACL I need to use. Here is what's in place (try not to laugh; I'd clean it up, but I'm not sure what the last person was trying to accomplish).

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in extended permit tcp any host 72.245.21.51 eq smtp

access-list outside_access_in remark Mail Submission

access-list outside_access_in extended permit tcp any host 72.245.21.51 eq 587

access-list outside_access_in remark Mail Services TCP

access-list outside_access_in extended permit tcp any host 72.245.21.52 object-group MailServices

access-list outside_access_in extended permit ip host 192.168.200.25 10.10.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit icmp 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list inside_access_in extended permit tcp interface inside host 192.168.200.25 object-group MailServices

access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.21 object-group MailServices

access-list 99 standard permit 192.168.100.0 255.255.255.0

access-list 99 standard permit 192.168.200.0 255.255.255.0

access-list dmz_access_in extended permit udp host 192.168.200.25 object-group DNS_ref_1 eq domain

access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group DNS_ref_1 eq domain

access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group LDAP_SERVERS eq ldap

access-list dmz_access_in extended permit tcp host 192.168.200.25 object-group LDAP_SERVERS eq ldaps

access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list dmz_nat0_outbound extended permit ip host 192.168.200.25 10.10.10.0 255.255.255.0

global (outside) 200 interface

global (inside) 202 72.245.21.52

global (dmz) 203 192.168.200.25 netmask 255.255.255.255

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 192.168.100.1 255.255.255.255

nat (inside) 200 192.168.100.0 255.255.255.0

nat (dmz) 0 access-list dmz_nat0_outbound

static (inside,outside) tcp interface smtp 192.168.100.20 smtp netmask 255.255.255.255

static (inside,outside) 72.245.21.51 srns2.centellax.com netmask 255.255.255.255

static (outside,dmz) 192.168.200.25 72.245.21.52 netmask 255.255.255.255

static (dmz,outside) 72.245.21.52 192.168.200.25 netmask 255.255.255.255

static (inside,dmz) 192.168.200.50 srns1.centellax.com netmask 255.255.255.255

static (inside,dmz) 192.168.200.51 srns2.centellax.com netmask 255.255.255.255

static (dmz,dmz) 72.245.21.52 192.168.200.25 netmask 255.255.255.255

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (outside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

Green

Re: ASA 5510 VPN and DMZ issue

Are you referring to the crypto ACL I mentioned? If so, I can't tell from the above. Could you post a "show run crypto"?

For future reference, always remove public IP addresses from your posts for your own security.

Edit: it's very possible that the VPN part was already configured; it just wasn't working because it was resolving to the inside address. You seem to have already had this statement:

access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0

which leads me to believe it was set up at one time. But let's see the show run crypto first.

New Member

Re: ASA 5510 VPN and DMZ issue

I usually do pull external IPs, but I spaced it since I'm multitasking here ATM.

Here is the crypto output...

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp enable inside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal 20

isakmp ipsec-over-tcp port 10000

Green

Re: ASA 5510 VPN and DMZ issue

Can VPN users hit the inside?

New Member

Re: ASA 5510 VPN and DMZ issue

Yes, they can get to 192.168.100 without any problems. No joy for 192.168.200 yet.

Green

Re: ASA 5510 VPN and DMZ issue

You should have to specify interesting traffic. I'm surprised you don't have something like...

access-list outside_cryptomap_dyn_20 extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

I assume access-list 99 is for split tunnel?
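The two pieces the replies in this thread ask for (a nat 0 exemption on the dmz interface and the DMZ subnet in the crypto ACL that the dynamic map matches on) can be checked mechanically before touching the box. The following Python script is an added example, not code posted by anyone in this thread: it parses a constructed config fragment modelled on the replies (the ACL names are taken from the thread, the fragment itself and the VPN client address are assumed) and reports which piece is missing for a given VPN client / DMZ host pair. Only "permit ip" ACEs with host or subnet-mask operands are understood.

```python
import ipaddress
import re

# Constructed sample (assumed; not the poster's full running config): the dmz
# NAT exemption from the thread plus a crypto ACL that covers only the inside
# LAN, which is the gap the last reply points at.
BROKEN_CONFIG = """
access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
"""
# The same config with the DMZ subnet added to the crypto ACL.
FIXED_CONFIG = BROKEN_CONFIG + ("access-list outside_cryptomap_dyn_20 extended "
    "permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0\n")

# Only 'permit ip' ACEs with host or subnet-mask operands are understood.
ACE_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip "
                    r"(host \S+|\S+ \S+) (host \S+|\S+ \S+)$")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"crypto dynamic-map \S+ \d+ match address (\S+)")

def to_net(operand):
    parts = operand.split()          # 'host A.B.C.D' -> /32, 'A.B.C.D MASK' -> subnet
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse(config):
    acls, nat0, crypto_acls = {}, {}, set()
    for line in config.strip().splitlines():
        if m := ACE_RE.match(line):
            acls.setdefault(m[1], []).append((to_net(m[2]), to_net(m[3])))
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]            # interface -> its nat 0 ACL
        elif m := CRYPTO_RE.match(line):
            crypto_acls.add(m[1])        # ACLs that define interesting traffic
    return acls, nat0, crypto_acls

def permits(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

def check_vpn_to_dmz(config, dmz_host, vpn_client, dmz_if="dmz"):
    """Both ACLs in the thread are written dmz -> VPN pool, so that is the
    direction tested; the ASA applies them symmetrically for the return."""
    acls, nat0, crypto_acls = parse(config)
    host, client = ipaddress.ip_address(dmz_host), ipaddress.ip_address(vpn_client)
    return {
        "nat_exempt": permits(acls.get(nat0.get(dmz_if, ""), []), host, client),
        "in_crypto_acl": any(permits(acls.get(n, []), host, client) for n in crypto_acls),
    }
```

Running `check_vpn_to_dmz` against `BROKEN_CONFIG` flags the crypto ACL as the missing piece, and against `FIXED_CONFIG` both checks pass; a client outside the 10.10.10.0/24 pool fails both, which is the same symptom the original poster described.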
