Access to DMZ from remote sites over S2S VPN

rsmiley7732 (Level 1)

We have a Main ASA 5520 and two remote site ASA 5505's that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have our local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external SharePoint, but we have access to it internally.

The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.

What I'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would I have to make a separate VPN tunnel purely for that DMZ traffic?

Accepted Solution

Yes. So if you're doing this in ASDM under Edit Site to Site connection Profile, it will look like that.

Local Network: 10.0.0.0/16, 10.3.0.0/24

Remote: 10.1.0.0/24

6 Replies

acomiskey (Level 10)

As long as the traffic is specified in your crypto ACLs

access-list xxx extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0

and

access-list xxx extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0

the only other thing you may be missing is NAT exemption on the DMZ interface.

access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0

access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0

nat (DMZ) 0 access-list nonatdmz

Also make sure the dmz network is added to the nat 0 at the remote sites as well.

access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0

and

access-list nonat extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0

Right now those are in there in the DMZ section on our main ASA:

access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0

access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0

Here's how the VPN is set up, but I think I may know why it's failing.

Main ASA

Site A Tunnel

Local: 10.0.0.0/16

Remote: 10.1.0.0/24

Site B Tunnel

Local: 10.0.0.0/16

Remote: 10.2.0.0/24

Site A

Main Tunnel

Local: 10.1.0.0/24

Remote: 10.0.0.0/16

Site B

Main Tunnel

Local: 10.2.0.0/24

Remote: 10.0.0.0/16

If I were to add the DMZ (10.3.0.0/24) to the end of the Remote sides for the two sites and the local side on the main, would that accomplish what I'm trying to do? Or can I just build a tunnel straight from the DMZ to these locations and do it that way?

EDIT

Checked both ends, both have the nonat rule for the DMZ traffic.

Add the following traffic to your existing VPNs. You have to tell the ASAs to encrypt this traffic. Post your configuration if possible, clean out any public IPs/passwords etc. It will be much easier to get you going.

Main ASA

Site A Tunnel

Local: 10.3.0.0/24

Remote: 10.1.0.0/24

Site B Tunnel

Local: 10.3.0.0/24

Remote: 10.2.0.0/24

Site A

Main Tunnel

Local: 10.1.0.0/24

Remote: 10.3.0.0/24

Site B

Main Tunnel

Local: 10.2.0.0/24

Remote: 10.3.0.0/24

We did this before and the SharePoint site did work, but nothing external (webpages, anything on the net). Can I add that rule to an existing one, such as:

Main ASA

Site A Tunnel

Local: 10.0.0.0/16, 10.3.0.0/24

Remote: 10.1.0.0/24

Yes. So if you're doing this in ASDM under Edit Site to Site connection Profile, it will look like that.

Local Network: 10.0.0.0/16, 10.3.0.0/24

Remote: 10.1.0.0/24

Definitely a facepalm moment, but it seems to work great, thank you!
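Pulling the thread together, here is the complete set of pieces that the accepted solution's ASDM entry (Local Network: 10.0.0.0/16, 10.3.0.0/24) and acomiskey's NAT-exemption reply translate to on the CLI. This is an added example, not configuration posted by either participant. It uses the pre-8.3 nat/global syntax the thread already uses, and assumes interface names inside, DMZ and outside, a crypto map called outside_map, a transform set called ESP-AES-256-SHA, and documentation-range peer addresses 203.0.113.10 and 203.0.113.20; all of those names and addresses are placeholders. The existing isakmp policy, tunnel-group and transform-set lines are left as they are, since the tunnels already come up.

```cisco
! ===== Hub (ASA 5520), pre-8.3 syntax. Interface and object names are assumptions. =====
!
! 1. Crypto ACLs: ADD the DMZ line next to the existing LAN line, do not replace it.
!    The ASDM entry "Local Network: 10.0.0.0/16, 10.3.0.0/24" generates exactly these two lines.
access-list outside_cryptomap_siteA extended permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list outside_cryptomap_siteA extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list outside_cryptomap_siteB extended permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list outside_cryptomap_siteB extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! 2. NAT exemption. Pre-8.3 NAT is evaluated before the crypto map, so a DMZ packet that gets
!    PATed to the outside address never matches the crypto ACL. One nat 0 per ingress interface.
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list dmz_nat0_outbound extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (DMZ) 0 access-list dmz_nat0_outbound
!
! 3. Crypto map entries referencing the ACLs above (peer addresses are placeholders).
crypto map outside_map 10 match address outside_cryptomap_siteA
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 match address outside_cryptomap_siteB
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
! 4. Caveat: decrypted VPN traffic bypasses interface ACLs only while this default is in place.
!    If it has been turned off, the outside ACL must also permit 10.1.0.0/24 and 10.2.0.0/24 to 10.3.0.0/24.
sysopt connection permit-vpn
!
! ===== Spoke Site A (ASA 5505). Site B is identical with 10.2.0.0/24 in place of 10.1.0.0/24. =====
!
! Crypto ACL must be the exact mirror image of the hub's, one line per hub network.
access-list outside_cryptomap_main extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list outside_cryptomap_main extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
! NAT exemption for both hub networks.
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Everything else still goes out via PAT, so split tunneling and Internet access stay intact.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! ===== Checks =====
! On the spoke, trace a client hitting the DMZ web server. The VPN phase in the output tells you
! whether the packet matched the crypto ACL or fell through to the PAT rule (hypothetical addresses).
packet-tracer input inside tcp 10.1.0.50 12345 10.3.0.10 80 detailed
! On the hub, trace the return packet off the DMZ interface; it must hit nat 0, not the global PAT.
packet-tracer input DMZ tcp 10.3.0.10 80 10.1.0.50 12345 detailed
! After a real connection attempt, confirm a child SA exists for the DMZ pair:
! expect "local ident ... 10.3.0.0/255.255.255.0" and "remote ident ... 10.1.0.0/255.255.255.0".
show crypto ipsec sa peer 203.0.113.10
```

Two points worth keeping in mind when applying this. The original symptom (SharePoint reachable, Internet dead) is what you get when the new local network replaces the LAN entry in the crypto ACL instead of being added beside it, which is why the accepted answer lists both networks on one profile. And because the spoke's ACL must mirror the hub's line for line, a DMZ entry added on only one side will show up in `show crypto ipsec sa` as a proxy-identity mismatch rather than as a working SA, so check both ends, as the thread eventually did.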
