Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
750
Views
0
Helpful
1
Replies

Allow access to DMZ through VPN Tunnel

diehardpatsfan
Level 1
Level 1

‎03-24-2014 01:36 PM

I have two datacenters that have a VPN Site-To-Site Tunnel

DC1 is ASA Version 8.2
DC2 is ASA Version 9.1

I want to allow our backup device that is on the inside interface of DC2 to be able to backup devices in our DMZ at DC1

Lets say for example that the backup device is 192.168.10.20

At DC1 I have tried

access-list dmz_out extended permit tcp object-group dmz_hosts host 192.168.10.20 eq 2006
access-list dmz_out extended permit tcp host 192.168.10.20 object-group dmz_hosts eq 2006

Currently at DC1 there is

access-list no_nat extended permit ip object-group local_hosts object-group to_dc2

But I don't see a no_nat for the DMZ such as

access_list no_nat extended permit ip object-groups dmz_hosts object-group to_dc2
Could that be the issue?

At DC2 I see

access-list inside_out extended permit ip object-group local_hosts_dc2 object-group to_dc1

to_dc1 does include the subnet for the dmz and local_hosts_dc2 does include the subnet that contains the backup device


nat (inside,outside) source static lan_local lan_local destination static no_nat no_nat no-proxy-arp route-lookup
Again no_nat in this case does include the dmz at dc1 and lan_local includes the subnet of the backup device

 

When I show the access-lists there is no hit counter increment for it so I know neither of my rules are being hit.
dmz_out is tied to the dmz with access-group dmz_out in interface dmz
 

 

Labels:
0 Helpful
1 Reply 1

Jorge Garcia
Cisco Employee
Cisco Employee

‎03-24-2014 03:46 PM

Hi,

Thanks for contacting us! My name is Osvaldo García, from what I understood you need that a device located in the INSIDE network of the ASA at DC2 back up devices located in the DMZ network of the ASA at DC1, is that correct?

Please make sure that these 2 requirenments are configured:

[1] Review the access-list used in the crypto map, the command should be like:

crypto map <NAME> x match address <ACL>

This access-list should contain a statement with the DMZ network address as the source and the as the destination the LOCAL LAN of the DC2, i.e:

access-list <NAME> permit ip object-group dmz_hosts object-group to_dc2

NOTE: Please make sure to use IP as the permitted protocol. Also make sure to add this statement in the ACL used in the cyrpto map at DC2 in the opposite way, i.e:

access-list <NAME> permit ip object-group lan_local object-group dmz_hosts_at_DC1

 

[2] Please add the statement in NO_NAT access-list for the same traffic, i.e

access-list NO_NAT pemit ip object-group dmz_hosts object-group to_dc2

 

I think this only needs to be added in the DC1 ASA since you found that is already configured in the DC2 ASA.

 

As a comment, if you have access-list assigned to the ASA's interfaces, just make sure the traffic is allowed, start by permitting IP traffic between hosts and then you can narrow down to only permit the actual hosts and ports.

 

I hope this information helps you, 

Have a great day!

Best regards,

 

Osvaldo Garcia

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents