ASA 5505 Site-to-Site VPN to remote dmz access

garrickaking
Level 1

I don't have a ton of experience with ASA firewalls, but I've searched everywhere and I can't seem to find a solution to this.

I have 2 sites connected by a Site-to-Site VPN with ASAs (5540 on Site 1, 5505 on Site 2). I'm using ASDM.

Let's call:

Site 1 LAN: 192.168.1.0

Site 2 LAN: 192.168.2.0

Site 2 DMZ: 172.16.2.0

Traffic from Site 1 to Site 2 moves perfectly across the LANs. My workstation (192.168.1.10) can ping anything in Site 2's LAN (192.168.2.0/24).

Recently, I added a UniFi WAP device to the Site 2 DMZ. Since I want to be able to manage this DMZ WAP from the LAN with a management server, I created a network object in Site 2's ASA. I called this object DMZ_WAP, IP address 172.16.2.2. I checked the box for "Add Automatic Address Translation Rules" and configured Type to "Static" and Translated Addr to "192.168.2.8", source interface DMZ to any destination interface. This of course created 2 "Network Object" NAT rules.

I then created a DMZ incoming rule that says Source: DMZ_WAP, Destination: net_site1_lan (this object was of course created for the site-to-site VPN), allow all IP traffic. I created an Outside incoming rule that says net_site1_lan can access DMZ_WAP.

Awesome, I can now ping 192.168.2.8 from anywhere within Site 2. The problem is... I can't ping 192.168.2.8 from my workstation in Site 1 (192.168.1.10). If I run Packet Tracer (interface dmz, packet type TCP, source 172.16.2.2 port "echo", destination 192.168.1.10 port "echo"), everything turns up with a green checkmark; the packet is allowed. So why do I have no contact?

I apologize, as I realize ASDM isn't what most of you probably use. But does anyone have any ideas? I've been researching this for about 4 hours now; perhaps I'm barking up the wrong tree.

Thanks,

Garrick

7 Replies

Jouni Forss
VIP Alumni

Hi,

I personally don't use ASDM for that many configurations, mainly to monitor things, so I can't help much with that. To be honest, it's much more time consuming to try to guide the changes through ASDM rather than seeing the CLI format configurations and suggesting the changes.

I would personally just add the DMZ network with its original IP address on the existing L2L VPN between the sites instead of doing a NAT. From there on it would be pretty straightforward.

  • Add the DMZ network to the L2L VPN connections ACL on both sites configurations
  • Add NAT0 configurations on both sites for the DMZ traffic

If you have 8.3 or newer software level on the Site 2 then the NAT0 / NAT Exempt configuration would be (presuming interface names)

object network DMZ
 subnet 172.16.2.0 255.255.255.0
object network SITE1-LAN
 subnet 192.168.1.0 255.255.255.0
nat (dmz,outside) source static DMZ DMZ destination static SITE1-LAN SITE1-LAN

And naturally the ACL addition to the L2L VPN connection would be

access-list L2LVPN permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0

And also the corresponding configurations on the Site 1

- Jouni
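The two steps above (crypto ACL plus NAT exemption on both sides), narrowed to the single WAP host the original poster needs rather than the whole DMZ subnet. This is an added example, not configuration from the thread or from Cisco. It reuses the object and ACL names from the config posted later in the thread (SITE2_DMZ_WAP, net_SITE1_lan, net_SITE2_lan, outside_cryptomap); the DMZ ACL name dmz_access_in, the management ports, and all Site 1 names are assumptions.

```cisco
! ===== Site 2 (ASA 5505, 8.4) =====
! Objects already in the posted config, repeated so the fragment stands alone
object network SITE2_DMZ_WAP
 host 172.16.21.2
object network net_SITE1_lan
 subnet 192.168.1.0 255.255.255.0
object network net_SITE2_lan
 subnet 192.168.21.0 255.255.255.0
!
! Drop the object NAT that rewrites the WAP to 192.168.21.8; the WAP crosses
! the tunnel with its real address instead
object network SITE2_DMZ_WAP
 no nat (dmz,any) static 192.168.21.8
!
! NAT exemption (identity twice NAT) for WAP <-> Site 1 LAN only. Sequence 1
! puts it at the top of section 1, ahead of the LAN-to-LAN identity rule and
! ahead of any object NAT in section 2.
nat (dmz,outside) 1 source static SITE2_DMZ_WAP SITE2_DMZ_WAP destination static net_SITE1_lan net_SITE1_lan
!
! Crypto ACL: add the single host, not 172.16.21.0/24, so nothing else in the
! DMZ ever becomes interesting traffic for the tunnel
access-list outside_cryptomap extended permit ip object SITE2_DMZ_WAP object net_SITE1_lan
!
! DMZ interface ACL (the posted config applies none; the name is assumed).
! The port is an assumption for a UniFi AP (TCP 8080 "inform" to the
! controller); ICMP echo is kept for the ping test. All other DMZ traffic to
! either LAN is denied. The final permit preserves the DMZ's Internet access,
! which the ACL's implicit deny would otherwise take away.
access-list dmz_access_in extended permit tcp object SITE2_DMZ_WAP object net_SITE1_lan eq 8080
access-list dmz_access_in extended permit icmp object SITE2_DMZ_WAP object net_SITE1_lan echo
access-list dmz_access_in extended deny ip any object net_SITE1_lan
access-list dmz_access_in extended deny ip any object net_SITE2_lan
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
!
! ===== Site 1 (ASA 5540), the mirror image; names assumed =====
object network net_SITE2_dmz_wap
 host 172.16.21.2
object network net_SITE1_lan
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) 1 source static net_SITE1_lan net_SITE1_lan destination static net_SITE2_dmz_wap net_SITE2_dmz_wap
access-list outside_cryptomap extended permit ip object net_SITE1_lan object net_SITE2_dmz_wap
!
! Verify from Site 2 (exec mode). The NAT phase should hit the identity rule,
! the VPN phase should show ENCRYPT, and the IPsec SA should carry the
! untranslated 172.16.21.2/32 as its local identity:
!   packet-tracer input dmz icmp 172.16.21.2 8 0 192.168.1.10
!   show nat detail
!   show crypto ipsec sa | include ident
```

The crypto ACLs must be exact mirrors of each other, one host-to-subnet entry per side; an entry that covers the whole DMZ on one side and only the host on the other produces a proxy-identity mismatch and the SA never comes up. Widen the dmz_access_in permit to "permit ip" first if the goal is to get the tunnel working before narrowing the protocols, as the original poster planned.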

Jouni,

I can't add the entire network, as the unrestricted traffic on the Site 2 DMZ (users' smartphones, personal laptops, clients) is not allowed to enter the LAN at Site 2, and especially not at Site 1. I should have mentioned that. The thing we want to be able to pass through is the specific IP of the WAP. Once I figure out how to make it work at all, I'll be restricting down the allowed protocols to provide bare-minimum monitoring. That's why I decided to NAT the WAP's IP to a LAN IP. I figure that way, the ASA 5540 at Site 1 will be perfectly okay with that 192.168.2.8 IP address coming in. Any idea why Packet Tracer doesn't give me any feedback as to why this is failing?

Hi,

I would have to see the "packet-tracer" command used and the full output.

I imagine if you need to restrict traffic going from the DMZ to the same site's LAN and the remote site's LAN, you should really use the interface ACL and keep the NAT simple.

- Jouni

The traffic is already restricted from the DMZ to the LAN, which is why I NAT'd to allow the Site 2 LAN to hit the WAP IP. Again, I'm sorry if the way I'm asking things is skewed. I'm normally just a virtual infrastructure / Windows server guy. My new employer needs SOMEONE to clean this stuff up. I just PuTTY'd in and got the config. Currently sanitizing it to post. From what everyone says, I guess it would be best for me to drop ASDM and just learn the CLI. Really appreciate the help, JouniForss.

Here's my sanitized config. Any help would be greatly appreciated. Again, the point is simply to make the object SITE2_DMZ_WAP, which is off the "dmz" interface, talk with SITE1 over the site-to-site VPN. I can't let any other traffic through except this one IP. I currently have it NAT'd.


:
ASA Version 8.4(1)
!

no names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.21.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address -OMITTED- 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.21.1 255.255.255.0

!
interface Ethernet0/0
description Outside WAN1 port
switchport access vlan 2
!
interface Ethernet0/1
description Inside LAN port
!
interface Ethernet0/2
description Inside LAN port
!
interface Ethernet0/3
description Outside DMZ port
switchport access vlan 3
!
interface Ethernet0/4
description Outside DMZ port
switchport access vlan 3
!
interface Ethernet0/5
description Outside DMZ port
switchport access vlan 3
!
interface Ethernet0/6
description Outside DMZ port
switchport access vlan 3
!
interface Ethernet0/7
description Outside DMZ port
switchport access vlan 3
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name -OMITTED-
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network net_SITE1_lan
subnet 192.168.1.0 255.255.255.0
object network net_SITE2_lan
subnet 192.168.21.0 255.255.255.0
object network net_SITE1_dmz
subnet 172.16.1.0 255.255.255.0
object network net_SITE2_dmz
subnet 172.16.21.0 255.255.255.0
object network SITE2_DMZ_WAP
host 172.16.21.2
object network 192.168.21.8
host 192.168.21.8
description FOR SITE2 WAP
access-list inside_access_in extended permit ip object net_SITE2_lan any
access-list inside_access_in extended deny tcp any any eq smtp
access-list outside_cryptomap extended permit ip object net_SITE2_lan object net_SITE1_lan
pager lines 24
logging enable
logging buffer-size 16384
logging buffered notifications
logging asdm notifications
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.1.35 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static net_SITE2_lan net_SITE2_lan destination static net_SITE1_lan net_SITE1_lan
!
object network obj_any
nat (inside,outside) dynamic interface
object network SITE2_DMZ_WAP
nat (dmz,any) static 192.168.21.8
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 162.227.34.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authorization exec LOCAL
http server enable
http server idle-timeout 60
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 192.168.1.35 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map CMAP_OUTSIDE 1 match address outside_cryptomap
crypto map CMAP_OUTSIDE 1 set peer -PEER OMITTED-
crypto map CMAP_OUTSIDE 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map CMAP_OUTSIDE 1 set reverse-route
crypto map CMAP_OUTSIDE interface outside
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 60
management-access inside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd dns 192.168.2.2 192.168.1.6 interface inside
dhcpd lease 34000 interface inside
dhcpd domain -DOMAIN OMITTED- interface inside
dhcpd update dns both interface inside
!
dhcpd address 172.16.21.100-172.16.21.200 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd lease 34000 interface dmz
dhcpd enable dmz
!
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server -NTP SERVERS OMITTED-
ntp server -NTP SERVERS OMITTED-
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username -OMITTED- password -OMITTED- encrypted privilege 15
tunnel-group -IP OMITTED- type ipsec-l2l
tunnel-group -IP OMITTED- general-attributes
default-group-policy GroupPolicy1
tunnel-group -IP OMITTED- ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 5
!
class-map netflow-export-class
match any
class-map inspection_default
match default-inspection-traffic
class-map QoS_RDP
match access-list QoS_RDP_Server_Branch
class-map QoS_EA
match port tcp eq 2000
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns
  inspect ftp
  inspect http
  inspect icmp
  inspect icmp error
  inspect ils
  inspect ip-options
  inspect ipsec-pass-thru
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect snmp
  inspect xdmcp
class netflow-export-class
  flow-export event-type all destination 192.168.1.35
class QoS_RDP
  priority
class QoS_EA
  priority
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Hi,

Can you use the "packet-tracer" command on the CLI of the ASA and share that output with us? You could actually check both directions (to and from the L2L VPN) and see what kind of output it produces.

Command format would be

packet-tracer input dmz icmp 172.16.21.2 8 0 192.168.1.10

packet-tracer input outside icmp 192.168.1.10 8 0 192.168.21.8

The above would both simulate an ICMP Echo heading in either direction. The "8" and "0" in the command refer to the Type and Code of the ICMP message; they are for ICMP Echo.

In the case of the "dmz" related command, if the L2L VPN connection isn't up when you first attempt it, then the first "packet-tracer" command will always fail. The second time you enter the command the L2L VPN should be up (if it already wasn't) and the output should then be accurate.

So if you can first take those outputs and share them with us we could confirm that correct rules/configurations are matched on the ASA.

- Jouni

Also,

There is actually a default setting on the ASA that makes it so that ALL traffic coming through a VPN connection bypasses your "outside" interface ACL. So currently the ACL rule permitting Site 1 and Site 2 traffic doesn't have any effect, as it's bypassed.

The command you currently have enabled (the ASA default) is

sysopt connection permit-vpn

If you were to change this global configuration to

no sysopt connection permit-vpn

It would mean that ALL connections initiated to this site through VPN connections would also have to match the interface ACL rules on the interface where the VPN connection terminates (outside).

You might be wondering why the command above doesn't show in your configuration. With some commands the default setting is not shown in the configuration at all. When you change it, however, the non-default setting will be shown.

If you were to use the command

show run all

You would see ALL the default settings also. And that's a lot more output than a normal "show run".

You can also combine that with more specific command like

show run all sysopt

To list your system option settings.

- Jouni
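What disabling the default described above looks like on the Site 2 ASA, with the outside ACL that then has to carry every tunnel flow. This is an added example, not configuration from the thread or from Cisco. Object names are from the posted config; the ACL name outside_access_in and the management-server host 192.168.1.35 are assumptions (the original poster's ASDM "outside incoming rule" is not in the sanitized config, and 192.168.1.35 is simply the collector already referenced there).

```cisco
! Site 2 (ASA 5505, 8.4). Assumed: the management server is 192.168.1.35
object network SITE1_MGMT_SERVER
 host 192.168.1.35
!
! 1. The hidden default lets decrypted VPN traffic skip the outside ACL:
!      sysopt connection permit-vpn
!    Turn it off so tunnel traffic is filtered like anything else arriving
!    on outside.
no sysopt connection permit-vpn
!
! 2. Every flow arriving through the tunnel now needs an explicit permit,
!    including the LAN-to-LAN traffic that already worked. ACLs on 8.3+ are
!    written with real (pre-NAT) addresses, so the WAP is matched as
!    172.16.21.2 whether it is identity-NATed or still statically translated
!    to 192.168.21.8. Only the management server, not the whole Site 1 LAN,
!    may reach it; SSH and ICMP echo are the assumed management protocols.
access-list outside_access_in extended permit ip object net_SITE1_lan object net_SITE2_lan
access-list outside_access_in extended permit tcp object SITE1_MGMT_SERVER object SITE2_DMZ_WAP eq ssh
access-list outside_access_in extended permit icmp object SITE1_MGMT_SERVER object SITE2_DMZ_WAP echo
access-group outside_access_in in interface outside
!
! 3. Verify (exec mode). The non-default sysopt now shows in a plain
!    "show run", and packet-tracer gains an ACCESS-LIST phase on outside.
!    The first trace should end in ALLOW; the second, from the ordinary
!    workstation, should end in DROP at that phase with the ACL named.
!   show run sysopt
!   show run all sysopt
!   packet-tracer input outside tcp 192.168.1.35 40000 172.16.21.2 22
!   packet-tracer input outside tcp 192.168.1.10 40000 172.16.21.2 22
```

The setting is global: anything else that terminates on the outside interface (another L2L peer, a remote-access VPN) is subject to outside_access_in from the moment the sysopt is turned off, so add their permits before applying the access-group, not after the first outage report.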