https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556298#M601314 <HTML><HEAD></HEAD><BODY><P>Thanks for the help guys, but I figured it out myself.</P><P></P><P>I will post my running config tomorrow if you're interested in the solution.</P><P></P><P>Thank you</P><P></P><P>Bert</P></BODY></HTML> Mon, 11 Oct 2010 14:30:14 GMT Bert Kelchtermans 2010-10-11T14:30:14Z https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556294#M601310 <P>Hi</P><P></P><P>I have a ASA 5510 that has a couple of site to site vpn connections, they work</P><P>fine, the only problem is that they cannot reach the webserver in the dmz</P><P></P><P>VPN subnets 192.0.2.0 255.255.255.0, 192.0.4.0 255.255.255.0, 192.0.6.0 255.255.255.0</P><P></P><P>DMZ 172.16.0.0 255.255.255.0</P><P></P><P>Webserver DMZ 172.16.0.5 255.255.255.0</P><P></P><P>The users in the inside network and from the internet have no problems connecting.</P><P></P><P><BR />I have attached the running config.</P><P></P><P></P><P>Thank you</P> Mon, 11 Mar 2019 18:52:50 GMT https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556294#M601310 Bert Kelchtermans 2019-03-11T18:52:50Z https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556295#M601311 <HTML><HEAD></HEAD><BODY><P>Bert,</P><P></P><P>Can you also attach "show crypto ipsec sa" when tunnels are connected and initiating traffic to webserver.</P><P></P><P>NAT and permissions look OK of course, I would like to see if the IPsec SAs come up when you initiate traffic.</P><P></P><P>When you do the test&nbsp; can you also do "show logg | i 172.16.0.5" ?</P><P></P><P>Maybe we should also look on other sites' configs.</P><P></P><P>Marcin</P></BODY></HTML> Mon, 11 Oct 2010 12:14:56 GMT https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556295#M601311 Marcin Latosiewicz 2010-10-11T12:14:56Z https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556296#M601312 <HTML><HEAD></HEAD><BODY><P>Hi Bert,</P><P></P><P>I checked the config and here is my observation: On the dmz interface you have the following access-list applied:</P><P></P><P>access-list dmz_access_in extended permit tcp any host 172.16.0.5 eq www</P><P>access-group dmz_access_in in interface dmz</P><P></P><P>i.e, on the inbound direction of the dmz interface, you are allowing any packet distined to host 172.16.0.5, but with this you are not allowing reply packets from the webserver (172.16.0.5) itself to outside machines.</P><P></P><P>I think the access-list on the dmz should look like this: (wherein we are allowing the webserver to reply to any request packets)</P><P></P><P>access-list dmz_access_in extended permit tcp&nbsp; host 172.16.0.5 eq www <STRONG>any</STRONG></P><P>access-group dmz_access_in in interface dmz</P><P></P><P>I surprised that the inside users are able to connect to this webserver in the dmz as you have said, since with the existing access-list, it would not allow this.</P><P></P><P>Let me know if this helps,</P><P></P><P>Cheers,</P><P>Rudresh V</P></BODY></HTML> Mon, 11 Oct 2010 14:08:36 GMT https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556296#M601312 Rudresh Veerappaji 2010-10-11T14:08:36Z https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556297#M601313 <HTML><HEAD></HEAD><BODY><P>Rudresh,</P><P></P><P>Traffic subject to VPN is byspassing ACLs unless you turn of the sysopt explictly. ...</P><P></P><P>dmz_access_in, will never be checked for traffic coming in from any other interfaces. Only traffic initiated from DMZ interface would be affected by this ACL.</P><P></P><P>Marcin</P></BODY></HTML> Mon, 11 Oct 2010 14:22:25 GMT https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556297#M601313 Marcin Latosiewicz 2010-10-11T14:22:25Z https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556298#M601314 <HTML><HEAD></HEAD><BODY><P>Thanks for the help guys, but I figured it out myself.</P><P></P><P>I will post my running config tomorrow if you're interested in the solution.</P><P></P><P>Thank you</P><P></P><P>Bert</P></BODY></HTML> Mon, 11 Oct 2010 14:30:14 GMT https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556298#M601314 Bert Kelchtermans 2010-10-11T14:30:14Z https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556299#M601315 <HTML><HEAD></HEAD><BODY><P>Bert,</P><P></P><P>For future reference it's better to have solutions indeed, might help someone save some time in future <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Marcin</P></BODY></HTML> Mon, 11 Oct 2010 14:36:11 GMT https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556299#M601315 Marcin Latosiewicz 2010-10-11T14:36:11Z https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556300#M601316 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>rudv wrote:</P><P></P><P>Hi Bert,</P><P></P><P></P><P>I surprised that the inside users are able to connect to this webserver in the dmz as you have said, since with the existing access-list, it would not allow this.</P><P></P><P></P><P>Cheers,</P><P>Rudresh V</P></PRE><P>Rudresh ,</P><P></P><P>the traffic is by default allowed from the interfaces with a higher security-level ( inside 100 ) to a lower security level ( dmz 10 or outside 0 ) .By default meaning that there is no need of an access-list</P><P></P><P>Dan</P></BODY></HTML> Mon, 11 Oct 2010 15:34:23 GMT https://community.cisco.com/t5/network-security/vpn-users-cannot-reach-dmz/m-p/1556300#M601316 Dan-Ciprian Cicioiu 2010-10-11T15:34:23Z