topic Re: VPN connections to DMZ resources in Network Security

VPN connections to DMZ resources

qbakies11 — Mon, 11 Mar 2019 14:54:15 GMT

I have an ASA 5510 that has a DMZ configured on it (192.168.0.0/24). The DMZ works fine except VPN users cannot hit any of the websites that run in the DMZ. My DMZ users connect through the Outside interface and are assigned a DHCP address from the pool (192.168.211.1-192.168.211.254).

Have the following ACE in my access-list attached to the outside interface to allow traffic from the VPN subnet to the DMZ interface since it is a higher security level:

access-list outside line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=300)

When I connect to VPN and try to hit a website in the DMZ I see the hitcount increment but I still get nothing. What am I missing?

Re: VPN connections to DMZ resources

colonha27 — Fri, 20 Feb 2009 15:56:47 GMT

Good morning:

You have to include your DMZ addressing in the traffic to encrypt in VPN configuration. This if you have the split-tunneling feature.

Cordially.

Re: VPN connections to DMZ resources

acomiskey — Fri, 20 Feb 2009 15:57:40 GMT

Missing nat exemption.

access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ) 0 access-list dmznat0

Re: VPN connections to DMZ resources

qbakies11 — Fri, 20 Feb 2009 16:12:45 GMT

That worked! Thank you!

Can you provide a quick 'dummies' explanation of why I needed that? Also, do I need the ACE entry I listed in my first post?

Re: VPN connections to DMZ resources

acomiskey — Fri, 20 Feb 2009 16:16:56 GMT

It wouldn't need to be there if you were hitting the webserver on a public ip address that was nat'd in the firewall, but since you are hitting the private dmz address, you need to exclude the traffic from nat.

You most likely do not need that access list entry because ipsec vpn traffic typically bypasses these acl's. To make sure, see if you have 'sysopt connection permit-ipsec or sysopt connection permit-vpn' in your configuration.

Re: VPN connections to DMZ resources

qbakies11 — Fri, 20 Feb 2009 19:04:21 GMT

I spoke too soon. While that did allow my VPN users to get to websites in the DMZ it killed their access to resources on the LAN. After I connected to the VPN I opened NSLOOKUP and it was unable to resolve to the internal DNS servers I have specified. It was pushing everything out the split tunnel using the DNS server of the ISP for the Internet connection. That was why they were able to get to the DMZ websites, they were using the split-tunneling and surfing through the ISP instead of hitting the DMZ directly through the VPN tunnel.

Re: VPN connections to DMZ resources

acomiskey — Fri, 20 Feb 2009 19:07:21 GMT

Is there a question in there? If you post the config I'm sure we can clear it up.

Re: VPN connections to DMZ resources

qbakies11 — Fri, 20 Feb 2009 19:12:31 GMT

Sorry, config is attached.

Re: VPN connections to DMZ resources

acomiskey — Fri, 20 Feb 2009 19:15:35 GMT

What's not working with that config?

Re: VPN connections to DMZ resources

qbakies11 — Fri, 20 Feb 2009 19:18:05 GMT

My VPN users cannot access and websites that are running in the DMZ1. They can access resources that are on the INSIDE. They need to be able to do both.

Re: VPN connections to DMZ resources

acomiskey — Fri, 20 Feb 2009 19:21:15 GMT

This should still fix your problem and should not break the access to the inside.

access-list dmznat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ1) 0 access-list dmznat0

Re: VPN connections to DMZ resources

qbakies11 — Fri, 20 Feb 2009 19:22:32 GMT

As soon as I do that my VPN users lose the ability to access resources on the INSIDE.

Re: VPN connections to DMZ resources

acomiskey — Fri, 20 Feb 2009 19:25:48 GMT

And you're doing "nat (DMZ1) access-list natdmz0" right? NOT "nat (inside) access-list natdmz0"?

Otherwise that doesn't make sense why it's doing that.

Re: VPN connections to DMZ resources

qbakies11 — Fri, 20 Feb 2009 19:29:07 GMT

Yes, after I did that my SH RUN NAT looked like this:

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (DMZ1) 0 access-list dmznat0

After I discovered the issue with not being able to hit inside resources I removed the NAT statement but it did fix the issue. I had to restart the ASA to clear it.

Re: VPN connections to DMZ resources

acomiskey — Fri, 20 Feb 2009 19:33:32 GMT

Well, hopefully someone else can chime in here..it shouldn't be doing that.

Re: VPN connections to DMZ resources

qbakies11 — Wed, 04 Mar 2009 14:22:13 GMT

Just to close this case...I opened a TAC case and they stated that I needed to put in the same DMZNAT0 statement that you recommended. I told them about the issue it caused and it baffled them. So I went ahead and re-added the statements into the config during off hours and it worked fine. I don't know what happened the first time that caused the problems but it is working now. Thank you for the help. For clarification this is what I ended up adding:

access-list DMZNAT0 extended permit ip 192.168.0.0 255.255.255.0 192.168.211.0 255.255.255.0

nat (DMZ1) 0 access-list DMZNAT0