I cannot access the DMZ from VPN clients, ASA 5505 v 9.1(1)

enrique.jara (Level 1)

ASA Version 9.1(1)

!

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool Pool_Vpn 172.26.0.10-172.26.0.19 mask 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 5

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.0.10.1 255.255.255.0

!

interface Vlan5

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 10.0.0.200 255.255.255.0

!

boot system disk0:/asa911-k8.bin

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Router

host 10.0.10.2

description Router Ya.com

object network DMZ_Internet

subnet 10.0.0.0 255.255.255.0

object network NETWORK_OBJ_172.26.0.0_27

subnet 172.26.0.0 255.255.255.224

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network DMZ_outside

subnet 0.0.0.0 0.0.0.0

object network PC

host 192.168.1.2

object network Fuera

subnet 172.26.0.0 255.255.255.0

object network Escritorio_Remoto

host 192.168.1.2

object network COD3

host 192.168.1.2

object network COD4

host 192.168.1.2

object network EmuleTcp

object network EmuleUdp

object network terminal

object network Terminal

host 192.168.1.2

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq 5544

service-object udp destination eq 6699

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 interface outside

access-list outside_access_in extended permit tcp any any eq 3389

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended deny ip any any

access-list global_access extended permit ip any4 any4 inactive

access-list inside_access_in extended permit object-group TCPUDP any4 object PC range 27000 27050 inactive

access-list inside_access_in extended permit object-group TCPUDP any4 object PC eq 3074 inactive

access-list inside_access_in extended permit ip any4 any4

access-list inside_access_in extended deny ip any any

access-list DMZ_access_in extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0

access-list DMZ_access_in extended permit ip any4 any4

access-list Tunel_Casa_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list Tunel_Casa_splitTunnelAcl standard permit 172.26.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

logging class vpn trap informational asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any DMZ

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (DMZ,outside) source dynamic any interface

nat (outside,outside) source static NETWORK_OBJ_172.26.0.0_27 NETWORK_OBJ_172.26.0.0_27 destination static NETWORK_OBJ_172.26.0.0_27 NETWORK_OBJ_172.26.0.0_27 route-lookup

nat (inside,outside) source static any any destination static NETWORK_OBJ_172.26.0.0_27 NETWORK_OBJ_172.26.0.0_27

!

object network obj_any

nat (inside,outside) dynamic interface

object network DMZ_outside

nat (DMZ,outside) dynamic interface

object network Escritorio_Remoto

nat (outside,inside) static PC

object network COD3

nat (inside,outside) static interface service tcp 3074 3074

object network COD4

nat (inside,outside) static interface service udp 3074 3074

object network Terminal

nat (inside,outside) static interface service tcp 3389 3389

!

nat (inside,outside) after-auto source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

access-group global_access global

route outside 0.0.0.0 0.0.0.0 10.0.10.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication secure-http-client

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DMZ_map interface DMZ

crypto ca trustpool policy

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 enable DMZ

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2     

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2     

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2     

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2     

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.15-192.168.1.25 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd enable inside

!

dhcpd address 10.0.0.100-10.0.0.115 DMZ

dhcpd dns 8.8.8.8 8.8.4.4 interface DMZ

dhcpd auto_config outside vpnclient-wins-override interface DMZ

dhcpd enable DMZ

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy Tunel_Casa internal

group-policy Tunel_Casa attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-idle-timeout none

vpn-tunnel-protocol ikev1

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Tunel_Casa_splitTunnelAcl

tunnel-group Tunel_Casa type remote-access

tunnel-group Tunel_Casa general-attributes

address-pool Pool_Vpn

default-group-policy Tunel_Casa

tunnel-group Tunel_Casa ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect ipsec-pass-thru

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:ed92d9460fe9457fee4def565cb30f9f

: end

Accepted Solutions


Hi,

Did you mean to say that you can access the DMZ network from the VPN Client but NOT the INSIDE network?

It seems that for the most part your configurations have stayed the same compared to the situation when you made the changes that corrected the situation.

Relating to the NAT configuration it seems you have added this configuration line

nat (inside,outside) source static any any destination static VPN_pool VPN_pool

To my understanding it's not needed, as we previously configured NAT rules for the LAN-to-VPN and DMZ-to-VPN traffic already with the following configurations

nat (inside,outside) source static INSIDE INSIDE destination static VPN-POOL VPN-POOL
nat (DMZ,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL

You could perhaps try to remove the configuration

nat (inside,outside) source static any any destination static VPN_pool VPN_pool

Or did I misunderstand the problem somehow?

- Jouni


9 Replies

shamax_1983 (Level 3)

You need to have a dynamic PAT on the DMZ interface, but you are missing a NAT exempt (identity NAT) for traffic passing between your DMZ interface and VPN clients.

Try adding these lines

!
object network VPN_pool
 range 172.26.0.10 172.26.0.19
!
nat (DMZ,outside) source static any any destination static VPN_pool VPN_pool
!

Hello again,

Now I lost the ping with my hosts on the inside interface. Is this possible?

ASA Version 9.1(1)

!

hostname CASA

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

names

ip local pool Pool_Vpn 172.26.0.10-172.26.0.19 mask 255.255.255.0

!            

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 5

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.0.10.1 255.255.255.0

!

interface Vlan5

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 10.0.0.200 255.255.255.0

!

banner exec Solo Enrique Jara Ceña Puede administrar este equipo. Si no eres él, desconectate

banner login Solo Enrique Jara Ceña Puede administrar este equipo. Si no eres él, desconectate

banner motd Solo Enrique Jara Ceña Puede administrar este equipo. Si no eres él, desconectate

banner asdm Solo Enrique Jara Ceña Puede administrar este equipo. Si no eres él, desconectate

boot system disk0:/asa911-k8.bin

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Router

host 10.0.10.2

description Router Ya.com

object network DMZ_Internet

subnet 10.0.0.0 255.255.255.0

object network NETWORK_OBJ_172.26.0.0_27

subnet 172.26.0.0 255.255.255.224

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network DMZ_outside

subnet 0.0.0.0 0.0.0.0

object network PC

host 192.168.1.2

object network Fuera

subnet 172.26.0.0 255.255.255.0

object network Escritorio_Remoto

host 192.168.1.2

object network COD3

host 192.168.1.2

object network COD4

host 192.168.1.2

object network EmuleTcp

object network EmuleUdp

object network terminal

object network Terminal

host 192.168.1.2

object network VPN_pool

range 172.26.0.10 172.26.0.19

object network INSIDE_pool

range 192.168.1.2 192.168.1.254

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq 5544

service-object udp destination eq 6699

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 interface outside

access-list outside_access_in extended permit tcp any any eq 3389

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended deny ip any any

access-list global_access extended permit ip any4 any4 inactive

access-list inside_access_in extended permit object-group TCPUDP any4 object PC range 27000 27050 inactive

access-list inside_access_in extended permit object-group TCPUDP any4 object PC eq 3074 inactive

access-list inside_access_in extended permit ip any4 any4

access-list inside_access_in extended deny ip any any

access-list DMZ_access_in extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0

access-list DMZ_access_in extended permit ip any4 any4

access-list Tunel_Casa_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list Tunel_Casa_splitTunnelAcl standard permit 172.26.0.0 255.255.255.0

access-list Tunel_Casa_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

logging class vpn trap informational asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any DMZ

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (DMZ,outside) source dynamic any interface

nat (outside,outside) source static NETWORK_OBJ_172.26.0.0_27 NETWORK_OBJ_172.26.0.0_27 destination static NETWORK_OBJ_172.26.0.0_27 NETWORK_OBJ_172.26.0.0_27 route-lookup

nat (inside,outside) source static any any destination static NETWORK_OBJ_172.26.0.0_27 NETWORK_OBJ_172.26.0.0_27

nat (DMZ,outside) source static any any destination static VPN_pool VPN_pool

nat (inside,outside) source static any any destination static INSIDE_pool INSIDE_pool

!

object network obj_any

nat (inside,outside) dynamic interface

object network DMZ_outside

nat (DMZ,outside) dynamic interface

object network Escritorio_Remoto

nat (outside,inside) static PC

object network COD3

nat (inside,outside) static interface service tcp 3074 3074

object network COD4

nat (inside,outside) static interface service udp 3074 3074

object network Terminal

nat (inside,outside) static interface service tcp 3389 3389

!

nat (inside,outside) after-auto source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

access-group global_access global

route outside 0.0.0.0 0.0.0.0 10.0.10.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication secure-http-client

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DMZ_map interface DMZ

crypto ca trustpool policy

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 enable DMZ

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.15-192.168.1.25 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd enable inside

!

dhcpd address 10.0.0.100-10.0.0.115 DMZ

dhcpd dns 8.8.8.8 8.8.4.4 interface DMZ

dhcpd auto_config outside vpnclient-wins-override interface DMZ

dhcpd enable DMZ

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy Tunel_Casa internal

group-policy Tunel_Casa attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-idle-timeout none

vpn-tunnel-protocol ikev1

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Tunel_Casa_splitTunnelAcl

tunnel-group Tunel_Casa type remote-access

tunnel-group Tunel_Casa general-attributes

address-pool Pool_Vpn

default-group-policy Tunel_Casa

tunnel-group Tunel_Casa ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect ipsec-pass-thru

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:72104b62edd35e106376f9181539afa8

: end

Hi Enrique,

Thanks for the rating.

Your "inside <-> VPN" traffic also needs an identity NAT. You may need to add this line as well.

!
nat (inside,outside) source static any any destination static VPN_pool VPN_pool
!

Hello,

I tried what you mentioned, but I still do not have access to the equipment on the inside interface.

Hi,

I would consider changing the whole NAT setup a bit

You could start by removing all the following NAT configurations and replacing them with new ones (provided I have understood the situation correctly)

no nat (DMZ,outside) source dynamic any interface
no nat (outside,outside) source static NETWORK_OBJ_172.26.0.0_27 NETWORK_OBJ_172.26.0.0_27 destination static NETWORK_OBJ_172.26.0.0_27 NETWORK_OBJ_172.26.0.0_27 route-lookup
no nat (inside,outside) source static any any destination static NETWORK_OBJ_172.26.0.0_27 NETWORK_OBJ_172.26.0.0_27
no nat (DMZ,outside) source static any any destination static VPN_pool VPN_pool
no nat (inside,outside) source static any any destination static INSIDE_pool INSIDE_pool

It would also seem to me that the following configuration would be useless after configuring what I'm suggesting, so you could remove these also

object network obj_any
 nat (inside,outside) dynamic interface
object network DMZ_outside
 nat (DMZ,outside) dynamic interface

Leave all other NAT configurations as they are.

The new configurations could be for example

Default PAT for DMZ (First removed rule above)

nat (DMZ,outside) after-auto source dynamic any interface

NAT0 / NAT Exempt style configuration for the VPN Pool for both DMZ and INSIDE networks

  • NAT configurations that should allow traffic from VPN-POOL to both INSIDE and DMZ

object network VPN-POOL
 subnet 172.26.0.0 255.255.255.0
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
object network DMZ
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static INSIDE INSIDE destination static VPN-POOL VPN-POOL
nat (DMZ,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL

Also one thing that caught my eye was that you have this ACL attached globally yet you have interface ACLs

no access-group global_access global
no access-list global_access extended permit ip any4 any4 inactive

As the only rule in the ACL is set to "inactive" I would suggest removing the "access-group" command for it.

Also please remove this line from the Split Tunnel ACL

no access-list Tunel_Casa_splitTunnelAcl standard permit 172.26.0.0 255.255.255.0

At least it seems to me something that should not be there, as the ACL defines the networks that need to be accessed through the VPN connection, and that network range is the VPN-POOL.

Also consider clearing all NAT translations before testing connections (clear xlate)

If you decide to change the configurations as I suggested, please take a backup of the current configuration so you can change back to the old configuration if needed.

- Jouni
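The NAT lookup that both shamax's identity-NAT answer and Jouni's reordered rule set rely on, as an added example that is not code from this thread or from Cisco: a small Python model of the ASA's three NAT sections, loaded once with the rules from the original question and once with Jouni's replacement rules, showing that a DMZ host's packet to a VPN-pool address hits the section-1 dynamic PAT in the original configuration but the identity rule afterwards, while internet-bound traffic still reaches the after-auto PAT. Rules, addresses and interface names come from the posted configs; the section ordering, the bidirectional matching of static rules and the sample flows are this model's own assumptions.

```python
"""ASA NAT lookup order as it applies to this thread (added example; not code from
the thread or from Cisco).  Rules, addresses and interface names come from the
posted configs; the section-1 / section-2 / section-3 evaluation order and the
bidirectional matching of static rules are this model's assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

OUTSIDE_IF_IP = "10.0.10.1"  # outside interface address, what "interface" PAT maps to


@dataclass
class NatRule:
    section: int     # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    real_if: str     # first interface in "nat (real,mapped)"
    mapped_if: str
    src: str         # "any", a CIDR, or an "a-b" range, as in the object definitions
    dst: str
    static: bool     # static (identity) rules match both ways; dynamic PAT only real->mapped
    cmd: str         # the ASA command line this rule models


def _match(spec: str, ip: ipaddress.IPv4Address) -> bool:
    """True if the object spec ("any", CIDR or range) contains ip."""
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec)


def lookup(rules: List[NatRule], ingress_if: str, src: str, dst: str) -> Optional[NatRule]:
    """First rule hit for a packet entering on ingress_if: section 1, then 2, then 3,
    configured order within a section."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for section in (1, 2, 3):
        for r in (x for x in rules if x.section == section):
            forward = r.real_if == ingress_if and _match(r.src, s) and _match(r.dst, d)
            # a static rule is also consulted for traffic entering on its mapped interface
            reverse = r.static and r.mapped_if == ingress_if and _match(r.dst, s) and _match(r.src, d)
            if forward or reverse:
                return r
    return None


def translated_source(rules: List[NatRule], ingress_if: str, src: str, dst: str) -> str:
    """Source address after NAT: dynamic PAT rewrites it to the outside interface IP,
    an identity rule (or no matching rule) leaves it unchanged."""
    r = lookup(rules, ingress_if, src, dst)
    return src if r is None or r.static else OUTSIDE_IF_IP


# NAT rules from the configuration in the original question (inside/DMZ <-> outside only).
ORIGINAL = [
    NatRule(1, "DMZ", "outside", "any", "any", False,
            "nat (DMZ,outside) source dynamic any interface"),
    NatRule(1, "inside", "outside", "any", "172.26.0.0/27", True,
            "nat (inside,outside) source static any any destination static "
            "NETWORK_OBJ_172.26.0.0_27 NETWORK_OBJ_172.26.0.0_27"),
    NatRule(2, "inside", "outside", "0.0.0.0/0", "any", False,
            "object network obj_any / nat (inside,outside) dynamic interface"),
    NatRule(2, "DMZ", "outside", "0.0.0.0/0", "any", False,
            "object network DMZ_outside / nat (DMZ,outside) dynamic interface"),
    NatRule(3, "inside", "outside", "any", "any", False,
            "nat (inside,outside) after-auto source dynamic any interface"),
]

# NAT rules as Jouni's answer lays them out: identity rules first, PAT moved to after-auto.
FIXED = [
    NatRule(1, "inside", "outside", "192.168.1.0/24", "172.26.0.0/24", True,
            "nat (inside,outside) source static INSIDE INSIDE destination static VPN-POOL VPN-POOL"),
    NatRule(1, "DMZ", "outside", "10.0.0.0/24", "172.26.0.0/24", True,
            "nat (DMZ,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL"),
    NatRule(3, "inside", "outside", "any", "any", False,
            "nat (inside,outside) after-auto source dynamic any interface"),
    NatRule(3, "DMZ", "outside", "any", "any", False,
            "nat (DMZ,outside) after-auto source dynamic any interface"),
]

if __name__ == "__main__":
    # constructed sample flows: a DMZ DHCP-range host talking to a VPN client and to the internet
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for dst in ("172.26.0.10", "8.8.8.8"):
            hit = lookup(rules, "DMZ", "10.0.0.100", dst)
            print(f"{name:8} DMZ 10.0.0.100 -> {dst:11}  source becomes "
                  f"{translated_source(rules, 'DMZ', '10.0.0.100', dst):10}  via: "
                  f"{hit.cmd if hit else 'no rule (untranslated)'}")
```

Running the script prints which rule each flow lands on; the same lookup run for a packet entering on outside from the VPN pool shows the identity rule matched in reverse, which is why the dynamic PAT is never consulted for that traffic once the exempt rule is in place.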

Hi !

I believe that with these changes, everything works perfectly now. I have obviously had a big problem with the NAT configuration.

Thank you for everything

Hello, I'm having trouble, now when I make a VPN connection, I only see the machines in the DMZ, but I can see the machines that are connected to the inside interface.

Can you help me again please?

ASA Version 9.1(1)

!

hostname CASA

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

names

ip local pool Pool_Vpn 172.26.0.10-172.26.0.19 mask 255.255.255.0

!            

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

switchport access vlan 5

!

interface Ethernet0/7

switchport access vlan 5

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!            

interface Vlan2

nameif outside

security-level 0

ip address 10.0.10.1 255.255.255.0

!

interface Vlan5

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 10.0.0.200 255.255.255.0

!

boot system disk0:/asa911-k8.bin

ftp mode passive

object network Router

host 10.0.10.2

description Router Ya.com

object network DMZ_Internet

subnet 10.0.0.0 255.255.255.0

object network NETWORK_OBJ_172.26.0.0_27

subnet 172.26.0.0 255.255.255.224

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network PC

host 192.168.1.2

object network Fuera

subnet 172.26.0.0 255.255.255.0

object network COD3

host 192.168.1.2

object network COD4

host 192.168.1.2

object network EmuleTcp

object network EmuleUdp

object network terminal

object network Terminal

host 10.0.0.50

object network VPN_pool

range 172.26.0.10 172.26.0.19

object network INSIDE_pool

range 192.168.1.2 192.168.1.254

object network VPN-POOL

subnet 172.26.0.0 255.255.255.0

object network INSIDE

subnet 192.168.1.0 255.255.255.0

object network DMZ

subnet 10.0.0.0 255.255.255.0

object network Emule_TCP

host 192.168.1.2

object network Emule_UDP

host 192.168.1.2

object network ENRO

host 10.0.0.50

object network VNC

host 10.0.0.50

object network FTP

host 10.0.0.50

object network FTP_20

host 10.0.0.50

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq 5544

service-object udp destination eq 5554

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

access-list outside_access_in extended permit tcp any any eq ftp-data

access-list outside_access_in extended permit tcp any any eq ftp

access-list outside_access_in extended permit tcp any any eq 5900

access-list outside_access_in extended permit ip any any inactive

access-list outside_access_in extended deny ip any any

access-list inside_access_in extended permit ip any4 any4

access-list DMZ_access_in extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0

access-list DMZ_access_in extended permit ip any4 any4

access-list Tunel_Casa_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list Tunel_Casa_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

logging class vpn trap informational asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any DMZ

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static any any destination static VPN_pool VPN_pool

nat (inside,outside) source static INSIDE INSIDE destination static VPN-POOL VPN-POOL

nat (DMZ,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL

!

object network Terminal

nat (inside,outside) static interface service tcp 3389 33899

object network Emule_TCP

nat (inside,outside) static interface service tcp 5544 5544

object network Emule_UDP

nat (inside,outside) static interface service udp 5554 5554

object network ENRO

nat (DMZ,outside) static interface service tcp 3389 3389

object network VNC

nat (DMZ,outside) static interface service tcp 5900 5900

object network FTP

nat (DMZ,outside) static interface service tcp ftp ftp

object network FTP_20

nat (DMZ,outside) static interface service tcp ftp-data ftp-data

!

nat (inside,outside) after-auto source dynamic any interface

nat (DMZ,outside) after-auto source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

route outside 0.0.0.0 0.0.0.0 10.0.10.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication secure-http-client

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DMZ_map interface DMZ

crypto ca trustpool policy

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 enable DMZ

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.15-192.168.1.25 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd enable inside

!

dhcpd address 10.0.0.100-10.0.0.115 DMZ

dhcpd dns 8.8.8.8 8.8.4.4 interface DMZ

dhcpd auto_config outside vpnclient-wins-override interface DMZ

dhcpd enable DMZ

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy Tunel_Casa internal

group-policy Tunel_Casa attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-idle-timeout none

vpn-tunnel-protocol ikev1

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Tunel_Casa_splitTunnelAcl

username telcon password xxxxxx encrypted privilege 0

username telcon attributes

service-type remote-access

username goloso password xxxxxxxx encrypted privilege 15

username enrique password xxxxxxxxxxxx encrypted privilege 0

username enrique attributes

password-storage enable

service-type remote-access

tunnel-group Tunel_Casa type remote-access

tunnel-group Tunel_Casa general-attributes

address-pool Pool_Vpn

default-group-policy Tunel_Casa

tunnel-group Tunel_Casa ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect ipsec-pass-thru

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:9e92d2149401cfb9e172b9737dc02b64

: end

Hi,

Did you mean to say that you can access the DMZ network from the VPN Client but NOT the INSIDE network?

It seems that for the most part your configurations have stayed the same compared to the situation when you made the changes that corrected the situation.

Relating to the NAT configuration, it seems you have added this configuration line:

nat (inside,outside) source static any any destination static VPN_pool VPN_pool

To my understanding it's not needed, as we previously configured NAT rules for the LAN-to-VPN and DMZ-to-VPN traffic already with the following configurations:

nat (inside,outside) source static INSIDE INSIDE destination static VPN-POOL VPN-POOL

nat (DMZ,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL

You could perhaps try to remove the configuration:

nat (inside,outside) source static any any destination static VPN_pool VPN_pool

Or did I misunderstand the problem somehow?

- Jouni
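As an added example (my own code, not from the thread or from Cisco), the check below reads the object definitions and manual NAT lines from the configuration above and reports each later section-1 rule that an earlier rule on the same interface pair already matches; this is how the extra `any any` line Jouni points out overlaps the `INSIDE`-to-`VPN-POOL` exemption. Modelling `any` as 0.0.0.0/0 and expanding a `range` into CIDR blocks are my assumptions about ASA matching, not an ASA feature.

```python
import ipaddress
import re

# Constructed excerpt of the objects and manual NAT lines from the config posted above.
ASA_CONFIG = """
object network VPN_pool
 range 172.26.0.10 172.26.0.19
object network VPN-POOL
 subnet 172.26.0.0 255.255.255.0
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
object network DMZ
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static any any destination static VPN_pool VPN_pool
nat (inside,outside) source static INSIDE INSIDE destination static VPN-POOL VPN-POOL
nat (DMZ,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL
"""
NAT_RE = re.compile(r"nat \((\w+,\w+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse_objects(cfg):
    """Map each 'object network' name to a list of ipaddress networks ('any' = 0.0.0.0/0, assumed)."""
    objs, cur = {"any": [ipaddress.ip_network("0.0.0.0/0")]}, None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[:2] == ["object", "network"]:
            cur = w[2]
            objs[cur] = []
        elif cur and w[0] in ("subnet", "host"):   # host -> /32, subnet -> net/mask
            objs[cur].append(ipaddress.ip_network("/".join(w[1:3])))
        elif cur and w[0] == "range":              # range -> minimal set of CIDR blocks
            objs[cur].extend(ipaddress.summarize_address_range(*map(ipaddress.ip_address, w[1:3])))
    return objs

def covered(nets, by):
    # True when every network in nets lies inside some network in by
    return all(any(n.subnet_of(b) for b in by) for n in nets)

def overlaps(nets, others):
    return any(n.overlaps(o) for n in nets for o in others)

def find_shadowed(cfg):
    """Yield (kind, earlier_is_identity_nat, later_line, earlier_line) for later manual NAT
    rules already matched by an earlier rule on the same interface pair (first match wins)."""
    objs = parse_objects(cfg)
    rules = [m.groups() + (m.group(0),) for m in map(NAT_RE.match, map(str.strip, cfg.splitlines())) if m]
    for i, (ifs, rs, ms, rd, md, text) in enumerate(rules):
        for eifs, ers, ems, erd, emd, etext in rules[:i]:
            if eifs != ifs or not (overlaps(objs[rs], objs[ers]) and overlaps(objs[rd], objs[erd])):
                continue
            full = covered(objs[rs], objs[ers]) and covered(objs[rd], objs[erd])
            yield ("fully shadowed" if full else "partially overlapped", ers == ems and erd == emd, text, etext)
```

Both rules here are identity NAT, so the overlap is only redundant; the same check flags the harmful case, a translating manual rule placed above a VPN exemption, which rewrites VPN-bound traffic before the exemption is reached.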

Jouni, thank you very much for everything; you understood what I needed, and now everything seems to work perfectly.

Regards
