
Access DMZ from VPN

Brendan Wood
Level 1

Hello,

I'm using ASA version 9.1, and ASDM version 7.1.

When connecting to my VPN using the AnyConnect VPN client, I can access computers in my LAN without any issue.

I cannot access anything on the DMZ.

My LAN is 172.20.20.x

My DMZ is 172.21.20.x

and my VPN is 10.20.20.x

If you want me to extract snippets of my config, just let me know.

I'm very much an amateur with this unit, so I'm not sure how to formulate the command, but I am thinking I just need an access list?

Thanks!


7 Replies

Jouni Forss
VIP Alumni

Hi,

There are a couple of basic things worth checking.

First one would be to determine if you are using a Full Tunnel or Split Tunnel VPN Client connection. Full Tunnel naturally means that all traffic is forwarded to the VPN connection while it's active. Split Tunnel defines the networks to which traffic is tunneled through the VPN connection.

This can be checked either through the configuration or, when the VPN connection is up, by navigating in the client software to the section that shows Route Details - Secured Routes. If the output is something along the lines of "0.0.0.0 0.0.0.0" then it's Full Tunnel. If there are separate networks listed then it's Split Tunnel.

In Split Tunnel VPN you would have to add the DMZ network into the Split Tunnel ACL.

In addition to the above you might be missing NAT configuration for the DMZ network to VPN Pool traffic.

Would have to really see the configurations to say anything specific but I would imagine that the above things are the most common problems.

- Jouni
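The three checks in the reply above (tunnel mode, split-tunnel ACL contents, NAT for DMZ-to-pool traffic), as a set of ASA CLI commands added here for reference; they are not from the original thread. The group-policy, ACL and host names are taken from the configuration posted later in this thread; the VPN client address 10.20.20.5 and the source port 50000 used in the trace are assumed values.

```cisco
! Which tunnel mode is the group policy handing out?
! split-tunnel-policy tunnelall = full tunnel,
! split-tunnel-policy tunnelspecified = split tunnel using the named ACL
show running-config group-policy GroupPolicy_PrimaryAnyConnectVPN

! With split tunnelling, the DMZ prefix must be in the split-tunnel ACL or the
! client never routes it into the tunnel at all
show running-config access-list Split_Tunnel_list

! Every NAT rule the ASA evaluates, in order: section 1 (twice NAT), then
! section 2 (object NAT), then section 3. Look for an identity rule that
! pairs the VPN pool with each interface network listed in the split-tunnel ACL
show nat

! On 9.1 packet-tracer cannot simulate the decrypted VPN packet arriving on
! outside, so trace the reverse direction from the DMZ side instead. If the
! object rule "nat (dmz,outside) dynamic interface" is the NAT phase that
! matches here, DMZ replies to the pool are being PATted to the outside
! address, i.e. the NAT exemption for dmz <-> pool is missing
! (client address and ports are assumed values)
packet-tracer input dmz tcp 172.21.20.2 3389 10.20.20.5 50000 detailed

! While a client retries the connection, look for NAT reverse-path failures
! (syslog 305013, "Asymmetric NAT rules matched for forward and reverse flows")
show logging | include 305013
```

If the split-tunnel ACL already lists both networks, as it does in this thread, the remaining suspect is the NAT ordering: a dynamic PAT object rule on the dmz interface wins for the reply flow unless a section 1 identity rule matches first.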

No, I checked my split tunnel settings, and I have both networks listed in there.  I will post my configuration below.

plotniku7
Level 1

Hi Brendan,

Please provide me the configuration of the firewall (sh run). Remove any of the passwords or sensitive information.

thanks

: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
domain-name xxxxxxxxx.LOCAL
enable password xxxxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
ip local pool AnyConnectVPNPool 10.20.20.1-10.20.20.30 mask 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.20.1 255.255.254.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group Acanac
 ip address pppoe setroute
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.21.20.1 255.255.255.0
!
banner login Welcome to Brendan's ASA5505 firewall.
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxxxxxxx.LOCAL
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network SRV-DMZ-LNX01
 host 172.21.20.3
 description DMZ Linux Host 1
object network SRV-DMZ-WIN01
 host 172.21.20.2
 description DMZ Windows Host 1
object network TEST
 host 172.21.20.2
object service rdp
 service tcp source range 1 65535 destination eq 3389
 description Windows Remote Desktop
object service mssql
 service tcp source range 1 65535 destination eq 1433
 description MS SQL Server 2xxx
object network SRV-WIN
 host 172.21.20.2
 description Static NAT entry to my Windows web server.
object network SRV-LNX
 host 172.21.20.3
 description Static NAT entry to my Linux web server.
object network external-170
 host x.x.x.x
object network external-171
 host x.x.x.x
object network SRV-LAN-WIN01
 host 172.20.20.60
object network TEST2
 host 172.21.20.3
object network Stuff
 host 172.20.20.60
object network external-175
 host x.x.x.x
object network SRV-LAN-WIN02
 host 172.20.20.61
object service kerboros_authentication
 service udp destination eq 88
 description Kerboros authentication
object service domain_file_replication_tcp
 service tcp destination eq netbios-ssn
object service domain_file_replication_udp
 service udp destination eq netbios-dgm
object service global_cat
 service tcp destination range 3268 3269
object service ldap
 service udp destination eq 389
object network external-169
 host x.x.x.x
object network external-172
 host x.x.x.x
object network Wan_to_SSH
 host 172.21.20.3
object network NETWORK_OBJ_10.20.20.0_27
 subnet 10.20.20.0 255.255.255.224
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network SRV-DMZ-GROUP
 network-object object SRV-DMZ-LNX01
 network-object object SRV-DMZ-WIN01
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq www
 service-object tcp-udp destination eq domain
 service-object tcp destination eq https
 service-object tcp destination eq ssh
object-group network DM_INLINE_NETWORK_1
 network-object host 66.49.220.95
 network-object host 67.55.0.11
 network-object host 8.8.8.8
object-group service domain-operations tcp-udp
 description UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
 port-object eq 135
object-group service file_replication_svc tcp-udp
 port-object eq 445
object-group service kerboros_pwd_change tcp-udp
 port-object eq 464
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list dmz_access_in remark Allow servers in DMZ to talk to http outside.
access-list dmz_access_in extended permit tcp object-group SRV-DMZ-GROUP any4 object-group DM_INLINE_TCP_1
access-list dmz_access_in extended permit object-group TCPUDP object-group SRV-DMZ-GROUP object-group DM_INLINE_NETWORK_1 eq domain
access-list dmz_access_in extended permit icmp object-group SRV-DMZ-GROUP any4
access-list dmz_access_in remark Deny all traffic to the inside which wasn't implicitly allowed.
access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0
access-list OutsidetoDMZ extended permit object-group DM_INLINE_SERVICE_1 any4 object-group SRV-DMZ-GROUP
access-list Split_Tunnel_list standard permit 172.20.20.0 255.255.254.0
access-list Split_Tunnel_list standard permit 172.21.20.0 255.255.255.0
pager lines 50
logging enable
logging buffered debugging
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.20.20.0_27 NETWORK_OBJ_10.20.20.0_27 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network TEST
 nat (dmz,outside) dynamic interface
object network SRV-WIN
 nat (dmz,outside) static external-170 service tcp www www
object network SRV-LNX
 nat (dmz,outside) static external-171 service tcp www www
object network TEST2
 nat (dmz,outside) dynamic interface
object network Wan_to_SSH
 nat (dmz,outside) static external-172 service tcp ssh ssh
access-group OutsidetoDMZ in interface outside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.20.20.0 255.255.254.0 inside
http 10.20.20.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 172.20.20.0 255.255.254.0 inside
ssh 10.20.20.0 255.255.255.224 inside
ssh timeout 5
console timeout 0
management-access inside
vpdn group Acanac request dialout pppoe
vpdn group Acanac localname xxxxxxxxx@xxxxxxxxxx
vpdn group Acanac ppp authentication pap
vpdn username xxxxxxxxx@xxxxxxxxxx password ***** store-local
dhcpd auto_config outside
!
dhcpd address 172.20.21.1-172.20.21.128 inside
dhcpd dns 67.55.0.11 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-2.5.3055-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_PrimaryAnyConnectVPN internal
group-policy GroupPolicy_PrimaryAnyConnectVPN attributes
 banner value You are now connected via VPN, all activities will be logged.
 wins-server none
 dns-server value 67.55.0.11 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_list
 default-domain value xxxxxx.LOCAL
username bwood password xxxxxxxxxxxxx encrypted
tunnel-group PrimaryAnyConnectVPN type remote-access
tunnel-group PrimaryAnyConnectVPN general-attributes
 address-pool AnyConnectVPNPool
 default-group-policy GroupPolicy_PrimaryAnyConnectVPN
tunnel-group PrimaryAnyConnectVPN webvpn-attributes
 group-alias PrimaryAnyConnectVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxx
: end


Hi,

You need to add this

object network VPN-POOL
 subnet 10.20.20.0 255.255.255.224
object network DMZ
 subnet 172.21.20.0 255.255.255.0
nat (dmz,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL

As you can see, your current NAT rule for the VPN (the topmost one) only handles "inside" <-> "outside" traffic. You need the rule above, which handles the NAT for "dmz" <-> "outside".

Hope this helps

- Jouni
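The accepted fix written out with the matching options of the existing inside rule, a verification step, and one hardening step. This is an added example, not part of the accepted answer. Object, interface, host and group-policy names are the ones in the posted configuration; the VPN client address 10.20.20.5, the source port 50000, and the ACL name VPN-TO-DMZ are assumptions.

```cisco
! Objects for the VPN pool and the DMZ network. The pool mask matches
! "ip local pool AnyConnectVPNPool ... mask 255.255.255.224"
object network VPN-POOL
 subnet 10.20.20.0 255.255.255.224
object network DMZ
 subnet 172.21.20.0 255.255.255.0

! Identity (twice) NAT lands in section 1, so it is evaluated before the
! "nat (dmz,outside) dynamic interface" object rules that otherwise PAT a DMZ
! host when it answers a VPN client. Forward and reverse flows now match the
! same rule, which is what the NAT reverse-path check requires.
! no-proxy-arp and route-lookup mirror the existing inside rule: no-proxy-arp
! keeps the ASA from answering ARP for the pool on the dmz segment, and
! route-lookup picks the egress interface from the routing table rather than
! from the rule's interface pair.
nat (dmz,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Verify: the new rule is listed in section 1 of "show nat", and the DMZ-side
! trace now hits it instead of the dynamic PAT rule (assumed client address/port)
show nat
packet-tracer input dmz tcp 172.21.20.2 3389 10.20.20.5 50000

! Hardening (optional, not part of the accepted answer): decrypted VPN traffic
! bypasses the interface ACLs because "sysopt connection permit-vpn" is on by
! default, so after the NAT fix every VPN user can reach every DMZ port.
! A vpn-filter ACL restores least privilege. Write the VPN client side as the
! source. The ACL has an implicit deny, so LAN access has to be permitted
! here as well or it stops working; hence the last entry.
access-list VPN-TO-DMZ extended permit tcp object VPN-POOL object SRV-DMZ-WIN01 eq 3389
access-list VPN-TO-DMZ extended permit tcp object VPN-POOL object SRV-DMZ-LNX01 eq ssh
access-list VPN-TO-DMZ extended permit ip object VPN-POOL 172.20.20.0 255.255.254.0
group-policy GroupPolicy_PrimaryAnyConnectVPN attributes
 vpn-filter value VPN-TO-DMZ
```

No change to dmz_access_in is needed for this: replies from a DMZ host belong to the connection the VPN client opened and are allowed statefully. That ACL only comes into play if a DMZ host has to open connections towards the VPN pool itself, which its current permits do not cover.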

Your suggestion worked.  Thank you.

Perfect solution

 
