06-08-2013 12:12 PM - edited 03-11-2019 06:54 PM
Hello,
I'm using ASA version 9.1, and ASDM version 7.1.
When connecting from my VPN using AnyConnect VPN client, I can access computers in my LAN without any issue.
I cannot access anything on the DMZ.
My lan is 172.20.20.x
My DMZ is 172.21.20.x
and my VPN is 10.20.20.x
If you want to me to extract snippets of my config just let me know.
I'm very amateur with this unit so I'm not sure how to formulate the command, but I am thinking I just need an acces list?
Thanks!
Solved! Go to Solution.
06-08-2013 01:18 PM
Hi,
You need to add this
object network VPN-POOL
subnet 10.20.20.0 255.255.255.224
object network DMZ
subnet 172.21.20.0 255.255.255.0
nat (dmz,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL
As you can see your current NAT rule for the VPN (the top most) only handles "inside" <-> "outside" traffic. You need the above that handles the NAT for "dmz" <-> "outside"
Hope this helps
- Jouni
06-08-2013 12:22 PM
Hi,
There are a couple of basic things worth checking.
First one would be to determine if you are using a Full Tunnel or Split Tunnel VPN Client connection. Full Tunnel naturally means that all traffic is forwarded to the VPN connection while its active. Split Tunnel defines the network to which traffic is tunneled through the VPN connection.
This can be checked either through the configuration or when the VPN connection is up you have to navigate on the client software to the section which shows Route Details - Secured Routes. If the output is something along the lines of "0.0.0.0 0.0.0.0" then its Full Tunnel. If there is separate networks listed then its Split Tunnel.
In Split Tunnel VPN you would have to add the DMZ network into the Split Tunnel ACL.
In addition to the above you might be missing NAT configuration for the DMZ network to VPN Pool traffic.
Would have to really see the configurations to say anything specific but I would imagine that the above things are the most common problems.
- Jouni
06-08-2013 12:49 PM
No, I checked my split tunnel settings, and I have both networks listed in there. I will post my configuration below.
06-08-2013 12:24 PM
Hi Brendan,
please provide me the configuration of the firewall (sh run). remove any of the passwords or sensitive information
thanks
06-08-2013 01:01 PM
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
domain-name xxxxxxxxx.LOCAL
enable password xxxxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
ip local pool AnyConnectVPNPool 10.20.20.1-10.20.20.30 mask 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.20.1 255.255.254.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Acanac
ip address pppoe setroute
!
interface Vlan3
nameif dmz
security-level 50
ip address 172.21.20.1 255.255.255.0
!
banner login Welcome to Brendan's ASA5505 firewall.
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxxxxxxx.LOCAL
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SRV-DMZ-LNX01
host 172.21.20.3
description DMZ Linux Host 1
object network SRV-DMZ-WIN01
host 172.21.20.2
description DMZ Windows Host 1
object network TEST
host 172.21.20.2
object service rdp
service tcp source range 1 65535 destination eq 3389
description Windows Remote Desktop
object service mssql
service tcp source range 1 65535 destination eq 1433
description MS SQL Server 2xxx
object network SRV-WIN
host 172.21.20.2
description Static NAT entry to my Windows web server.
object network SRV-LNX
host 172.21.20.3
description Static NAT entry to my Linux web server.
object network external-170
host x.x.x.x
object network external-171
host x.x.x.x
object network SRV-LAN-WIN01
host 172.20.20.60
object network TEST2
host 172.21.20.3
object network Stuff
host 172.20.20.60
object network external-175
host x.x.x.x
object network SRV-LAN-WIN02
host 172.20.20.61
object service kerboros_authentication
service udp destination eq 88
description Kerboros authentication
object service domain_file_replication_tcp
service tcp destination eq netbios-ssn
object service domain_file_replication_udp
service udp destination eq netbios-dgm
object service global_cat
service tcp destination range 3268 3269
object service ldap
service udp destination eq 389
object network external-169
host x.x.x.x
object network external-172
host x.x.x.x
object network Wan_to_SSH
host 172.21.20.3
object network NETWORK_OBJ_10.20.20.0_27
subnet 10.20.20.0 255.255.255.224
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network SRV-DMZ-GROUP
network-object object SRV-DMZ-LNX01
network-object object SRV-DMZ-WIN01
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq www
service-object tcp-udp destination eq domain
service-object tcp destination eq https
service-object tcp destination eq ssh
object-group network DM_INLINE_NETWORK_1
network-object host 66.49.220.95
network-object host 67.55.0.11
network-object host 8.8.8.8
object-group service domain-operations tcp-udp
description UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
port-object eq 135
object-group service file_replication_svc tcp-udp
port-object eq 445
object-group service kerboros_pwd_change tcp-udp
port-object eq 464
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list dmz_access_in remark Allow servers in DMZ to talk to http outside.
access-list dmz_access_in extended permit tcp object-group SRV-DMZ-GROUP any4 object-group DM_INLINE_TCP_1
access-list dmz_access_in extended permit object-group TCPUDP object-group SRV-DMZ-GROUP object-group DM_INLINE_NETWORK_1 eq domain
access-list dmz_access_in extended permit icmp object-group SRV-DMZ-GROUP any4
access-list dmz_access_in remark Deny all traffic to the inside which wasn't implicitcy allowed.
access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0
access-list OutsidetoDMZ extended permit object-group DM_INLINE_SERVICE_1 any4 object-group SRV-DMZ-GROUP
access-list Split_Tunnel_list standard permit 172.20.20.0 255.255.254.0
access-list Split_Tunnel_list standard permit 172.21.20.0 255.255.255.0
pager lines 50
logging enable
logging buffered debugging
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.20.20.0_27 NETWORK_OBJ_10.20.20.0_27 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network TEST
nat (dmz,outside) dynamic interface
object network SRV-WIN
nat (dmz,outside) static external-170 service tcp www www
object network SRV-LNX
nat (dmz,outside) static external-171 service tcp www www
object network TEST2
nat (dmz,outside) dynamic interface
object network Wan_to_SSH
nat (dmz,outside) static external-172 service tcp ssh ssh
access-group OutsidetoDMZ in interface outside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.20.20.0 255.255.254.0 inside
http 10.20.20.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 172.20.20.0 255.255.254.0 inside
ssh 10.20.20.0 255.255.255.224 inside
ssh timeout 5
console timeout 0
management-access inside
vpdn group Acanac request dialout pppoe
vpdn group Acanac localname xxxxxxxxx@xxxxxxxxxx
vpdn group Acanac ppp authentication pap
vpdn username xxxxxxxxx@xxxxxxxxxx password ***** store-local
dhcpd auto_config outside
!
dhcpd address 172.20.21.1-172.20.21.128 inside
dhcpd dns 67.55.0.11 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.3055-k9.pkg 2
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_PrimaryAnyConnectVPN internal
group-policy GroupPolicy_PrimaryAnyConnectVPN attributes
banner value You are now connected via VPN, all activities will be logged.
wins-server none
dns-server value 67.55.0.11 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_list
default-domain value xxxxxx.LOCAL
username bwood password xxxxxxxxxxxxx encrypted
tunnel-group PrimaryAnyConnectVPN type remote-access
tunnel-group PrimaryAnyConnectVPN general-attributes
address-pool AnyConnectVPNPool
default-group-policy GroupPolicy_PrimaryAnyConnectVPN
tunnel-group PrimaryAnyConnectVPN webvpn-attributes
group-alias PrimaryAnyConnectVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxx
: end
asdm image disk0:/asdm-711.bin
no asdm history enable
06-08-2013 01:18 PM
Hi,
You need to add this
object network VPN-POOL
subnet 10.20.20.0 255.255.255.224
object network DMZ
subnet 172.21.20.0 255.255.255.0
nat (dmz,outside) source static DMZ DMZ destination static VPN-POOL VPN-POOL
As you can see your current NAT rule for the VPN (the top most) only handles "inside" <-> "outside" traffic. You need the above that handles the NAT for "dmz" <-> "outside"
Hope this helps
- Jouni
06-08-2013 04:28 PM
Your suggestion worked. Thank you.
11-02-2022 04:02 AM
Perfect solution
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide