VPN Client cannot access DMZ on ASA 5520

hoduong
Level 1

We've set up the VPN client with the DMZ on the same 5520, and the VPN client (we use AnyConnect) cannot access resources on the DMZ.  They can access the local LAN fine.  I've tried different ways but still no go.  Please help.  Thank you.

Here's my partial configuration:

1.x.x.x is my local LAN
2.x.x.x is my DMZ
3.x.x.x is my VPN pool

access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit udp any host xx.xx.xx.34 eq isakmp
access-list 101 extended permit esp any host xx.xx.xx.34
access-list 101 extended permit udp host 207.xx.xx.196 host xx.xx.xx.34 eq isakmp
access-list 101 extended permit udp host 207.xx.xx.196 host xx.xx.xx.34 eq 4500
access-list 101 extended permit udp host 129.xx.xx.16 host xx.xx.xx.34 eq 4500
access-list 101 extended permit udp host 129.xx.xx.16 host xx.xx.xx.34 eq isakmp
access-list 101 extended permit tcp any host xx.xx.xx.35 eq smtp
access-list 101 extended permit tcp any host xx.xx.xx.35 eq www
access-list 101 extended permit tcp any host xx.xx.xx.35 eq ftp
access-list 101 extended permit tcp any host xx.xx.xx.35 eq pop3
access-list 101 extended permit tcp any host xx.xx.xx.36 eq www
access-list 101 extended permit tcp any host xx.xx.xx.36 eq https
access-list 101 extended permit tcp any host xx.xx.xx.37 eq www
access-list 101 extended permit tcp any host xx.xx.xx.37 eq https
access-list 101 extended permit tcp any host xx.xx.xx.37 eq 8081
access-list 101 extended permit tcp any any range ftp-data ftp
access-list 101 extended permit tcp any host xx.xx.xx.35 eq 42356
access-list 101 extended permit tcp any host xx.xx.xx.35 eq ssh
access-list 101 extended permit tcp any host xx.xx.xx.36 eq ssh
access-list 101 extended permit tcp any host 2.2.2.4 eq ssh
access-list 101 extended permit tcp any host 2.2.2.5 eq ssh 
access-list 101 extended deny ip any any

access-list inside_nat0_outbound extended permit ip 1.0.0.0 255.0.0.0 3.3.3.0 255.255.255.0
access-list DMZ_nat0_in extended permit ip 2.0.0.0 255.0.0.0 3.3.3.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_in

access-group 101 in interface outside
access-group DMZ_access_in in interface DMZ

4 Replies

Panos Kampanakis
Cisco Employee

The issue is probably with NAT.

Are you trying to reach the DMZ hosts using their local IP addresses? Check your no-NAT ACLs:

access-list inside_nat0_outbound extended permit ip 1.0.0.0 255.0.0.0 3.3.3.0 255.255.255.0
access-list DMZ_nat0_in extended permit ip 2.0.0.0 255.0.0.0 3.3.3.0 255.255.255.0

And make sure that 2.0.0.0 really belongs to your local DMZ IP addresses.

I hope it helps.

PK

I've double-checked the config and made sure they are in the no-NAT ACL.  We've tried this already and still no luck.  When I tried to ping the DMZ, I looked in the logging and saw the traffic, but for the return traffic it said "routing fail to locate next hop for icmp from dmz to inside".

Yes, I would like to use the local IP of the VPN client to access the DMZ (2.x.x.x).

Do you have any other suggestions?  I'll be glad to try them.  Thank you.

OK so the issue is that routing is pointing to the inside even though you are pinging from outside using the VPN.

Can you enable ICMP inspection and try again?

PK

I turned it on and it's still a no go.  Is there something wrong with my routing?

Here is my routing list from the config.

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.33 1
route inside 1.1.10.0 255.255.255.0 1.1.1.3 1
route inside 1.6.1.0 255.255.255.0 1.1.1.3 1
route inside 1.6.2.0 255.255.255.0 1.1.1.3 1
route inside 1.8.1.0 255.255.255.0 1.1.1.3 1
route inside 1.8.2.0 255.255.255.0 1.1.1.3 1
route inside 1.9.0.0 255.255.0.0 1.1.1.235 1
route inside 1.12.0.0 255.255.0.0 1.1.1.235 1
route inside 1.14.0.0 255.255.0.0 1.1.1.235 1
route inside 1.16.1.0 255.255.255.0 1.1.1.235 1
route inside 1.16.2.0 255.255.255.0 1.1.1.235 1
route inside 1.16.3.0 255.255.255.0 1.1.1.235 1
route inside 1.16.4.0 255.255.255.0 1.1.1.235 1
route inside 1.16.5.0 255.255.255.0 1.1.1.235 1
route inside 1.206.0.0 255.255.0.0 1.1.1.3 1
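The two things PK is asking hoduong to verify for the DMZ-to-VPN return path can be checked mechanically: the DMZ interface needs a nat 0 exemption whose entry covers the DMZ source and the VPN-pool destination, and the ASA's longest-prefix-match route for the VPN client address must point out the interface the tunnel terminates on, otherwise the reply goes the wrong way and you get the "failed to locate next hop" log. The checker below is an added example, not code from the thread: it parses constructed config lines modelled on the ones posted (the 198.51.100.33 next hop is a placeholder, and `check_return_path` is my own helper).

```python
import ipaddress

# Constructed config fragment modelled on the thread; the next hop is a placeholder.
CONFIG = """
access-list inside_nat0_outbound extended permit ip 1.0.0.0 255.0.0.0 3.3.3.0 255.255.255.0
access-list DMZ_nat0_in extended permit ip 2.0.0.0 255.0.0.0 3.3.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (DMZ) 0 access-list DMZ_nat0_in
route outside 0.0.0.0 0.0.0.0 198.51.100.33 1
route inside 1.9.0.0 255.255.0.0 1.1.1.235 1
"""

def parse(config):
    """Collect 'permit ip NET MASK NET MASK' ACL entries, nat 0 bindings and static routes."""
    acls, nat0, routes = {}, {}, []
    for line in config.splitlines():
        f = line.split()
        if (len(f) >= 9 and f[0] == "access-list" and f[2:5] == ["extended", "permit", "ip"]
                and f[5] not in ("any", "host") and f[7] not in ("any", "host")):
            src = ipaddress.ip_network(f"{f[5]}/{f[6]}")
            dst = ipaddress.ip_network(f"{f[7]}/{f[8]}")
            acls.setdefault(f[1], []).append((src, dst))
        elif len(f) >= 5 and f[0] == "nat" and f[2] == "0" and f[3] == "access-list":
            nat0[f[1].strip("()")] = f[4]            # interface -> exemption ACL name
        elif len(f) >= 4 and f[0] == "route":
            routes.append((f[1], ipaddress.ip_network(f"{f[2]}/{f[3]}")))
    return acls, nat0, routes

def egress_interface(routes, ip):
    """Longest-prefix match over the static routes, as the ASA routing table does."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in routes if ip in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen)[0] if hits else None

def check_return_path(config, dmz_host, vpn_client, dmz_if="DMZ", vpn_if="outside"):
    """Return a list of problems with DMZ -> VPN-client return traffic (empty means it looks fine)."""
    acls, nat0, routes = parse(config)
    d, v = ipaddress.ip_address(dmz_host), ipaddress.ip_address(vpn_client)
    problems = []
    # 1. The DMZ interface needs a nat 0 entry covering DMZ source and VPN-pool destination.
    acl = nat0.get(dmz_if)
    if not any(d in src and v in dst for src, dst in acls.get(acl, [])):
        problems.append(f"no nat 0 exemption on {dmz_if} for {d} -> {v}")
    # 2. The reply must be routed back out the interface the VPN terminates on.
    out = egress_interface(routes, v)
    if out != vpn_if:
        problems.append(f"return traffic to {v} is routed via {out}, not {vpn_if}")
    return problems
```

Run `check_return_path(CONFIG, "2.2.2.4", "3.3.3.10")` against your own `show run` output; an extra `route inside 3.3.3.0 ...` line, or a pool outside the nat 0 ACL's destination, is reported as a problem.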
