10-11-2010 04:20 AM - edited 03-11-2019 11:52 AM
Hi
I have an ASA 5510 that has a couple of site-to-site VPN connections. They work
fine; the only problem is that they cannot reach the webserver in the DMZ.
VPN subnets 192.0.2.0 255.255.255.0, 192.0.4.0 255.255.255.0, 192.0.6.0 255.255.255.0
DMZ 172.16.0.0 255.255.255.0
Webserver DMZ 172.16.0.5 255.255.255.0
The users in the inside network and from the internet have no problems connecting.
I have attached the running config.
Thank you
10-11-2010 05:14 AM
Bert,
Can you also attach "show crypto ipsec sa" when the tunnels are connected and you are initiating traffic to the webserver?
NAT and permissions look OK, of course; I would like to see if the IPsec SAs come up when you initiate traffic.
When you do the test, can you also do "show logg | i 172.16.0.5"?
Maybe we should also look at the other sites' configs.
Marcin
10-11-2010 07:08 AM
Hi Bert,
I checked the config and here is my observation: On the dmz interface you have the following access-list applied:
access-list dmz_access_in extended permit tcp any host 172.16.0.5 eq www
access-group dmz_access_in in interface dmz
i.e., in the inbound direction of the dmz interface, you are allowing any packet destined to host 172.16.0.5, but with this you are not allowing reply packets from the webserver (172.16.0.5) itself to outside machines.
I think the access-list on the dmz should look like this (wherein we are allowing the webserver to reply to any request packets):
access-list dmz_access_in extended permit tcp host 172.16.0.5 eq www any
access-group dmz_access_in in interface dmz
I am surprised that the inside users are able to connect to this webserver in the dmz as you have said, since with the existing access-list it would not allow this.
Let me know if this helps,
Cheers,
Rudresh V
10-11-2010 07:22 AM
Rudresh,
Traffic subject to VPN bypasses ACLs unless you turn off the sysopt explicitly. ...
dmz_access_in will never be checked for traffic coming in from any other interface. Only traffic initiated from the DMZ interface would be affected by this ACL.
Marcin
10-11-2010 07:30 AM
Thanks for the help guys, but I figured it out myself.
I will post my running config tomorrow if you're interested in the solution.
Thank you
Bert
10-11-2010 07:36 AM
Bert,
For future reference, it's better to have solutions indeed; it might help someone save some time in the future.
Marcin
10-11-2010 08:34 AM
rudv wrote:
Hi Bert,
I am surprised that the inside users are able to connect to this webserver in the dmz as you have said, since with the existing access-list it would not allow this.
Cheers,
Rudresh V
Rudresh ,
The traffic is by default allowed from interfaces with a higher security level (inside 100) to a lower security level (dmz 10 or outside 0). "By default" meaning that there is no need for an access-list.
Dan
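As an added illustration (not from the thread, not Cisco's code), the following Python model evaluates first-packet policy for the flows discussed above under the three ASA behaviours the replies rely on: an access-group bound "in" on an interface is checked only for packets entering on that interface (Marcin), decrypted site-to-site traffic bypasses the interface ACL while "sysopt connection permit-vpn" is left at its default (Marcin), and with no inbound ACL on the ingress interface, traffic is allowed from a higher security level to a lower one (Dan). It deliberately ignores NAT, crypto SA state and stateful return traffic (the ASA tracks connections, so replies of an established flow need no ACL entry), which is why the VPN-to-webserver flow comes out permitted here: if the ACLs are not the cause, the tunnel and NAT checks Marcin asked for are where to look. The inside subnet 10.0.0.0/24, the Internet client 198.51.100.7 and the contents of the outside ACL are assumptions; only dmz_access_in is taken from the thread.

```python
"""Simplified model of Cisco ASA first-packet policy for the thread's scenario.

Modeled: interface security levels, 'access-group <acl> in interface <if>',
and the 'sysopt connection permit-vpn' bypass. Not modeled: NAT, IPsec SA
state, and stateful return traffic. This is illustrative code, not an ASA.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp any host 172.16.0.5 eq www'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches everything, else "tcp"/"udp"
    src: str                    # "any" or CIDR ("host x" is written as x/32)
    dst: str
    dport: Optional[int] = None  # 'eq <port>' on the destination, None = any

    def matches(self, pkt: "Packet") -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and in_net(pkt.src, self.src)
                and in_net(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Interface:
    name: str
    security_level: int
    networks: list = field(default_factory=list)  # directly connected subnets
    access_in: Optional[list] = None               # ACL bound with 'access-group ... in'


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    ingress: str            # interface the packet arrives on
    via_vpn: bool = False   # True if decrypted from a site-to-site tunnel


class Asa:
    def __init__(self, interfaces, sysopt_permit_vpn: bool = True):
        self.interfaces = {i.name: i for i in interfaces}
        self.sysopt_permit_vpn = sysopt_permit_vpn

    def egress_for(self, dst: str) -> Interface:
        """Pick the egress interface by connected subnet; default route is outside."""
        for intf in self.interfaces.values():
            if any(ip_address(dst) in ip_network(n) for n in intf.networks):
                return intf
        return self.interfaces["outside"]

    def permits(self, pkt: Packet) -> bool:
        ingress = self.interfaces[pkt.ingress]
        egress = self.egress_for(pkt.dst)
        if pkt.via_vpn and self.sysopt_permit_vpn:
            return True                      # VPN traffic bypasses the interface ACL
        if ingress.access_in is not None:    # only the ingress interface's ACL applies
            for ace in ingress.access_in:
                if ace.matches(pkt):
                    return ace.action == "permit"
            return False                     # implicit deny at the end of an ACL
        return ingress.security_level > egress.security_level  # level-based default


WEBSERVER = "172.16.0.5"
# dmz_access_in exactly as quoted in the thread
DMZ_ACL = [Ace("permit", "tcp", "any", WEBSERVER + "/32", 80)]
# Assumed outside ACL (the thread does not show it); lets Internet users reach www
OUTSIDE_ACL = [Ace("permit", "tcp", "any", WEBSERVER + "/32", 80)]


def build_asa(sysopt_permit_vpn: bool = True) -> Asa:
    return Asa([
        Interface("inside", 100, ["10.0.0.0/24"]),            # inside subnet assumed
        Interface("dmz", 10, ["172.16.0.0/24"], access_in=DMZ_ACL),
        Interface("outside", 0, [], access_in=OUTSIDE_ACL),
    ], sysopt_permit_vpn)


def evaluate_thread_flows(sysopt_permit_vpn: bool = True) -> dict:
    """First packets of the flows the thread talks about (addresses constructed)."""
    asa = build_asa(sysopt_permit_vpn)
    flows = {
        "inside->web:80":   Packet("tcp", "10.0.0.20", WEBSERVER, 80, "inside"),
        "internet->web:80": Packet("tcp", "198.51.100.7", WEBSERVER, 80, "outside"),
        "vpn->web:80":      Packet("tcp", "192.0.2.10", WEBSERVER, 80, "outside", via_vpn=True),
        "vpn->web:22":      Packet("tcp", "192.0.2.10", WEBSERVER, 22, "outside", via_vpn=True),
        "web->inside:443":  Packet("tcp", WEBSERVER, "10.0.0.20", 443, "dmz"),
    }
    return {name: asa.permits(p) for name, p in flows.items()}


if __name__ == "__main__":
    for name, ok in evaluate_thread_flows().items():
        print(f"{name:18} {'permit' if ok else 'deny'}")
```

Running it shows that the inside and Internet flows are permitted, that the VPN subnet reaches the webserver (on any port) while the sysopt bypass is on, and that dmz_access_in only bites on connections the webserver itself opens (web->inside:443 is denied). Passing sysopt_permit_vpn=False makes the VPN traffic fall through to the outside ACL, where only port 80 is allowed.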