VPN Users cannot reach DMZ

Hi

I have an ASA 5510 that has a couple of site-to-site VPN connections. They work fine; the only problem is that they cannot reach the web server in the DMZ.

VPN subnets 192.0.2.0 255.255.255.0, 192.0.4.0 255.255.255.0, 192.0.6.0 255.255.255.0

DMZ 172.16.0.0 255.255.255.0

Webserver DMZ 172.16.0.5 255.255.255.0

The users in the inside network and from the internet have no problems connecting.


I have attached the running config.

Thank you


Marcin Latosiewicz
Cisco Employee

Bert,

Can you also attach "show crypto ipsec sa" when the tunnels are connected and you are initiating traffic to the web server?

NAT and permissions look OK, of course; I would like to see whether the IPsec SAs come up when you initiate traffic.

When you do the test, can you also do "show logg | i 172.16.0.5"?

Maybe we should also look at the other sites' configs.

Marcin

Rudresh Veerappaji
Cisco Employee

Hi Bert,

I checked the config and here is my observation: On the dmz interface you have the following access-list applied:

access-list dmz_access_in extended permit tcp any host 172.16.0.5 eq www

access-group dmz_access_in in interface dmz

That is, on the inbound direction of the dmz interface you are allowing any packet destined to host 172.16.0.5, but with this you are not allowing reply packets from the webserver (172.16.0.5) itself to outside machines.

I think the access-list on the dmz should look like this (wherein we are allowing the webserver to reply to any request packets):

access-list dmz_access_in extended permit tcp host 172.16.0.5 eq www any

access-group dmz_access_in in interface dmz

I am surprised that the inside users are able to connect to this webserver in the dmz as you have said, since with the existing access-list, it would not allow this.

Let me know if this helps,

Cheers,

Rudresh V

Rudresh,

Traffic subject to VPN bypasses ACLs unless you turn off the sysopt explicitly. ...

dmz_access_in will never be checked for traffic coming in from any other interface. Only traffic initiated from the DMZ interface would be affected by this ACL.

Marcin

Thanks for the help guys, but I figured it out myself.

I will post my running config tomorrow if you're interested in the solution.

Thank you

Bert

Bert,

For future reference it's better to have solutions indeed; it might help someone save some time in the future.

Marcin

rudv wrote:

Hi Bert,

I am surprised that the inside users are able to connect to this webserver in the dmz as you have said, since with the existing access-list, it would not allow this.

Cheers,

Rudresh V

Rudresh,

The traffic is by default allowed from interfaces with a higher security level (inside 100) to a lower security level (dmz 10 or outside 0). "By default" meaning that there is no need for an access-list.

Dan
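The three rules the replies turn on (decrypted VPN traffic bypassing interface ACLs while the sysopt is on, an inbound ACL only applying to the interface it is bound to, and the higher-to-lower security-level default) can be written down as a small decision model. This is an added Python example, not code from the thread or from Cisco; the inside subnet 10.0.0.0/24 and treating `outside` as a catch-all are constructed assumptions, and a real ASA has more steps (NAT, stateful inspection) than this model shows.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Interface:
    name: str
    security_level: int
    network: str                                 # directly connected subnet (constructed)
    acl_in: list = field(default_factory=list)   # rules bound with "access-group ... in interface"

@dataclass
class ASA:
    interfaces: dict                 # iteration order matters: catch-all "outside" goes last
    vpn_subnets: list                # remote site-to-site subnets, reached through outside
    sysopt_permit_vpn: bool = True   # "sysopt connection permit-vpn" is on by default

    def ingress_for(self, ip):
        addr = ipaddress.ip_address(ip)
        return next(i for i in self.interfaces.values()
                    if addr in ipaddress.ip_network(i.network))

    def permits_new_connection(self, src, dst, dport):
        """First-packet decision only; replies ride the existing connection entry."""
        ingress, egress = self.ingress_for(src), self.ingress_for(dst)
        from_vpn = any(ipaddress.ip_address(src) in ipaddress.ip_network(n)
                       for n in self.vpn_subnets)
        # Rule 1 (Marcin): decrypted VPN traffic bypasses interface ACLs unless sysopt is off.
        if from_vpn and self.sysopt_permit_vpn:
            return True
        # Rule 2 (Marcin): only the ACL bound inbound on the ingress interface is consulted,
        # so dmz_access_in sees nothing that arrives on outside or inside.
        if ingress.acl_in:
            return any(rule(src, dst, dport) for rule in ingress.acl_in)
        # Rule 3 (Dan): with no ACL, a higher security level may initiate to a lower one.
        return ingress.security_level > egress.security_level

def build_asa(sysopt_permit_vpn=True):
    # "access-list dmz_access_in extended permit tcp any host 172.16.0.5 eq www"
    dmz_access_in = [lambda s, d, p: d == "172.16.0.5" and p == 80]
    return ASA(
        interfaces={
            "inside": Interface("inside", 100, "10.0.0.0/24"),        # subnet is constructed
            "dmz": Interface("dmz", 10, "172.16.0.0/24", dmz_access_in),
            "outside": Interface("outside", 0, "0.0.0.0/0"),
        },
        vpn_subnets=["192.0.2.0/24", "192.0.4.0/24", "192.0.6.0/24"],
        sysopt_permit_vpn=sysopt_permit_vpn,
    )
```

With the sysopt left at its default, a VPN host reaching 172.16.0.5:80 is permitted without dmz_access_in ever being consulted; with it turned off the flow falls through to the outside interface's rules, which this model has none of, so it is denied.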
