It could have some thing to do with the iOS or device type

Can you not get to the dmz from the Internet not using the VPN ?

Sent from Cisco Technical Support iPad App

Hi James,

Yes I can get to a webserver hosted on the DMZ from the internet.

Hi Kishore,

The DMZ and the INSIDE are on separate interfaces ethernet0/1 and ethernet0/2, the ACLs are correct from a server within the INSIDE interface. This server can RDP to the DMZ without issues, but the DMZ cannot access the INSIDE subnet.

These VPN users are people who need access to only the DMZ, should I just have them VPN into the DMZ? How can I configure the VPN using ASDM to login to the DMZ only?

I think this would be easier, but I just dont know how.

Hello Community,

I have enabled slit tunneling, so my vpn client can get to the internet from his/her laptop. I just still cannot RDP into the DMZ server. I can RDP into the INSIDE server.

(I am also able to RDP into the DMZ server from the INSIDE server)

Here is my sh run for the access list section and nating:

access-list outside_in extended permit tcp any host 173.xxx.xx.70 eq www

access-list nonat extended permit ip 192.168.210.0 255.255.255.0 192.168.220.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.210.0 255.255.255.0

access-list vpn-dmz standard permit 192.168.220.0 255.255.255.0

access-list vpn-dmz standard permit 192.168.210.0 255.255.255.0

access-list vpn-dmz standard permit 192.168.0.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu DMZ 1500

mtu inside 1500

ip local pool DMZPool 192.168.220.100-192.168.220.125 mask 255.255.255.0

ip local pool DMZ-Pool 192.168.210.100-192.168.210.150 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (DMZ) 1 interface

nat (DMZ) 1 192.168.220.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.210.0 255.255.255.0

static (DMZ,outside) 173.xxx.xxx.70 192.168.220.10 netmask 255.255.255.255

access-group outside_in in interface outside

It's hard to tell from your partial config how you have your split tunnel, and how you have designated your networks for the VPN connection. Can you post the full config?

Things that need to be checked:

- Your VPN connection needs to know that both the inside and DMZ networks should be reached from the client through the VPN. A common problem in such a scenario would be to only tell the VPN setup about the inside network, and then the client doesn't know how to route the request to go to the DMZ server.

- You may need a non-nat for the DMZ to VPN connections. Since you have a static NAT on your DMZ connection, you might be confusing the VPN connection setup. I would recommend excluding connections between your DMZ and your VPN group from NAT. I note that you have created the nonat ACL, but you have not applied it to your DMZ interface. You need a line that says:  nat (DMZ) 0 access-list nonat

Hi Dan,

I added the nat 0 command, but that did not help the VPN client get to the DMZ.

Anythign else I can try?

*********************************************************************************

ASA Version 8.0(4)

!

hostname ciscodemo

domain-name a.com

enable password U.Tf7Hhd3h encrypted

passwd 2KFQnI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 173.xxx.xx.66 255.255.255.224

!

interface Ethernet0/1

nameif DMZ

security-level 50

ip address 192.168.220.222 255.255.255.0

!

interface Ethernet0/2

nameif inside

security-level 100

ip address 192.168.210.222 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name aral.com

access-list outside_in extended permit tcp any host 173.xxx.xx.70 eq www

access-list nonat extended permit ip 192.168.210.0 255.255.255.0 192.168.220.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.210.0 255.255.255.0

access-list vpn-dmz standard permit 192.168.220.0 255.255.255.0

access-list vpn-dmz standard permit 192.168.210.0 255.255.255.0

access-list vpn-dmz standard permit 192.168.0.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu DMZ 1500

mtu inside 1500

ip local pool DMZPool 192.168.220.100-192.168.220.125 mask 255.255.255.0

ip local pool DMZ-Pool 192.168.210.100-192.168.210.150 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (DMZ) 1 interface

nat (DMZ) 0 access-list nonat

nat (DMZ) 1 192.168.220.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.210.0 255.255.255.0

static (DMZ,outside) 173.xxx.xx.70 192.168.220.10 netmask 255.255.255.255

access-group outside_in in interface outside

!

router rip

network 192.168.210.0

network 192.168.220.0

passive-interface DMZ

version 2

no auto-summary

!

route outside 0.0.0.0 0.0.0.0 173.xxx.xx.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.210.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DMZ_map interface DMZ

crypto isakmp enable outside

crypto isakmp enable DMZ

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc enable

group-policy DfltGrpPolicy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn-dmz

group-policy DMZAccess internal

group-policy DMZAccess attributes

dns-server value 10.10.10.11 10.10.10.22

vpn-tunnel-protocol IPSec

default-domain value a.com

username syn-client4 password dIb97qfm6shciivc encrypted privilege 0

username syn-client4 attributes

vpn-group-policy DMZAccess

username syn-client5 password dIb97qfm6shciivc encrypted privilege 0

username syn-client5 attributes

vpn-group-policy DMZAccess

username syn-client2 password dIb97qfm6shciivc encrypted privilege 0

username syn-client2 attributes

vpn-group-policy DMZAccess

username syn-client3 password dIb97qfm6shciivc encrypted privilege 0

username syn-client3 attributes

vpn-group-policy DMZAccess

username syn-client1 password dIb97qfm6shciivc encrypted privilege 0

username syn-client1 attributes

vpn-group-policy DMZAccess

tunnel-group DMZAccess type remote-access

tunnel-group DMZAccess general-attributes

address-pool DMZ-Pool

default-group-policy DMZAccess

tunnel-group DMZAccess ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect ftp

  inspect ipsec-pass-thru

  inspect http

  inspect pptp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b20ed392a3bd1a057cc32e41683f55e6

: end

Hi Dan,

Do you need more info from me? Should I just make the VPN clients login directly to the DMZ subnet, I think this would solve many issues too. But I still would like a VPN group who can log directly into the DMz and another group to get logged into the INSIDE subnet.

Hi Community,

Can anyone suggest how I can connect to the DMZ? I have researched and tried everything in the ASDM, maybe its not possible?

I have a test laptop with VPN ready to test anything. Even if I give the laptop an IP address range from my DMZ, it will not connect to the DMZ server. I have made sure the routes are there on the laptop.

Im stumpted......

John,

I'm a little confused as to what the next few lines are for:

global (outside) 1 interface

global (DMZ) 1 interface

nat (DMZ) 0 access-list nonat

nat (DMZ) 1 192.168.220.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.210.0 255.255.255.0

The DMZ is on the 192.168.22.0/24 subnet, correct? If that's the case, the only acl that you need to bypass nat is your nonat acl.

The other thing that I'm in agreement with is the fact that you really should put your ip pool on a different subnet altogether.

ip local pool DMZPool 192.168.220.100-192.168.220.125 mask 255.255.255.0

ip local pool DMZ-Pool 192.168.210.100-192.168.210.150 mask 255.255.255.0 <-- What is this one for?

I'm not sure you need the following:

crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DMZ_map interface DMZ

Also, you're not really doing anything with the group-policy and split tunneling. You should put your split tunneling policy (from the DfltGrpPolicy) under the DMZAccess attributes section.

group-policy DMZAccess internal

group-policy DMZAccess attributes

dns-server value 10.10.10.11 10.10.10.22

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn-dmz

tunnel-group DMZAccess type remote-access

tunnel-group DMZAccess general-attributes

address-pool DMZ-Pool

default-group-policy DMZAccess

Lastly, let's say you put the remote users on 172.16.30.0/24 and your pool assigns that. I put a static route on my ASA pointing to my router. (route outside 172.16.30.0 255.255.255.0 192.168.201.1) That'll push traffic that belongs to the VPN back out of the ASA. Otherwise, because you're giving an address out of the pool that you use locally, it may try to route local instead of away from the ASA.

John

Hi John,

global (DMZ) 1 interface

nat (DMZ) 0 access-list nonat

I have added the global (DMZ) 1 interface, so my DMZ servers can access the internet.

I have added nat (DMZ) 0 access-list nonat - Dan recommended it

ip local pool DMZPool 192.168.220.100-192.168.220.125 mask 255.255.255.0

This is just another pool that I tried using, my VPN  clients are not using this pool, I have just left it inactive, The  192.168.210.0 is the pool I am using for them.

crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DMZ_map interface DMZ

I am not sure of the above, I just used the ASDM wizard to configure the VPN. If I need to delete, I will...

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn-dmz

Would you like me to issue the above commands?

Lastly,  let's say you put the remote users on 172.16.30.0/24 and your  pool  assigns that. I put a static route on my ASA pointing to my router.   (route outside 172.16.30.0 255.255.255.0 192.168.201.1) That'll push   traffic that belongs to the VPN back out of the ASA. Otherwise, because   you're giving an address out of the pool that you use locally, it may   try to route local instead of away from the ASA

okay so you suggest making up a new subnet for the VPN  users to use. Using a new subnet not assigned to any interface on my  ASA and then setup routing?

Thanks for the reply John,

Sorry, I am a beginner....I am trying to grasp everything, but can understand you though......

John,

This will be enough for your dmz hosts to get to the internet.

global (outside) 1 interface

nat (DMZ) 1 192.168.220.0 255.255.255.0

I think ASDM may have put in the crypto map because of the global command (I can't verify this though). It applied it to the dmz interface which you don't need.

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn-dmz

Would you like me to issue the above commands?

You need to put the above commands under the group-policy that your users reference in the VPN client. (group-policy DMZAccess attributes)

Lastly,   let's say you put the remote users on 172.16.30.0/24 and your  pool   assigns that. I put a static route on my ASA pointing to my router.    (route outside 172.16.30.0 255.255.255.0 192.168.201.1) That'll push    traffic that belongs to the VPN back out of the ASA. Otherwise,  because   you're giving an address out of the pool that you use locally,  it may   try to route local instead of away from the ASA

okay  so you suggest making up a new subnet for the VPN  users to use. Using a  new subnet not assigned to any interface on my  ASA and then setup  routing?

Yes I do, and that's correct.

John

Hi John,

I have taken split tunneling off, I have also taken off the "nat (DMZ) 0 access-list nonat" line.

I have added a new pool called DMZ230 which is on a new subnet of 192.168.230.0

From you earlier replys, I see you now want me to add a static route on my ASA?

Should I enter the below?

route outside 192.168.230.0 255.255.255.0 192.168.210.1

The 192.168.220.1 is my internal router which is not implemented into the network yet, Should I just use my 192.168.210.0 interface on the ASA which is 192.168.210.222?

My understanding now is: VPN users assigned to new subnet, this subnet has to be routed to the INSIDE interface (not the DMZ interface), then the users should be able to access the DMZ.

Not trying to doubt anything, but do I have to define this new vpn subnet (192.168.230.0) somewhere else on my ASA too?

John,

You'll need to assign the local pool to your DMZAccess group that you created for the vpn users to use. Other than that, you don't need to reference this subnet anywhere else in the ASA.

You should put the static route pointing to whatever your default gateway is for the ASA. If the gateway for the ASA is 192.168.220.1, then that's what you'd put for this static route. If you have any other devices that need to see this subnet like a L3 switch, other routers, etc, they'll need to know to get to the 192.168.230.0/24 subnet to go to your inside interface on the ASA. Does that make sense?

John