VPN Clients not able to access DMZ

imanco671
Level 1

Hello Community,

I have just setup my VPN Client. I have an inside subnet 192.168.210.0 and I have a DMZ subnet 192.168.220.0

I have my VPN users assigned an IP address from my pool 192.168.210.100 - 150

I am able to connect successfully and receive an IP address and access servers on the 192.168.210.0 network, but I cannot access the DMZ servers.

Thanks in Advance!

43 Replies

Hi John,

I have added the command for nat.

I have an outside connection I am using which is totally separate from the internal network I am trying to VPN into. Totally different carriers and IP addressing.

Here is my output:

ciscodemo(config)# sh vpn-sessiondb detail remote filter a-ipaddress 192.168.2$
Session Type: IPsec Detailed
Username     : syn-client1            Index        : 28
Assigned IP  : 192.168.230.100        Public IP    : 155.xxx.xx.35
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : 3DES AES128            Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 8719
Pkts Tx      : 0                      Pkts Rx      : 78
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : DMZAccess              Tunnel Group : DMZAccess
Login Time   : 12:37:19 EDT Tue Oct 25 2011
Duration     : 0h:01m:57s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
IKE Tunnels: 1
IPsecOverNatT Tunnels: 1
IKE:
  Tunnel ID    : 28.1
  UDP Src Port : 28708                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86286 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : WinNT                  Client OS Ver: 4.8.01.0300
IPsecOverNatT:
  Tunnel ID    : 28.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 192.168.230.100/255.255.255.255/0/0
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28685 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 8719
  Pkts Tx      : 0                      Pkts Rx      : 78
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 116 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :
ciscodemo(config)#

John

Try this:

access-list vpn permit host 0.0.0.0
group-policy DMZAccess attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value vpn

You don't have an acl assigned to your group-policy (which may be the acl you were asking about earlier). I'm not sure if the ASA defaults to allow all traffic over the tunnel if it doesn't have a policy, or if the ASA denies all traffic. The above will force all traffic over the tunnel, so let's see if this helps.

HTH, John *** Please rate all useful posts ***

I have executed those commands, but still no luck.

Sorry for having such a crazy issue.

John

Are you disconnecting from the VPN and reconnecting after the change?

HTH, John *** Please rate all useful posts ***

Yes, I have been. I have also been doing a write mem on my ASA after every change.

Can you draw up a diagram of how you're laid out... I seriously don't see a problem with the config unless I'm just missing something. Is there anything between your ASA and the server in the DMZ? Another router/firewall/switch? You should be able to connect and ping the device in the DMZ with no issue as long as you're not natting.

HTH, John *** Please rate all useful posts ***

There is a PIX firewall between my ASA and the internet. I have allowed all traffic to pass to my ASA. I would not be able to RDP to the 192.168.210.11 server if something was being blocked.

Also, There is no firewall between my laptop and internet.

Let me lab it up and get back to you...

HTH, John *** Please rate all useful posts ***

Okay, thanks John, sorry for the headache!

John

Hi John,

Have you got both the below commands enabled?

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

HTH

Regards,

Kishore

I was having a similar issue with VPN user access to a secondary interface as well. I had the config correct and it didn't work until I reconnected to AnyConnect. Thanks for the tip imanco671.

Hi John,

ciscodemo(config)# sh vpn-sessiondb detail remote filter a-ipaddress 192.168.2$
Session Type: IPsec Detailed
Username     : syn-client1            Index        : 28
Assigned IP  : 192.168.230.100        Public IP    : 155.xxx.xx.35
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : 3DES AES128            Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 8719
Pkts Tx      : 0                      Pkts Rx      : 78
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : DMZAccess              Tunnel Group : DMZAccess
Login Time   : 12:37:19 EDT Tue Oct 25 2011
Duration     : 0h:01m:57s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
IKE Tunnels: 1
IPsecOverNatT Tunnels: 1
IKE:
  Tunnel ID    : 28.1
  UDP Src Port : 28708                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86286 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : WinNT                  Client OS Ver: 4.8.01.0300
IPsecOverNatT:
  Tunnel ID    : 28.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 192.168.230.100/255.255.255.255/0/0
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28685 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 8719
  Pkts Tx      : 0                      Pkts Rx      : 78
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 116 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

Looks like you have a one-way traffic issue here. The ASA is receiving some traffic but it's not transmitting anything back to it. Is it possible to run some debugs?

Clear the ACL counters for the DMZ access and then try to ping the server or RDP and see if the ACL hits increment. That will give us an idea whether the packets from the VPN client are actually reaching that far.

Also, can you please paste the output of "sh nat" etc.

HTH,

Regards

Kishore

Note: We will fix your issue John, don't worry.

Hello Kishore,

I have made sure that both commands were executed. I then tried to connect to the VPN and RDP into the DMZ server, but without luck.

I have cleared ARP and I have cleared the ACL Counters.

Here are the commands I executed on my ASA:

ciscodemo# sh nat inside
  match ip inside 192.168.210.0 255.255.255.0 outside 192.168.230.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 20
  match ip inside 192.168.210.0 255.255.255.0 outside 192.168.220.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.220.0 255.255.255.0 outside 192.168.230.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.210.0 255.255.255.0 DMZ 192.168.230.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.210.0 255.255.255.0 DMZ 192.168.220.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
  match ip inside 192.168.220.0 255.255.255.0 DMZ 192.168.230.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.210.0 255.255.255.0 inside 192.168.230.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.210.0 255.255.255.0 inside 192.168.220.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.220.0 255.255.255.0 inside 192.168.230.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.210.0 255.255.255.0 outside any
    dynamic translation to pool 1 (173.xxx.xxx.66 [Interface PAT])
    translate_hits = 920, untranslate_hits = 0
  match ip inside 192.168.210.0 255.255.255.0 DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 33, untranslate_hits = 0
  match ip inside 192.168.210.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.230.0 255.255.255.0 outside any
    dynamic translation to pool 1 (173.xxx.xx.66 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.230.0 255.255.255.0 DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.230.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

ciscodemo# sh nat dmz
  match ip DMZ host 192.168.220.10 outside any
    static translation to 173.xxx.xx.70
    translate_hits = 3122, untranslate_hits = 151
  match ip DMZ 192.168.220.0 255.255.255.0 outside any
    dynamic translation to pool 1 (173.xxx.xx.66 [Interface PAT])
    translate_hits = 10, untranslate_hits = 0
  match ip DMZ 192.168.220.0 255.255.255.0 DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

Thanks

John
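Added example, not from the thread or from Cisco: a small Python parser for the pre-8.3 style `show nat` output posted above, which answers the question Kishore is driving at, namely whether a given flow lands on a `NAT exempt` entry or on a static/dynamic translation. It assumes the listed order is the evaluation order and that return traffic from the DMZ to a VPN client egresses via the outside interface (both assumptions, not stated in the thread); the sample text is an abbreviated copy of the output in the post.

```python
import ipaddress
import re

# Abbreviated copy of the `sh nat inside` / `sh nat dmz` output posted above.
SHOW_NAT = """\
  match ip inside 192.168.210.0 255.255.255.0 DMZ 192.168.220.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
  match ip DMZ host 192.168.220.10 outside any
    static translation to 173.xxx.xx.70
    translate_hits = 3122, untranslate_hits = 151
  match ip DMZ 192.168.220.0 255.255.255.0 outside any
    dynamic translation to pool 1 (173.xxx.xx.66 [Interface PAT])
    translate_hits = 10, untranslate_hits = 0
"""

# "match ip <src_if> <src> <dst_if> <dst>" where src/dst is 'host A', 'A MASK' or 'any'
MATCH_RE = re.compile(
    r"^\s*match ip (\S+) (host \S+|\S+ \S+|any) (\S+) (host \S+|\S+ \S+|any)\s*$")

def _net(tok):
    """Turn 'host A', 'A MASK' or 'any' into an ip_network."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.ip_network(tok.split()[1] + "/32")
    return ipaddress.ip_network("/".join(tok.split()))  # "A/MASK" form

def parse_show_nat(text):
    """Return rules in listed order: src_if, src, dst_if, dst, action, hits."""
    rules = []
    for line in text.splitlines():
        m = MATCH_RE.match(line)
        if m:
            rules.append({"src_if": m[1], "src": _net(m[2]), "dst_if": m[3],
                          "dst": _net(m[4]), "action": None, "hits": 0})
        elif rules and line.strip().startswith("translate_hits"):
            rules[-1]["hits"] = int(re.search(r"translate_hits = (\d+)", line)[1])
        elif rules and rules[-1]["action"] is None and line.strip():
            rules[-1]["action"] = line.strip()  # NAT exempt / static ... / dynamic ...
    return rules

def first_match(rules, src_if, dst_if, src_ip, dst_ip):
    """First rule covering the flow (assumes listed order == evaluation order)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r["src_if"], r["dst_if"]) == (src_if, dst_if) and s in r["src"] and d in r["dst"]:
            return r
    return None

def is_exempt(rules, src_if, dst_if, src_ip, dst_ip):
    """True only if the flow's first matching entry is a NAT exemption."""
    r = first_match(rules, src_if, dst_if, src_ip, dst_ip)
    return r is not None and r["action"] == "NAT exempt"
```

Run it against the full posted output to see which entry a DMZ host's reply toward the 192.168.230.x VPN pool actually hits, and compare the `translate_hits` counters before and after a test RDP attempt.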

Anything more I can test or try?

I am still unable to allow access from VPN to DMZ.

John