Anyconnect Client unable to access DMZ

cirrus
Level 1

Hi, would really appreciate your help.

Currently I have a network topology set up comprising Inside, DMZ and OffSite zones configured on an ASA. On the ASA, I have configured AnyConnect to authenticate against a Windows Server. Everything's perfect when the remote client (Outside zone != OffSite zone) VPNs into the internal network via AnyConnect. However, if I have to access a resource in the DMZ zone, the remote client is unable to do so. The remote client can only access the Inside zone, but not the DMZ zone (specifically 192.168.1.11). Additionally, there is no default gateway specified for AnyConnect, which I assume is the cause of not being able to access the DMZ zone. Below is the ASA configuration. Hope that you can reply as soon as possible as I am in urgent need.

 

ASA Version 9.1(5)
!
hostname asa5505
domain-name WSSEnterprise
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool SSLVPN 192.168.2.100-192.168.2.150 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 130.18.20.2 255.255.255.0
!
interface Vlan3
 no forward interface Vlan2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
object network obj_inside
 subnet 192.168.2.0 255.255.255.0
object network DMZELK
 host 192.168.1.10
object network DMZSMTP
 host 192.168.1.11
object network vpnclients
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object-group network local-network
 network-object 192.168.2.0 255.255.255.0
object-group network remote-network
 network-object 172.20.0.0 255.255.252.0
access-list OPEN extended permit ip any any
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
access-list outside-in extended permit tcp any host 192.168.1.11 eq ftp
access-list outside-in extended permit tcp any host 192.168.1.11 eq ftp-data
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit tcp any any eq smtp
access-list outside-in extended permit tcp any any eq pop3
pager lines 24
logging enable
logging timestamp
logging trap informational
logging host inside 192.168.2.11
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj_inside obj_inside destination static vpnclients vpnclients
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp route-lookup
!
object network obj_inside
 nat (inside,outside) dynamic interface
object network DMZELK
 nat (dmz,outside) static 130.18.20.3
object network DMZSMTP
 nat (dmz,outside) static 130.18.20.4
access-group OPEN global
route outside 0.0.0.0 0.0.0.0 130.18.20.1 10
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ws2018.local protocol ldap
aaa-server ws2018.local (inside) host 192.168.2.10
 timeout 5
 ldap-base-dn dc=ws2018,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=administrator,cn=Users,dc=ws2018,dc=local
 server-type auto-detect
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 130.18.50.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=asa5505
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=asa5505
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
 certificate 44311a5b
    308201d9 30820142 a0030201 02020444 311a5b30 0d06092a 864886f7 0d010105
    05003031 3110300e 06035504 03130761 73613535 3035311d 301b0609 2a864886
    f70d0109 02160e61 73613535 30352e77 73323031 38301e17 0d313830 36303830
    37353035 355a170d 32383036 30353037 35303535 5a303131 10300e06 03550403
    13076173 61353530 35311d30 1b06092a 864886f7 0d010902 160e6173 61353530
    352e7773 32303138 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081
    89028181 0087c146 0d42d97e 3182bbef 09d96538 c080ae39 d698ec93 8646032d
    ca8c52ab 5a0168de c197f1e5 9fdf9a3a b4a29d62 3b69f834 7d3854d3 d8ccfc31
    9e1b155d 2f7eac73 a8e316b3 a6b40ae5 b85d422b 4ac0473e 9cbf262e 9a992638
    614fa3b9 59ecbd17 2c8ace9c 278030f7 a5d5bfca f9506419 094a423d 266d4932
    11c2256a e7020301 0001300d 06092a86 4886f70d 01010505 00038181 0031e602
    bf6adcbf d0400ca1 9ff86655 03e6a395 a8de1c84 e853d775 902dc2d3 17bc9bf0
    385f5735 fc6e1e27 9e8e4215 7d09f8c1 496fa257 761ef41e b255af3e b4e2fa6f
    50453b56 b60c0041 e3ce4b47 e3a7ba38 86fac394 bdac50c0 f01c987e d52e1e6b
    4d86c4b8 44643769 67bfddb2 f15be5a5 a04303ec dfd9d60f 87bc5510 08
  quit
anyconnect image disk0:/anyconnect-win-4_4_03034-webdeploy-k9.zip 1
anyconnect profiles Ws2018_client_profile disk0:/Ws2018_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_Ws2018 internal
group-policy GroupPolicy_Ws2018 attributes
 wins-server value 192.168.2.10
 dns-server value 192.168.2.10
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value ws2018.local
 webvpn
  anyconnect profiles value Ws2018_client_profile type user
username admin password 7KKG/zg/Wo8c.YfN encrypted
tunnel-group 130.18.50.2 type ipsec-l2l
tunnel-group 130.18.50.2 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group Ws2018 type remote-access
tunnel-group Ws2018 general-attributes
 address-pool SSLVPN
 authentication-server-group ws2018.local
 default-group-policy GroupPolicy_Ws2018
tunnel-group Ws2018 webvpn-attributes
 group-alias Ws2018 enable
!
: end

Accepted Solution

Francesco Molino
VIP Alumni
Hi

I don't see any split tunnel, which means you're doing a full tunnel and everything goes through the tunnel from the remote endpoint.
However, you're missing a NAT exemption for the DMZ.
Can you please add the following config and test again?

object network dmz-grp
 subnet 192.168.1.0 255.255.255.0
nat (dmz,outside) source static dmz-grp dmz-grp destination static vpnclients vpnclients no-proxy-arp route-lookup


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
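The point of the answer above is that every internal interface the VPN pool must reach needs its own identity (exempt) NAT rule towards the VPN interface, otherwise the return traffic from that segment is handed to the outbound dynamic NAT instead of the tunnel. The script below is an added example, not part of this thread and not a Cisco tool: it parses the relevant parts of an ASA running-config (interfaces, `ip local pool`, `object network` / `object-group network`, and twice-NAT `source static X X destination static Y Y` rules) and lists the internal interfaces that still have no exemption for the pool. The embedded sample config is a constructed subset of the config posted in the question; `DMZ_EXEMPTION` is the fix from the accepted answer, appended to show the check going clean. Function names, the `vpn_ifc` parameter and the `OBJ_BODY` keyword list are my own assumptions about the config grammar, covering only the commands this thread uses.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines of the posted config, before the fix.
SAMPLE_CONFIG = """\
ip local pool SSLVPN 192.168.2.100-192.168.2.150 mask 255.255.255.0
interface Vlan1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 130.18.20.2 255.255.255.0
interface Vlan3
 nameif dmz
 ip address 192.168.1.1 255.255.255.0
object network obj_inside
 subnet 192.168.2.0 255.255.255.0
object network vpnclients
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static obj_inside obj_inside destination static vpnclients vpnclients
object network obj_inside
 nat (inside,outside) dynamic interface
"""

# The exemption from the accepted answer, appended below to show the check passing.
DMZ_EXEMPTION = """\
object network dmz-grp
 subnet 192.168.1.0 255.255.255.0
nat (dmz,outside) source static dmz-grp dmz-grp destination static vpnclients vpnclients no-proxy-arp route-lookup
"""

Net = ipaddress.IPv4Network
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
OBJ_BODY = ("subnet", "host", "network-object", "description", "nat")  # assumed sub-commands


def parse_objects(cfg: str) -> Dict[str, List[Net]]:
    """Map each 'object network' / 'object-group network' name to its networks."""
    objects: Dict[str, List[Net]] = {}
    current = None
    for raw in cfg.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) == 3 and parts[0] in ("object", "object-group") and parts[1] == "network":
            current = parts[2]
            objects.setdefault(current, [])  # an object is re-opened later for its NAT line
        elif current is None or parts[0] not in OBJ_BODY:
            current = None  # any other top-level command ends the object block
        elif parts[0] == "subnet" and len(parts) == 3:
            objects[current].append(Net(f"{parts[1]}/{parts[2]}"))
        elif parts[0] == "host" and len(parts) == 2:
            objects[current].append(Net(f"{parts[1]}/32"))
        elif parts[0] == "network-object" and len(parts) == 3 and parts[1] != "object":
            net = f"{parts[2]}/32" if parts[1] == "host" else f"{parts[1]}/{parts[2]}"
            objects[current].append(Net(net))
    return objects


def parse_interfaces(cfg: str) -> Dict[str, Net]:
    """Map each nameif to the subnet configured on that interface."""
    ifaces: Dict[str, Net] = {}
    name = None
    for raw in cfg.splitlines():
        parts = raw.split()
        if parts[:1] == ["interface"]:
            name = None
        elif parts[:1] == ["nameif"] and len(parts) == 2:
            name = parts[1]
        elif parts[:2] == ["ip", "address"] and len(parts) == 4 and name:
            ifaces[name] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}").network
    return ifaces


def parse_pools(cfg: str) -> Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Map each 'ip local pool' name to its first and last address."""
    found = (POOL_RE.match(raw.strip()) for raw in cfg.splitlines())
    return {m.group(1): (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
            for m in found if m}


def identity_nat_rules(cfg: str) -> List[Tuple[str, str, str, str]]:
    """Twice-NAT rules whose source and destination translate to themselves (NAT exemption)."""
    found = (NAT_RE.match(raw.strip()) for raw in cfg.splitlines())
    return [(m.group(1), m.group(2), m.group(3), m.group(5))
            for m in found if m and m.group(3) == m.group(4) and m.group(5) == m.group(6)]


def missing_exemptions(cfg: str, vpn_ifc: str = "outside") -> List[str]:
    """Internal interfaces with no identity NAT between their subnet and every VPN pool."""
    objects, ifaces = parse_objects(cfg), parse_interfaces(cfg)
    pools, rules = parse_pools(cfg), identity_nat_rules(cfg)
    if not pools:
        raise ValueError("no 'ip local pool' found; nothing to check")

    def covered(nets: List[Net], first, last) -> bool:
        return any(first in n and last in n for n in nets)

    missing = []
    for ifc, subnet in ifaces.items():
        if ifc == vpn_ifc:
            continue
        exempt = any(
            real == ifc and mapped == vpn_ifc
            and any(subnet.subnet_of(n) for n in objects.get(src, []))
            and all(covered(objects.get(dst, []), lo, hi) for lo, hi in pools.values())
            for real, mapped, src, dst in rules
        )
        if not exempt:
            missing.append(ifc)
    return sorted(missing)


if __name__ == "__main__":
    print("before fix, still NATted towards the pool:", missing_exemptions(SAMPLE_CONFIG))
    print("after fix, still NATted towards the pool: ", missing_exemptions(SAMPLE_CONFIG + DMZ_EXEMPTION))
```

Run against `show running-config` output saved to a file, the script reports `['dmz']` for the posted config and nothing once the answer's two commands are added. It deliberately treats an exemption as valid only if the source object covers the whole interface subnet and the destination object covers the whole pool, so a pool that grows past the object, or a `host` object used where a `subnet` was meant, is flagged rather than silently accepted. On the ASA itself the same question can be asked per flow with `packet-tracer input outside tcp <pool-address> 1025 192.168.1.11 25`, whose NAT phase shows which rule the return path actually hits; that check is mine, not from the thread.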
