08-24-2016 02:00 PM - edited 02-21-2020 08:57 PM
I'm at a loss. I have attached my config. I can access the DMZ from the inside network but cannot access the DMZ from the VPN.
Any help would be great.
Rich
I also have an issue accessing management 0/0 (192.168.1.1) from the inside network E0/1 (192.168.2.0).
08-24-2016 04:14 PM
For your VPN-DMZ issue, the following is the most likely cause of your problem:
nat (inside,dmz) source static obj-dmz obj-dmz destination static obj-vpnpool obj-vpnpool
You should instead have:
nat (outside,dmz) source static obj-vpnpool obj-vpnpool destination static obj-dmz obj-dmz
This is because the VPN clients appear to come from outside (for NAT purposes) and need to be exempt from NAT when accessing DMZ resources.
For the management issues, the problem is asymmetric routing. When your packets arrive at the management interface, the ASA will try to send the return traffic (starting with the TCP 3-way handshake, which will fail) via the inside interface. That won't work: even if the ASA allowed it, the source of the ACK would be the ASA inside interface IP address, not the management interface address to which the SYN was sent.
This is why most people historically have not used the ASA management interface unless they had a true out-of-band network for management. Cisco recently introduced a separate routing table just for management, but you would have to upgrade to 9.5(1) or later to take advantage of that.
08-24-2016 05:35 PM
Marvin,
I'm only looking to use the management interface for access to the ASDM, and would also like to access the ASDM from the inside interface, nothing more. Is there a way around that? Do I have to shut down the management interface and set the inside interface for management as well?
I will add the new nat tomorrow and verify.
Thank you for the quick response.
Rich
08-24-2016 07:23 PM
Rich,
The existing command:
http 192.168.2.0 255.255.255.0 inside
...will allow ASDM access from hosts on the subnet connected to the inside interface.
08-25-2016 01:12 PM
Marvin,
I tried the nat command and it is still not working. The outside VPN to DMZ is giving me an error with packet tracer: (acl-drop) Flow is denied by configured rule. I've been playing around and can't figure out which ACL is causing the issue; I disabled several rules and still get the same denied issue. The management access from the inside network already had the http 192.168.2.0 255.255.255.0 in the config, but it still does not work. It's been 6 years since I set up a firewall/router and this is an older ASA5510. I'm not seeing the upgrade to 9.5(1) or later as available; am I incorrect on that? I'm seeing 9.1.7-9.
Thank you
Rich
08-25-2016 03:25 PM
Can you share the output from packet-tracer? Please include the "detailed" keyword at the end.
08-25-2016 04:23 PM
Results below and complete trace attached.
Thank you for all your assistance.
Rich
<result>
<input-interface>outside</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>dmz</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
08-25-2016 04:46 PM
Hmm, even though it says drop at step 7 due to VPN, I still think the NAT may not be quite correct.
Remove the existing NAT statement:
no nat (outside,dmz) source static obj-vpnpool obj-vpnpool destination static obj-dmz obj-dmz
...and then try using a NAT statement similar to the (inside,outside) one except with dmz:
nat (dmz,outside) source static obj-dmz obj-dmz destination static obj-vpnpool obj-vpnpool no-proxy-arp route-lookup
08-25-2016 05:02 PM
same
GMG# packet-tracer input outside rawip 10.0.0.1 0 192.168.3.5 detailed xml
<Phase>
<id>1</id>
<type>ROUTE-LOOKUP</type>
<subtype>input</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
in 192.168.3.0 255.255.255.0 dmz
</extra>
</Phase>
<Phase>
<id>2</id>
<type>ACCESS-LIST</type>
<subtype>log</subtype>
<result>ALLOW</result>
<config>
access-group outside_acl in interface outside
access-list outside_acl extended permit ip object 10.0.0.0 any
</config>
<extra>
Forward Flow based lookup yields rule:
in id=0xae14c688, priority=13, domain=permit, deny=false
hits=1, user_data=0xab6b7e40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
</extra>
</Phase>
<Phase>
<id>3</id>
<type>NAT</type>
<subtype></subtype>
<result>ALLOW</result>
<config>
nat (dmz,outside) source static obj-dmz obj-dmz destination static obj-vpnpool obj-vpnpool no-proxy-arp route-lookup
</config>
<extra>
Static translate 10.0.0.1/0 to 10.0.0.1/0
Forward Flow based lookup yields rule:
in id=0xadc3aa88, priority=6, domain=nat, deny=false
hits=0, user_data=0xadc3a900, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=dmz
</extra>
</Phase>
<Phase>
<id>4</id>
<type>NAT</type>
<subtype>per-session</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
Forward Flow based lookup yields rule:
in id=0xad971e90, priority=0, domain=nat-per-session, deny=true
hits=21002, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
</extra>
</Phase>
<Phase>
<id>5</id>
<type>IP-OPTIONS</type>
<subtype></subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
Forward Flow based lookup yields rule:
in id=0xae0a0ed8, priority=0, domain=inspect-ip-options, deny=true
hits=47350, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
</extra>
</Phase>
<Phase>
<id>6</id>
<type>CP-PUNT</type>
<subtype></subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
Forward Flow based lookup yields rule:
in id=0xaebd03c0, priority=79, domain=punt, deny=true
hits=59, user_data=0xad84fe60, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.0.0.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
</extra>
</Phase>
<Phase>
<id>7</id>
<type>VPN</type>
<subtype>ipsec-tunnel-flow</subtype>
<result>DROP</result>
<config>
</config>
<extra>
Forward Flow based lookup yields rule:
in id=0xaeb24fd0, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=59, user_data=0xc7e4, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.0.0.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
</extra>
</Phase>
<result>
<input-interface>outside</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>dmz</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
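The final drop-reason in a packet-tracer run is the same generic "(acl-drop) Flow is denied by configured rule" text whether an ACL, NAT or VPN check rejected the packet, so the useful information is which phase returned DROP. The following Python helper is an added example, not code from the thread or from Cisco; it parses the "detailed xml" output shape shown above, and the embedded trace is a constructed, trimmed copy of it.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the "packet-tracer ... detailed xml" output above,
# trimmed to three phases; values are illustrative, not a capture from a real ASA.
SAMPLE_TRACE = """
<Phase><id>1</id><type>ROUTE-LOOKUP</type><subtype>input</subtype><result>ALLOW</result>
<config></config><extra>in 192.168.3.0 255.255.255.0 dmz</extra></Phase>
<Phase><id>3</id><type>NAT</type><subtype></subtype><result>ALLOW</result>
<config>nat (dmz,outside) source static obj-dmz obj-dmz destination static obj-vpnpool obj-vpnpool no-proxy-arp route-lookup</config>
<extra>Static translate 10.0.0.1/0 to 10.0.0.1/0</extra></Phase>
<Phase><id>7</id><type>VPN</type><subtype>ipsec-tunnel-flow</subtype><result>DROP</result>
<config></config><extra>Forward Flow based lookup yields rule:</extra></Phase>
<result><input-interface>outside</input-interface><output-interface>dmz</output-interface>
<action>drop</action><drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason></result>
"""

def parse_trace(text):
    """Parse packet-tracer XML into (phases, summary).

    The ASA prints sibling <Phase> elements followed by one <result> element with
    no enclosing root, so the text is wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<trace>" + text + "</trace>")
    phases = [{
        "id": int(ph.findtext("id")),
        "type": ph.findtext("type"),
        "subtype": ph.findtext("subtype") or "",
        "result": ph.findtext("result"),
        "config": (ph.findtext("config") or "").strip(),
    } for ph in root.findall("Phase")]
    res = root.find("result")
    summary = {k: res.findtext(k) for k in
               ("input-interface", "output-interface", "action", "drop-reason")}
    return phases, summary

def first_drop(phases):
    """First phase whose result is DROP (the check that actually rejected the flow),
    or None when every phase allowed it."""
    for ph in phases:
        if ph["result"] == "DROP":
            return ph
    return None

def nat_rules_hit(phases):
    """NAT statements that matched, to confirm the intended identity NAT
    (VPN pool <-> DMZ in the thread) was the rule the ASA actually chose."""
    return [ph["config"] for ph in phases if ph["type"] == "NAT" and ph["config"]]
```

On the trace in the thread this reports phase 7 (VPN / ipsec-tunnel-flow) as the dropping phase, which points at the tunnel's crypto or split-tunnel definition rather than at the interface ACL the generic reason suggests.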