Site to Site VPN -> DMZ

SirRobSmith
Level 1

Good evening,

First time poster, long time reader of these forums. I should probably stop to say thanks for all the advice I've managed to leech from the various comments that have been posted - thanks!

My problem is getting to the stage of being a little annoying.

I've got a Cisco 5520, to which a Cisco 5505 is connected via a Site to Site tunnel.

The tunnel works just dandy, with traffic happily being passed to and from my Inside interface.

The issue comes when users connected to the 5505 access our DMZ: it simply refuses to work. I've read many posts about the changes made in 8.3 (which I'm running on the 5520) when it comes to NAT exemptions, which I believe is the issue I'm having, but I'm not able to implement any configuration to allow my site-to-site VPNs to connect to hosts within the DMZ.

An old copy of the configuration is below (I tried many things after this point, but this is one of the cleaner copies!); any help would be very much appreciated.

Rob

Result of the command: "sh runn"

: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password ************* encrypted
passwd ************* encrypted
names
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 description GCI Internet connection VLAN 99
 vlan 99
 nameif GCI-Outside
 security-level 0
 ip address 213.218.219.65 255.255.255.192
!
interface GigabitEthernet0/1
 description Inside Interface untagged 254
 nameif Inisde
 security-level 100
 ip address 192.168.254.240 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Placeholder Interface for Sub-Interfaces
 no nameif
 security-level 50
 no ip address
!
interface GigabitEthernet0/3.1
 description Tagged VLAN253 Traffic within DMZ
 vlan 253
 nameif DMZ-253
 security-level 50
 ip address 192.168.253.240 255.255.255.0
!
interface GigabitEthernet0/3.2
 description Tagged VLAN 252 Traffic
 vlan 252
 nameif Edge
 security-level 49
 ip address 192.168.252.240 255.255.255.0
!
interface Management0/0
 nameif Management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.197.0-Wibble
 subnet 192.168.197.0 255.255.255.0
 description STS Wibble Remote Network
object network 192.168.196.0-Wibble2
 subnet 192.168.196.0 255.255.255.0
 description STS Wibble2 Remote Network
object network 213.218.219.67
 host 213.218.219.67
 description Static NAT Translation address
object network 10.128.117.0-Wibble3
 subnet 10.128.117.0 255.255.255.0
 description 12345
object network 192.168.253.15-CorporateProxy
 host 192.168.253.15
 description Corporate Proxy
object network 192.168.253.22-NonCorporateProxy
 host 192.168.253.22
 description Stores Proxy
object network 192.168.253.46-DMZWeb
 host 192.168.253.46
 description 1
object network 10.150.100.0-DTC
 subnet 10.150.100.0 255.255.255.0
 description DTC Remote Network
object network NETWORK_OBJ_10.150.100.0_24
 subnet 10.150.100.0 255.255.255.0
object network 10.150.101.0-Europa
 subnet 10.150.101.0 255.255.255.0
 description 123
object network 10.110.170.0-Wibble4
 subnet 10.110.170.0 255.255.255.0
 description 123
object network NETWORK_OBJ_10.110.170.0_24
 subnet 10.110.170.0 255.255.255.0
object network 192.168.198.0-Wibble4
 subnet 192.168.198.0 255.255.255.0
 description 123
object network 10.128.116.0-Wibble6
 subnet 10.128.116.0 255.255.255.0
 description 123
object network NETWORK_OBJ_10.128.116.0_24
 subnet 10.128.116.0 255.255.255.0
object network 192.168.192.0-Wibble4_Office
 subnet 192.168.192.0 255.255.255.0
 description F1234
object network NETWORK_OBJ_192.168.192.0_24
 subnet 192.168.192.0 255.255.255.0
object network 192.168.200.10
 host 192.168.200.10
object network 192.168.191.0-Darlington_Test
 subnet 192.168.191.0 255.255.255.0
object-group network SiteToSiteVPNs
 description Contains Site to Site VPN Groups
 network-object object 192.168.197.0-Wibble
 network-object object 192.168.196.0-Wibble2
 network-object object 10.128.117.0-Wibble3
 network-object object 10.150.100.0-DTC
 network-object object 10.150.101.0-Europa
 network-object object 10.110.170.0-Wibble4
 network-object object 192.168.198.0-Wibble4
 network-object object 10.128.116.0-Wibble6
 network-object object 192.168.192.0-Wibble4_Office
 network-object object 192.168.191.0-Darlington_Test
object-group network ExternalIPs
 network-object object 213.218.219.67
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 8080
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object object 192.168.253.15-CorporateProxy
 network-object object 192.168.253.22-NonCorporateProxy
object-group network DM_INLINE_NETWORK_2
 network-object object 192.168.253.15-CorporateProxy
 network-object object 192.168.253.22-NonCorporateProxy
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 3306
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq smtp
 port-object eq ssh
object-group service DM_INLINE_TCP_4 tcp
 port-object eq 1280
 port-object eq 29002
 port-object eq 29005
 port-object eq 29006
 port-object eq 61023
access-list GCI-Outside_cryptomap extended permit ip any 192.168.197.0 255.255.255.0
access-list Inisde_access_in extended permit ip host 192.168.191.50 any
access-list Inisde_access_in remark Allow Inside devices to access the web proxy
access-list Inisde_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1
access-list Inisde_access_in remark Allow Internal Users to access Web / FTP
access-list Inisde_access_in extended permit tcp any object 192.168.253.46-DMZWeb object-group DM_INLINE_TCP_3
access-list Inisde_access_in remark Chp & Pin Authorisation/Downloads
access-list Inisde_access_in extended permit tcp any any object-group DM_INLINE_TCP_4
access-list Inisde_access_in remark RDP/VNC to site to site VPN
access-list Inisde_access_in extended permit ip any object-group SiteToSiteVPNs
access-list Inisde_access_in extended deny ip any any
access-list GCI-Outside_access_in extended permit ip any any
access-list GCI-Outside_1_cryptomap extended permit ip any 192.168.196.0 255.255.255.0
access-list GCI-Outside_cryptomap_1 extended permit ip any 10.128.117.0 255.255.255.0
access-list DMZ-253_access_in remark Allow Proxy to access the Internet
access-list DMZ-253_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list DMZ-253_access_in remark Allow DMZ Web Server to connect to the Internet
access-list DMZ-253_access_in extended permit tcp object 192.168.253.46-DMZWeb any object-group DM_INLINE_TCP_2
access-list DMZ-253_access_in extended deny ip any any
access-list GCI-Outside_3_cryptomap extended permit ip any 192.168.198.0 255.255.255.0
access-list GCI-Outside_4_cryptomap extended permit ip any 10.150.100.0 255.255.255.0
access-list GCI-Outside_5_cryptomap extended permit ip any 10.150.101.0 255.255.255.0
access-list GCI-Outside_7_cryptomap extended permit ip any 10.110.170.0 255.255.255.0
access-list GCI-Outside_8_cryptomap extended permit ip any 10.128.116.0 255.255.255.0
access-list GCI-Outside_9_cryptomap extended permit ip any 192.168.192.0 255.255.255.0
access-list GCI-Outside_10_cryptomap extended permit ip any 192.168.191.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging host Inisde 192.168.154.60
mtu GCI-Outside 1500
mtu Inisde 1500
mtu DMZ-253 1500
mtu Edge 1500
mtu Management 1500
ip verify reverse-path interface GCI-Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (GCI-Outside,GCI-Outside) source static SiteToSiteVPNs SiteToSiteVPNs destination static SiteToSiteVPNs SiteToSiteVPNs description Allows InterSite Routing
nat (GCI-Outside,Inisde) source static any any destination static SiteToSiteVPNs SiteToSiteVPNs description Allow sites to talk to Inside.
nat (Inisde,GCI-Outside) source static any any destination static SiteToSiteVPNs SiteToSiteVPNs description Site-To-Site NAT Exempt Inside to VPN
nat (DMZ-253,GCI-Outside) source static any any destination static SiteToSiteVPNs SiteToSiteVPNs
!
object network 192.168.197.0-Wibble
 nat (GCI-Outside,GCI-Outside) dynamic 213.218.219.67
object network 192.168.196.0-Wibble2
 nat (GCI-Outside,GCI-Outside) dynamic 213.218.219.67
object network 10.128.117.0-Wibble3
 nat (GCI-Outside,GCI-Outside) dynamic 213.218.219.67
object network 192.168.253.15-CorporateProxy
 nat (DMZ-253,GCI-Outside) static 213.218.219.69
object network 192.168.253.22-NonCorporateProxy
 nat (DMZ-253,GCI-Outside) static 213.218.219.88
object network 192.168.253.46-DMZWeb
 nat (DMZ-253,GCI-Outside) static 213.218.219.82
object network 10.150.100.0-DTC
 nat (GCI-Outside,GCI-Outside) dynamic 213.218.219.67
object network 10.150.101.0-Europa
 nat (GCI-Outside,GCI-Outside) dynamic 213.218.219.67
object network 10.110.170.0-Wibble4
 nat (GCI-Outside,GCI-Outside) dynamic 213.218.219.67
object network 192.168.198.0-Wibble4
 nat (GCI-Outside,GCI-Outside) dynamic 213.218.219.67
object network 10.128.116.0-Wibble6
 nat (GCI-Outside,GCI-Outside) dynamic 213.218.219.67
object network 192.168.192.0-Wibble4_Office
 nat (GCI-Outside,GCI-Outside) dynamic 213.218.219.67
!
nat (Inisde,GCI-Outside) after-auto source static any 213.218.219.67
access-group GCI-Outside_access_in in interface GCI-Outside
access-group Inisde_access_in in interface Inisde
access-group DMZ-253_access_in in interface DMZ-253
route GCI-Outside 0.0.0.0 0.0.0.0 213.218.219.126 1
route Inisde 10.0.0.0 255.0.0.0 192.168.254.1 1
route GCI-Outside 10.110.170.0 255.255.255.0 213.218.219.126 1
route GCI-Outside 10.128.116.0 255.255.255.0 213.218.219.126 1
route GCI-Outside 10.128.117.0 255.255.255.0 213.218.219.126 1
route GCI-Outside 10.150.100.0 255.255.255.0 213.218.219.126 1
route GCI-Outside 10.150.101.0 255.255.255.0 213.218.219.126 1
route Inisde 172.16.0.0 255.255.0.0 192.168.254.1 1
route Inisde 192.168.0.0 255.255.0.0 192.168.254.1 1
route GCI-Outside 192.168.191.0 255.255.255.0 213.218.219.126 1
route GCI-Outside 192.168.192.0 255.255.255.0 213.218.219.126 1
route GCI-Outside 192.168.196.0 255.255.255.0 213.218.219.126 1
route GCI-Outside 192.168.197.0 255.255.255.0 213.218.219.126 1
route GCI-Outside 192.168.198.0 255.255.255.0 213.218.219.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Management
http 192.168.0.0 255.255.0.0 Inisde
http 172.16.0.0 255.255.0.0 Inisde
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map GCI-Outside_map1 1 match address GCI-Outside_1_cryptomap
crypto map GCI-Outside_map1 1 set pfs group1
crypto map GCI-Outside_map1 1 set peer 92.27.104.41
crypto map GCI-Outside_map1 1 set transform-set ESP-3DES-MD5
crypto map GCI-Outside_map1 2 match address GCI-Outside_cryptomap_1
crypto map GCI-Outside_map1 2 set pfs group1
crypto map GCI-Outside_map1 2 set peer 63.130.248.189
crypto map GCI-Outside_map1 2 set transform-set ESP-3DES-MD5
crypto map GCI-Outside_map1 3 match address GCI-Outside_3_cryptomap
crypto map GCI-Outside_map1 3 set pfs group1
crypto map GCI-Outside_map1 3 set peer 154.32.92.204
crypto map GCI-Outside_map1 3 set transform-set ESP-3DES-MD5
crypto map GCI-Outside_map1 4 match address GCI-Outside_4_cryptomap
crypto map GCI-Outside_map1 4 set pfs group1
crypto map GCI-Outside_map1 4 set peer 195.244.209.169
crypto map GCI-Outside_map1 4 set transform-set ESP-3DES-MD5
crypto map GCI-Outside_map1 5 match address GCI-Outside_5_cryptomap
crypto map GCI-Outside_map1 5 set pfs group1
crypto map GCI-Outside_map1 5 set peer 195.244.209.168
crypto map GCI-Outside_map1 5 set transform-set ESP-3DES-MD5
crypto map GCI-Outside_map1 6 match address GCI-Outside_cryptomap
crypto map GCI-Outside_map1 6 set pfs group1
crypto map GCI-Outside_map1 6 set peer 95.177.124.233
crypto map GCI-Outside_map1 6 set transform-set ESP-3DES-MD5
crypto map GCI-Outside_map1 7 match address GCI-Outside_7_cryptomap
crypto map GCI-Outside_map1 7 set pfs group1
crypto map GCI-Outside_map1 7 set peer 63.130.248.186
crypto map GCI-Outside_map1 7 set transform-set ESP-3DES-MD5
crypto map GCI-Outside_map1 8 match address GCI-Outside_8_cryptomap
crypto map GCI-Outside_map1 8 set pfs group1
crypto map GCI-Outside_map1 8 set peer 63.130.248.187
crypto map GCI-Outside_map1 8 set transform-set ESP-3DES-MD5
crypto map GCI-Outside_map1 9 match address GCI-Outside_9_cryptomap
crypto map GCI-Outside_map1 9 set pfs group1
crypto map GCI-Outside_map1 9 set peer 63.130.248.188
crypto map GCI-Outside_map1 9 set transform-set ESP-3DES-MD5
crypto map GCI-Outside_map1 10 match address GCI-Outside_10_cryptomap
crypto map GCI-Outside_map1 10 set pfs group1
crypto map GCI-Outside_map1 10 set peer 92.27.143.0
crypto map GCI-Outside_map1 10 set transform-set ESP-3DES-MD5
crypto map GCI-Outside_map1 interface GCI-Outside
crypto isakmp enable GCI-Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal 300
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 Inisde
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 rc4-sha1 aes128-sha1 aes256-sha1
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
username asdm password mEI9mGOFgPDwvzKv encrypted
username robsmith nopassword
tunnel-group 95.177.124.233 type ipsec-l2l
tunnel-group 95.177.124.233 ipsec-attributes
 pre-shared-key *****
tunnel-group 92.27.104.41 type ipsec-l2l
tunnel-group 92.27.104.41 ipsec-attributes
 pre-shared-key *****
tunnel-group 63.130.248.189 type ipsec-l2l
tunnel-group 63.130.248.189 ipsec-attributes
 pre-shared-key *****
tunnel-group 154.32.92.204 type ipsec-l2l
tunnel-group 154.32.92.204 ipsec-attributes
 pre-shared-key *****
tunnel-group 195.244.209.169 type ipsec-l2l
tunnel-group 195.244.209.169 ipsec-attributes
 pre-shared-key *****
tunnel-group 195.244.209.168 type ipsec-l2l
tunnel-group 195.244.209.168 ipsec-attributes
 pre-shared-key *****
tunnel-group 63.130.248.186 type ipsec-l2l
tunnel-group 63.130.248.186 ipsec-attributes
 pre-shared-key *****
tunnel-group 63.130.248.187 type ipsec-l2l
tunnel-group 63.130.248.187 ipsec-attributes
 pre-shared-key *****
tunnel-group 63.130.248.188 type ipsec-l2l
tunnel-group 63.130.248.188 ipsec-attributes
 pre-shared-key *****
tunnel-group 92.27.143.0 type ipsec-l2l
tunnel-group 92.27.143.0 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6c9f7a5f275020c5b6c5a71e9c45e6b6
: end


Hello Robert,

To me, your NAT is good, and I found an issue on the permission from DMZ to the VPN networks (reverse traffic).

The access-list 'DMZ-253_access_in' permits only limited traffic, which doesn't include the subnets of the site-to-site VPNs.

You can probably try to do the following:

access-list DMZ-253_access_in line 1 extended permit ip 192.168.253.0 255.255.255.0 object-group SiteToSiteVPNs

I hope the other-end ASAs are fine in terms of NAT and interesting traffic!

Let me know how it goes.

Regards,

Harish

Thanks for the reply, Harish.

I've tried numerous permit any/any type rules, but sadly it still falls over in the same place. I've done some packet traces, which are below, which show the results I'm getting when trying to move traffic from one of my hosts on the remote site (192.168.191.50) to a host within my DMZ (192.168.253.46).

(From 5520 simulating traffic from my SitetoSite VPN -> DMZ)

From 5505 doing the same

Does this offer any further indication as to what my issue is? Currently I'm chasing a NAT exempt type issue; I'm certainly no expert, but that's my gut instinct as to what the issue is.

Thanks again,

Rob

Hello Rob,

Can we do the following for this network (192.168.191.0/24) and test?

object network testnw
 subnet 192.168.191.0 255.255.255.0
object network testdmz
 subnet 192.168.253.0 255.255.255.0
nat (DMZ-253,GCI-Outside) 1 source static testdmz testdmz destination static testnw testnw

Harish.
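Harish's rule makes the NAT exemption explicit for one remote site. As an added example that is not part of the thread, the same identity twice-NAT written for the whole SiteToSiteVPNs group, with the DMZ interface ACL entry it needs and the packet-tracer checks to verify it; the object name DMZ-253-Subnet is assumed, everything else uses the names from Rob's configuration.

```cisco
! Added example, not from the thread. Assumes the OP's interface names,
! the SiteToSiteVPNs object-group and the 192.168.253.0/24 DMZ subnet.
!
! 1. A network object for the DMZ subnet (Harish's testdmz, renamed;
!    the name DMZ-253-Subnet is an assumption).
object network DMZ-253-Subnet
 subnet 192.168.253.0 255.255.255.0
!
! 2. Identity twice NAT, the 8.3 replacement for "nat 0" NAT exemption:
!    DMZ hosts keep their real address when talking to any VPN site, and
!    the VPN sites keep theirs on the way back. The sequence number 1
!    puts the rule at the top of section 1 (manual NAT), which the ASA
!    evaluates before the per-object static NAT that would otherwise
!    translate the DMZ hosts to 213.218.219.x on GCI-Outside.
nat (DMZ-253,GCI-Outside) 1 source static DMZ-253-Subnet DMZ-253-Subnet destination static SiteToSiteVPNs SiteToSiteVPNs description NAT exempt DMZ to all site-to-site VPNs
!
! 3. The DMZ interface ACL needs this only for connections that DMZ
!    hosts initiate towards the remote sites; replies to connections
!    opened from the sites are already allowed by stateful inspection.
access-list DMZ-253_access_in line 1 extended permit ip object DMZ-253-Subnet object-group SiteToSiteVPNs
!
! 4. Verify from the CLI before testing from a remote site. The first
!    trace follows a remote host towards the DMZ web server: the NAT
!    phase should show the new identity rule, and the last line should
!    read "Action: allow". If it shows "drop" in the NAT phase, the
!    object NAT for 192.168.253.46 is still winning.
packet-tracer input GCI-Outside tcp 192.168.191.50 12345 192.168.253.46 80
! The reverse direction must also select the identity rule rather than
! the static translation to 213.218.219.82.
packet-tracer input DMZ-253 tcp 192.168.253.46 12345 192.168.191.50 80
!
! 5. Confirm the rule is installed in section 1 and is being hit.
show nat detail
show nat | include DMZ-253-Subnet
```

Because the rule is anchored to the real DMZ subnet rather than `any`, a `show nat` hit counter on the identity line is the quickest way to tell whether a failing flow is even reaching it.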

That worked perfectly, Harish.

How infuriating! I could have sworn that I'd performed that exact same command.

Thank you very much!

Rob

Hello Rob,

Excellent! Can you mark this as answered so that others can learn too?

Regards,

Harish.