
Help with Site-To-Site VPN access to the DMZ


jjk3 (MIS), Nov 18, 2002
I am unable to get hosts accessing HQ via a site-to-site VPN to be able to access the DMZ.

I have reviewed several topics on tek-tips regarding VPN into the DMZ and most seem to have been an issue with not having a NAT 0 on the DMZ interface. I do have a nat 0 on my DMZ interface, but it still doesn't work.

I am able to see pings come out the DMZ interface, the server respond and the PIX receive the response, but the response never goes anywhere.

Please find the relevant parts of my config below. Any help on changes that I could try to resolve this would be appreciated.

Code:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 eth3 security15
nameif ethernet4 eth4 security20
nameif ethernet5 failover security25
access-list from-dmz permit tcp any any object-group Webservices 
access-list from-dmz permit tcp object-group PS-Webservers any object-group PS_JOLT_PROD 
access-list from-dmz permit tcp host 10.2.0.24 host 10.1.2.74 object-group CumulusPorts 
access-list from-dmz permit tcp any host 10.1.2.23 object-group VBulletin 
access-list from-dmz permit udp any host 10.1.2.23 eq pcanywhere-status 
access-list from-dmz permit tcp any object-group Mail-servers_ref_2 object-group Mail-services 
access-list from-dmz permit udp any object-group Mail-servers_ref_2 eq 113 
access-list from-dmz permit tcp any object-group Remote-access-internal_ref_1 object-group External-services 
access-list from-dmz permit udp any object-group Remote-access-internal_ref_1 object-group External-services-udp 
access-list from-dmz permit tcp object-group Webservers object-group MerlinAppServers_ref object-group Merlin-app-ports 
access-list from-dmz permit udp object-group Webservers object-group MerlinAppServers_ref object-group Merlin-app-shared-folder 
access-list from-dmz permit icmp any any 
access-list from-dmz permit tcp any any object-group Domain-trust-TCP 
access-list from-dmz permit udp any any object-group Domain-trust-UDP 
access-list from-dmz permit udp any any 
access-list from-dmz permit tcp any host AA.BB.CC.108 eq smtp 
access-list VPN-IRL remark Prevent any VoIP traffic to be routed over the VPN to IRL
access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0 
access-list VPN-IRL remark Allow VPN connection to IRL
access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0 
access-list VPN-HIL remark Allow VPN connection to HIL
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0 
access-list NO-NAT remark Don't NAT traffic sent to IRL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0 
access-list NO-NAT remark Don't NAT traffic sent to HIL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0 
access-list NO-NAT-DMZ remark Don't NAT traffic sent to IRL
access-list NO-NAT-DMZ permit ip 10.2.0.0 255.255.0.0 172.18.0.0 255.255.0.0 
access-list NO-NAT-DMZ remark Don't NAT traffic sent to HIL
access-list NO-NAT-DMZ permit ip 10.2.0.0 255.255.0.0 172.20.0.0 255.255.0.0 
ip address outside AA.BB.CC.253 255.255.255.0
ip address inside 10.4.2.21 255.255.255.0
ip address dmz 10.2.0.1 255.255.0.0
ip address eth3 10.4.0.1 255.255.255.252
ip address eth4 10.4.0.5 255.255.255.252
ip address failover 10.4.0.9 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list NO-NAT-DMZ
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) AA.BB.CC.101 10.2.0.4 netmask 255.255.255.255 0 0 
static (dmz,outside) AA.BB.CC.109 10.2.0.13 netmask 255.255.255.255 0 0 
static (dmz,outside) AA.BB.CC.102 10.2.0.6 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.55 10.1.2.10 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.57 10.1.2.23 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.51 10.1.2.52 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.53 10.1.2.1 netmask 255.255.255.255 0 0 
static (dmz,outside) AA.BB.CC.141 10.2.0.3 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.11 10.15.200.246 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.70 10.1.2.7 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.77 10.1.2.44 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.89 10.1.2.43 netmask 255.255.255.255 0 0 
static (dmz,outside) AA.BB.CC.112 10.2.0.8 netmask 255.255.255.255 0 0 
static (dmz,outside) AA.BB.CC.113 10.2.0.11 netmask 255.255.255.255 0 0 
static (inside,dmz) 172.18.0.0 172.18.0.0 netmask 255.255.0.0 0 0 
static (inside,outside) AA.BB.CC.16 10.16.200.16 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.2 10.16.200.2 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.80 10.16.200.7 netmask 255.255.255.255 0 0 
static (dmz,outside) AA.BB.CC.114 10.2.0.16 netmask 255.255.255.255 0 0 
static (dmz,outside) AA.BB.CC.115 10.2.0.12 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.83 10.1.2.53 netmask 255.255.255.255 0 0 
static (dmz,outside) AA.BB.CC.118 10.2.0.19 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.84 10.1.2.54 netmask 255.255.255.255 0 0 
static (dmz,outside) AA.BB.CC.120 10.2.0.24 netmask 255.255.255.255 0 0 
static (dmz,outside) AA.BB.CC.121 10.2.0.25 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.90 10.1.5.253 netmask 255.255.255.255 0 0 
static (inside,outside) AA.BB.CC.152 10.1.5.2 netmask 255.255.255.255 0 0 
static (inside,dmz) 172.20.0.0 172.20.0.0 netmask 255.255.0.0 0 0 
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.192.0.0 0 0 
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0 
static (dmz,outside) AA.BB.CC.122 10.2.0.26 netmask 255.255.255.255 0 0 
access-group from-internet in interface outside
access-group inside_access_in in interface inside
access-group from-dmz in interface dmz
routing interface inside
  ospf priority 0
  ospf message-digest-key 1 md5 A(hfIQ.]DET/Qb1}
routing interface eth3
router ospf 1
  network 10.0.0.0 255.192.0.0 area 10.0.0.0 
  area 10.0.0.0 authentication message-digest
  log-adj-changes
  default-information originate
route outside 0.0.0.0 0.0.0.0 AA.BB.CC.254 1
route outside 198.147.174.72 255.255.255.255 AA.BB.CC.251 1
route outside 198.151.185.90 255.255.255.255 AA.BB.CC.251 1
route outside 198.151.185.91 255.255.255.255 AA.BB.CC.251 1
sysopt connection permit-ipsec
sysopt noproxyarp dmz
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN-IRL
crypto map VPN 100 set peer XX.YY.ZZ.114
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN 200 ipsec-isakmp
crypto map VPN 200 match address VPN-HIL
crypto map VPN 200 set peer QQ.RR.SS.66
crypto map VPN 200 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address XX.YY.ZZ.114 netmask 255.255.255.255 
isakmp key ******** address QQ.RR.SS.66 netmask 255.255.255.255 
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600
 
At 1st glance I can't see anything wrong. Just make sure that you employ NAT-0 on both VPN end-points. And allow ICMP echo replies from the VPN subnet on the outside interface as well :)

This is only a quick look, but I hope I gave you some hints.

A firm believer in the "Keep it Simple" philosophy
Cheers
/T
 
Does one of your match addresses have the DMZ traffic addressed in the match acl?

crypto map VPN 100 match address VPN-IRL
crypto map VPN 200 match address VPN-HIL

access-list VPN-IRL remark Prevent any VoIP traffic to be routed over the VPN to IRL
access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list VPN-IRL remark Allow VPN connection to IRL
access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0
access-list VPN-HIL remark Allow VPN connection to HIL
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0


What's up with the permit and deny statements in the same ACL?

You will need to make sure your match address ACL has the DMZ subnet in it and on the distant end the reverse.
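One way to answer the question this reply raises (does the crypto map's match ACL select the DMZ subnet, and does the DMZ nat 0 ACL cover the same flow) without reading masks by hand: an added Python checker, not from the thread, that parses the VPN-IRL, VPN-HIL and NO-NAT-DMZ lines copied from the posted config (embedded here as constructed input) and evaluates them first-match, top-down, the way the PIX does. It goes slightly beyond the reply by also exercising the VoIP deny entry; the sample host addresses are assumptions.

```python
import ipaddress

# Constructed input: the crypto-map and nat 0 ACLs copied from the config posted in the thread.
PIX_ACLS = """
access-list VPN-IRL remark Prevent any VoIP traffic to be routed over the VPN to IRL
access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
access-list NO-NAT-DMZ permit ip 10.2.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list NO-NAT-DMZ permit ip 10.2.0.0 255.255.0.0 172.20.0.0 255.255.0.0
"""

def _take_addr(tokens, i):
    """Consume one PIX 6.x address spec at tokens[i]: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs use a real subnet mask (not an IOS wildcard), which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for the 'ip' ACEs, in config order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark" or t[3] != "ip":
            continue  # remarks and port-level (tcp/udp/icmp) entries play no part in crypto/nat 0 here
        src, i = _take_addr(t, 4)
        dst, _ = _take_addr(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def first_match(aces, src_ip, dst_ip):
    """PIX evaluates ACEs top-down and stops at the first hit; None is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action
    return None

def interesting_traffic(acls, crypto_acl, nonat_acl, src_ip, dst_ip):
    """A flow reaches the tunnel un-NATed only if the nat 0 ACL and the crypto ACL both permit it."""
    return (first_match(acls.get(nonat_acl, []), src_ip, dst_ip) == "permit"
            and first_match(acls.get(crypto_acl, []), src_ip, dst_ip) == "permit")

if __name__ == "__main__":
    acls = parse_acls(PIX_ACLS)  # assumed sample hosts: a DMZ web server, a VoIP host, a non-DMZ host
    for src, dst in [("10.2.0.24", "172.18.0.10"), ("10.10.1.5", "172.18.0.10"), ("10.3.0.5", "172.18.0.10")]:
        print(f"{src} -> {dst}: nat0={first_match(acls['NO-NAT-DMZ'], src, dst)} "
              f"crypto={first_match(acls['VPN-IRL'], src, dst)} "
              f"tunneled={interesting_traffic(acls, 'VPN-IRL', 'NO-NAT-DMZ', src, dst)}")
```

Run against the posted lines, the checker shows that 10.2.0.0/16 already falls inside 10.0.0.0 255.192.0.0, so the match ACLs select DMZ traffic; the peer's ACLs, which the thread does not show, still have to mirror the same subnets.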
 