VPN access to DMZ

Jul 16, 2004
Hello all,
Well, I've been trolling for the answers and couldn't find what I needed. I have a two-office company, both with their own networks. I have a VPN tunnel between the two offices and everything works great for the office. The only issue is that I cannot have my remote office browse to our DMZ. From within the local office it's fine, but I cannot get to the DMZ from the remote. I've been looking through and cannot find anything that should stop traffic from flowing, but something is.

Do I need to explicitly allow traffic from the remote office over the VPN to the DMZ? They get an IP address when they browse over from 192.168.100.xxx (local) to 192.168.200.xxx (VPN); the local address is 192.168.2.xxx and the DMZ is 10.1.1.xxx.

Thanks

Mel
 
You need to add the traffic to the DMZ to the no-NAT ACL and the VPN interesting-traffic ACL. When I get back to my PC I can post the link to Cisco, or you can post your config.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks for the info on this, I'm reading the link now. I have also cleaned up my config, so if you would not mind giving it a quick look.


Thanks

Mel

ASA Version 7.0(6)
!
hostname JUST-FWL01
enable password xxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 87.xxx.xxx.xxx 255.255.255.xxx
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.10
vlan 10
nameif wifi
security-level 75
ip address 192.168.10.xx 255.255.255.0
!
interface Ethernet0/1.20
vlan 20
nameif inside
security-level 100
ip address 192.168.2.xx 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.1.1.xx 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.xx 255.255.255.0
management-only
!
passwd MXqdgfZBPPW6uKw6 encrypted
ftp mode passive
object-group icmp-type ICMP_LIST
description List of allowed icmp packet types
icmp-object echo-reply
icmp-object echo
icmp-object unreachable
icmp-object source-quench
icmp-object time-exceeded
access-list acl_outside remark ** Access from Provider
access-list acl_outside extended permit ip 81.xx.xx.xx 255.255.255.xxx any
access-list acl_outside remark ** Allow some ICMP
access-list acl_outside extended permit icmp any any object-group ICMP_LIST
access-list acl_outside remark ** Allow access to the DMZ server
access-list acl_outside extended permit tcp any host 87.xxx.xxx.xxx eq www
access-list acl_outside extended permit tcp any host 87.xxx.xxx.xxx eq https
access-list acl_outside extended permit tcp any host 87.xxx.xxx.xxx eq smtp
access-list IPSEC_CO-LO remark ** VPN to CO-LO
access-list IPSEC_CO-LO extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list IPSEC_CO-LO extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list IPSEC_CO-LO extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split_tunnel_vpn extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list acl_wifi extended permit ip any any
access-list IPSEC_OtherOffice extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console notifications
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu wifi 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool ipsec_vpn_pool 192.168.200.0-192.168.200.254
no failover
icmp permit any outside
icmp permit any wifi
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 87.xxx.xxx.xxx netmask 255.255.255.xxx
global (dmz) 1 interface
nat (wifi) 1 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 2 10.1.1.xxx 255.255.255.255
static (inside,wifi) 192.168.10.0 192.168.2.0 netmask 255.255.255.0
static (dmz,outside) 87.xxx.xxx.xxx 10.1.1.xxx netmask 255.255.255.255
access-group acl_outside in interface outside
access-group acl_wifi in interface wifi
route outside 0.0.0.0 0.0.0.0 87.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy givinggroup internal
group-policy givinggroup attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_vpn
user-authentication enable
webvpn
username xxx password xxx encrypted
username xxx password xxx encrypted
username xxx password xxx encrypted
http server enable
http 81.xxx.xxx.xxx 255.255.255.224 outside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Provider-SET esp-3des esp-sha-hmac
crypto dynamic-map dyn1 10 set transform-set Provider-SET
crypto map CMAP 10 match address IPSEC_CO-LO
crypto map CMAP 10 set peer 146.xxx.xxx.xxx
crypto map CMAP 10 set transform-set QUBE-SET
crypto map CMAP 20 match address IPSEC_OtherOffice
crypto map CMAP 20 set peer 71.xxx.xxx.xxx
crypto map CMAP 20 set transform-set Provider-SET
crypto map CMAP 65535 ipsec-isakmp dynamic dyn1
crypto map CMAP interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption aes
isakmp policy 22 hash sha
isakmp policy 22 group 2
isakmp policy 22 lifetime 86400
isakmp policy 23 authentication pre-share
isakmp policy 23 encryption 3des
isakmp policy 23 hash sha
isakmp policy 23 group 2
isakmp policy 23 lifetime 86400
isakmp nat-traversal 10
isakmp ipsec-over-tcp port 10000
tunnel-group 146.xxx.xxx.xxx type ipsec-l2l
tunnel-group 146.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group givinggroup type ipsec-ra
tunnel-group givinggroup general-attributes
address-pool ipsec_vpn_pool
default-group-policy givinggroup
tunnel-group givinggroup ipsec-attributes
pre-shared-key *
tunnel-group 71.xxx.xxx.xxx type ipsec-l2l
tunnel-group 71.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 81.xx.xx.xx 255.255.255.224 outside
ssh 192.168.2.xx 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.xx-192.168.10.xxx wifi
dhcpd address 192.168.1.xx-192.168.1.xxx management
dhcpd dns 83.xxx.xxx.xx 217.xx.xxx.xx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable wifi
dhcpd enable management
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


 
Looks good.
These should be added. You will have to mirror them on the remote end.

access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list IPSEC_OtherOffice extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list IPSEC_CO-LO extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list IPSEC_CO-LO extended permit ip 10.1.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list IPSEC_CO-LO extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0




Brent
Systems Engineer / Consultant
CCNP, CCSP
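The two ACLs Brent names are the usual reason a new subnet is reachable inside the office but not across a LAN-to-LAN tunnel: the crypto map's match ACL decides what gets encrypted, and the nat 0 ACL decides what is exempt from PAT before it reaches the tunnel. The checker below is an added example, not code from the thread or from Cisco; it parses a constructed excerpt modelled on the posted config, then reports for a given DMZ-to-remote flow whether any crypto-map match ACL covers it and whether the identity-NAT ACL bound on the flow's ingress interface covers it (ASA binds nat 0 per interface, so the interface argument matters). Only subnet-form "permit ip" ACEs are parsed; host and deny entries are ignored, and the FIX excerpt's `nat (dmz) 0` line is an assumption added here, not something shown in the thread.

```python
import ipaddress
import re

# Only subnet-form "permit ip" ACEs are parsed; host and deny entries are ignored.
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CMAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse_asa(config):
    """Collect ACEs per ACL, nat-0 bindings per interface, and crypto-map match ACLs."""
    acls, nat0, cmap = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)  # identity NAT is bound per interface
        elif m := CMAP_RE.match(line):
            cmap.append(m.group(1))
    return acls, nat0, cmap


def covered(aces, src, dst):
    return any(src in s and dst in d for s, d in aces)


def check_flow(config, src_ip, dst_ip, ingress):
    """Return (in_crypto_acl, nat_exempt_on_ingress) for one src->dst flow."""
    acls, nat0, cmap = parse_asa(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    crypto_ok = any(covered(acls.get(n, []), src, dst) for n in cmap)
    exempt_acl = nat0.get(ingress)
    exempt_ok = exempt_acl is not None and covered(acls.get(exempt_acl, []), src, dst)
    return crypto_ok, exempt_ok


# Constructed excerpt modelled on the posted config (inside-only exemption, no DMZ ACEs).
BASE = """
nat (inside) 0 access-list NO_NAT
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list IPSEC_OtherOffice extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map CMAP 20 match address IPSEC_OtherOffice
"""
# Constructed fix: the two DMZ ACEs plus an assumed dmz-side nat 0 binding.
FIX = """
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list IPSEC_OtherOffice extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (dmz) 0 access-list NO_NAT
"""
```

Run `check_flow(BASE + FIX, "10.1.1.10", "192.168.100.20", "dmz")` to see both checks pass once the ACEs are in place; the same flow against `BASE` fails both.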
 