How come VPN Users are not able to connect to website in a DMZ?

By nbmprivat
Hi,

I have an internal network and a DMZ. In the DMZ there is a webserver.

Internal and HTTP clients can access the website in the DMZ, but when users access the network via VPN (Cisco ASA 5510) they are not able to access those websites hosted on the webserver.

I have no experience with this subject, so any help would be appreciated!

Any ideas?

23 total posts (Page 1 of 3)

All Answers

Access list ?

by NetMan1958 In reply to How come VPN Users are no ...

Does the access list associated with the VPN allow access to the DMZ's subnet?

Response To Answer

by nbmprivat In reply to Access list ?

I guess you mean under Security Policy Rules?

I just added vpn/24 (source) - dmz-network (destination) in the "outside" policy. Now I must test.

Or did you mean something else?

What type of VPN

by NetMan1958 In reply to How come VPN Users are no ...

is this? Is it a point-to-point VPN between your 5510 and another VPN device or is it an SSL VPN or a VPN client on a computer to the 5510? Feel free to post your sanitized config.

Response To Answer

by nbmprivat In reply to What type of VPN

It's a VPN client (Cisco Systems VPN Client) on the computer to the 5510.

How do I post the config? I have no experience with firewalls/VPN.

Post config

by NetMan1958 In reply to How come VPN Users are no ...

To post your config, connect to the ASA either by the console or telnet/ssh. If you are using Putty or Hyperterminal, you can enable them to save the session to a file. Once connected, go into privileged mode with the command "enable". Then run the command "show run". This will cause your running config to display a page at a time. If you are capturing the session to a file, just keep hitting the space bar until it returns to the prompt. Otherwise, copy each page of output to the clipboard and paste it in a text file before you hit the space bar. After you have the complete config in a file, go through it and mask your passwords with "************" then copy / paste the file into a new post here.
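
As an added example (not part of the thread, and not a Cisco tool), here is the masking step above done by a script rather than by hand. The config pasted in the next reply still shows the enable, passwd and username hashes as well as the public addresses, which is exactly what a sanitiser should catch. This one blanks the secret token on the ASA 7.x lines that carry one (enable password, passwd, username ... password, vpdn username ... password, pre-shared-key, snmp-server community and the aaa-server key line) and rewrites every public IPv4 address into documentation space, one fake /24 per real /24 with the host octet kept, so masks, routes and statics still line up. RFC 1918 and other non-global addresses are left alone so the config stays debuggable; hostnames and domain names are not touched. The sample config is constructed after the posted one, with made-up hashes and a made-up pre-shared key.

```python
"""Sanitise an ASA 7.x running-config before posting it.

Added example for this thread, not a Cisco tool. Secret tokens on credential
lines become ********, and public IPv4 addresses are rewritten into
documentation space (one fake /24 per real /24, host octet kept). Non-global
addresses, hostnames and domain names are left as they are.
"""
import ipaddress
import re

# ASA 7.x lines that carry a secret: the keyword(s), then the secret token,
# then whatever follows (usually "encrypted" or "nt-encrypted").
SECRET_RE = re.compile(
    r"^(\s*(?:enable password|passwd|username \S+ password|"
    r"vpdn username \S+ password|pre-shared-key|snmp-server community|key)\s+)"
    r"(\S+)(.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Fake prefixes handed out in order: the RFC 5737 documentation blocks first,
# then the RFC 2544 benchmarking range if a config has more public /24s.
DOC_PREFIXES = ["203.0.113", "198.51.100", "192.0.2"] + [f"198.18.{n}" for n in range(256)]


def redact_secrets(line):
    """Replace the secret token on a credential line; other lines pass through."""
    m = SECRET_RE.match(line)
    return f"{m.group(1)}********{m.group(3)}" if m else line


def sanitize(config):
    """Return (sanitised text, {real /24 prefix: fake /24 prefix}).

    Keep the mapping private: it translates advice given in terms of the fake
    addresses back to the real ones."""
    prefixes = {}

    def swap(m):
        token = m.group(1)
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:          # e.g. 300.1.1.1 inside some other string
            return token
        if not ip.is_global:        # RFC 1918, masks, 0.0.0.0, loopback, ...
            return token
        real, host = token.rsplit(".", 1)
        fake = prefixes.setdefault(real, DOC_PREFIXES[len(prefixes)])
        return f"{fake}.{host}"

    out = [IP_RE.sub(swap, redact_secrets(line)) for line in config.splitlines()]
    return "\n".join(out) + "\n", prefixes


# Constructed sample modelled on the config posted in this thread; the hashes
# and the pre-shared key are made up.
SAMPLE = """\
hostname pix1
enable password Xy9zAbC1dEf2GhI3 encrypted
name 192.168.128.0 vpn
name 188.120.77.165 public-website-dilf-ip
interface Ethernet0/0
 nameif outside
 ip address 188.120.77.162 255.255.255.240
passwd Xy9zAbC1dEf2GhI3 encrypted
http 83.92.8.24 255.255.255.255 outside
static (dmz,outside) public-website-dilf-ip kairostest netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 188.120.77.161 1
username usertest password AbCdEfGhIjKlMnOpQrStUw== nt-encrypted
vpdn username sv password plaintext-here
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key our-group-secret
"""

if __name__ == "__main__":
    text, mapping = sanitize(SAMPLE)
    print(text)
    print("prefix map (keep private):", mapping)
```

The "encrypted" hashes are worth treating as secrets even though they are not plaintext: the PIX/ASA password hash of this era is a fast MD5-based construction, so a posted hash is an offline cracking target, and the same hash appears here as both the enable and the login password.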

Response To Answer

by nbmprivat In reply to Post config

I don't think any passwords are showing here. Otherwise please delete my post!

: Saved
:
ASA Version 7.2(3)
!
hostname pix1
domain-name dilf.dk
enable password a23WFee/cfUp5U3Q encrypted
names
name 192.168.1.8 dilf-exchange
name 192.168.1.10 odin
name 192.168.128.0 vpn
name 192.168.1.0 inside-network
name 192.168.2.11 loke
name 192.168.2.12 heimdal
name 192.168.1.7 dilf-master
name 192.168.1.16 SAN
name 192.168.1.9 deathstar
name 192.168.1.138 IT3
name 188.120.77.163 public-mail-ip
name 188.120.77.164 public-webmail-ip
name 188.120.77.165 public-website-dilf-ip
name 188.120.77.166 public-website-kairos-ip
name 192.168.2.0 dmz-network
name 192.168.2.15 kairostest
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 188.120.77.162 255.255.255.240
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd a23WFee/cfUp5U3Q encrypted
boot system disk0:/asa723-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dilf.dk
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit ip vpn 255.255.255.0 inside-network 255.255.255.0
access-list outside_access_in extended permit ip vpn 255.255.255.0 dmz-network 255.255.255.0
access-list outside_access_in extended permit tcp any host public-mail-ip eq smtp
access-list outside_access_in extended permit tcp any host public-webmail-ip eq imap4
access-list outside_access_in extended permit tcp any host public-webmail-ip eq https
access-list outside_access_in extended permit tcp any host public-website-kairos-ip eq www
access-list outside_access_in extended permit tcp any host public-webmail-ip eq ftp
access-list outside_access_in extended permit tcp any host public-website-dilf-ip eq www
access-list dmz_access_in extended permit tcp host heimdal any eq smtp
access-list dmz_access_in extended permit udp host heimdal any eq domain
access-list dmz_access_in extended permit tcp host heimdal any eq www
access-list dmz_access_in extended permit tcp host heimdal any eq https
access-list dmz_access_in extended permit tcp host loke host odin eq 1433
access-list dmz_access_in extended permit udp host loke any eq domain
access-list dmz_access_in extended permit tcp host loke any eq www
access-list dmz_access_in extended permit tcp host loke host dilf-master eq 1801
access-list dmz_access_in extended permit tcp host loke any eq smtp
access-list dmz_access_in extended permit tcp host loke any eq https
access-list dmz_access_in extended permit tcp host kairostest any eq www
access-list dmz_access_in extended permit tcp host kairostest any eq https
access-list dmz_access_in extended permit tcp host loke host deathstar eq 1433
access-list dmz_access_in extended permit tcp host loke any eq 1500
access-list dmz_access_in extended permit udp host loke any eq 1500
access-list dmz_access_in extended permit tcp host loke any eq ftp
access-list dmz_access_in extended permit tcp host 192.168.2.66 eq www any eq www
access-list dmz_access_in extended permit tcp host SAN any
access-list dmz_access_in extended permit tcp host loke vpn 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp host kairostest any eq smtp
access-list dmz_access_in extended permit tcp host kairostest host deathstar eq 1433
access-list dmz_access_in extended permit udp host kairostest any eq domain
access-list dmz_access_in extended permit tcp host kairostest host dilf-master eq 1801
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn 255.255.255.0
access-list inside standard permit inside-network 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 16348
logging asdm-buffer-size 200
logging monitor notifications
logging buffered notifications
logging trap notifications
logging history notifications
logging asdm informational
logging device-id hostname
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpn-scope 192.168.128.2-192.168.128.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 inside-network 255.255.255.0
static (inside,dmz) tcp odin smtp odin smtp netmask 255.255.255.255
static (inside,dmz) tcp dilf-master 1801 dilf-master 1801 netmask 255.255.255.255
static (inside,dmz) tcp odin 1433 odin 1433 netmask 255.255.255.255
static (inside,dmz) tcp deathstar 1433 deathstar 1433 netmask 255.255.255.255
static (inside,outside) tcp public-webmail-ip imap4 odin imap4 netmask 255.255.255.255
static (inside,outside) tcp public-webmail-ip ftp SAN ftp netmask 255.255.255.255
static (inside,outside) tcp public-webmail-ip https odin https netmask 255.255.255.255
static (dmz,outside) public-website-dilf-ip kairostest netmask 255.255.255.255
static (dmz,outside) public-mail-ip heimdal netmask 255.255.255.255
static (dmz,outside) public-website-kairos-ip loke netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 188.120.77.161 1
route inside dilf-master 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.118 255.255.255.255 inside
http 192.168.1.11 255.255.255.255 inside
http 192.168.1.140 255.255.255.255 inside
http 192.168.1.105 255.255.255.255 inside
http 192.168.1.126 255.255.255.255 inside
http 83.92.8.24 255.255.255.255 outside
http inside-network 255.255.255.0 management
http 192.168.1.15 255.255.255.255 inside
http IT3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set jkn-trans esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set jkn-trans
crypto map jkn-map 30 ipsec-isakmp dynamic dynmap
crypto map jkn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
client-update enable
telnet timeout 5
ssh 83.90.238.242 255.255.255.255 outside
ssh timeout 5
console timeout 10
vpdn username sv password *********
dhcpd address 172.16.1.10-172.16.1.20 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy vpn3000 internal
group-policy vpn3000 attributes
dns-server value 192.168.1.7
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside
default-domain value dilf.dk
address-pools value vpn-scope
username denice password 4i/YM.cvO4HOkbV/ encrypted
username mortenc password MuS4JK5WsOmD6StU encrypted
username camillah password Yu57eadvH6Dcx3YM encrypted
username carsten password GyOnk5J2IAL01TXq encrypted
username kirsten password j2GnKFxmD.WeGVLe encrypted
username mortenm password zGwhLUvxzdPgnHfr encrypted
username captokonto password kSnYCdg6ofgA77nO encrypted
username miec password /8d.BJg5WEBRjxzM encrypted
username usertest password vHEkJH8AWqY+OZgMdBVAGA== nt-encrypted
username usertest attributes
vpn-tunnel-protocol IPSec
group-lock value DefaultRAGroup
username servicegruppen password b/MSKf2yvkXUoICz encrypted
username berit password pwwVO7MGDeqmjXo/ encrypted
username ebita password 9WZv77dQ6rkR1.xi encrypted
username nicolai password u.vUujDnRcIZqymu encrypted
username mette password LkJGZAtXCBOArnXB encrypted
username karent password D9aDlAdXz4KERz1T encrypted
username tobias2 password vHEkJH8AWqY+OZgMdBVAGA== nt-encrypted
username tobias2 attributes
vpn-tunnel-protocol IPSec
group-lock value DefaultRAGroup
username tobias password 5Yk62l6dmm79C2z5 encrypted
username tobias attributes
vpn-group-policy DfltGrpPolicy
username toni password MUxV7zleBlZV2NmN encrypted
username unisys password o5i8GEabDlDtfjTe encrypted
username tomb password nw3DvEEmuN361z2H encrypted
username sorenv password .D2tK6VyXIcQ1Kx9 encrypted
username sorenkj password XRzQ28RVBHO42IKI encrypted
username Lasse password 5QTha3fQUUT88RhF encrypted
username kurt password jihAZ31/ZkgoapC9 encrypted
username jesper password ZG4prnkKi2nnewiW encrypted
username andersaa password JtDL/q7I88cUYrpw encrypted
username anders password d/zaT9pRuyEE9rwW encrypted
username jens password VfdCNc.90ppKrX7u encrypted
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool vpn-scope
authentication-server-group (outside) LOCAL
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:c2dfe0e06ed7f59c9c923779986db659
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

Try this

by NetMan1958 In reply to How come VPN Users are no ...

This line specifies the subnets the VPN can access:
"split-tunnel-network-list value inside"
"inside" refers to access-list named inside that looks like this:
"access-list inside standard permit inside-network 255.255.255.0"
It only allows access to the "inside-network" (192.168.1.0)
These lines prevent NAT being applied to traffic between the inside network and VPN :
"nat (inside) 0 access-list inside_nat0_outbound"
"access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn "

You need to add the "name 192.168.2.0 dmz-network" to the above by adding this to your config:
"access-list inside standard permit dmz-network 255.255.255.0"
"access-list inside_nat0_outbound extended permit ip dmz-network 255.255.255.0 vpn "

Add those lines and give it a try. Post back with the results.

Response To Answer

by nbmprivat In reply to Try this

That's GREAT if that works!!! :)

Can you please explain to me how to do this in the Cisco ASDM?

Response To Answer

by nbmprivat In reply to Try this

I gave it a shot but it didn't work :-(

No change. Without VPN our websites are reachable.

With VPN connection the website gives me the following message:

Under construction
The site you are trying to view does not currently have a default page... bla bla
If you are the Web site administrator and feel you have received this message in error, please see "Enabling and Disabling Dynamic Content" in IIS Help.

RE: ASDM

by NetMan1958 In reply to How come VPN Users are no ...

I rarely ever use ASDM and to make the changes I suggested would take longer with ASDM than with the CLI. To do it with the CLI, telnet or ssh to the ASA. Type the following commands at the prompt (press ENTER after each command):
pix1> enable
(you will be prompted for the password. enter it.)
pix1# conf t
pix1(config)# access-list inside standard permit dmz-network 255.255.255.0
pix1(config)# access-list inside_nat0_outbound extended permit ip dmz-network 255.255.255.0 vpn
pix1(config)# exit
pix1#wr
pix1#exit
pix1>exit

Then try your VPN access to the DMZ.
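
The "Try this" reply and the CLI steps above change the split-tunnel list and add a dmz-network entry to inside_nat0_outbound. As an added example (mine, not from the thread or from Cisco), here is a small Python checker that reads the statements those replies rely on from a 7.2 config and lists what is still missing for a VPN-pool address to reach a given host. Run against the posted config with the suggested lines applied, it reports that the dmz interface has no nat 0 statement at all: `nat (inside) 0 access-list inside_nat0_outbound` binds that list to the inside interface only, so the dmz-network entry added there exempts nothing for hosts behind dmz, and with nat-control in the config the ASA has no translation for decrypted packets headed to 192.168.2.15. What it emits is a separate exemption list bound with `nat (dmz) 0`. The trimmed config and the names in it are copied from the post; the checker's logic and the name it invents (dmz_nat0_outbound) are my own, and it understands only NET MASK ACL operands, not `host` or `any`.

```python
"""ASA 7.x: list the statements still missing for VPN-pool clients to reach a host.

Added example for this thread, not a Cisco tool. It models only the standard ACL
named by split-tunnel-network-list and the per-interface `nat (ifc) 0 access-list`
exemption that nat-control demands; only NET MASK ACL operands are understood."""
import ipaddress

# Constructed sample: the relevant lines of the config posted above, as they look
# after the two lines suggested in "Try this" have been added.
SAMPLE_CONFIG = """\
name 192.168.128.0 vpn
name 192.168.1.0 inside-network
name 192.168.2.0 dmz-network
name 192.168.2.15 kairostest
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 ip address 192.168.2.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn 255.255.255.0
access-list inside_nat0_outbound extended permit ip dmz-network 255.255.255.0 vpn 255.255.255.0
access-list inside standard permit inside-network 255.255.255.0
access-list inside standard permit dmz-network 255.255.255.0
ip local pool vpn-scope 192.168.128.2-192.168.128.20
nat-control
nat (inside) 0 access-list inside_nat0_outbound
group-policy vpn3000 attributes
 split-tunnel-network-list value inside
 address-pools value vpn-scope
"""


def _net(tok, mask, names):
    """'dmz-network 255.255.255.0' -> 192.168.2.0/24, resolving `name` aliases."""
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{mask}", strict=False)


def parse(config):
    """Collect name aliases, interface subnets, ACLs, nat 0 bindings, pools and
    the group policy's split-tunnel list and pool name."""
    cfg = {"names": {}, "ifaces": {}, "acls": {}, "nat0": {}, "pools": {},
           "split": None, "pool": None}
    ifc = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[0] == "nameif":
            ifc = t[1]
        elif t[:2] == ["ip", "address"] and ifc:
            cfg["ifaces"][ifc] = _net(t[2], t[3], cfg["names"])
        elif t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]   # interface -> exemption ACL
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "split-tunnel-network-list":
            cfg["split"] = t[2]
        elif t[0] == "address-pools":
            cfg["pool"] = t[2]
    return cfg


def missing_lines(config, dest):
    """CLI lines still needed for pool clients to reach `dest` (an address or a
    `name` alias). An empty list means both mechanisms already cover the flow."""
    cfg = parse(config)
    names = cfg["names"]
    dest_ip = ipaddress.ip_address(names.get(dest, dest))
    lo, hi = cfg["pools"][cfg["pool"]]
    pool = ipaddress.ip_network(f"{lo}/32")
    while hi not in pool:                  # smallest prefix holding the whole pool
        pool = pool.supernet()
    ifc = next(n for n, net in cfg["ifaces"].items() if dest_ip in net)
    net, out = cfg["ifaces"][ifc], []
    alias = next((a for a, ip in names.items() if ip == str(net.network_address)),
                 str(net.network_address))

    # 1. Split tunnelling: the client sends into the tunnel only what the
    #    standard ACL named by split-tunnel-network-list permits.
    if not any(e[:2] == ["standard", "permit"] and dest_ip in _net(e[2], e[3], names)
               for e in cfg["acls"].get(cfg["split"], [])):
        out.append(f"access-list {cfg['split']} standard permit {alias} {net.netmask}")

    # 2. NAT exemption: nat 0 is bound per interface, so an entry in the inside
    #    interface's ACL does nothing for a host behind dmz. The exemption ACL
    #    names the interface-side (real) network first and the VPN pool second.
    acl = cfg["nat0"].get(ifc)
    if not any(len(e) == 7 and e[:3] == ["extended", "permit", "ip"]
               and dest_ip in _net(e[3], e[4], names)
               and pool.subnet_of(_net(e[5], e[6], names))
               for e in cfg["acls"].get(acl, [])):
        acl = acl or f"{ifc}_nat0_outbound"
        out.append(f"access-list {acl} extended permit ip {alias} {net.netmask} "
                   f"{pool.network_address} {pool.netmask}")
        if ifc not in cfg["nat0"]:
            out.append(f"nat ({ifc}) 0 access-list {acl}")
    return out
```

Two things to watch when typing in what it prints. First, the access-list lines quoted in the two replies end in `vpn ` where the running config reads `vpn 255.255.255.0`; the destination mask has to be typed. The checker writes the pool side as the prefix that covers the pool (192.168.128.0 255.255.255.224); widening that to the 192.168.128.0/24 that the `vpn` name stands for is fine. Second, the split-tunnel list is pushed to the Cisco VPN Client at connect time, so disconnect and reconnect before testing; `show crypto ipsec sa` should then show a security association whose local ident covers 192.168.2.0/255.255.255.0. On the ASA, `packet-tracer input outside tcp 192.168.128.5 1025 192.168.2.15 80` walks a packet (treated as already decrypted) through the ACL, NAT and route phases and names the phase that drops it. If the browser still lands on the IIS placeholder page after that, packets are reaching an IIS server, and the remaining check is which address the site name resolves to while the tunnel is up (the group policy pushes 192.168.1.7 as DNS server) and whether the IIS site binding answers for that name and address.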
