Solved

Cisco ASA VPN users can't access DMZ

Posted on 2008-09-29
15
1,096 Views
Last Modified: 2012-06-21
I have a few VPN sites that I need to connect to my DMZ.  I am testing out only one for now.  I have attached the ASA config.  The office that I am trying to connect right now is the one named cwoffice which has the network id 172.29.37.0.

DMZ = 172.29.70.0
VPN = 172.29.37.0
Inside = 172.29.1.0

I created my access-list and applied it to my nat 0 statement.  I'm not sure what else I might be missing.  I appreciate your time in looking this over.

access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.1.0 255.255.255.0
nat (dmz) 0 access-list vpntodmz
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.29.1.3 255.255.255.192 
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.29.70.3 255.255.255.192 
!
interface Ethernet0/3
 no nameif
 no security-level
 ip address 192.168.251.6 255.255.255.252 
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.251.2 255.255.255.252 
!
 
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.100.1
 
same-security-traffic permit intra-interface
object-group network trustedVpn
 network-object 172.25.0.0 255.255.240.0
 network-object 172.28.1.0 255.255.255.0
 network-object 172.29.0.0 255.255.224.0
 network-object 172.29.1.0 255.255.255.0
 network-object 172.29.130.0 255.255.255.0
 network-object 172.29.15.0 255.255.255.0
 network-object 172.29.3.0 255.255.255.0
 network-object 172.29.30.0 255.255.255.0
 network-object 172.29.31.0 255.255.255.0
 network-object 172.29.32.0 255.255.255.0
 network-object 172.29.33.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.199.0 255.255.255.0
 network-object 192.168.251.0 255.255.255.252
 network-object 192.168.251.4 255.255.255.252
 network-object 192.168.99.0 255.255.255.0
 network-object 10.0.0.0 255.255.255.0
 network-object 172.29.34.0 255.255.255.0
 network-object 172.29.37.0 255.255.255.0
 network-object 172.29.70.0 255.255.255.192
object-group service DSI_TCP tcp
 port-object range 2332 2332
 port-object range 5004 5004
object-group service DSI_UDP udp
 port-object range 17335 17335
 port-object range 22334 22335
 port-object range 2332 2332
 port-object range 5004 5004
access-list 2010 extended permit udp any host xxx.xxx.238.6 eq isakmp log 
access-list 2010 extended permit esp any host xxx.xxx.238.6 log 
access-list 2010 extended permit ip host xxx.xxx.156.164 xxx.xxx.238.0 255.255.255.0 log 
access-list 2010 extended permit ip 172.29.15.0 255.255.255.0 192.168.100.0 255.255.255.0 log 
access-list 2010 extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 log 
access-list 2010 extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0 
access-list 2010 extended permit ip 172.29.33.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list 2010 extended permit icmp host xxx.xxx.74.142 192.168.100.0 255.255.255.0 echo-reply 
access-list 2010 extended permit tcp any object-group DSI_TCP host xxx.xxx.252.85 
access-list 2010 extended permit udp any object-group DSI_UDP host xxx.xxx.252.85 
access-list 2010 extended deny ip any any inactive 
access-list 2010 extended permit icmp host xxx.xxx.74.142 192.168.100.0 255.255.255.0 
access-list 2010 extended permit icmp host xxx.xxx.74.142 172.29.1.0 255.255.255.0 
access-list 2010 extended permit icmp host xxx.xxx.74.142 172.29.1.0 255.255.255.0 echo-reply 
access-list 2020 extended permit ip any any 
access-list Admin_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0 
access-list Admin_splitTunnelAcl standard permit 172.25.0.0 255.255.240.0 
access-list Admin_splitTunnelAcl standard permit 172.29.0.0 255.255.224.0 
access-list Admin_splitTunnelAcl standard permit 172.29.70.0 255.255.255.192 
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 172.29.0.0 255.255.224.0 
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 172.25.0.0 255.255.240.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.25.0.0 255.255.240.0 
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.0.0 255.255.224.0 
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 172.29.0.0 255.255.224.0 
access-list nonat extended permit ip 172.29.30.0 255.255.255.0 any 
access-list nonat extended permit ip any 172.29.3.0 255.255.255.0 
access-list nonat extended permit ip 172.29.30.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.30.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.28.1.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.130.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.199.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.31.0 255.255.255.0 
access-list nonat extended permit ip 172.29.31.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.32.0 255.255.255.0 
access-list nonat extended permit ip 172.29.32.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 172.29.32.0 255.255.255.0 any 
access-list nonat extended permit ip 172.29.1.0 255.255.255.0 172.29.32.0 255.255.255.0 
access-list nonat extended permit ip 172.29.33.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0 
access-list nonat extended permit ip 172.29.33.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 172.29.33.0 255.255.255.0 172.29.1.0 255.255.255.0 
access-list nonat extended permit ip any 172.29.33.0 255.255.255.0 
access-list nonat extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6 
access-list nonat extended permit ip host 172.29.0.0 host xxx.xxx.238.6 
access-list nonat extended permit ip host xxx.xxx.74.142 hostxxx.xxx.238.6 
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list nonat extended permit ip 172.29.34.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.34.0 255.255.255.0 
access-list nonat extended permit ip 172.29.35.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.35.0 255.255.255.0 
access-list nonat extended permit ip 172.29.36.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.36.0 255.255.255.0 
access-list nonat extended permit ip 172.29.37.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0 
access-list BREA extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 
access-list BREA extended permit ip 172.25.0.0 255.255.240.0 192.168.99.0 255.255.255.0 
access-list BREA extended permit ip 172.29.0.0 255.255.224.0 192.168.99.0 255.255.255.0 
access-list BREA extended permit ip 192.168.100.0 255.255.255.0 172.29.30.0 255.255.255.0 
access-list BREA extended permit ip 172.25.0.0 255.255.240.0 172.29.30.0 255.255.255.0 
access-list BREA extended permit ip 172.29.0.0 255.255.224.0 172.29.30.0 255.255.255.0 
access-list Outside_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 
access-list Test01 standard permit 192.168.100.0 255.255.255.0 
access-list Brian extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 
access-list Brian extended permit ip 172.25.0.0 255.255.240.0 172.29.15.0 255.255.255.0 
access-list Brian extended permit ip 172.29.0.0 255.255.224.0 172.29.15.0 255.255.255.0 
access-list Outside_40_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 
access-list TEST extended permit ip 192.168.100.0 255.255.255.0 192.168.199.0 255.255.255.0 
access-list TEST extended permit ip 172.25.0.0 255.255.240.0 192.168.199.0 255.255.255.0 
access-list TEST extended permit ip 172.29.0.0 255.255.224.0 192.168.199.0 255.255.255.0 
access-list TEST extended permit ip 192.168.100.0 255.255.255.0 172.29.130.0 255.255.255.0 
access-list TEST extended permit ip 172.25.0.0 255.255.240.0 172.29.130.0 255.255.255.0 
access-list TEST extended permit ip 172.29.0.0 255.255.224.0 172.29.130.0 255.255.255.0 
access-list GST-LA extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list GST-LA extended permit ip 172.25.0.0 255.255.240.0 192.168.1.0 255.255.255.0 
access-list GST-LA extended permit ip 172.29.0.0 255.255.224.0 192.168.1.0 255.255.255.0 
access-list GST-LA extended permit ip 192.168.100.0 255.255.255.0 172.29.31.0 255.255.255.0 
access-list GST-LA extended permit ip 172.25.0.0 255.255.240.0 172.29.31.0 255.255.255.0 
access-list GST-LA extended permit ip 172.29.0.0 255.255.224.0 172.29.31.0 255.255.255.0 
access-list GST extended permit ip 192.168.100.0 255.255.255.0 172.29.32.0 255.255.255.0 
access-list GST extended permit ip 172.25.0.0 255.255.240.0 172.29.32.0 255.255.255.0 
access-list GST extended permit ip 172.29.0.0 255.255.224.0 172.29.32.0 255.255.255.0 
access-list RUNSPRGS extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0 
access-list RUNSPRGS extended permit ip 172.25.0.0 255.255.240.0 172.29.33.0 255.255.255.0 
access-list RUNSPRGS extended permit ip 172.29.0.0 255.255.224.0 172.29.33.0 255.255.255.0 
access-list inside_20_cryptomap extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6 
access-list Outside_100_cryptomap extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6 
access-list Outside_120_cryptomap extended permit ip host 172.29.0.0 host xxx.xxx.238.6 
access-list Outside_140_cryptomap extended permit ip host xxx.xxx.74.142 host xxx.xxx.238.6 
access-list TCT extended permit ip 192.168.100.0 255.255.255.0 172.29.34.0 255.255.255.0 
access-list TCT extended permit ip 172.25.0.0 255.255.240.0 172.29.34.0 255.255.255.0 
access-list TCT extended permit ip 172.29.0.0 255.255.224.0 172.29.34.0 255.255.255.0 
access-list TCT extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list TCT extended permit ip 172.29.0.0 255.255.224.0 10.0.0.0 255.255.255.0 
access-list TCT extended permit ip 172.25.0.0 255.255.240.0 10.0.0.0 255.255.255.0 
access-list extended extended permit ip 10.0.0.0 255.255.255.0 any 
access-list extended extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list LR extended permit ip 172.29.0.0 255.255.192.0 172.29.36.0 255.255.255.0 
access-list LR extended permit ip 172.25.0.0 255.255.240.0 172.29.36.0 255.255.255.0 
access-list LR extended permit ip 192.168.100.0 255.255.255.0 172.29.36.0 255.255.255.0 
access-list TESTNET extended permit ip 192.168.100.0 255.255.255.0 172.29.35.0 255.255.255.0 
access-list TESTNET extended permit ip 172.25.0.0 255.255.240.0 172.29.35.0 255.255.255.0 
access-list TESTNET extended permit ip 172.29.0.0 255.255.192.0 172.29.35.0 255.255.255.0 
access-list cwoffice extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0 
access-list cwoffice extended permit ip 172.25.0.0 255.255.240.0 172.29.37.0 255.255.255.0 
access-list cwoffice extended permit ip 172.29.0.0 255.255.192.0 172.29.37.0 255.255.255.0 
access-list cwoffice extended permit ip 172.29.70.0 255.255.255.192 172.29.37.0 255.255.255.0 
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.1.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging standby
logging emblem
logging console alerts
logging monitor alerts
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool Admin-VPN-Pool-1 172.29.3.1-172.29.3.254 mask 255.255.255.0
ip verify reverse-path interface Outside
no failover
failover lan unit primary
no monitor-interface Outside
no monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Outside) 1 172.29.0.0 255.255.224.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list vpntodmz
access-group 2010 in interface Outside
access-group 2020 out interface inside
route Outside 0.0.0.0 0.0.0.0 xxx.xxx.238.1 1
route inside 192.168.100.0 255.255.255.0 172.29.1.9 1
route inside 172.25.0.0 255.255.240.0 172.29.1.9 1
route inside 172.29.0.0 255.255.255.0 172.29.1.9 1
route inside 172.29.1.0 255.255.255.0 172.29.1.9 1
route inside 172.29.2.0 255.255.255.0 172.29.1.9 1
route inside 172.29.3.0 255.255.255.0 172.29.1.9 1
route inside 172.29.4.0 255.255.255.0 172.29.1.9 1
route inside 172.29.5.0 255.255.255.0 172.29.1.9 1
route inside 172.29.6.0 255.255.255.0 172.29.1.9 1
route inside 172.29.7.0 255.255.255.0 172.29.1.9 1
route inside 172.29.8.0 255.255.255.0 172.29.1.9 1
route inside 172.29.9.0 255.255.255.0 172.29.1.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server xxx.xxx protocol radius
aaa-server xxx.xxx host 192.168.100.7
 key xxx.xxx
 authentication-port 1812
 accounting-port 1813
aaa-server DisSDI protocol sdi
aaa-server DisSDI host 192.168.100.7
group-policy xxx.xxx.96.248 internal
group-policy xxx.xxx.96.248 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.20.185 internal
group-policy xxx.xxx.20.185 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.198.192 internal
group-policy xxx.xxx.198.192 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.74.142 internal
group-policy xxx.xxx.74.142 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.178.83 internal
group-policy xxx.xxx.178.83 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.97.250 internal
group-policy xxx.xxx.97.250 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.106.234 internal
group-policy xxx.xxx.106.234 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy BGTEST internal
group-policy BGTEST attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy Admin-Policy internal
group-policy Admin-Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Admin_splitTunnelAcl
group-policy xxx.xxx.89.106 internal
group-policy xxx.xxx.89.106 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy RemoteSupport internal
group-policy RemoteSupport attributes
 vpn-tunnel-protocol IPSec 
group-policy Dispatch internal
group-policy Dispatch attributes
 wins-server value 192.168.100.1 192.168.100.8
 dns-server value 192.168.100.1 192.168.100.8
 vpn-tunnel-protocol IPSec 
 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.100.0 255.255.255.0 inside
http 172.29.0.0 255.255.224.0 inside
 
no snmp-server location
no snmp-server contact
snmp-server community xxx.xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set pfs 
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set pfs 
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set pfs 
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map Outside_map 40 match address BREA
crypto map Outside_map 40 set peer xxx.xxx.106.234 
crypto map Outside_map 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 50 match address GST-LA
crypto map Outside_map 50 set peer xxx.xxx.89.106 
crypto map Outside_map 50 set transform-set ESP-3DES-SHA
crypto map Outside_map 60 match address GST
crypto map Outside_map 60 set peer xxx.xxx.74.142 
crypto map Outside_map 60 set transform-set ESP-3DES-SHA
crypto map Outside_map 70 match address GST-LA
crypto map Outside_map 70 set peer xxx.xxx.178.83 
crypto map Outside_map 70 set transform-set ESP-3DES-SHA
crypto map Outside_map 80 match address RUNSPRGS
crypto map Outside_map 80 set peer xxx.xxx.96.248 
crypto map Outside_map 80 set transform-set ESP-3DES-SHA
crypto map Outside_map 100 match address Outside_100_cryptomap
crypto map Outside_map 100 set pfs 
crypto map Outside_map 100 set peer xxx.xxx.178.83 
crypto map Outside_map 100 set transform-set ESP-3DES-SHA
crypto map Outside_map 120 match address Outside_120_cryptomap
crypto map Outside_map 120 set pfs 
crypto map Outside_map 120 set peer xxx.xxx.238.6 
crypto map Outside_map 120 set transform-set ESP-3DES-SHA
crypto map Outside_map 140 match address Outside_140_cryptomap
crypto map Outside_map 140 set pfs 
crypto map Outside_map 140 set peer xxx.xxx.74.142 
crypto map Outside_map 140 set transform-set ESP-3DES-SHA
crypto map Outside_map 150 match address TCT
crypto map Outside_map 150 set peer xxx.xxx.97.250 
crypto map Outside_map 150 set transform-set ESP-3DES-SHA
crypto map Outside_map 160 match address TESTNET
crypto map Outside_map 160 set peer xxx.xxx.89.106 
crypto map Outside_map 160 set transform-set ESP-3DES-SHA
crypto map Outside_map 170 match address LR
crypto map Outside_map 170 set peer xxx.xxx.198.192 
crypto map Outside_map 170 set transform-set ESP-3DES-SHA
crypto map Outside_map 180 match address cwoffice
crypto map Outside_map 180 set peer xxx.xxx.20.185 
crypto map Outside_map 180 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map inside_map 20 match address inside_20_cryptomap
crypto map inside_map 20 set pfs 
crypto map inside_map 20 set peer xxx.xxx.238.6 
crypto map inside_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp enable Outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group xxx.xxx.74.142 type ipsec-l2l
tunnel-group xxx.xxx.74.142 general-attributes
 default-group-policy xxx.xxx.74.142
tunnel-group xxx.xxx.74.142 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group Admin type ipsec-ra
tunnel-group Admin general-attributes
 address-pool Admin-VPN-Pool-1
 default-group-policy Admin-Policy
tunnel-group Admin ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.106.234 type ipsec-l2l
tunnel-group xxx.xxx.106.234 general-attributes
 default-group-policy xxx.xxx.106.234
tunnel-group xxx.xxx.106.234 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx type ipsec-ra
tunnel-group xxx.xxx general-attributes
 address-pool Admin-VPN-Pool-1
 authentication-server-group DisSDI
 default-group-policy xxx.xxx
tunnel-group Dispatch ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.89.106 type ipsec-l2l
tunnel-group xxx.xxx.89.106 general-attributes
 default-group-policy xxx.xxx.89.106
tunnel-group xxx.xxx.89.106 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.96.248 type ipsec-l2l
tunnel-group xxx.xxx.96.248 general-attributes
 default-group-policy xxx.xxx.96.248
tunnel-group xxx.xxx.96.248 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group RemoteSupport type ipsec-ra
tunnel-group RemoteSupport general-attributes
 address-pool Admin-VPN-Pool-1
 default-group-policy RemoteSupport
tunnel-group RemoteSupport ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.238.6 type ipsec-l2l
tunnel-group xxx.xxx.238.6 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.178.83 type ipsec-l2l
tunnel-group xxx.xxx.178.83 general-attributes
 default-group-policy xxx.xxx.96.248
tunnel-group xxx.xxx.178.83 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.97.250 type ipsec-l2l
tunnel-group xxx.xxx.97.250 general-attributes
 default-group-policy xxx.xxx.97.250
tunnel-group xxx.xxx.97.250 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.198.192 type ipsec-l2l
tunnel-group xxx.xxx.198.192 general-attributes
 default-group-policy xxx.xxx.198.192
tunnel-group xxx.xxx.198.192 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.20.185 type ipsec-l2l
tunnel-group xxx.xxx.20.185 general-attributes
 default-group-policy xxx.xxx.20.185
tunnel-group xxx.xxx.20.185 ipsec-attributes
 pre-shared-key xxx.xxx
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 172.29.0.0 255.255.224.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
console timeout 60
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
ntp authenticate
prompt hostname context 
: end

Question by:Swarley
15 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22602839
You got the NAT exemption right for the inside interface, but try adding this to enable it for VPN clients:
nat (dmz) 1 0.0.0.0 0.0.0.0
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.37.0 255.255.255.0
0
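The reply above hinges on how an ASA evaluates a NAT-exemption list: `nat (dmz) 0 access-list vpntodmz` is matched against traffic whose source sits behind the dmz interface, so DMZ hosts answering VPN clients need an entry whose destination is the VPN subnet, not just the inside subnet. The following checker, added here as an illustration and not code from the thread or from Cisco, parses `access-list ... extended permit ip` lines (the `any`, `host X` and `NET MASK` address forms) and reports whether a given flow is exempted. The sample ACL text is constructed from the two `vpntodmz` lines discussed above; the function names `parse_acl`, `nat0_covers` and `missing_exemptions` are this example's own.

```python
"""Check which flows an ASA 'nat 0 access-list' (NAT exemption) ACL covers.

Added example for this thread; not the original poster's configuration tooling.
Handles only 'extended permit|deny ip' entries, which is all a NAT-exemption
list normally contains.
"""
import ipaddress

# Constructed sample: the single line from the original question ...
ORIGINAL_ACL = """
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.1.0 255.255.255.0
"""

# ... and the same list with the entry suggested in the first reply appended.
PROPOSED_ACL = ORIGINAL_ACL + """
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.37.0 255.255.255.0
"""


def _parse_endpoint(tokens, i):
    """Consume one ASA address spec starting at tokens[i]; return (network, next index).

    ASA extended ACLs use dotted subnet masks (not wildcard masks), which
    ipaddress accepts directly in the 'address/netmask' form.
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return a list of (name, action, src_net, dst_net, inactive) tuples."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        # Skip blank lines, remarks, standard ACLs and anything that is not
        # an 'extended' entry with an explicit action.
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        name, action, proto = tokens[1], tokens[3], tokens[4]
        if proto != "ip":
            continue  # port-based entries are not NAT-exemption material
        try:
            src, i = _parse_endpoint(tokens, 5)
            dst, i = _parse_endpoint(tokens, i)
        except (ValueError, IndexError):
            continue  # e.g. redacted 'xxx.xxx' addresses in a pasted config
        inactive = "inactive" in tokens[i:]
        entries.append((name, action, src, dst, inactive))
    return entries


def nat0_covers(entries, acl_name, src_ip, dst_ip):
    """True if src_ip -> dst_ip is exempted from NAT by acl_name.

    Mirrors the ASA's first-match semantics: the first active entry whose
    source and destination both contain the flow decides, and a deny (or no
    match at all) means the flow is *not* exempted.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, action, src, dst, inactive in entries:
        if name != acl_name or inactive:
            continue
        if s in src and d in dst:
            return action == "permit"
    return False


def missing_exemptions(entries, acl_name, flows):
    """Return the (src, dst) pairs from 'flows' that acl_name does not exempt."""
    return [(s, d) for s, d in flows if not nat0_covers(entries, acl_name, s, d)]


if __name__ == "__main__":
    # Flows a DMZ host must be able to answer without being translated:
    # one to the inside LAN and one to the cwoffice VPN subnet (both from the thread).
    flows = [("172.29.70.10", "172.29.1.20"), ("172.29.70.10", "172.29.37.10")]
    for label, text in (("original", ORIGINAL_ACL), ("proposed", PROPOSED_ACL)):
        gaps = missing_exemptions(parse_acl(text), "vpntodmz", flows)
        print(f"{label}: not exempted -> {gaps}")
```

Run against the original list the DMZ-to-VPN flow is reported as not exempted; with the suggested line appended it is. The checker says nothing about routing, so a DMZ server that does not use this ASA as its gateway can still fail even when the exemption is correct, which is the direction the thread takes next.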
 

Author Comment

by:Swarley
ID: 22606199
I added both entries, but the VPN users still can't see the DMZ.
0
 

Author Comment

by:Swarley
ID: 22606255
Would it matter that the servers on the DMZ do not use this ASA as their gateway?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22606492
Yes it does. :-) Do they have public IP addresses?
0
 

Author Comment

by:Swarley
ID: 22606770
The servers themselves do not have public addresses.  They are mapped from the firewall.  Here is a quick little layout.

http://i316.photobucket.com/albums/mm354/Swarl3y/Layout-1.jpg

0
 

Author Comment

by:Swarley
ID: 22607823
Even if the servers aren't using the VPN ASA as a gateway, shouldn't they still be able to contact that dmz interface?

Also, what would be the best way for me to have the VPN users get to the DMZ servers?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22607876
So the ASA is not handling the VPN? You have a separate device?
0
 

Author Comment

by:Swarley
ID: 22607904
I have 2 ASAs.  One as a firewall and one for VPN.  They're both in the diagram in the link above.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22607952
That could be the problem - can you please post the configs for both of them in separate posts so I can analyze them?
0
 

Author Comment

by:Swarley
ID: 22608116
Firewall
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xxx.xxx.238.4 255.255.255.0 standby xxx.xxx.238.5 
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.2
 vlan 2
 nameif inside
 security-level 100
 ip address 172.29.1.1 255.255.255.192 standby 172.29.1.2 
!
interface Ethernet0/1.179
 description Network Managers
 vlan 179
 nameif Mgt-Network-VL179
 security-level 100
 ip address 10.1.179.11 255.255.255.0 standby 10.1.179.12 
!
interface Ethernet0/2
 description DMZ Interface
 nameif dmz
 security-level 50
 ip address 172.29.70.1 255.255.255.192 standby 172.29.70.2 
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 description LAN Failover Interface
!
 
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 
same-security-traffic permit intra-interface
object-group service Mail-Servers tcp
 description Mail-Servers
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object range 995 995
 port-object eq pop3
object-group service Video-Cameras tcp
 description Video-Cameras
 port-object eq www
 port-object eq https
object-group service DSI_Servers_TCP tcp
 port-object eq 5004
 port-object eq 2332
 port-object eq 22335
 port-object eq 22334
 port-object eq 17335
object-group service DSI_Servers_Tc tcp
object-group service DSI_Servers_T tcp
 port-object eq 5004
 port-object eq 2332
 port-object range 3389 3389
object-group service DSI_Servers_U udp
 port-object eq 22335
 port-object eq 22334
 port-object eq 17335
 port-object eq 2332
 port-object eq 5004
access-list 2010 extended permit tcp any host xxx.xxx.252.82 object-group Mail-Servers log 
access-list 2010 extended permit tcp any host xxx.xxx.252.83 eq www log 
access-list 2010 extended permit tcp any host xxx.xxx.252.83 eq https 
access-list 2010 extended permit tcp any host xxx.xxx.238.30 object-group Video-Cameras log 
access-list 2010 extended permit udp any host xxx.xxx.238.20 eq tftp inactive 
access-list 2010 extended permit icmp any host xxx.xxx.252.82 echo log inactive 
access-list 2010 extended permit icmp any any log 
access-list 2010 extended permit ip host xxx.xxx.156.164 76.204.238.0 255.255.255.0 log 
access-list 2010 extended permit tcp any host xxx.xxx.252.85 object-group DSI_Servers_T log 
access-list 2010 extended permit udp any host xxx.xxx.252.85 object-group DSI_Servers_U log 
access-list 2010 extended permit tcp any host xxx.xxx.238.31 eq ftp 
access-list 2010 extended permit tcp any host xxx.xxx.238.45 eq 3389 
access-list 2010 extended permit tcp any host xxx.xxx.238.46 eq 5900 inactive 
access-list 2010 extended permit tcp any host xxx.xxx.238.47 object-group Mail-Servers 
access-list 2010 extended permit tcp xxx.xxx 255.255.255.240 host xxx.xxx.238.48 eq 5900 
access-list 2010 extended permit tcp any host xxx.xxx.238.49 eq www 
access-list 2010 extended permit tcp any host xxx.xxx.238.49 eq citrix-ica 
access-list 2010 extended permit tcp any host xxx.xxx.238.49 eq 3389 
access-list 2010 extended permit tcp any host xxx.xxx.238.49 eq https 
access-list 2010 extended permit tcp any host xxx.xxx.238.50 eq ssh 
access-list 2010 extended permit udp any host xxx.xxx.238.45 eq tftp inactive 
access-list 2010 extended permit tcp any host xxx.xxx.238.60 eq www 
access-list 2020 extended permit ip any any 
access-list 2030 extended permit ip any any 
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 172.29.0.0 255.255.224.0 
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 172.25.0.0 255.255.240.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.25.0.0 255.255.240.0 
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.0.0 255.255.224.0 
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 172.25.0.0 255.255.240.0 
access-list nonat extended permit ip 172.29.32.0 255.255.255.0 172.29.1.0 255.255.255.0 
access-list nonat extended permit ip 172.29.1.0 255.255.255.0 172.29.32.0 255.255.255.0 
access-list nonat extended permit ip 172.29.32.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.32.0 255.255.255.0 
access-list Mgt-VPN-VL72_access_in extended permit ip 172.29.1.0 255.255.255.192 xxx.xxx.72.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.1.0.0 255.255.0.0 
access-list dmztoin remark Web Service
access-list dmztoin extended permit tcp host 172.29.70.10 host 172.29.70.11 eq 8080 
access-list dmztoin remark SQL Server
access-list dmztoin extended permit tcp host 172.29.70.10 host 172.29.70.12 eq 1433 
access-list dmztoin remark SQL Probe
access-list dmztoin extended permit udp host 172.29.70.10 host 172.29.70.12 eq 1434 
access-list dmztoin extended deny ip 172.29.70.0 255.255.255.192 host 172.29.70.11 
access-list dmztoin extended deny ip 172.29.70.0 255.255.255.192 host 172.29.70.12 
access-list dmztoin extended permit ip any any 
pager lines 24
logging enable
logging standby
logging emblem
logging buffer-size 104856
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu Mgt-Network-VL179 1500
mtu dmz 1500
ip verify reverse-path interface Outside
failover
failover lan interface LAN-Failover Management0/0
failover link State Ethernet0/3
failover interface ip LAN-Failover 192.168.250.1 255.255.255.252 standby 192.168.250.2
failover interface ip State 192.168.250.5 255.255.255.252 standby 192.168.250.6
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
asdm location 0.0.0.0 0.0.0.0 Outside
asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 172.29.3.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Mgt-Network-VL179) 1 10.1.179.0 255.255.255.0
nat (dmz) 1 172.29.70.0 255.255.255.192
static (inside,Outside) xxx.xxx.252.82 xxx.xxx netmask 255.255.255.255 
static (inside,Outside) xxx.xxx.238.30 192.168.100.84 netmask 255.255.255.255 
static (inside,Outside) xxx.xxx.252.85 xxx.xxx netmask 255.255.255.255 
static (inside,Outside) xxx.xxx.238.31 xxx.xxx netmask 255.255.255.255 
static (inside,Outside) xxx.xxx.238.45 xxx.xxx netmask 255.255.255.255 
static (inside,Outside) xxx.xxx.238.46 xxx.xxx netmask 255.255.255.255 
static (inside,Outside) xxx.xxx.238.47 xxx.xxx netmask 255.255.255.255 
static (inside,Outside) xxx.xxx.238.48 xxx.xxx netmask 255.255.255.255 
static (inside,Outside) xxx.xxx.238.49 xxx.xxx netmask 255.255.255.255 
static (inside,Outside) xxx.xxx.238.50 192.168.100.93 netmask 255.255.255.255 
static (inside,dmz) 172.29.70.11 xxx.xxx netmask 255.255.255.255 
static (inside,dmz) 172.29.70.12 192.168.100.91 netmask 255.255.255.255 
static (dmz,Outside) xxx.xxx.252.83 172.29.70.10 netmask 255.255.255.255 
access-group 2010 in interface Outside
access-group dmztoin in interface dmz
route Outside 0.0.0.0 0.0.0.0 xxx.xxx.238.1 1
route inside 192.168.100.0 255.255.255.0 172.29.1.9 1
route inside 172.29.3.0 255.255.255.0 172.29.1.9 1
route inside 172.29.0.0 255.255.224.0 172.29.1.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.100.0 255.255.255.0 inside
http 172.29.0.0 255.255.224.0 inside
http 10.1.179.0 255.255.255.0 Mgt-Network-VL179
http 172.29.3.0 255.255.255.0 inside
snmp-server host inside 172.29.2.10 community foryourEYEsONLY2$@
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 172.29.0.0 255.255.224.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 30
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
  inspect pptp 
!
service-policy global_policy global
ntp authenticate
ntp server xxx.xxx.233.4 source Outside prefer
smtp-server 192.168.100.9
prompt hostname context 
Cryptochecksum:d978aeedbdc9356b557a4e3989812965
: end


Author Comment

by:Swarley
ID: 22608119
VPN with changes from above
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.29.1.3 255.255.255.192 
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.29.70.3 255.255.255.192 
!
interface Ethernet0/3
 no nameif
 no security-level
 ip address 192.168.251.6 255.255.255.252 
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.251.2 255.255.255.252 
!
 
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.100.1
 
same-security-traffic permit intra-interface
object-group network trustedVpn
 network-object 172.25.0.0 255.255.240.0
 network-object 172.28.1.0 255.255.255.0
 network-object 172.29.0.0 255.255.224.0
 network-object 172.29.1.0 255.255.255.0
 network-object 172.29.130.0 255.255.255.0
 network-object 172.29.15.0 255.255.255.0
 network-object 172.29.3.0 255.255.255.0
 network-object 172.29.30.0 255.255.255.0
 network-object 172.29.31.0 255.255.255.0
 network-object 172.29.32.0 255.255.255.0
 network-object 172.29.33.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.199.0 255.255.255.0
 network-object 192.168.251.0 255.255.255.252
 network-object 192.168.251.4 255.255.255.252
 network-object 192.168.99.0 255.255.255.0
 network-object 10.0.0.0 255.255.255.0
 network-object 172.29.34.0 255.255.255.0
 network-object 172.29.37.0 255.255.255.0
 network-object 172.29.70.0 255.255.255.192
object-group service DSI_TCP tcp
 port-object range 2332 2332
 port-object range 5004 5004
object-group service DSI_UDP udp
 port-object range 17335 17335
 port-object range 22334 22335
 port-object range 2332 2332
 port-object range 5004 5004
access-list 2010 extended permit udp any host xxx.xxx.238.6 eq isakmp log 
access-list 2010 extended permit esp any host xxx.xxx.238.6 log 
access-list 2010 extended permit ip host xxx.xxx.156.164 xxx.xxx.238.0 255.255.255.0 log 
access-list 2010 extended permit ip 172.29.15.0 255.255.255.0 192.168.100.0 255.255.255.0 log 
access-list 2010 extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 log 
access-list 2010 extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0 
access-list 2010 extended permit ip 172.29.33.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list 2010 extended permit icmp host xxx.xxx.74.142 192.168.100.0 255.255.255.0 echo-reply 
access-list 2010 extended permit tcp any object-group DSI_TCP host xxx.xxx.252.85 
access-list 2010 extended permit udp any object-group DSI_UDP host xxx.xxx.252.85 
access-list 2010 extended deny ip any any inactive 
access-list 2010 extended permit icmp host xxx.xxx.74.142 192.168.100.0 255.255.255.0 
access-list 2010 extended permit icmp host xxx.xxx.74.142 172.29.1.0 255.255.255.0 
access-list 2010 extended permit icmp host xxx.xxx.74.142 172.29.1.0 255.255.255.0 echo-reply 
access-list 2020 extended permit ip any any 
access-list Admin_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0 
access-list Admin_splitTunnelAcl standard permit 172.25.0.0 255.255.240.0 
access-list Admin_splitTunnelAcl standard permit 172.29.0.0 255.255.224.0 
access-list Admin_splitTunnelAcl standard permit 172.29.70.0 255.255.255.192 
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 172.29.0.0 255.255.224.0 
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 172.25.0.0 255.255.240.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.25.0.0 255.255.240.0 
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.0.0 255.255.224.0 
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 172.29.0.0 255.255.224.0 
access-list nonat extended permit ip 172.29.30.0 255.255.255.0 any 
access-list nonat extended permit ip any 172.29.3.0 255.255.255.0 
access-list nonat extended permit ip 172.29.30.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.30.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.28.1.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.130.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.199.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.31.0 255.255.255.0 
access-list nonat extended permit ip 172.29.31.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.32.0 255.255.255.0 
access-list nonat extended permit ip 172.29.32.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 172.29.32.0 255.255.255.0 any 
access-list nonat extended permit ip 172.29.1.0 255.255.255.0 172.29.32.0 255.255.255.0 
access-list nonat extended permit ip 172.29.33.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0 
access-list nonat extended permit ip 172.29.33.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip 172.29.33.0 255.255.255.0 172.29.1.0 255.255.255.0 
access-list nonat extended permit ip any 172.29.33.0 255.255.255.0 
access-list nonat extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6 
access-list nonat extended permit ip host 172.29.0.0 host xxx.xxx.238.6 
access-list nonat extended permit ip host xxx.xxx.74.142 host xxx.xxx.238.6 
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list nonat extended permit ip 172.29.34.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.34.0 255.255.255.0 
access-list nonat extended permit ip 172.29.35.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.35.0 255.255.255.0 
access-list nonat extended permit ip 172.29.36.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.36.0 255.255.255.0 
access-list nonat extended permit ip 172.29.37.0 255.255.255.0 any 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0 
access-list BREA extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 
access-list BREA extended permit ip 172.25.0.0 255.255.240.0 192.168.99.0 255.255.255.0 
access-list BREA extended permit ip 172.29.0.0 255.255.224.0 192.168.99.0 255.255.255.0 
access-list BREA extended permit ip 192.168.100.0 255.255.255.0 172.29.30.0 255.255.255.0 
access-list BREA extended permit ip 172.25.0.0 255.255.240.0 172.29.30.0 255.255.255.0 
access-list BREA extended permit ip 172.29.0.0 255.255.224.0 172.29.30.0 255.255.255.0 
access-list Outside_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 
access-list Test01 standard permit 192.168.100.0 255.255.255.0 
access-list Brian extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 
access-list Brian extended permit ip 172.25.0.0 255.255.240.0 172.29.15.0 255.255.255.0 
access-list Brian extended permit ip 172.29.0.0 255.255.224.0 172.29.15.0 255.255.255.0 
access-list Outside_40_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 
access-list TEST extended permit ip 192.168.100.0 255.255.255.0 192.168.199.0 255.255.255.0 
access-list TEST extended permit ip 172.25.0.0 255.255.240.0 192.168.199.0 255.255.255.0 
access-list TEST extended permit ip 172.29.0.0 255.255.224.0 192.168.199.0 255.255.255.0 
access-list TEST extended permit ip 192.168.100.0 255.255.255.0 172.29.130.0 255.255.255.0 
access-list TEST extended permit ip 172.25.0.0 255.255.240.0 172.29.130.0 255.255.255.0 
access-list TEST extended permit ip 172.29.0.0 255.255.224.0 172.29.130.0 255.255.255.0 
access-list GST-LA extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list GST-LA extended permit ip 172.25.0.0 255.255.240.0 192.168.1.0 255.255.255.0 
access-list GST-LA extended permit ip 172.29.0.0 255.255.224.0 192.168.1.0 255.255.255.0 
access-list GST-LA extended permit ip 192.168.100.0 255.255.255.0 172.29.31.0 255.255.255.0 
access-list GST-LA extended permit ip 172.25.0.0 255.255.240.0 172.29.31.0 255.255.255.0 
access-list GST-LA extended permit ip 172.29.0.0 255.255.224.0 172.29.31.0 255.255.255.0 
access-list GST extended permit ip 192.168.100.0 255.255.255.0 172.29.32.0 255.255.255.0 
access-list GST extended permit ip 172.25.0.0 255.255.240.0 172.29.32.0 255.255.255.0 
access-list GST extended permit ip 172.29.0.0 255.255.224.0 172.29.32.0 255.255.255.0 
access-list RUNSPRGS extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0 
access-list RUNSPRGS extended permit ip 172.25.0.0 255.255.240.0 172.29.33.0 255.255.255.0 
access-list RUNSPRGS extended permit ip 172.29.0.0 255.255.224.0 172.29.33.0 255.255.255.0 
access-list inside_20_cryptomap extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6 
access-list Outside_100_cryptomap extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6 
access-list Outside_120_cryptomap extended permit ip host 172.29.0.0 host xxx.xxx.238.6 
access-list Outside_140_cryptomap extended permit ip host xxx.xxx.74.142 host xxx.xxx.238.6 
access-list TCT extended permit ip 192.168.100.0 255.255.255.0 172.29.34.0 255.255.255.0 
access-list TCT extended permit ip 172.25.0.0 255.255.240.0 172.29.34.0 255.255.255.0 
access-list TCT extended permit ip 172.29.0.0 255.255.224.0 172.29.34.0 255.255.255.0 
access-list TCT extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list TCT extended permit ip 172.29.0.0 255.255.224.0 10.0.0.0 255.255.255.0 
access-list TCT extended permit ip 172.25.0.0 255.255.240.0 10.0.0.0 255.255.255.0 
access-list extended extended permit ip 10.0.0.0 255.255.255.0 any 
access-list extended extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list LR extended permit ip 172.29.0.0 255.255.192.0 172.29.36.0 255.255.255.0 
access-list LR extended permit ip 172.25.0.0 255.255.240.0 172.29.36.0 255.255.255.0 
access-list LR extended permit ip 192.168.100.0 255.255.255.0 172.29.36.0 255.255.255.0 
access-list TESTNET extended permit ip 192.168.100.0 255.255.255.0 172.29.35.0 255.255.255.0 
access-list TESTNET extended permit ip 172.25.0.0 255.255.240.0 172.29.35.0 255.255.255.0 
access-list TESTNET extended permit ip 172.29.0.0 255.255.192.0 172.29.35.0 255.255.255.0 
access-list cwoffice extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0 
access-list cwoffice extended permit ip 172.25.0.0 255.255.240.0 172.29.37.0 255.255.255.0 
access-list cwoffice extended permit ip 172.29.0.0 255.255.192.0 172.29.37.0 255.255.255.0 
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.1.0 255.255.255.0 
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.37.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging standby
logging emblem
logging console alerts
logging monitor alerts
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool Admin-VPN-Pool-1 172.29.3.1-172.29.3.254 mask 255.255.255.0
ip verify reverse-path interface Outside
no failover
failover lan unit primary
no monitor-interface Outside
no monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Outside) 1 172.29.0.0 255.255.224.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list vpntodmz
nat (dmz) 1 0.0.0.0 0.0.0.0
access-group 2010 in interface Outside
access-group 2020 out interface inside
route Outside 0.0.0.0 0.0.0.0 xxx.xxx.238.1 1
route inside 192.168.100.0 255.255.255.0 172.29.1.9 1
route inside 172.25.0.0 255.255.240.0 172.29.1.9 1
route inside 172.29.0.0 255.255.255.0 172.29.1.9 1
route inside 172.29.1.0 255.255.255.0 172.29.1.9 1
route inside 172.29.2.0 255.255.255.0 172.29.1.9 1
route inside 172.29.3.0 255.255.255.0 172.29.1.9 1
route inside 172.29.4.0 255.255.255.0 172.29.1.9 1
route inside 172.29.5.0 255.255.255.0 172.29.1.9 1
route inside 172.29.6.0 255.255.255.0 172.29.1.9 1
route inside 172.29.7.0 255.255.255.0 172.29.1.9 1
route inside 172.29.8.0 255.255.255.0 172.29.1.9 1
route inside 172.29.9.0 255.255.255.0 172.29.1.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server xxx.xxx protocol radius
aaa-server xxx.xxx host 192.168.100.7
 key xxx.xxx
 authentication-port 1812
 accounting-port 1813
aaa-server DisSDI protocol sdi
aaa-server DisSDI host 192.168.100.7
group-policy xxx.xxx.96.248 internal
group-policy xxx.xxx.96.248 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.20.185 internal
group-policy xxx.xxx.20.185 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.198.192 internal
group-policy xxx.xxx.198.192 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.74.142 internal
group-policy xxx.xxx.74.142 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.178.83 internal
group-policy xxx.xxx.178.83 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.97.250 internal
group-policy xxx.xxx.97.250 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy xxx.xxx.106.234 internal
group-policy xxx.xxx.106.234 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy BGTEST internal
group-policy BGTEST attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy Admin-Policy internal
group-policy Admin-Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Admin_splitTunnelAcl
group-policy xxx.xxx.89.106 internal
group-policy xxx.xxx.89.106 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
group-policy RemoteSupport internal
group-policy RemoteSupport attributes
 vpn-tunnel-protocol IPSec 
group-policy Dispatch internal
group-policy Dispatch attributes
 wins-server value 192.168.100.1 192.168.100.8
 dns-server value 192.168.100.1 192.168.100.8
 vpn-tunnel-protocol IPSec 
 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.100.0 255.255.255.0 inside
http 172.29.0.0 255.255.224.0 inside
 
no snmp-server location
no snmp-server contact
snmp-server community xxx.xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set pfs 
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set pfs 
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set pfs 
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map Outside_map 40 match address BREA
crypto map Outside_map 40 set peer xxx.xxx.106.234 
crypto map Outside_map 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 50 match address GST-LA
crypto map Outside_map 50 set peer xxx.xxx.89.106 
crypto map Outside_map 50 set transform-set ESP-3DES-SHA
crypto map Outside_map 60 match address GST
crypto map Outside_map 60 set peer xxx.xxx.74.142 
crypto map Outside_map 60 set transform-set ESP-3DES-SHA
crypto map Outside_map 70 match address GST-LA
crypto map Outside_map 70 set peer xxx.xxx.178.83 
crypto map Outside_map 70 set transform-set ESP-3DES-SHA
crypto map Outside_map 80 match address RUNSPRGS
crypto map Outside_map 80 set peer xxx.xxx.96.248 
crypto map Outside_map 80 set transform-set ESP-3DES-SHA
crypto map Outside_map 100 match address Outside_100_cryptomap
crypto map Outside_map 100 set pfs 
crypto map Outside_map 100 set peer xxx.xxx.178.83 
crypto map Outside_map 100 set transform-set ESP-3DES-SHA
crypto map Outside_map 120 match address Outside_120_cryptomap
crypto map Outside_map 120 set pfs 
crypto map Outside_map 120 set peer xxx.xxx.238.6 
crypto map Outside_map 120 set transform-set ESP-3DES-SHA
crypto map Outside_map 140 match address Outside_140_cryptomap
crypto map Outside_map 140 set pfs 
crypto map Outside_map 140 set peer xxx.xxx.74.142 
crypto map Outside_map 140 set transform-set ESP-3DES-SHA
crypto map Outside_map 150 match address TCT
crypto map Outside_map 150 set peer xxx.xxx.97.250 
crypto map Outside_map 150 set transform-set ESP-3DES-SHA
crypto map Outside_map 160 match address TESTNET
crypto map Outside_map 160 set peer xxx.xxx.89.106 
crypto map Outside_map 160 set transform-set ESP-3DES-SHA
crypto map Outside_map 170 match address LR
crypto map Outside_map 170 set peer xxx.xxx.198.192 
crypto map Outside_map 170 set transform-set ESP-3DES-SHA
crypto map Outside_map 180 match address cwoffice
crypto map Outside_map 180 set peer xxx.xxx.20.185 
crypto map Outside_map 180 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map inside_map 20 match address inside_20_cryptomap
crypto map inside_map 20 set pfs 
crypto map inside_map 20 set peer xxx.xxx.238.6 
crypto map inside_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp enable Outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group xxx.xxx.74.142 type ipsec-l2l
tunnel-group xxx.xxx.74.142 general-attributes
 default-group-policy xxx.xxx.74.142
tunnel-group xxx.xxx.74.142 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group Admin type ipsec-ra
tunnel-group Admin general-attributes
 address-pool Admin-VPN-Pool-1
 default-group-policy Admin-Policy
tunnel-group Admin ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.106.234 type ipsec-l2l
tunnel-group xxx.xxx.106.234 general-attributes
 default-group-policy xxx.xxx.106.234
tunnel-group xxx.xxx.106.234 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx type ipsec-ra
tunnel-group xxx.xxx general-attributes
 address-pool Admin-VPN-Pool-1
 authentication-server-group DisSDI
 default-group-policy xxx.xxx
tunnel-group Dispatch ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.89.106 type ipsec-l2l
tunnel-group xxx.xxx.89.106 general-attributes
 default-group-policy xxx.xxx.89.106
tunnel-group xxx.xxx.89.106 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.96.248 type ipsec-l2l
tunnel-group xxx.xxx.96.248 general-attributes
 default-group-policy xxx.xxx.96.248
tunnel-group xxx.xxx.96.248 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group RemoteSupport type ipsec-ra
tunnel-group RemoteSupport general-attributes
 address-pool Admin-VPN-Pool-1
 default-group-policy RemoteSupport
tunnel-group RemoteSupport ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.238.6 type ipsec-l2l
tunnel-group xxx.xxx.238.6 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.178.83 type ipsec-l2l
tunnel-group xxx.xxx.178.83 general-attributes
 default-group-policy xxx.xxx.96.248
tunnel-group xxx.xxx.178.83 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.97.250 type ipsec-l2l
tunnel-group xxx.xxx.97.250 general-attributes
 default-group-policy xxx.xxx.97.250
tunnel-group xxx.xxx.97.250 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.198.192 type ipsec-l2l
tunnel-group xxx.xxx.198.192 general-attributes
 default-group-policy xxx.xxx.198.192
tunnel-group xxx.xxx.198.192 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.20.185 type ipsec-l2l
tunnel-group xxx.xxx.20.185 general-attributes
 default-group-policy xxx.xxx.20.185
tunnel-group xxx.xxx.20.185 ipsec-attributes
 pre-shared-key xxx.xxx
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 172.29.0.0 255.255.224.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
console timeout 60
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
ntp authenticate
prompt hostname context 
: end
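
As an added example (not from the thread or either poster's configs), the Python check below parses the access-list, "nat ... 0 access-list" and "crypto map ... match address" lines from the VPN ASA config above and reports, for a given flow, whether it is NAT-exempt on its ingress interface and which crypto map entry would select it for the tunnel. The embedded config excerpt is constructed from the lines quoted above; the flow addresses are hypothetical hosts in the DMZ, inside and cwoffice subnets.

```python
"""Check whether a flow through the VPN ASA is both NAT-exempt and matched by
a crypto-map ACL, using the 'access-list', 'nat ... 0 access-list' and
'crypto map ... match address' lines from the config quoted above."""
import ipaddress

# Constructed excerpt of the VPN ASA config posted in this thread; only the
# lines this check reads are included.
VPN_ASA_EXCERPT = """
access-list nonat extended permit ip 172.29.37.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0
access-list cwoffice extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0
access-list cwoffice extended permit ip 172.25.0.0 255.255.240.0 172.29.37.0 255.255.255.0
access-list cwoffice extended permit ip 172.29.0.0 255.255.192.0 172.29.37.0 255.255.255.0
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.1.0 255.255.255.0
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.37.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list vpntodmz
crypto map Outside_map 180 match address cwoffice
"""


def _endpoint(tokens):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_asa(text):
    """Return (acls, nat_exempt, crypto_match) from the relevant config lines.

    Only 'extended ... ip' ACEs are parsed: NAT exemption and crypto-map
    selection are decided on IP source/destination, not ports.
    """
    acls, nat_exempt, crypto_match = {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2] == "extended" and t[4] == "ip":
            src, rest = _endpoint(t[5:])
            dst, _ = _endpoint(rest)
            acls.setdefault(t[1], []).append((t[3], src, dst))
        elif len(t) >= 5 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat_exempt[t[1].strip("()")] = t[4]          # interface -> ACL name
        elif len(t) >= 7 and t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_match[(t[2], int(t[3]))] = t[6]       # (map, seq) -> ACL name
    return acls, nat_exempt, crypto_match


def acl_permits(entries, src, dst):
    """First-match evaluation with the ASA's implicit deny at the end."""
    for action, s_net, d_net in entries:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def check_flow(config_text, ingress, src, dst):
    """Report whether src->dst (entering on 'ingress') is NAT-exempt and
    which crypto-map entries would select it for the tunnel."""
    acls, nat_exempt, crypto_match = parse_asa(config_text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt_acl = nat_exempt.get(ingress)
    # 'nat 0 access-list' exemption is bidirectional, so matching the
    # local->remote direction on the ingress interface is enough.
    exempt = bool(exempt_acl) and acl_permits(acls.get(exempt_acl, []), src, dst)
    selected = sorted(k for k, name in crypto_match.items()
                      if acl_permits(acls.get(name, []), src, dst))
    return {"nat_exempt": exempt, "crypto_entries": selected}


if __name__ == "__main__":
    # Hypothetical hosts: one in the DMZ, one inside, both talking to cwoffice.
    for iface, s, d in [("dmz", "172.29.70.10", "172.29.37.10"),
                        ("inside", "192.168.100.5", "172.29.37.10")]:
        r = check_flow(VPN_ASA_EXCERPT, iface, s, d)
        print(f"{iface}: {s} -> {d}: nat_exempt={r['nat_exempt']} "
              f"crypto_entries={r['crypto_entries'] or 'none'}")
```

Against the excerpt, DMZ-to-cwoffice traffic is exempted by vpntodmz but is not selected by any crypto map entry, because the cwoffice ACL only names 192.168.100.0/24, 172.25.0.0/20 and 172.29.0.0/18 (172.29.0.0 to 172.29.63.255) as local networks, none of which contains 172.29.70.0/26. Both checks must pass on this ASA, and the remote peer's crypto ACL must mirror the entry, for the flow to be carried by the tunnel.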


Expert Comment

by:Pugglewuggle
ID: 22608302
So the way it's set up is that the VPN ASA and the Firewall ASA don't connect to the DMZ through the same line? I guess they both go into a DMZ switch or something?
I don't usually see things set up this way... Most of the time all VPN and firewall functions are handled on the same ASA or a failover team. Back when the separate VPN Concentrators were used, that was the proper topology, but now that the PIX and VPN concentrator are a unified platform (ASA), I'm not exactly sure it should be set up that way.
If this is not possible let me know - but I think you should consider putting the ASAs in a failover team (A/A) and unifying previously separate functions (VPN and FW) with that team.
Having two ASAs separated like that is no longer considered best practice.

Author Comment

by:Swarley
ID: 22608724
That is correct. They both lead into a switch used only for that DMZ.

I do agree with you that the same device should have been used for both purposes, but that was implemented before I arrived and I don't believe changing that right now is an option.

We already have the Firewall ASA in an Active/Passive scenario with another ASA as a failover.  Again I would love to unify both of these or just move the VPN over to the firewall but I won't be able to do that right now.

Do you see any possibilities for this scenario?

Expert Comment

by:Pugglewuggle
ID: 22608839
Hmmm... as far as allowing traffic into the DMZ let me do some quick snooping of your configs and I'll let you know.

Accepted Solution

by:Swarley (earned 0 total points)
ID: 25684837
Since there hasn't been a response in quite some time I will close it.