gauthierv

asked on

ASA5505 Configuration Issues

I'm having some difficulty in being able to access the internal network from a server in my dmz. From inside, I can ping and connect remotely to the dmz server, but from the dmz server, I cannot ping internally. I have tried opening icmp traffic, to no avail. I'm also looking to open a sqlnet port between the dmz server and an internal server. This is an ASA5505, Version 8.0(2), with a Security Plus license (20 VLANs, DMZ unrestricted, unlimited inside hosts). Also, when connecting via VPN, I can't ping or connect to anything internally or in the dmz. My configuration is attached.
config.txt
Noyan Gonulsen

Hi gauthierv,

In your translation static (INSIDE,dmz) 172.168.0.0 172.168.0.0 netmask 255.255.0.0 dns should read
static (dmz,inside) 172.168.0.0 172.168.0.0 netmask 255.255.0.0 dns
Also you have not applied your access-list dmz_to_inside to your interface dmz
access-group dmz_to_inside in interface dmz
Let's try this first and we can continue from there.
gauthierv

ASKER

Ok.  I'm at home now, so I'll try changes first thing tomorrow morning and post the results.  Thank you.
I have made the changes as requested, but am still unable to ping from the dmz server to the inside. Also, I made changes last night that affected my ability to ping the dmz server from the inside.  Attached is the latest config.
config2.txt
Hi,
When you say "to the inside" you are referring to your internal network, correct?
From your new configs I still don't see the dmz_to_inside access list applied to your dmz interface (this access list will allow you to ping the dmz network). Also you need to add entries to your access list to permit traffic from your dmz to your internal network.
access-list dmz_to_inside extended permit 172.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
Once you apply the access-group to the interface, you can continue to add to the access-list.
Hi,

I just went through the configs again and noticed (sorry didn't catch it earlier). Please add a 1 in the third octet of the ip addresses 172.168.1.0 255.255.0.0 192.168.1.0 255.255.0.0.


Yes, by "inside", I mean the internal network.
I tried this command but the firewall didn't like it:
access-list dmz_to_inside extended permit 172.168.1.0 255.255.0.0 192.168.1.0 255.255.0.0
I've been able to add an ACE that will allow me to ping internally from the dmz server. I'm also trying to allow some rules to all domain services through, but I don't think it's working yet.  Also, I need to open sqlnet between the dmz server and another internal server, but I'm not sure I've done that right either.  Here's the code:

access-list dmz_access_in extended permit icmp 192.168.0.0 255.255.0.0 any
access-list dmz_access_in extended permit icmp any 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit icmp any 192.168.0.0 255.255.0.0 echo-reply
access-list dmz_access_in extended permit tcp any eq sqlnet host ERP
access-list dmz_access_in extended permit udp 192.168.0.0 255.255.0.0 eq netbios-ns 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit udp 192.168.0.0 255.255.0.0 eq netbios-dgm 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 eq netbios-ssn 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 eq domain 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 eq ldap 172.168.0.0 255.255.0.0

static (dmz,outside) tcp eportal-outside www Eportal-Inside www netmask 255.255.255.255  dns
static (INSIDE,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 dns
static (dmz,INSIDE) 172.168.0.0 172.168.0.0 netmask 255.255.0.0 dns
static (dmz,INSIDE) Eportal-Inside eportal-outside netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz


My other biggest problem right now is that when I connect via VPN, I cannot ping anything internally, which means I cannot connect remotely to anything either. I have a vendor who needs to get in to drop some code for a rollout this weekend, so time is of the essence!
access-list dmz_access_in extended permit tcp host 172.168.1.10 host (your internal server) eq sqlnet
This will allow your webserver to access your internal server on port 1521 using tcp.
Here is a link from Cisco's site that might help as well;
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html#wp1047858
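Pulling the DMZ-to-inside pieces of this exchange together, here is an added example (not either participant's config and not text from the Cisco page linked above) in the pre-8.3 syntax that ASA 8.0(2) uses. The addresses 192.168.0.0/16 (inside), 172.168.0.0/16 (dmz), the DMZ host 172.168.1.10 and the inside Oracle host named ERP come from the thread; the interface names are written in lower case and everything else is an assumption. Two points worth making explicit: an extended ACE must name a protocol (ip, icmp, tcp or udp) right after permit/deny, which is why a line without one is rejected, and an ACL applied inbound on the dmz interface filters packets arriving from the DMZ, so its source addresses are DMZ addresses, not inside ones. Note also that 172.168.0.0/16 is not RFC 1918 space (the private block is 172.16.0.0/12), so a DMZ numbered from it can shadow real internet destinations; the example keeps the thread's addressing regardless.

```cisco
! Added example, not the asker's config. ASA 8.0(2), pre-8.3 NAT syntax.
! Assumed: inside = 192.168.0.0/16, dmz = 172.168.0.0/16, DMZ web host 172.168.1.10,
! ERP = name of the inside Oracle host (defined with "name" elsewhere in the config).
!
! Identity translations so each side is reached by its real address.
! Form: static (real_ifc,mapped_ifc) mapped_addr real_addr netmask mask
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (dmz,inside) 172.168.0.0 172.168.0.0 netmask 255.255.0.0
!
! ACL applied inbound on dmz: sources are DMZ hosts, destinations are inside hosts.
! Every ACE carries a protocol keyword; only what the DMZ host actually needs is opened.
access-list dmz_access_in extended permit icmp host 172.168.1.10 192.168.0.0 255.255.0.0 echo
access-list dmz_access_in extended permit tcp host 172.168.1.10 host ERP eq sqlnet
access-list dmz_access_in extended permit udp host 172.168.1.10 192.168.0.0 255.255.0.0 eq domain
! Explicit final deny with logging so blocked DMZ-originated traffic shows up in syslog.
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! Let the stateful ICMP inspector admit the echo-reply instead of a broad "permit icmp any" rule.
policy-map global_policy
 class inspection_default
  inspect icmp
```

With inspect icmp on, the reply to a ping from the DMZ is matched to its request, so no ACE permitting echo-reply toward the DMZ is needed; the deny-with-log line at the end is what makes a rejected connection visible in the ASA log rather than silently dropped.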

Okay, that worked.  Thanks! Now I need to get the dmz server to have access to the internet and, more importantly, I need to have access to the dmz server remotely after connecting via VPN.
Regarding your vpn is your vendor connecting through a client software?
However, you do not have NAT-T enabled.
Enter the following command to enable IPsec over NAT-T globally on the security appliance.
crypto isakmp nat-traversal natkeepalive 3600 (1hr, I think by default it's 20 seconds)
The vendor (and myself) are using the latest Cisco VPN client (5.0.05.0290).  What does "crypto isakmp nat-traversal 3600" allow?  The VPN is working, however, the vendor cannot connect to the server in the DMZ.  Currently, when the vendor connects with an IP from an internal Pool (192.168.1.70), he cannot connect or ping to anything internal.  When he connected with an IP from another Pool (192.168.4.1), he can connect and ping to the internal network.  Is there an issue with the overlap (my internal network is 192.168.0.0)?  How can I get him access to the server in the dmz (172.168.x.x)?
To get the dmz server to access the internet apply this
Static (dmz,outside) outside ip 172.168.1.10 netmask 255.255.0.0
Can you ping the dmz server from your internal network? Your address pool is 192.168.1.70-79, which is your internal network ip, so it should work. If your address pool was different (e.g. 10.0.0.0), then you would need an access list allowing that subnet to access any other subnet.
SOLUTION
Noyan Gonulsen
This solution is only available to members.
can you please post your running configs again
If you can send me the 192.168.4.1 address pool then we can Add nonat config for the DMZ interface which should allow you to access the dmz zone. If the VPN Client can communicate to inside hosts but not to hosts on the DMZ zone then nat needs to be disabled on the DMZ interface.
Here is the latest running config.  
Ooops ... forgot to attach it!  
Ok, let's try this again!
config3.txt
ASKER CERTIFIED SOLUTION
This solution is only available to members.
sorry I meant 192.168.4.0
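The "nonat" change the expert refers to is behind the members-only gate above, so here is an added example (not the expert's posted solution) of the standard pre-8.3 NAT exemption for a client pool of 192.168.4.0/24, the network the expert names; the pool name VPN_POOL and the ACL names are assumptions, and it assumes dynamic PAT (nat ... 1) already exists on the inside and dmz interfaces, which is why an exemption is needed at all.

```cisco
! Added example, not from the thread's configs. ASA 8.0, pre-8.3 syntax.
! Assumed: VPN client pool 192.168.4.0/24, dmz 172.168.0.0/16, inside 192.168.0.0/16,
! and an existing "nat (dmz) 1" / "nat (inside) 1" dynamic PAT toward outside.
!
! Exempt DMZ<->pool traffic from NAT on the dmz interface. Without this the DMZ host's
! replies toward the pool are PATed to the outside address and never enter the tunnel.
access-list dmz_nat0_outbound extended permit ip 172.168.0.0 255.255.0.0 192.168.4.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
!
! Same exemption for inside hosts so the pool can reach the internal network unchanged.
! Only one "nat (ifc) 0 access-list" is allowed per interface: if one already exists,
! add the ACE to that ACL instead of creating a second nat 0 statement.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Address clients from a pool that overlaps no connected subnet, so routing back to
! a client is unambiguous (192.168.1.70-79 sits inside 192.168.0.0/16).
ip local pool VPN_POOL 192.168.4.1-192.168.4.254 mask 255.255.255.0
```

The exemption ACLs are written with the local network as source and the pool as destination because nat 0 access-list is evaluated on traffic leaving the named interface's hosts; the ASA derives the reverse direction itself.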
Thanks!  That worked.  Now I can connect to my dmz servers through VPN.  One other question ... I have split-tunneling enabled on the VPN connection, but I still cannot access the internet when I am connected via VPN.  What am I missing?
Great, good stuff!
Now can you connect through the VPN and right click the lock in the tray and go to Statistics, "Route Details" it should have your work network in the secured routes list. If you don't see that can you enable logging on the device as well.
Will test it tonight and post results.  The good news is that my vendor was able to connect and complete the code drop for our weekend implementation.
Great, glad to hear.
I'm off work tomorrow, heading to a client site. I'll check this weekend for your post and hopefully we can resolve this. Can you access the device remotely through ssh or telnet?
Hi Gauthierv,

I have not heard back from you, I hope everything is working out for you!
Hi kimjc,

I thought I had posted the Route Details.  Only the DMZ network was available.  The internal network was not in the route details.  The two issues I still have are getting the DMZ server access to the internet, and being able to access the internet once connected via VPN.
When you connected through remote access could you only ping the dmz network? If so, it sounds like remote access is set to the dmz interface, considering there is no internet access from the dmz network out. I have your configs, I'll have a look at them and will post my findings.
By the way, gauthierv, what is your objective here? Do you want remote access to the dmz interface only and be able to access the internet as well? Or do you want access to the internal network as well as the dmz network via remote access? I just want to be clear before I start posting the commands.

Thanks
While connected via VPN, I can ping the internal network and access everything in the internal network. I just expected to see the internal network listed in the route details.  The way VPN works now is perfect with the exception of being able to access the internet.  I have split tunneling enabled, but that doesn't seem to be doing what I expected.  The only other thing that is important is getting my dmz server connected to the internet.
Hi Gauthierv,

Can your external users access your dmzserver on port 80? I came across something interesting, which I haven't seen before: your ISP assigned you a /29 subnet, which indicates 8 usable IPs. The 1st IP is usually the network block, a second IP is the default gateway, then you have 6 IPs to play with. Your default route is 75.149.137.246 and your external IP address is 75.149.xxx.xxx, which is fine, but I noticed that the IP of your dmzserver is 75.149.137.242; this could be different in your case as I have not seen this before. Can you confirm with your ISP the block that they have assigned for you? If this is correct, did you add dmz to the global interface?
Sorry for the delay in responding.  No, external users cannot access the dmz server on port 80.  The block of IPs from our ISP is correct, with .246 being the gateway.  What is the command for adding the dmz to the global interface?
Hi Gauthierv,
No worries for the delay. The command is  global (dmz) 1 interface
I noticed that your access-list "access-list outside_access_in extended permit tcp any eq www host dmzserver-outside " can you change this to point to dmz-inside. You already have the access-group on the outside interface. After making these changes, let me know if users can access your webserver.
Unfortunately, the dmz server is still not accessible after these changes.
Can you please post your updated configs, I need to look at it in detail, I know I'm missing something and it's driving me crazy. I just want to confirm as it stands right now;
1) The internal network has access to the dmz
2) The dmz zone has access to the internal network
3) You can vpn in and access the internal network and the dmz zone
Issues
1) Dmz has no internet access
2) External users can not access webserver in dmz zone on port 80
3) VPN users do not have internet access.

Thanks,
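For the three open items in that summary, an added example (not from the thread's configs, whose hidden solution posts are unavailable) in ASA 8.0 pre-8.3 syntax. The public address 75.149.137.242 and the DMZ host 172.168.1.10 are taken from the thread; the interface name outside, the group-policy name VPN_GP and the ACL names are assumptions. One behaviour of 8.0 code matters for item 2: an ACL on the outside interface is matched against the mapped (public) address of the DMZ host, because translation happens after the inbound ACL check on that release.

```cisco
! Added example, not the thread's config. ASA 8.0, pre-8.3 syntax. Assumed names:
! outside interface "outside", group-policy "VPN_GP" for the client tunnel group,
! DMZ web host 172.168.1.10 published on 75.149.137.242.
!
! 1) DMZ hosts reach the internet: dynamic PAT from dmz to the outside interface address.
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! 2) Publish the web server: a host static maps the public address to the DMZ host.
!    On 8.0 the outside ACL names the mapped (public) address, not the DMZ address,
!    and opens only port 80.
static (dmz,outside) 75.149.137.242 172.168.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 75.149.137.242 eq www
access-group outside_access_in in interface outside
!
! 3) Split tunneling: only the listed networks are sent through the tunnel; the client
!    reaches the internet over its own uplink. Both internal networks must be listed,
!    otherwise they do not appear in the client's "Route Details" secured routes.
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 172.168.0.0 255.255.0.0
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

After applying item 3 the client's Route Details should list both 192.168.0.0/16 and 172.168.0.0/16 as secured routes and nothing else; if the policy still reads tunnelall, every client packet, internet traffic included, is forced into the tunnel and dropped at the ASA unless hairpinning is configured.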
Yes, your summary is correct.  Attached is the updated config.
config4.txt
Hi kimjc,
I haven't heard anything since the last config was posted.  Have you been able to look at it?
Is there anyone available to assist me with the remaining issues?  I need to get my web server in the dmz to have internet access.  
Hi Gauthierv,

I'm sorry I was away just got back yesterday. If you can give me until Monday, everything here at my office will be back to normal and I can dedicate my time to the outstanding issue.
Again I apologize.
no problem.  I certainly appreciate the help!
I will be on vacation next week, but am still looking forward to your assistance.
Still have some outstanding issues that have not been resolved.