ASA5505 Configuration Issues

I'm having some difficulty in being able to access the internal network from a server in my dmz. From inside, I can ping and connect remotely to dmz server, but from dmz server, I cannot ping internally. I have tried opening icmp traffic, to no avail.  I'm also looking to open a sqlnet port between the dmz server and an internal server.   This is an ASA5505, Version 8.0(2), with a Security Plus license (20 VLANs, DMZ unrestricted, unlimited inside hosts). Also, when connecting via VPN, I can't ping or connect to anything internally or in the dmz. My configuration is attached.
config.txt
gauthiervAsked:

Noyan GonulsenCommented:
Hi gauthierv,

In your translation static (INSIDE,dmz) 172.168.0.0 172.168.0.0 netmask 255.255.0.0 dns should read
static (dmz,inside) 172.168.0.0 172.168.0.0 netmask 255.255.0.0 dns
Also you have not applied your access-list dmz_to_inside to your interface dmz
access-group dmz_to_inside in interface dmz
Let's try this first and we can continue from there.
0
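An added lint script (not from this thread, the poster's config, or Cisco) that catches the two mistakes raised in the replies: an access-list that is defined but never bound to an interface with access-group, and an extended ACE written without a protocol keyword, which the ASA parser rejects. The sample config is constructed in the style of the thread's ASA 8.0(2) lines.

```python
# Constructed sample in the style of the thread's config (not the poster's actual file).
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any eq www host dmzserver-outside
access-list dmz_to_inside extended permit icmp 172.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list dmz_to_inside extended permit 172.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
static (dmz,inside) 172.168.0.0 172.168.0.0 netmask 255.255.0.0 dns
access-group outside_access_in in interface outside
"""

# Protocol keywords an extended ACE may carry right after permit/deny (numeric IDs also allowed).
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ah", "object-group"}


def lint_asa_config(text):
    """Return (line, message) findings: unbound ACLs and ACEs missing a protocol."""
    defined, applied, findings = {}, set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and len(tokens) > 1:
            defined.setdefault(tokens[1], []).append(lineno)
            # 'extended permit 172.168.0.0 ...' has no protocol and is refused by the ASA.
            if len(tokens) > 3 and tokens[2] == "extended" and tokens[3] in ("permit", "deny"):
                proto = tokens[4] if len(tokens) > 4 else ""
                if proto not in PROTOCOLS and not proto.isdigit():
                    findings.append((lineno, f"ACE in {tokens[1]} has no protocol keyword"))
        elif tokens[0] == "access-group" and len(tokens) > 1:
            applied.add(tokens[1])
    # An ACL that is never applied with access-group filters nothing.
    for name, lines in defined.items():
        if name not in applied:
            findings.append((lines[0], f"access-list {name} is never bound with access-group"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, msg in lint_asa_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```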
gauthiervAuthor Commented:
Ok.  I'm at home now, so I'll try changes first thing tomorrow morning and post the results.  Thank you.
0
gauthiervAuthor Commented:
I have made the changes as requested, but am still unable to ping from the dmz server to the inside. Also, I made changes last night that affected my ability to ping the dmz server from the inside.  Attached is the latest config.
config2.txt
0

Noyan GonulsenCommented:
Hi,
When you say "to the inside" you are referring to your internal network, correct?
From your new configs I still don't see the dmz_to_inside access list applied to your dmz interface (this access list will allow you to ping the dmz network). Also you need to add entries to your access list to permit traffic from your dmz to your internal network.
access-list dmz_to_inside extended permit 172.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0.
Once you apply the access-group to the interface, you can continue to add to the access-list.
0
Noyan GonulsenCommented:
Hi,

I just went through the configs again and noticed (sorry, didn't catch it earlier): please add a 1 in the third octet of the ip addresses: 172.168.1.0 255.255.0.0 192.168.1.0 255.255.0.0.


0
gauthiervAuthor Commented:
Yes, by "inside", I mean the internal network.
I tried this command but the firewall didn't like it:
access-list dmz_to_inside extended permit 172.168.1.0 255.255.0.0 192.168.1.0 255.255.0.0
I've been able to add an ACE that will allow me to ping internally from the dmz server. I'm also trying to allow some rules to all domain services through, but I don't think it's working yet.  Also, I need to open sqlnet between the dmz server and another internal server, but I'm not sure I've done that right either.  Here's the code:

access-list dmz_access_in extended permit icmp 192.168.0.0 255.255.0.0 any
access-list dmz_access_in extended permit icmp any 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit icmp any 192.168.0.0 255.255.0.0 echo-reply
access-list dmz_access_in extended permit tcp any eq sqlnet host ERP
access-list dmz_access_in extended permit udp 192.168.0.0 255.255.0.0 eq netbios-ns 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit udp 192.168.0.0 255.255.0.0 eq netbios-dgm 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 eq netbios-ssn 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 eq domain 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 eq ldap 172.168.0.0 255.255.0.0

static (dmz,outside) tcp eportal-outside www Eportal-Inside www netmask 255.255.255.255  dns
static (INSIDE,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 dns
static (dmz,INSIDE) 172.168.0.0 172.168.0.0 netmask 255.255.0.0 dns
static (dmz,INSIDE) Eportal-Inside eportal-outside netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz


0
gauthiervAuthor Commented:
My other biggest problem right now is that when I connect via VPN, I cannot ping anything internally, which means I cannot connect remotely to anything either. I have a vendor who needs to get in to drop some code for a rollout this weekend, so time is of the essence!
0
Noyan GonulsenCommented:
access-list dmz_access_in extended permit tcp host 172.168.1.10 host (your internal server) eq sqlnet
This will allow your webserver to access your internal server on port 1521 using tcp.
Here is a link from Cisco's site that might help as well;
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html#wp1047858

0
gauthiervAuthor Commented:
Okay, that worked.  Thanks! Now I need to get the dmz server to have access to the internet and, more importantly, I need to have access to the dmz server remotely after connecting via VPN.
0
Noyan GonulsenCommented:
Regarding your VPN, is your vendor connecting through client software?
However, you do not have NAT-T enabled.
Enter the following command to enable IPsec over NAT-T globally on the security appliance.
crypto isakmp nat-traversal natkeepalive 3600 (1hr, I think by default it's 20 seconds)
0
gauthiervAuthor Commented:
The vendor (and myself) are using the latest Cisco VPN client (5.0.05.0290).  What does "crypto isakmp nat-traversal 3600" allow?  The VPN is working, however, the vendor cannot connect to the server in the DMZ.  Currently, when the vendor connects with an IP from an internal Pool (192.168.1.70), he cannot connect or ping to anything internal.  When he connected with an IP from another Pool (192.168.4.1), he can connect and ping to the internal network.  Is there an issue with the overlap (my internal network is 192.168.0.0)?  How can I get him access to the server in the dmz (172.168.x.x)?
0
Noyan GonulsenCommented:
To get the dmz server to access the internet apply this
Static (dmz,outside) outside ip 172.168.1.10 netmask 255.255.0.0
Can you ping the dmz server from your internal network?  Your address pool is 192.168.1.70-79 which is your internal network ip so it should work. If your address pool was different (i.e. 10.0.0.0 then you would need an access list allowing that subnet to access any other subnet)
0
Noyan GonulsenCommented:
"NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPsec traffic when necessary. This feature is disabled by default.
With the exception of the home zone on the Cisco ASA 5505, the security appliance can simultaneously support standard IPsec, IPsec over TCP, NAT-T, and IPsec over UDP, depending on the client with which it is exchanging data. When both NAT-T and IPsec over UDP are enabled, NAT-T takes precedence. IPsec over TCP, if enabled, takes precedence over all other connection methods.
When you enable NAT-T, the security appliance automatically opens port 4500 on all IPsec enabled interfaces." as per cisco.
How is he connecting with that pool 192.168.4.1? I don't see that pool configured within your configs.
You can add an access list that allows that traffic to hit your server: 192.168.4.0 to 172.168.1.10.
0
Noyan GonulsenCommented:
Can you please post your running configs again?
0
Noyan GonulsenCommented:
If you can send me the 192.168.4.1 address pool then we can add a nonat config for the DMZ interface, which should allow you to access the dmz zone. If the VPN Client can communicate with inside hosts but not with hosts on the DMZ zone, then nat needs to be disabled on the DMZ interface.
0
gauthiervAuthor Commented:
Here is the latest running config.  
0
gauthiervAuthor Commented:
Ooops ... forgot to attach it!  
0
gauthiervAuthor Commented:
Ok, let's try this again!
config3.txt
0
Noyan GonulsenCommented:


access-list split_tunnel name permit ip 172.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (dmz) 0 access-list split_tunnel name
0

Noyan GonulsenCommented:
sorry I meant 192.168.4.0
0
gauthiervAuthor Commented:
Thanks!  That worked.  Now I can connect to my dmz servers through VPN.  One other question ... I have split-tunneling enabled on the VPN connection, but I still cannot access the internet when I am connected via VPN.  What am I missing?
0
Noyan GonulsenCommented:
Great, good stuff!
Now can you connect through the VPN and right click the lock in the tray and go to Statistics, "Route Details" it should have your work network in the secured routes list. If you don't see that can you enable logging on the device as well.
0
gauthiervAuthor Commented:
Will test it tonight and post results.  The good news is that my vendor was able to connect and complete the code drop for our weekend implementation.
0
Noyan GonulsenCommented:
Great, glad to hear.
I'm off work tomorrow, heading to a client site. I'll check this weekend for your post and hopefully we can resolve this. Can you access the device remotely through ssh or telnet?
0
Noyan GonulsenCommented:
Hi Gauthierv,

I have not heard back from you, I hope everything is working out for you!
0
gauthiervAuthor Commented:
Hi kimjc,

I thought I had posted the Route Details.  Only the DMZ network was available.  The internal network was not in the route details.  The two issues I still have are getting the DMZ server access to the internet, and being able to access the internet once connected via VPN.
0
Noyan GonulsenCommented:
When you connected through remote access, could you only ping the dmz network? If so, it sounds like remote access is set to the dmz interface, considering there is no internet access from the dmz network out. I have your configs, I'll have a look at them and will post my findings.
0
Noyan GonulsenCommented:
By the way, gauthierv, what is your objective here? Do you want remote access to the dmz interface only and to be able to access the internet as well? Or do you want access to the internal network as well as the dmz network via remote access? I just want to be clear before I start posting the commands.

Thanks
0
gauthiervAuthor Commented:
While connected via VPN, I can ping the internal network and access everything in the internal network. I just expected to see the internal network listed in the route details.  The way VPN works now is perfect with the exception of being able to access the internet.  I have split tunneling enabled, but that doesn't seem to be doing what I expected.  The only other thing that is important is getting my dmz server connected to the internet.
0
Noyan GonulsenCommented:
Hi Gauthierv,

Can your external users access your dmzserver on port 80? I came across something interesting, which I haven't seen before: your ISP assigned you a /29 subnet, which indicates 8 usable IPs. The 1st IP is usually the network block, a second ip is the default gateway, then you have 6 IPs to play with. Your default route is 75.149.137.246 and your external ip address is 75.149.xxx.xxx, which is fine, but I noticed that the IP of your dmzserver is 75.149.137.242; this could be different in your case as I have not seen this before. Can you confirm with your ISP the block that they have assigned for you? If this is correct, did you add dmz to the global interface?
0
gauthiervAuthor Commented:
Sorry for the delay in responding.  No, external users cannot access the dmz server on port 80.  The block of IPs from our ISP is correct, with .246 being the gateway.  What is the command for adding the dmz to the global interface?
0
Noyan GonulsenCommented:
Hi Gauthierv,
No worries for the delay. The command is: global (dmz) 1 interface
I noticed your access-list "access-list outside_access_in extended permit tcp any eq www host dmzserver-outside"; can you change this to point to dmz-inside? You already have the access-group on the outside interface. After making these changes, let me know if users can access your webserver.
0
gauthiervAuthor Commented:
Unfortunately, the dmz server is still not accessible after these changes.
0
Noyan GonulsenCommented:
Can you please post your updated configs? I need to look at it in detail, I know I'm missing something and it's driving me crazy. I just want to confirm as it stands right now:
1) The internal network has access to the dmz
2) The dmz zone has access to the internal network
3) You can vpn in and access the internal network and the dmz zone
Issues
1) Dmz has no internet access
2) External users can not access webserver in dmz zone on port 80
3) VPN users do not have internet access.

Thanks,
0
gauthiervAuthor Commented:
Yes, your summary is correct.  Attached is the updated config.
config4.txt
0
gauthiervAuthor Commented:
Hi kimjc,
I haven't heard anything since the last config was posted.  Have you been able to look at it?
0
gauthiervAuthor Commented:
Is there anyone available to assist me with the remaining issues?  I need to get my web server in the dmz to have internet access.  
0
Noyan GonulsenCommented:
Hi Gauthierv,

I'm sorry I was away just got back yesterday. If you can give me until Monday, everything here at my office will be back to normal and I can dedicate my time to the outstanding issue.
Again I apologize.
0
gauthiervAuthor Commented:
No problem. I certainly appreciate the help!
0
gauthiervAuthor Commented:
I will be on vacation next week, but am still looking forward to your assistance.
0
gauthiervAuthor Commented:
Still have some outstanding issues that have not been resolved.
0