Cisco ASA 5505 VPN tunnel *from* DMZ *to* inside

Posted on 2011-02-13
Last Modified: 2012-05-11
Before getting into the whats and whys of this config, is it possible to have a VPN tunnel originate from the dmz interface to a destination on the INSIDE interface?

I set the security level on dmz to 100 and enabled same-security inter/intra.  I enabled the isakmp policy on the inside interface, and have a route from the inside interface to the router to which the vpn should connect.

It seems that the traffic from the dmz is not considered interesting enough for the tunnel, as I get no crypto isakmp/ipsec debug info when I ping from the dmz host to the remote host.

Interestingly enough, if I ping from the remote host (see below), it will build a tunnel from the remote router to the ASA - the ping fails though (probably because the return traffic is not getting back into the tunnel on the ASA for the response).

I *can* ping from the ASA to the outside interface (192.168.100.10) on the remote router, so I know I can get traffic to/from a subnet that is different from the subnet on the inside interface.

ASA5505
inside: 192.168.1.202
dmz: 172.16.1.1
route 192.168.100.0/24 via 192.168.1.201 (another router on the inside)
crypto peer: 192.168.100.10
dmz host: 172.16.1.10 (server)

Router 192.168.1.201
fa0/0: 192.168.1.201
serial1: 192.168.100.9/30 (p2p T1)

Remote Router
s1: 192.168.100.10/30
dmz: 172.16.4.1
dmz host: 172.16.4.10 (server)
Question by: snowdog_2112

Author Comment

by: snowdog_2112
ID: 34884430
Update: I can confirm that traffic from the dmz destined for the remote host connected via the inside interface gets sent out the outside interface. A packet-tracer shows this:

packet-tracer input dmz tcp 172.16.1.10 139 172.16.4.10 139 detailed

...
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside


Running the same trace to a host directly connected to the inside subnet, I get:

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside


Accepted Solution

by: lrmoore (earned 500 total points)
ID: 34885322
Do you have a route statement on the asa:

route inside 172.16.4.0 255.255.255.0 192.168.1.201

On the local router, is there a route statement:
ip route 172.16.1.0 255.255.255.0 192.168.1.202

On the remote router, is there a route statement:
ip route 172.16.1.0 255.255.255.0 192.168.100.9

Otherwise, can you post your ASA config?
What you are trying to do should be possible, but it is not a typical implementation scenario.

Author Closing Comment

by: snowdog_2112
ID: 34889403
I actually had a post open to update with my success, but your answer is the one I discovered on my own. You can have the points, though, since I did not update with my solution.

It should be noted that I do *NOT* need a route on the 192.168.1.201 router for the 172.16.x.0 subnets; the ASA only needs the route to force the traffic to the inside interface, where crypto finds it "interesting" enough to tunnel.

Thanks!
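To tie the accepted answer and the closing comment together: on an ASA the crypto map is bound to an interface, and a packet is only compared against that map's crypto ACL after the route lookup has chosen that interface as the egress. With only a default route out "outside", the DMZ-to-172.16.4.0/24 traffic leaves via outside (exactly what the packet-tracer output above shows) and the map on "inside" never sees it. The fragment below is an added example written for this page, not the asker's posted configuration. It uses the addresses from the thread; the VLAN numbers, ACL/crypto-map/transform-set names, ISAKMP parameters, the pre-shared-key placeholder and the nat 0 exemption are assumptions (8.2-era syntax, matching the date of the post).

```cisco
! Added example, not from the original thread. Assumed names and values are marked.
! Goal: LAN-to-LAN IPsec from the DMZ host 172.16.1.10 to 172.16.4.10, where the
! IKE peer (192.168.100.10) is reachable only through the inside interface.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.202 255.255.255.0
!
! Assumed VLAN number for the DMZ (5505 with Security Plus license).
interface Vlan3
 nameif dmz
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
! Both interfaces are at level 100, so inter-interface traffic must be permitted.
same-security-traffic permit inter-interface
!
! The route to the peer was already present; the second route is the fix.
! Without it, 172.16.4.0/24 matches only the default route and egresses "outside",
! so the crypto map applied to "inside" never evaluates the traffic.
route inside 192.168.100.0 255.255.255.0 192.168.1.201
route inside 172.16.4.0 255.255.255.0 192.168.1.201
!
! Interesting traffic (assumed ACL name): DMZ LAN to remote LAN.
access-list DMZ-TO-REMOTE extended permit ip 172.16.1.0 255.255.255.0 172.16.4.0 255.255.255.0
!
! Assumed precaution: keep any existing dynamic NAT rule on dmz from rewriting the
! source before the crypto ACL is matched (pre-8.3 nat 0 syntax).
access-list DMZ-NAT0 extended permit ip 172.16.1.0 255.255.255.0 172.16.4.0 255.255.255.0
nat (dmz) 0 access-list DMZ-NAT0
!
! IKE phase 1 on the interface that faces the peer (assumed policy parameters).
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! IPsec phase 2 (assumed transform-set name).
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
! The crypto map must be bound to "inside", the egress interface chosen by the route above.
crypto map INSIDE-MAP 10 match address DMZ-TO-REMOTE
crypto map INSIDE-MAP 10 set peer 192.168.100.10
crypto map INSIDE-MAP 10 set transform-set AES256-SHA
crypto map INSIDE-MAP interface inside
!
tunnel-group 192.168.100.10 type ipsec-l2l
tunnel-group 192.168.100.10 ipsec-attributes
 pre-shared-key CHANGE-ME-ASSUMED-PLACEHOLDER
```

To check it, rerun the same trace as in the update, `packet-tracer input dmz tcp 172.16.1.10 139 172.16.4.10 139 detailed`: the ROUTE-LOOKUP phase should now report `in 172.16.4.0 255.255.255.0 inside` instead of the default route out outside, and a VPN phase should appear later in the trace. `show crypto isakmp sa` and `show crypto ipsec sa` confirm the SA and, under the latter, that the encaps/decaps counters increase for the 172.16.1.0/24 to 172.16.4.0/24 pair. As the closing comment notes, no route for 172.16.x.0 is needed on 192.168.1.201, because it only ever forwards the ESP packets between 192.168.1.202 and 192.168.100.10; the remote router, however, must still have a route (or crypto ACL) for 172.16.1.0/24 pointing back at the tunnel, and if an access-group is applied inbound on dmz it must permit the 172.16.1.0/24 to 172.16.4.0/24 traffic, since same-security-traffic only lifts the security-level check, not the interface ACL.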
