dmz across tunnel to remote network (Solved)

Posted on 2012-09-05
Medium Priority
1,051 Views
Last Modified: 2012-09-05
Quick question:

VPN Tunnel between ASA 5510 and 5505.
5510 - Head office
5505 - Branch

5510 has:
Int inside - 100
Int outside - 0
int DMZ - 10

5505 has:
int inside - 100
int outside - 0

My DMZ setup on the 5510 is correct, in that locally from head office we can access the web servers on the DMZ. However, recently I moved a web server from the branch office inside network to the head office DMZ.

The problem now is that when resolving DNS at the branch office, it resolves to an IP address of the head office DMZ that out of the box is not routable. So I went ahead and added the required access lists for "no nat" and interesting traffic to the tunnel, on both firewalls, back and forward, but with no good results.

The DMZ has an entry to allow that particular box to talk:

access-list DMZ_access_in extended permit ip host 10.16.13.21 any


So the question is: What else am I missing? Ideas?

Question by: ifred
9 Comments
Expert Comment by Ernie Beek (LVL 35), ID: 38368099
I assume the ip address of the server was changed to an address within the ip range of the DMZ?

The other servers in the DMZ are reachable from the branch office?
Author Comment by ifred, ID: 38368112
This is the first and only server on the DMZ at the head office, so no, I do not have anything else I can use for test/working.

Yes the ip changed to match the dmz address scheme.
Expert Comment by Ernie Beek (LVL 35), ID: 38368131
Do you also have a 'no nat' set on the DMZ interface (and a rule for interesting traffic)?
I assume that before the traffic went from inside-branch to inside-headoffice (and not to DMZ-headoffice).
Author Comment by ifred, ID: 38368198
Here are the interesting traffic and no nat statements. I have other subnets flowing on this tunnel and they are fine; however, they are reachable from inside.

# Head office side
access-list vpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0
access-list Outside_1_cryptomap extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0

# branch Side
access-list inside_nat0_outbound extended permit ip 10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0

Not sure I understand your last statement/question. But here is my take on it:

I have other subnets flowing through the tunnel without any problems, and I have added these statements before without any problems. The biggest difference is that this particular subnet is coming out of the head office ASA interface and not through an inside gateway like in my other scenarios.

Accepted Solution by Ernie Beek (LVL 35, earned 2000 total points), ID: 38368248
That's what I'm aiming at. The DMZ is on a different physical interface on the ASA, is it?
So you have three interfaces: inside, outside and DMZ. For the inside you should have a line like:
nat (inside) 0 access-list vpnnonat
You now also need a similar setup for the DMZ interface:
access-list dmzvpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0
nat (dmz) 0 access-list dmzvpnnonat


That is of course if my assumptions are correct.
Author Comment by ifred, ID: 38368320
Oh yes, I see what you're saying: the NAT is not being applied as it is coming from a different interface. In other words:

access-list inside_nat0_outbound extended permit ip 10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0

This line should be replaced with:

access-list dmzvpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0

and the NAT applied to the correct interface:
nat (dmz) 0 access-list dmzvpnnonat

The NAT on the DMZ interface should only affect that particular traffic defined on the DMZ; do you see it affecting anything else?
Author Comment by ifred, ID: 38368332
Bingo. Worked like a charm.
Thanks buddy.
Expert Comment by Ernie Beek (LVL 35), ID: 38368357
"The NAT on the DMZ interface should only affect that particular traffic defined on the DMZ; do you see it affecting anything else?"

No it shouldn't. Like you correctly stated: only the traffic defined in the ACL is affected and only on the interface you apply it to.

So you should remove the line from the 'nat 0' ACL on the inside interface.

I see you swapping the networks in the ACL:

access-list inside_nat0_outbound extended permit ip 10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0
vs
access-list dmzvpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0

The first range you put in this line is the 'from' range (so the DMZ range) and the second is the 'to' range (so the branch office range).
So if in:
access-list dmzvpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0
10.16.13.0 is the DMZ and 10.16.12.0 is the branch office, it should be OK.
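Added example (Python, written for this page; it is not code from the thread and not Cisco tooling): a consistency check for the pre-8.3 ASA "nat (ifname) 0 access-list" NAT exemption that covers both points raised above, the accepted solution's requirement that the exemption be bound to the interface the DMZ actually sits on, and the later remark that the first network in an ACE is the 'from' side. The DMZ network 10.16.13.0/24 and the branch range 10.16.12.0/22 are the thread's; the head office inside network 10.16.10.0/24, the BEFORE/AFTER/SWAPPED snippets and the function names parse_netspec, parse_config, check_nat_exemption and overlapping_nets are constructed for the example. It also flags one thing the thread does not discuss: with these masks the branch /22 (10.16.12.0 to 10.16.15.255) contains the DMZ /24, which is worth knowing before debugging routing on either side.

```python
"""Consistency checks for pre-8.3 ASA 'nat (ifname) 0 access-list' exemptions.

Added example, not from the thread or from Cisco. It parses the style of
lines posted above (extended ACEs and nat 0 bindings) and reports the two
mistakes discussed there: a local network whose own interface has no nat 0
binding covering it, and an ACE whose first ('from') network is not on the
interface its ACL is bound to (source and destination swapped).
"""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.*)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")


def parse_netspec(tokens, i):
    """Consume one ASA address spec: 'any', 'host A', or 'A NETMASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [(src, dst), ...]}, {ifname: acl_name})."""
    acls = defaultdict(list)
    nat0 = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            tokens = m.group(2).split()
            src, i = parse_netspec(tokens, 0)
            dst, _ = parse_netspec(tokens, i)
            acls[m.group(1)].append((src, dst))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
    return dict(acls), nat0


def check_nat_exemption(text, local_nets, remote_nets):
    """local_nets: {ifname: [network, ...]}; remote_nets: [network, ...].

    Returns human-readable findings; an empty list means consistent.
    """
    acls, nat0 = parse_config(text)
    findings = []
    # 1. Every local network that must reach the peer needs a nat 0 ACE on
    #    its own interface; a binding on another interface does not count.
    for ifname, nets in local_nets.items():
        aces = acls.get(nat0.get(ifname, ""), [])
        for net in nets:
            for remote in remote_nets:
                if not any(net.subnet_of(src) and dst.overlaps(remote)
                           for src, dst in aces):
                    findings.append(
                        f"{ifname}: no nat 0 exemption for {net} -> {remote}; "
                        "that traffic is translated before it reaches the tunnel")
    # 2. Inside a bound ACL the first network is the 'from' side and must
    #    live on the interface the ACL is bound to.
    for ifname, acl in nat0.items():
        for src, dst in acls.get(acl, []):
            if not any(src.subnet_of(n) for n in local_nets.get(ifname, [])):
                findings.append(
                    f"{ifname}: ACE {src} -> {dst} in {acl}: {src} is not on "
                    f"{ifname} (source/destination swapped, or wrong interface?)")
    return findings


def overlapping_nets(local_nets, remote_nets):
    """Report local networks that overlap the remote side's address space."""
    return [(ifname, net, remote)
            for ifname, nets in local_nets.items()
            for net in nets for remote in remote_nets
            if net.overlaps(remote)]


# Constructed head office view: inside network is assumed, DMZ and branch
# ranges are the ones posted in the thread.
LOCAL = {"inside": [ipaddress.ip_network("10.16.10.0/24")],
         "dmz": [ipaddress.ip_network("10.16.13.0/24")]}
REMOTE = [ipaddress.ip_network("10.16.12.0/22")]

# As first posted: the DMZ network exempted only in the ACL bound to inside.
BEFORE = """
access-list vpnnonat extended permit ip 10.16.10.0 255.255.255.0 10.16.12.0 255.255.252.0
access-list vpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0
nat (inside) 0 access-list vpnnonat
"""

# The accepted fix: a separate ACL bound to the DMZ interface.
AFTER = """
access-list vpnnonat extended permit ip 10.16.10.0 255.255.255.0 10.16.12.0 255.255.252.0
nat (inside) 0 access-list vpnnonat
access-list dmzvpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0
nat (dmz) 0 access-list dmzvpnnonat
"""

# The same fix with the networks written in the wrong order.
SWAPPED = AFTER.replace(
    "10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0",
    "10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("swapped", SWAPPED)):
        print(label, check_nat_exemption(cfg, LOCAL, REMOTE) or "consistent")
    print("overlap", overlapping_nets(LOCAL, REMOTE))
```

Running it reports two findings for BEFORE (no nat 0 on dmz, and a non-inside 'from' network in the inside ACL), none for AFTER, and one for SWAPPED; overlapping_nets() reports the dmz/branch overlap in all three cases, since that is an addressing choice rather than a NAT one.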
Expert Comment by Ernie Beek (LVL 35), ID: 38368359
Ah, you already got it. Good :)

Thanks for the points.