dmz across tunnel to remote network

ifred asked:

Quick question:

VPN Tunnel between ASA 5510 and 5505.
5510 - Head office
5505 - Branch

5510 has:
Int inside - 100
Int outside - 0
int DMZ - 10

5505 has:
int inside - 100
int outside - 0

My DMZ setup on the 5510 is correct in that, locally from the head office, we can access the web servers on the DMZ. However, I recently moved a web server from the branch office inside network to the head office DMZ.

The problem now is that when resolving DNS at the branch office, it resolves to an IP address on the head office DMZ, which out of the box is not routable. So I went ahead and added the required access lists for "no nat" and interesting traffic to the tunnel on both firewalls, back and forth, but with no good results.

The DMZ has an entry to allow that particular box to talk:

access-list DMZ_access_in extended permit ip host 10.16.13.21 any


So the question is: what else am I missing? Ideas?
Ernie Beek:

I assume the ip address of the server was changed to an address within the ip range of the DMZ?

The other servers in the DMZ are reachable from the branch office?
ifred (asker):

This is the first and only server on the DMZ at the head office, so no, I do not have anything else I can use for testing.

Yes, the IP changed to match the DMZ address scheme.

Ernie Beek:

Do you also have a 'no nat' set on the DMZ interface (and a rule for interesting traffic)?
I assume that before, the traffic went from inside-branch to inside-head office (and not to DMZ-head office).
ifred (asker):

Here are the interesting traffic and no-NAT statements. I have other subnets flowing on this tunnel and they are fine; however, they are reachable from inside.

# Head office side
access-list vpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0
access-list Outside_1_cryptomap extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0

# Branch side
access-list inside_nat0_outbound extended permit ip 10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0

Not sure I understand your last statement/question, but here is my take on it:

I have other subnets flowing through the tunnel without any problems, and I have added these statements before without any problems. The biggest difference is that this particular subnet is coming out of the head office ASA interface and not through an inside gateway like in my other scenarios.
ASKER CERTIFIED SOLUTION by Ernie Beek (solution text not included on this page)

ifred (asker):

Oh yes, I see what you're saying: the NAT is not being applied as it is coming from a different interface. In other words:

access-list inside_nat0_outbound extended permit ip 10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0

This line should be replaced with:

access-list dmzvpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0

and the NAT applied to the correct interface:
nat (dmz) 0 access-list dmzvpnnonat

The NAT on the DMZ interface should only affect that particular traffic defined on the DMZ. Do you see it affecting anything else?
ifred (asker):

Bingo. Worked like a charm.
Thanks buddy.
Ernie Beek:

"The NAT on the DMZ interface should only affect that particular traffic defined on the DMZ. Do you see it affecting anything else?"

No it shouldn't. Like you correctly stated: only the traffic defined in the ACL is affected and only on the interface you apply it to.

So you should remove the line from the 'nat 0' ACL on the inside interface.

I see you are swapping the networks in the ACL:

access-list inside_nat0_outbound extended permit ip 10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0
vs
access-list dmzvpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0

The first range you put in this line is the 'from' range (so the DMZ range) and the second is the 'to' range (so the branch office range).
So if in:
access-list dmzvpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0
10.16.13.0 is the DMZ and 10.16.12.0 is the branch office, it should be OK.
Ah, you already got it. Good :)

Thanks for the points.
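The full pair of pre-8.3 ASA configurations the thread converges on (the asker's fix of applying the exemption with `nat (dmz) 0`, and Ernie Beek's point that the first network in the exemption ACL is the source as seen on that interface), as an added example that is not from the original post. The subnets, ACL names and the `nat (dmz) 0` statement come from the thread; the crypto map names `Outside_map`/`outside_map`, the peer addresses 203.0.113.2 and 198.51.100.2, the branch test host 10.16.12.10, and the presence of a dynamic nat/global pair on the DMZ are assumptions. The narrowed `DMZ_access_in` entry is an added least-privilege suggestion, not what the poster runs.

```cisco
! ===== Head office ASA 5510 (pre-8.3 NAT syntax, as used in the thread) =====
! Interface names and security levels as posted: inside 100, outside 0, dmz 10.
! Transform set, IKE policy and tunnel-group are assumed to exist already,
! since other subnets already pass through this tunnel.
!
! NAT exemption for DMZ -> branch. "nat (dmz) 0" is only consulted for
! packets that ENTER the dmz interface, and the ACL's first network is the
! source as seen there: DMZ (10.16.13.0/24) first, branch (10.16.12.0/22) second.
! Exemption is evaluated before any dynamic nat/global pair on the same
! interface (assumed to exist here), so the server is no longer PATed to the
! outside address before the crypto ACL is checked.
access-list dmzvpnnonat extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0
nat (dmz) 0 access-list dmzvpnnonat
!
! Interesting-traffic (crypto) ACL for the branch peer, local network first.
! The existing inside -> branch entries belong in this same ACL (not shown).
access-list Outside_1_cryptomap extended permit ip 10.16.13.0 255.255.255.0 10.16.12.0 255.255.252.0
! Assumed names/addresses: crypto map "Outside_map", branch peer 203.0.113.2.
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 203.0.113.2
!
! DMZ interface ACL. Replies to connections the branch opens to the server are
! allowed statefully and need no entry here; this ACL only matters for
! connections the server itself initiates. The thread's entry is
! "permit ip host 10.16.13.21 any"; the narrower form below is an added
! least-privilege suggestion restricted to the branch range.
access-list DMZ_access_in extended permit ip host 10.16.13.21 10.16.12.0 255.255.252.0
access-group DMZ_access_in in interface dmz
! Decrypted tunnel traffic arriving on outside bypasses the outside ACL as long
! as the default "sysopt connection permit-vpn" is in effect.
sysopt connection permit-vpn

! ===== Branch ASA 5505 =====
! NAT exemption inside -> head office DMZ: branch range first, DMZ second.
access-list inside_nat0_outbound extended permit ip 10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Crypto ACL: exact mirror image of the head office entry.
access-list outside_1_cryptomap extended permit ip 10.16.12.0 255.255.252.0 10.16.13.0 255.255.255.0
! Assumed names/addresses: crypto map "outside_map", head office peer 198.51.100.2.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.2

! ===== Checks (privileged exec mode) =====
! On the 5505, simulate a branch host (assumed 10.16.12.10) opening HTTP to the
! server. The NAT phase should match inside_nat0_outbound (no translation) and a
! VPN phase should show the packet being encrypted toward 198.51.100.2:
!   packet-tracer input inside tcp 10.16.12.10 40000 10.16.13.21 80
! On the 5510, simulate the server initiating a connection to the branch (e.g.
! LDAP); this exercises DMZ_access_in, dmzvpnnonat and the crypto ACL in one pass:
!   packet-tracer input dmz tcp 10.16.13.21 40000 10.16.12.10 389
! Confirm a security association exists for the DMZ/branch pair and that its
! counters increase while you test (look for "local ident" 10.16.13.0/255.255.255.0):
!   show crypto ipsec sa peer 203.0.113.2
```

The original failure mode is visible in the two `nat 0` lines: `nat (inside) 0` never sees the server's packets because they enter on `dmz`, so with a dynamic translation on that interface they were PATed to the outside address and no longer matched `Outside_1_cryptomap`. The `packet-tracer` runs make that explicit, since a translated source shows up in the NAT phase and the VPN phase then never appears.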