Cisco ASA 5505 DMZ not working and site-to-site VPN not working

Chris Collins
Hi again everyone -

So sorry to be a pest. Now that I have my ASA 5505 up and running with successful Internet access by devices on my LAN, I can't seem to get my DMZ to gain internet access. Nor can I get a simple IPSec site-to-site VPN to work. This is really frustrating as the ASA on the other side already participates in another separate site-to-site VPN (set up by me) which works just fine.

I have looked at NAT rules and access rules and can't seem to find the difference. The only thing I did differently on this VPN was try Diffie-Hellman Group 1, as the Group 2 settings didn't work.

Below is the sanitized config of the ASA that has a working DMZ and a working VPN as well as the non-working VPN. I have replaced my static public IP with xx.xx.xx.xx, and the peer IPs in the VPNs are vv.vv.vv.vv for the one that works and ng.ng.ng.ng for the one that doesn't work.

I will return to this post momentarily and add a comment with the running configuration of the ASA at the other site.

Thanks in advance for any help.

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password /zzzzzzzzz encrypted
passwd zzzzzzz.zzzz encrypted
names
name 192.168.1.0 dmz_outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa825-k8.bin
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
object-group network obj_any
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service TCP-RDP tcp
 description For Remote Desktop
 port-object eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3909
access-list outside_access_in extended permit tcp any interface outside eq 18004
access-list outside_access_in extended permit tcp any interface outside eq 9000
access-list outside_access_in extended permit tcp any interface outside eq 9001
access-list outside_access_in extended permit udp any interface outside eq 18004
access-list outside_access_in extended permit udp any interface outside eq 9000
access-list outside_access_in extended permit udp any interface outside eq 9001
access-list outside_access_in extended permit tcp any interface outside eq 3910
access-list outside_access_in extended permit tcp any interface outside eq 3920
access-list outside_access_in extended permit tcp any interface outside eq 37777
access-list outside_access_in extended permit udp any interface outside eq 37778
access-list outside_access_in extended permit tcp any interface outside eq 3980
access-list NAT-EXEMPT extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list CBC-VPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.10.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.10.0 255.255.255.0
access-list CBCColo_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool CBC-IP-Pool 192.168.10.100-192.168.10.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3909 10.0.0.250 3909 netmask 255.255.255.255
static (inside,outside) tcp interface 37777 10.0.0.201 37777 netmask 255.255.255.255
static (inside,outside) udp interface 37778 10.0.0.201 37778 netmask 255.255.255.255
static (inside,outside) tcp interface 9000 10.0.0.201 9000 netmask 255.255.255.255
static (inside,outside) udp interface 9000 10.0.0.201 9000 netmask 255.255.255.255
static (inside,outside) tcp interface 9001 10.0.0.201 9001 netmask 255.255.255.255
static (inside,outside) udp interface 9001 10.0.0.201 9001 netmask 255.255.255.255
static (inside,outside) tcp interface 3910 10.0.0.240 3910 netmask 255.255.255.255
static (inside,outside) tcp interface 3920 10.0.0.205 3920 netmask 255.255.255.255
static (inside,outside) tcp interface 3980 10.0.0.40 3980 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 108.58.161.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http dmz_outside 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer vv.vv.vv.vv
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer ng.ng.ng.ng
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair CBC-VPN
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31a50357
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.100-10.0.0.200 inside
dhcpd dns 167.206.112.138 167.206.7.4 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.25-192.168.1.125 dmz
dhcpd dns 167.206.112.138 167.206.7.4 interface dmz
dhcpd lease 86400 interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
group-policy CBCColo internal
group-policy CBCColo attributes
 dns-server value 167.206.112.138 167.206.7.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CBCColo_splitTunnelAcl
group-policy CBC-VPN internal
group-policy CBC-VPN attributes
 dns-server value 167.206.112.138 4.2.2.2
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CBC-VPN_splitTunnelAcl
username Knick password 8fU15clIKy2LMdDA encrypted
username Knick attributes
 vpn-group-policy CBC-VPN
username Karen password eZXo.kyQ86Z8Q0M1 encrypted
username Karen attributes
 vpn-group-policy CBC-VPN
username Chris password WaHJvjGgsU52H0ec encrypted privilege 0
username Chris attributes
 vpn-group-policy CBC-VPN
tunnel-group CBC-VPN type remote-access
tunnel-group CBC-VPN general-attributes
 address-pool CBC-IP-Pool
 default-group-policy CBC-VPN
tunnel-group CBC-VPN ipsec-attributes
 pre-shared-key *
tunnel-group vv.vv.vv.vv type ipsec-l2l
tunnel-group vv.vv.vv.vv ipsec-attributes
 pre-shared-key *
tunnel-group CBCColo type remote-access
tunnel-group CBCColo general-attributes
 address-pool CBC-IP-Pool
 default-group-policy CBCColo
tunnel-group CBCColo ipsec-attributes
 pre-shared-key *
tunnel-group ng.ng.ng.ng type ipsec-l2l
tunnel-group ng.ng.ng.ng ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:edb66806680478ec55d3c521d584b277
: end


Author

Commented:
As promised above, here is the (sanitized) running config of the ASA on the other side of the non-working VPN. Its DMZ also doesn't allow Internet access.

The static public IP is denoted as xx.xx.xx.xx and the non-functional peer IP for the VPN is ng.ng.ng.ng.

Thanks.


Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname CBCTechASA02
enable password zzzzzzzz encrypted
passwd zzzzzz.zzz encrypted
names
!
interface Vlan1
 description INSIDE
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan2
 description OUTSIDE
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip 10.0.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 23.24.87.214 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer ng.ng.ng.ng
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 75.75.75.75
dhcpd auto_config outside
!
dhcpd address 10.0.10.50-10.0.10.99 inside
dhcpd dns 75.75.75.75 interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.50-192.168.10.69 dmz
dhcpd dns 75.75.75.75 75.75.76.76 interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group ng.ng.ng.ng type ipsec-l2l
tunnel-group ng.ng.ng.ng ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d09b50a4e712c0f0f1a799cca05383f7
: end
Distinguished Expert 2017

Commented:
What system is supposed to be in the DMZ? You do not have a single access-list that deals with allowing traffic to the DMZ segment 192.168.1.0/24.

Nor do you seem to have access-lists that are permitted to access the DNS, nor what resources the DNS position system/s can connect to.
You have Ethernet0/5, 0/6 and 0/7 set to be in the DMZ VLAN; what is connected there? IP address?


Which config is valid for the question? 192.168.1.0/24 from the original or 192.168.10.0/24 from the second?

Defining a VLAN and assigning it to an interface is just one step of many. You have set the rule; are you using PAT or NAT to dedicate an external IP to one DMZ system, or do you have multiple rules mapping external_ip:port to internal_system:service_port?
......
Distinguished Expert 2017

Commented:
The other issue is you might have ip overlap as 192.168.1.0/24 seems to exist as a segment on both ASAs.

Author

Commented:
Hi Arnold -

One of my ASAs (the first one whose configuration I listed) has a DMZ that works perfectly well. There is a wireless access point and a couple of PCs in that DMZ and they all have internet access. That is the one whose address range is 192.168.1.xxx.

The other ASA was set up in a similar fashion with a DMZ on VLAN 3, assigned to interfaces 5, 6, and 7 with an IP address range of 192.168.10.xxx. There is a wireless access point connected there which does not work and cannot gain internet access.

In addition, I have tried to set up a site-to-site VPN between these two ASAs, and that is not working.

Hope this helps to clarify things.
Distinguished Expert 2017
Commented:
You are missing the equivalent entry from the first on the second:

nat (dmz) 101 0.0.0.0 0.0.0.0

Author

Commented:
That was it! Thank you very much.

I think you were also correct about IP overlap - I realized when analyzing my configuration more closely that the Cisco-AnyConnect VPN on the other side was using the same IP range that I was trying to use on this side in my DMZ. Once I rectified that, the site-to-site VPN also started working.

Thank you. Your help is greatly appreciated.
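An added example, not code from the thread or from Cisco: a small Python checker for ASA 8.2-style configs that flags the two defects resolved above, an interface with no nat entry of its own and address ranges that overlap. The sample config is constructed and merges the second ASA's DMZ subnet with the remote-access pool from the first ASA into one excerpt so the overlap check has something to find.

```python
import ipaddress
import re

# Constructed ASA 8.2-style excerpt (not copied verbatim from the thread).
# It reproduces both problems discussed: the dmz interface has no
# "nat (dmz)" line, and the DMZ subnet collides with a remote-access pool.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
ip local pool CBC-IP-Pool 192.168.10.100-192.168.10.110 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def parse_networks(cfg):
    """Map each nameif and each 'ip local pool' to its IPv4 network."""
    nets, name = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and name:
            nets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)", line):
            nets["pool:" + m.group(1)] = ipaddress.ip_network(
                f"{m.group(2)}/{m.group(3)}", strict=False)
    return nets

def find_unnatted(cfg):
    """Interfaces that are neither a NAT egress ('global') nor a NAT source."""
    nets = parse_networks(cfg)
    egress = set(re.findall(r"^global \((\S+)\)", cfg, re.M))
    natted = set(re.findall(r"^nat \((\S+)\)", cfg, re.M))
    return sorted(n for n in nets if not n.startswith("pool:")
                  and n not in egress and n not in natted)

def find_overlaps(cfg):
    """Pairs of interface subnets / pools whose address ranges overlap."""
    nets = parse_networks(cfg)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    print("interfaces without a nat entry:", find_unnatted(SAMPLE_CONFIG))
    print("overlapping ranges:", find_overlaps(SAMPLE_CONFIG))
```

Run it against a real "sh run" by reading the file into `cfg`; an interface listed by find_unnatted is the one that needs a `nat (<ifname>) <id> 0.0.0.0 0.0.0.0` line, and any pair from find_overlaps must be renumbered before a site-to-site tunnel between the two sites can carry traffic.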
