Question : ASA 5510 VPN DMZ

Greetings all,

I've looked around and have not found an answer. So please help :)

I have an ASA 5510 with IOS 8.2.
It has three interfaces which I'm using: External, Internal, DMZ.

All's working fine now, with the local LAN behind Internal: browsing, FTP, etc. The local LAN is 192.168.1.0.

I'm using the ASA for a Site-to-Site VPN: also working. This VPN allows the remote site to connect to our segment behind the DMZ int.

Also, the ASA is our RA box, with users VPN-ing into it to get access to the LAN behind the Internal int.

I'm tasked with adding another VPN access - this time Cisco VPN clients are required to access one server behind the DMZ int.

I have worked with http://www.petenetlive.com/KB/Article/0000071.htm as a guide. The step-by-step instructions were followed, and yet I couldn't get access to that server.

At first I got the "Reverse-path verify failed" error in packet-tracer, which I've temporarily rectified by removing the "ip verify reverse-path interface DMZ" line.

Right now I'm getting "Flow is denied by configured rule". Checking which access rule is dropping the packets, it's the DMZ implicit rule, which denies packets from source any to destination any with the ip service.

I have the proper route command, the proper nat0 config set, and yet I run into this issue.

Please help.

Relevant config is attached. And thanks for looking.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.2.1 255.255.255.0

access-list dmz_nat0_outbound extended permit ip host 192.168.9.1 172.16.200.0 255.255.255.0

access-list Client1 standard permit host 192.168.9.1

ip local pool Restricted_VPN_IP_Pool 172.16.200.1-172.16.200.254 mask 255.255.255.0

nat-control

nat (dmz) 0 access-list dmz_nat0_outbound
route dmz 192.168.9.1 255.255.255.255 172.16.2.2 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

group-policy Client1 internal
group-policy Client1 attributes
 dns-server value 192.168.1.2 192.168.1.6
 vpn-filter value Client1
 vpn-tunnel-protocol IPSec
 default-domain value company.prv

username Client1 password xxxxxxxxx encrypted privilege 0
username Client1 attributes
 vpn-group-policy Client1
 service-type remote-access

tunnel-group Client1 type remote-access
tunnel-group Client1 general-attributes
 address-pool Restricted_VPN_IP_Pool
 default-group-policy Client1
tunnel-group Client1 ipsec-attributes
 pre-shared-key *

Answer : ASA 5510 VPN DMZ

Normally, policy NAT is used from a higher security level interface to a lower one. That is why you are getting that warning.

What I can see is that your policy NAT is not taking effect. Because of that your server is not responding back, since it doesn't have a route to 172.16.200.0/24.
Better correct your route.
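To check the ASA-side prerequisites the question mentions (the nat 0 exemption covering the client pool, and a route to the server out of the dmz interface), here is a small checker over the posted config lines; it is added here and is not code from the poster or from Cisco, and it assumes only the config excerpt embedded below, copied from the question. What it cannot see is whether the next hop and the server have a return route to the pool, which is the point the answer raises.

```python
import ipaddress
import re

# Excerpt of the ASA 8.2 config posted in the question (only the lines that matter
# for pool clients reaching the server behind the dmz interface).
ASA_CONFIG = """
access-list dmz_nat0_outbound extended permit ip host 192.168.9.1 172.16.200.0 255.255.255.0
ip local pool Restricted_VPN_IP_Pool 172.16.200.1-172.16.200.254 mask 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
route dmz 192.168.9.1 255.255.255.255 172.16.2.2 1
"""

def _operand(tok, i):
    # One ACL address operand: "any" | "host A" | "A MASK"; returns (network, next index).
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def vpn_pool(cfg):
    """The client address pool as a network (pool start address + mask)."""
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

def nat_exempt_covers(cfg, iface, local_host, remote_net):
    """True if the nat (iface) 0 ACL exempts local_host -> remote_net from translation."""
    m = re.search(rf"^nat \({iface}\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return False
    for ace in re.findall(rf"^access-list {m.group(1)} extended permit ip (.+)$", cfg, re.M):
        tok = ace.split()
        src, i = _operand(tok, 0)
        dst, _ = _operand(tok, i)
        if ipaddress.ip_address(local_host) in src and remote_net.subnet_of(dst):
            return True
    return False

def route_for(cfg, host):
    """(interface, next hop) of the most specific static route covering host, or None."""
    best = None
    for iface, net, mask, nh in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        n = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if ipaddress.ip_address(host) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface, nh)
    return None if best is None else best[1:]

def check_vpn_to_dmz(cfg, server, iface="dmz"):
    """ASA-side preconditions: (nat exemption ok, route out of iface, next hop)."""
    pool, route = vpn_pool(cfg), route_for(cfg, server)
    return (nat_exempt_covers(cfg, iface, server, pool),
            route is not None and route[0] == iface,
            None if route is None else route[1])
```

For the posted config both ASA-side checks pass and the next hop is 172.16.2.2, so the remaining question is whether that router and the server route 172.16.200.0/24 back through the ASA.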
