neufuse Veteran Posted December 13, 2016 (edited)

I'm "trying" to learn networking... coming up with some scenarios that I can't seem to lab test; a nudge in the right direction would be nice.

I'm trying to set up a lab where I have a Cisco ASA which has a DMZ, and behind the DMZ is a reverse proxy which talks to the web servers inside the network. That part is working correctly.

ASA port Ge0/5 has the DMZ set up with an IP of 10.190.190.1, subnet 255.255.255.248, security level 50.
Ge0/1 is the internal network with IP 10.200.200.241, subnet 255.255.255.0.
Ge0/0 is the WAN (just connected to a cable modem network for testing).

I have Ge0/5 only responding on ports 80 and 443 to the WAN interface and only talking to the internal interface, limited to the web servers' IPs on ports 443/80. This should create a reverse proxy where the WAN can only talk to internal through the DMZ on those ports. (I think; did I do this right? It seems to work at least.)

But the problem is I need to back up that reverse proxy system daily, say for log retention or something else. The ASA has a site-to-site VPN link set up to a remote site which houses the test backup server to do this... it's on a completely different network range (192.168.100.3 is the backup server IP). The VPN tunnel has ACLs set up to limit who can talk to it; the reverse proxy IP is already on the list on both ends, along with other test systems in the internal site.

From internal-port-connected systems I can talk to 192.168.100.3 fine. From the reverse proxy server, if I try to talk to 192.168.100.3 it goes out the default gateway to the internet, which sounds like a route is missing. If I add in a route for 192.168.100.3 to use our internal gateway it still goes out the default gateway. So I think I went the wrong way with that?

Default gateway in this set up is 10.9.100.100.

How do I get traffic to route from the reverse proxy through the ASA and out the VPN link and to the remote server site? I'm not looking for full answers, just what I'm doing wrong so I can figure this test case out.

** NOTE THIS IS ALL LAB WORK, NOT REAL SYSTEMS **
sc302 Veteran Posted December 13, 2016

You want to allow the VPN link access to the DMZ. I would think it is an ACL issue, not a routing issue.
neufuse Veteran Posted December 13, 2016 (Author, edited)

On 13/12/2016 at 15:58, sc302 said:
You want to allow the VPN link access to the DMZ. I would think it is an ACL issue, not a routing issue.

I can't seem to get it to work through ACLs though, and I'm seeing nothing in the syslog that points to denied access attempts from the DMZ interface to talk to the VPN link IP. Would a missing ACL cause it to try to take the default route out the internet on the reverse proxy server?
sc302 Veteran Posted December 13, 2016

You can route in and out, correct? You have basic communications, right? You can't get access, correct? This all points to ACL, not routing. If you are VPN'd in, can you access port 80 and 443? If you can, it most certainly is ACL. Being that you have 80 and 443 working internally, try to get it working through the VPN, then troubleshoot further with backups.
+John Teacake MVC Posted December 13, 2016

This may be an asymmetrical routing issue. So think about whether traffic is using the same interface, i.e. you have a VPN and an Internet connection on, say, your "Outside" interface.

https://supportforums.cisco.com/discussion/11503206/asa-5510-deny-tcp-no-connection-syn-ack

Check the logs to see if you are getting that "Deny TCP xxx" error message.
sc302 Veteran Posted December 13, 2016

Also start capturing traffic to see exactly what is going on.
+BudMan MVC Posted December 13, 2016

On 13/12/2016 at 15:39, neufuse said:
From the reverse proxy server if I try to talk to 192.168.100.3 it goes out the default gateway to the internet

So it is using your ASA as its default gateway, which, if it's getting sent out the internet, means your ASA is the routing problem. Your ASA has to allow the reverse proxy network to talk out the VPN to your backup server, and it has to know how to route that traffic there. Which, if it's connected, you would have to assume it knows how to route there..

So when you do a traceroute from your reverse proxy it hits your ASA and then the next hop is the internet? That is a problem with your ASA then.

If it routes to the backup server, what is the backup server's default route? If not coming back to the ASA, then it needs a route that says "hey, you want to get to the reverse proxy network, talk to the ASA". Or you could source NAT the traffic so traffic from the reverse proxy looks like it is coming from the ASA interface in your IPsec network.
neufuse Veteran Posted December 14, 2016 (Author, edited)

On 13/12/2016 at 18:40, BudMan said:
So it is using your ASA as its default gateway, which, if it's getting sent out the internet, means your ASA is the routing problem. Your ASA has to allow the reverse proxy network to talk out the VPN to your backup server, and it has to know how to route that traffic there. Which, if it's connected, you would have to assume it knows how to route there.. So when you do a traceroute from your reverse proxy it hits your ASA and then the next hop is the internet? That is a problem with your ASA then. If it routes to the backup server, what is the backup server's default route? If not coming back to the ASA, then it needs a route that says "hey, you want to get to the reverse proxy network, talk to the ASA". Or you could source NAT the traffic so traffic from the reverse proxy looks like it is coming from the ASA interface in your IPsec network.

Thank you, didn't think of source NAT; that did it. After that it would give the correct traceroute... then after that it was just putting in the correct ACLs.

Edited December 14, 2016 by neufuse
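As an added example (not configuration posted by anyone in this thread), here is an ASA 8.3+ configuration fragment that reproduces the DMZ lock-down neufuse described in the opening post and then applies the two changes the thread converged on: an ACL entry on the DMZ interface for the backup flow, and the source NAT BudMan suggested so the proxy leaves the tunnel with an inside address the remote site already permits. It also shows why the original symptom looks like a routing problem: the ASA translates a packet before it evaluates the crypto-map ACL, so a DMZ host that is caught by the catch-all Internet PAT never matches the VPN's interesting-traffic ACL and is forwarded to the default gateway in the clear. The 10.190.190.0/29 DMZ, the 10.200.200.0/24 inside network and the 192.168.100.3 backup server come from the thread; the interface nameifs, the reverse proxy, web server and spare inside addresses, the remote subnet, the ACL and object names, and the TCP/22 backup port are assumptions.

```cisco
! Interfaces as described in the thread; nameifs are assumed
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.200.200.241 255.255.255.0
interface GigabitEthernet0/5
 nameif DMZ
 security-level 50
 ip address 10.190.190.1 255.255.255.248
!
object network DMZ-NET
 subnet 10.190.190.0 255.255.255.248
! assumed reverse proxy address inside the /29
object network REVERSE-PROXY
 host 10.190.190.2
! assumed internal web server the proxy fronts
object network WEB-SERVER
 host 10.200.200.10
object network BACKUP-SERVER
 host 192.168.100.3
! assumed remote site subnet behind the tunnel
object network REMOTE-NET
 subnet 192.168.100.0 255.255.255.0
!
! --- Starting point: the DMZ lock-down from the opening post ---
! The proxy may only reach the internal web server on 80/443; the
! explicit deny at the end also drops the backup traffic.
access-list DMZ-IN extended permit tcp object REVERSE-PROXY object WEB-SERVER eq 443
access-list DMZ-IN extended permit tcp object REVERSE-PROXY object WEB-SERVER eq 80
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface DMZ
!
! Typical catch-all PAT so the DMZ can reach the Internet. NAT runs
! before the crypto-map check, so a DMZ packet for 192.168.100.3 gets
! the outside address as source, no longer matches VPN-TRAFFIC below,
! and is routed out the default gateway unencrypted.
object network DMZ-NET
 nat (DMZ,outside) dynamic interface
!
! Existing interesting-traffic ACL; the inside network is already on it
! (the thread says other internal systems can reach the backup server).
access-list VPN-TRAFFIC extended permit ip 10.200.200.0 255.255.255.0 object REMOTE-NET
!
! --- Fix, step 1: permit only the backup flow on the DMZ ACL ---
! TCP/22 is an assumed backup port; inserted ahead of the deny line.
access-list DMZ-IN line 3 extended permit tcp object REVERSE-PROXY object BACKUP-SERVER eq 22
!
! --- Fix, step 2a: source NAT, the approach the thread settled on ---
! Translate the proxy to an inside address that VPN-TRAFFIC already
! covers. Manual (section 1) NAT is matched before the object PAT above.
object network DMZ-VPN-SRC
 host 10.200.200.250
nat (DMZ,outside) 1 source dynamic REVERSE-PROXY DMZ-VPN-SRC destination static BACKUP-SERVER BACKUP-SERVER
!
! --- Fix, step 2b: alternative, keep the real DMZ address ---
! Identity (exempt) NAT leaves 10.190.190.x as the source, so the
! interesting-traffic ACL on BOTH peers must then list the DMZ subnet.
! nat (DMZ,outside) 1 source static DMZ-NET DMZ-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
! access-list VPN-TRAFFIC extended permit ip object DMZ-NET object REMOTE-NET
!
! --- Verify the path without sending real traffic ---
! packet-tracer input DMZ tcp 10.190.190.2 40000 192.168.100.3 22
!   expect the NAT and VPN phases to ALLOW and the output interface to be outside
! show nat detail
! show crypto ipsec sa peer <remote-peer-ip>
```

The `packet-tracer` output is the quickest way to tell the two failure modes apart: a drop in the ACCESS-LIST phase is the DMZ interface ACL (sc302's diagnosis), while a packet that is allowed but shows no VPN phase and exits to the default route is the NAT-before-crypto problem BudMan's source NAT addresses. Whichever NAT option is used, the remote peer's crypto ACL and its own filtering must permit the source address it will actually see, the translated inside address in 2a or the DMZ subnet in 2b.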