03-15-2007 03:14 AM - edited 03-11-2019 02:46 AM
Hello,
I've just started working with Cisco PIX firewalls. I currently have a question I need to ask regarding a client's requirement. There is a server behind the firewall with an outside address of 10.1.2.113 which resolves to 192.168.136.1 on the inside. Now he requested for them to be able to access that server from a box in another DMZ (10.1.0.50). This has been done. The issue now is... he claims he has a DNS server that resolves a particular domain to 192.168.136.1, and for that reason, he's stuck. So he wants to be able to access the 192.168.136.1 address directly, rather than the 10.1.2.113. I honestly can't imagine how that can be possible, but I don't feel confident enough to tell him that. So I need for you guys to help me out here. Is it possible?
03-15-2007 06:50 AM
Hi,
Please post your config and we'll look into that.
Regards,
Kamal
03-15-2007 07:23 AM
ASA Version 7.1(2)
!
names
name 192.168.136.1 FP1
name 192.168.136.3 FP2
name 192.168.136.5 EX1
name 192.168.136.7 EX2
name 10.1.2.113 FP1-external
name 10.1.2.114 FP2-external
name 192.168.0.10 TDA-Mimesweeper
name 192.168.136.33 TDA-D-directors-printer
name 192.168.136.6 EX1-KVMoverIP
name 192.168.136.8 EX2-KVMoverIP
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.2.112 255.255.255.0 standby 10.1.2.127
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.136.254 255.255.255.0 standby 192.168.136.253
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
speed 100
duplex full
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
passwd YgWfxiFVNRbXU0m1 encrypted
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name nrt.local
object-group network TDA-D-servers
network-object host EX2-external
object-group network TDA-D-servers_real
network-object EX2 255.255.255.255
object-group network TDA-domain-controllers
network-object host 10.1.0.25
network-object host 10.1.0.26
object-group network TDA-D-domain-controllers
network-object host FP1-external
network-object host FP2-external
object-group network TDA-internal-networks
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
access-list outside extended permit tcp host lanz object-group TDA-D-servers eq 3389
access-list outside extended permit tcp host TDA-D-MailMarshal host EX1-external eq smtp
access-list outside extended permit tcp any host EX1-external eq www
access-list outside extended permit tcp any host EX1-external eq https
access-list outside extended permit tcp host TDA-Exchange host EX1-external eq smtp
access-list outside extended permit icmp host lanz object-group TDA-D-servers
access-list outside extended permit tcp host lanz host EX1-external eq smtp
access-list outside extended permit ip host lanz host 10.1.2.117
access-list outside extended permit ip host lanz host 10.1.2.118
access-list outside extended permit tcp host TDA-Mimesweeper host FP1-external eq 3268
access-list outside extended permit udp host TDA-Mimesweeper host FP1-external eq 3268
access-list outside extended permit tcp host TDA-Mimesweeper host FP2-external eq 3268
access-list outside extended permit udp host TDA-Mimesweeper host FP2-external eq 3268
access-list outside extended permit ip host TDA-Mimesweeper host FP1-external
access-list outside extended permit ip host TDA-Mimesweeper host FP2-external
access-list outside extended permit ip host 10.1.2.10 host FP1-external
access-list outside extended permit ip host 10.1.2.10 host FP2-external
access-list outside extended permit ip object-group TDA-domain-controllers object-group TDA-D-domain-controllers
access-list outside extended permit ip host 192.168.0.11 host FP1-external
access-list outside extended permit ip host 192.168.0.11 host FP2-external
access-list outside extended permit tcp object-group TDA-internal-networks host FP1-external eq 445
access-list outside extended permit udp object-group TDA-internal-networks host FP1-external eq 445
access-list outside extended permit ip host 10.1.0.33 host 10.1.2.119
access-list outside extended permit ip host 10.1.0.33 host 10.1.2.120
access-list outside extended permit ip host 10.1.0.33 host FP1-external
access-list outside extended permit ip host 10.1.0.33 host FP2-external
access-list outside extended permit ip host 10.1.0.50 host FP1-external
access-list outside extended permit ip host 10.1.0.50 host EX1-external
access-list inside_nat0_outbound extended permit ip 192.168.136.0 255.255.255.0 192.168.138.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 192.168.136.0 255.255.255.0
access-list TTA_NRG_TG1_splitTunnelAcl standard permit 192.168.136.0 255.255.255.0
pager lines 24
logging trap debugging
logging asdm informational
logging host inside 192.168.136.141
logging host inside FP1
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Tpool 192.168.138.1-192.168.138.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.136.0 255.255.255.0
nat (inside) 1 192.168.137.0 255.255.255.0
static (inside,outside) FP1-external FP1 netmask 255.255.255.255
static (inside,outside) FP2-external FP2 netmask 255.255.255.255
static (inside,outside) EX1-external EX1 netmask 255.255.255.255
static (inside,outside) EX2-external EX2 netmask 255.255.255.255
static (inside,outside) 10.1.2.117 EX1-KVMoverIP netmask 255.255.255.255
static (inside,outside) 10.1.2.118 EX2-KVMoverIP netmask 255.255.255.255
static (inside,outside) 10.1.2.119 TDA-D-directors-printer netmask 255.255.255.255
static (inside,outside) 10.1.2.120 192.168.136.11 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.2.1 1
route outside 10.1.0.0 255.255.0.0 10.1.2.6 1
route inside 192.168.137.0 255.255.255.0 192.168.136.250 1
03-15-2007 09:41 AM
Hi there..
Let me rephrase the requirements:
- you have a server behind the PIX, 192.168.136.11, which is mapped to the outside as 10.1.2.120
- currently everyone from outside can access the server using the 10.1.2.120 IP address
- however you need the 10.1.0.0/24 network to be able to access the server using the 192.168.136.11 IP address
Let me know if I'm on the right track. We can make it work using the following commands:
-> access-list inside_nat0_outbound permit ip host 192.168.136.11 10.1.0.0 255.255.255.0
-> access-list outside permit ip 10.1.0.0 255.255.255.0 192.168.136.11
-> clear xlate
Let me know if this works.
Currently I have opened IP in the following ACL, but you can lock it down as per your requirements:
access-list outside permit ip 10.1.0.0 255.255.255.0 192.168.136.11
Hope that helps.
Regards,
Vibhor.
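To see why the two lines in the answer above are both needed, here is a small model of the ASA 7.x decision path for a packet arriving on the outside interface. It is an added example written for this thread, not Cisco code and not part of the original posts; it assumes the 7.x/8.2 semantics that the outside ACL is checked against the address as it arrives on the interface (before translation), that NAT exemption (nat 0 access-list) is consulted before static NAT and is written with the real inside address as the source, and that an outside-to-inside packet with no matching translation is dropped. It uses the FP1 addresses from the question (192.168.136.1 / 10.1.2.113 and the DMZ box 10.1.0.50), and goes one step beyond the answer by also showing the locked-down ACE the answer suggests, restricted to the single DMZ host.

```python
"""Constructed model (not Cisco code) of how an ASA 7.x handles a packet that
arrives on the outside interface, used to trace the NAT-exemption answer.

Modelled behaviour (assumptions):
- The outside ACL is checked against the addresses as they appear on the
  outside interface, i.e. before translation (7.x / 8.2 semantics).
- NAT exemption (nat (inside) 0 access-list) is consulted before static NAT;
  its ACL is written from the inside host's point of view (real address as
  source, outside peer as destination) and applies to both directions.
- With neither an exemption nor a static matching the destination, the packet
  is dropped ("no translation group found").
Existing translations are not modelled; on a real unit they persist until
"clear xlate", which is why the answer ends with that command.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


def host(addr: str) -> IPv4Network:
    """Equivalent of 'host a.b.c.d' in an ACL or NAT statement."""
    return ip_network(addr + "/32")


@dataclass(frozen=True)
class Ace:
    """One 'access-list outside extended permit <proto> <src> <dst>' entry."""
    proto: str            # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address) -> bool:
        return self.proto in ("ip", proto) and src in self.src and dst in self.dst


@dataclass
class Asa:
    statics: dict[IPv4Address, IPv4Address]            # mapped (outside) -> real (inside)
    exemptions: list[tuple[IPv4Network, IPv4Network]]  # (real net, outside peer net)
    outside_acl: list[Ace]

    def real_destination(self, src: IPv4Address, dst: IPv4Address):
        """Inside address the packet is delivered to, or None if no translation exists."""
        for real_net, peer_net in self.exemptions:
            if dst in real_net and src in peer_net:
                return dst                      # exempt: delivered untranslated
        return self.statics.get(dst)            # static: mapped -> real

    def inbound(self, proto: str, src: str, dst: str) -> str:
        """Trace one outside->inside packet through ACL, then NAT."""
        s, d = ip_address(src), ip_address(dst)
        if not any(a.matches(proto, s, d) for a in self.outside_acl):
            return "denied by outside ACL"
        real = self.real_destination(s, d)
        if real is None:
            return "dropped: no translation"
        return f"delivered to {real}"


# Addresses from the question: FP1 is 192.168.136.1 inside and 10.1.2.113
# outside; the DMZ box is 10.1.0.50. Only the lines relevant to them are modelled.
FP1, FP1_EXT, DMZ_BOX = "192.168.136.1", "10.1.2.113", "10.1.0.50"


def before_change() -> Asa:
    """The posted config, reduced to the FP1 static and the 10.1.0.50 ACE."""
    return Asa(
        statics={ip_address(FP1_EXT): ip_address(FP1)},           # static (inside,outside) FP1-external FP1
        exemptions=[],
        outside_acl=[Ace("ip", host(DMZ_BOX), host(FP1_EXT))],    # permit ip host 10.1.0.50 host FP1-external
    )


def after_change(lock_down: bool = False) -> Asa:
    """Apply the answer's two lines; lock_down narrows the ACE to the one DMZ host."""
    asa = before_change()
    # access-list inside_nat0_outbound permit ip host <real> 10.1.0.0 255.255.255.0
    asa.exemptions.append((host(FP1), ip_network("10.1.0.0/24")))
    src = host(DMZ_BOX) if lock_down else ip_network("10.1.0.0/24")
    # access-list outside permit ip <src> host <real>
    asa.outside_acl.append(Ace("ip", src, host(FP1)))
    return asa


if __name__ == "__main__":
    cases = (("before", before_change()), ("after", after_change()),
             ("after, locked down", after_change(lock_down=True)))
    for label, asa in cases:
        print(f"== {label} ==")
        for dst in (FP1_EXT, FP1):
            print(f"  {DMZ_BOX} -> {dst}: {asa.inbound('tcp', DMZ_BOX, dst)}")
        print(f"  10.1.0.51 -> {FP1}: {asa.inbound('tcp', '10.1.0.51', FP1)}")
```

Running it shows the two halves of the answer doing different jobs: the outside ACE is what lets a packet addressed to 192.168.136.1 past the interface at all (the old ACE only names 10.1.2.113), and the nat 0 entry is what gives that packet a translation to use, so the mapped address keeps working through the static while the real address is reachable through the exemption. The nat 0 ACL is read with the real inside address as its source, which is why the answer's line puts the host first and the 10.1.0.0/24 network second. The locked-down variant keeps the same exemption but permits only 10.1.0.50, so another host in that DMZ is still denied.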