Network extension problem

Unanswered Question
Dec 17th, 2007

Hi all,

I am running an ASA5510 with the following interface config:

Inside: 192.168.0.254/24
Outside: 123.123.123.241/28
DMZ: 123.123.123.238/28

That means the usable IP range in the DMZ is 123.123.123.225-238, and the usable IP range on the outside is 123.123.123.241-254.

123.123.123.254 is the gateway IP of the ISP.

The problem is, the ISP gave us 64 IPs (123.123.123.192-255), but we currently use only 32. I want to make use of them by changing the config of the existing firewall.

New settings as below:

Inside: 192.168.0.254/24
Outside: 123.123.123.241/27
DMZ: 123.123.123.222/27

Gateway is unchanged.

That means the usable IP range in the DMZ is now 123.123.123.193-222, and the usable IP range on the outside is 123.123.123.225-254.

But once I change it, servers behind the inside interface can surf the internet, but servers behind both the DMZ and the outside cannot, and the ASA shows the following error messages:

3|Dec 17 2007 17:04:04|710003: UDP access denied by ACL from 123.123.123.244/1158 to outside:202.66.92.241/53
3|Dec 17 2007 17:04:03|710003: UDP access denied by ACL from 123.123.123.244/1158 to outside:202.66.92.241/53
2|Dec 17 2007 17:03:50|106001: Inbound TCP connection denied from 123.123.123.244/1393 to 203.161.231.35/80 flags SYN on interface outside
2|Dec 17 2007 17:03:44|106001: Inbound TCP connection denied from 123.123.123.244/1393 to 203.161.231.35/80 flags SYN on interface outside

At first I thought it might be an ACL problem, but even when I use a very simple config as below, the same problem still occurs:

: Saved
: Written by enable_15 at 08:33:46.644 UTC Fri Dec 14 2007
ASA Version 7.0(2)
names
!
: Outside segment is now 123.123.123.224/27 (usable .225-.254)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 123.123.123.241 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
: DMZ segment is now 123.123.123.192/27 (usable .193-.222)
interface Ethernet0/2
 nameif dmz
 security-level 80
 ip address 123.123.123.222 255.255.255.224
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
enable password RNbjwrefst9AcP.4V encrypted
passwd 2KFQWcdfIdI.2KYOU encrypted
hostname CPHKASA01
domain-name xxxxxxxx.com
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu dmz 1500
monitor-interface management
monitor-interface inside
monitor-interface outside
monitor-interface dmz
asdm image disk0:/asdm502.bin
no asdm history enable
arp timeout 14400
: Dynamic PAT: NAT id 1 is translated to the outside and dmz interface addresses;
: only the inside interface is tied to id 1, there is no nat statement for dmz,
: and no access-group is applied to any interface in this config
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
established tcp 80 0
: Single default route towards the ISP gateway on the outside segment
route outside 0.0.0.0 0.0.0.0 123.123.123.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 123.123.123.203 202.76.4.36
Cryptochecksum:xxx
: end

Does anyone know what the problem is and how to solve it? Thanks a lot!

husycisco Mon, 12/17/2007 - 02:51

Hi Patrick,

Traffic flow from an interface with a higher security level to an interface with a lower one is permitted by default, and your traffic is from the DMZ to outside. So this is not an ACL issue.

"ISP gave us 64IP 123.123.123.192-255, but we now only use 32. I wanna make use of it by change the config of existing firewall"

"DMZ: 123.123.123.222/27 "

What I understand from the above lines is that you assign public IPs from the ISP directly to the servers in the DMZ and outside. If so, the issue is that you most probably forgot to change the subnet mask of the servers from 255.255.255.240 to 255.255.255.224.

If it is not as I understood, and you have private LAN IPs for the DMZ, then you don't have a NAT translation for them, as follows:

nat (DMZ) 1 0 0

Regards
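Added example, not part of the original question or of husycisco's reply: a small Python check of the subnet arithmetic laid out in the question (old /28 vs new /27 interfaces) and of the subnet-mask point raised in the answer. It takes the ASA interface addresses from the post, derives each segment's usable range, and then classifies sample hosts by whether their address, mask and gateway still agree with the ASA interface they sit behind. The sample hosts are constructed here (only 123.123.123.244 comes from the posted log lines). It goes slightly beyond the answer: besides a stale mask, it also flags a DMZ host whose address or gateway no longer falls inside the new 123.123.123.192/27 segment, since in the new plan the DMZ network moved, not just its size.

```python
"""Subnet re-plan check for the ASA interface change discussed in the thread.

Added example, not from the original post. Interface addresses are the ones
given in the question; the sample hosts in run_checks() are constructed.
"""
import ipaddress

# ASA interface addresses from the post, before and after the change.
OLD_IFACES = {"outside": "123.123.123.241/28", "dmz": "123.123.123.238/28"}
NEW_IFACES = {"outside": "123.123.123.241/27", "dmz": "123.123.123.222/27"}
ISP_GATEWAY = "123.123.123.254"  # ISP router on the outside segment (from the post)


def subnet_plan(ifaces):
    """Map interface name -> (network, first usable address, last usable address)."""
    plan = {}
    for name, cidr in ifaces.items():
        net = ipaddress.ip_interface(cidr).network
        hosts = list(net.hosts())
        plan[name] = (net, hosts[0], hosts[-1])
    return plan


def check_host(host_ip, host_mask, host_gw, asa_iface):
    """Compare one host's own IP settings with the ASA interface it is cabled to.

    Returns a list of problem strings. An empty list means the host will ARP
    for its gateway, the ASA sees the host as on-link, and both sides agree
    on the segment size.
    """
    host = ipaddress.ip_interface(f"{host_ip}/{host_mask}")  # dotted mask accepted
    asa = ipaddress.ip_interface(asa_iface)
    gw = ipaddress.ip_address(host_gw)
    problems = []

    # Host's view: a gateway outside its own subnet is never ARPed for.
    if gw not in host.network:
        problems.append(f"gateway {gw} is not on-link for {host} (host will not ARP for it)")
    # ASA's view: a host address outside the interface subnet needs renumbering.
    if host.ip not in asa.network:
        problems.append(f"{host.ip} lies outside the ASA segment {asa.network}; renumber the host")
    # The gateway must sit on the same segment the ASA interface serves.
    if gw not in asa.network:
        problems.append(f"gateway {gw} lies outside the ASA segment {asa.network}")
    # Stale mask: the two sides disagree about who is on-link (the answer's point).
    if host.network.prefixlen != asa.network.prefixlen:
        problems.append(
            f"host mask /{host.network.prefixlen} differs from ASA mask /{asa.network.prefixlen}"
        )
    return problems


def run_checks():
    """Run constructed sample hosts against the NEW plan; returns {label: problems}."""
    samples = {
        # outside host from the posted log lines, still carrying the old /28 mask
        "outside .244 stale /28": ("123.123.123.244", "255.255.255.240", ISP_GATEWAY, NEW_IFACES["outside"]),
        "outside .244 fixed /27": ("123.123.123.244", "255.255.255.224", ISP_GATEWAY, NEW_IFACES["outside"]),
        # constructed DMZ host left at its old address, mask and old ASA gateway (.238)
        "dmz .230 untouched": ("123.123.123.230", "255.255.255.240", "123.123.123.238", NEW_IFACES["dmz"]),
        # constructed DMZ host renumbered into .193-.222 and pointed at the new ASA address
        "dmz .200 renumbered": ("123.123.123.200", "255.255.255.224", "123.123.123.222", NEW_IFACES["dmz"]),
    }
    return {label: check_host(*args) for label, args in samples.items()}


if __name__ == "__main__":
    for name, (net, first, last) in subnet_plan(NEW_IFACES).items():
        print(f"{name:8s} {net}  usable {first}-{last}")
    for label, problems in run_checks().items():
        print(label, "->", problems or "OK")
```

The outside host only needs its mask widened, because the outside network (123.123.123.224/27) still contains the old 240/28 block and the ISP gateway; a DMZ host that kept its old 225-238 address fails on three counts at once, since 123.123.123.192/27 does not contain it, its old gateway .238, or its old mask.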
