04-25-2008 05:47 AM - edited 03-11-2019 05:36 AM
I am setting up my DMZ area on my new 5520 and have the outside-to-DMZ NAT for a web server working properly. However, I'm having trouble understanding what needs to be done for reaching that web server from the inside. I've been reading about inside-to-DMZ NAT, identity NAT, etc. Below is a partial config. I'm trying to access the 10.2.253.16 web server in the DMZ from inside. Thanks, any advice is appreciated.
ASA Version 8.0(3)
!
hostname cdpasa1
domain-name xx.com
enable password xxx
names
name 10.249.48.0 Hgnwhse description Hgnwhse
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 74.x.x.2 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.2.30.13 255.255.192.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 10.2.253.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.3 255.255.255.0
management-only
!
passwd xxx
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cecodoor.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list cecovpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list cecovpn_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip Hgnwhse 255.255.255.0 10.2.0.0 255.255.192.0
access-list outside_1_cryptomap extended permit ip any Hgnwhse 255.255.255.0
access-list outside_in extended permit tcp any host 74.x.x.13 eq www
access-list outside_in extended permit tcp any host 74.x.x.13 eq https
access-list outside_in extended permit tcp any host 74.x.x.14 eq www
access-list outside_in extended permit esp any any
access-list outside_in extended permit udp any any eq isakmp
access-list outside_in extended permit icmp any host 74.x.x.13
access-list outside_in extended permit icmp any host 74.x.x.16
access-list outside_in extended permit tcp any host 74.x.x.16 eq www
access-list outside_in extended permit tcp any host 74.x.x.16 eq https
access-list outside_in extended deny ip any any log
access-list inside_nat0 extended permit ip any 10.2.253.0 255.255.255.0
access-list inside_nat0 extended permit ip any 10.2.23.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 20000
logging monitor informational
logging buffered informational
logging asdm informational
logging from-address asa5520@cecodoor.com
logging recipient-address chays@cecodoor.com level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu DMZ 1500
ip local pool cdppool 10.2.23.50-10.2.23.100 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 10.249.48.1 outside
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) 74.x.x.13 10.2.18.13 netmask 255.255.255.255
static (inside,DMZ) 10.2.20.0 10.2.20.0 netmask 255.255.254.0
static (DMZ,outside) 74.x.x.16 10.2.253.16 netmask 255.255.255.255
access-group outside_in in interface outside
04-25-2008 05:51 AM
Mark,
This statement is all you need as long as the inside client is part of 10.2.20.0 255.255.254.0.
static (inside,DMZ) 10.2.20.0 10.2.20.0 netmask 255.255.254.0
04-25-2008 06:04 AM
I have that statement in there already, see the bottom of the post. I do have the DMZ in VLAN 50 and the inside network on VLAN 33, if that makes any difference.
04-25-2008 06:08 AM
I know you had that statement, but I was making sure the client you are coming from is part of 10.2.20.0 255.255.254.0.
How are you testing connectivity, ping or http://10.2.253.16?
04-25-2008 06:12 AM
Oh, sorry, I thought you may have missed it. I am trying from a PC with IP 10.2.20.219, so it should be able to. I can't ping or access it from IE. With the identity NAT, I shouldn't have to add ACLs, correct?
04-25-2008 06:26 AM
For ping you would need to allow the reply in on the DMZ interface, but no ACL is needed for IE.
Are you pinging 10.2.253.16 or a hostname?
04-25-2008 06:33 AM
I am pinging 10.2.253.16; I figured I should get that working before adding a DNS entry. When I do a tracert from 10.2.20.219 it hits my stack (also routing) and then times out. Both VLANs are on this stack, so the routes for 20.x and 253.x are directly connected. Stack = 10.2.0.2 with 255.255.192.0 mask; tracert hits 0.2 on the 1st hop, then dies.
04-25-2008 11:47 AM
Instead of
nat (inside) 0 access-list inside_nat0_outbound
Use the following :
nat (inside) 0 access-list inside_nat0
It should work.
04-25-2008 12:15 PM
Yeah, I thought that would work too, but it didn't. Thanks for the try though.
04-25-2008 12:25 PM
Have you allowed icmp into the dmz interface yet?
access-list dmz extended permit icmp any any
access-list dmz extended deny ip any 10.2.20.0 255.255.254.0
access-list dmz extended permit ip any any
access-group dmz in interface DMZ
04-25-2008 12:38 PM
I actually added these earlier and was able to ping 10.2.253.16, and then added an ACL to permit HTTP, but was never able to access the web page on that server. I have since removed it and tried other solutions (this is the only one that I received a successful ping on).
04-25-2008 12:44 PM
You don't need to add a rule for HTTP. Can you hit the web server from another machine on the DMZ?
04-29-2008 08:10 AM
I'm still battling this. I can ping the web server in the DMZ from inside, but can't access the website from inside to DMZ. I can ping my devices on the inside from the web server on the DMZ. Here is my current running config... any other ideas? I've made a few changes from the original posted config. Thanks again.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 74.x.x.2 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.2.30.13 255.255.192.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 10.2.253.2 255.255.255.0
!
!
passwd BWaQlcykry5AAxTH encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cecodoor.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list cecovpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list cecovpn_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip any 10.2.253.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Hgnwhse 255.255.255.0 10.2.0.0 255.255.192.0
access-list outside_1_cryptomap extended permit ip any Hgnwhse 255.255.255.0
access-list DMZ_access_in extended permit icmp 10.2.253.0 255.255.255.0 any
access-list outside_in extended permit tcp any host 74.x.x.13 eq www
access-list outside_in extended permit tcp any host 74.x.x.13 eq https
access-list outside_in extended permit tcp any host 74.x.x.14 eq www
access-list outside_in extended permit esp any any
access-list outside_in extended permit udp any any eq isakmp
access-list outside_in extended permit icmp any host 74.x.x.13
access-list outside_in extended permit icmp any host 74.x.x.16
access-list outside_in extended permit tcp any host 74.x.x.16 eq www
access-list outside_in extended permit tcp any host 74.x.x.16 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu DMZ 1500
ip local pool cdppool 10.2.23.50-10.2.23.100 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 10.249.48.1 outside
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 10.2.253.0 255.255.255.0
static (inside,outside) 74.x.x.13 10.2.18.13 netmask 255.255.255.255
static (DMZ,outside) 74.x.x.16 10.2.253.16 netmask 255.255.255.255
static (inside,DMZ) 10.2.253.16 10.2.253.16 netmask 255.255.255.255
access-group outside_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 74.x.x.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.2 1
route inside 10.2.64.0 255.255.254.0 10.2.0.2 1
route inside 10.244.12.0 255.255.255.0 10.2.30.12 1
route outside Hgnwhse 255.255.255.0 74.x.x.1 1
route inside 172.0.0.0 255.0.0.0 10.2.30.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.2.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
**crypto's omitted due to length**
**vpn items omitted due to length**
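The rule-order question running through this thread (whether the identity static or the nat 0 exemption carries the inside-to-DMZ flow, and which one the ASA picks first) can be checked against the posted statements with a small model. The following Python is an added example, not code from the thread or from Cisco: it parses the nat, global, static and access-list lines copied from the two configs above (the masked 74.x.x.x addresses are left out), applies them in ASA 8.0 order (nat 0 access-list exemption, then static, then dynamic nat/global) to the flow being tested, 10.2.20.219 to 10.2.253.16, and flags a static whose real address lies in the mapped interface's subnet rather than the real interface's. The parse, translate and misplaced_statics helpers and the INTERFACES table are this example's own assumptions, and the model covers only source translation of new connections, not the reverse (destination) match of a static.

```python
"""Which Cisco ASA 8.0 NAT rule does a flow hit? Added example, not the thread's own code.

Config text is constructed from the nat/global/static/access-list statements posted
above. Order modelled: nat 0 access-list (exemption), then static, then dynamic
nat/global. Helper names and the INTERFACES table are this example's assumptions.
"""
import ipaddress

# Constructed: interface subnets as posted (inside /18, DMZ /24).
INTERFACES = {
    "inside": ipaddress.ip_network("10.2.30.13/18", strict=False),
    "DMZ": ipaddress.ip_network("10.2.253.2/24", strict=False),
}

# Constructed from the first posted config: no exemption for the DMZ, identity static instead.
FIRST_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
static (inside,DMZ) 10.2.20.0 10.2.20.0 netmask 255.255.254.0
"""

# Constructed from the second running config: the nat0 ACL now covers the DMZ subnet.
SECOND_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip any 10.2.253.0 255.255.255.0
access-list DMZ_access_in extended permit icmp 10.2.253.0 255.255.255.0 any
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 10.2.253.0 255.255.255.0
static (inside,DMZ) 10.2.253.16 10.2.253.16 netmask 255.255.255.255
"""


def _addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(text):
    """Collect ACL entries, nat 0 bindings, dynamic nat, global pools and statics."""
    cfg = {"acl": {}, "nat0": {}, "dynamic": [], "global": {}, "static": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            src, rest = _addr(t[5:])
            dst, _ = _addr(rest)  # trailing port specs (eq www) are ignored
            cfg["acl"].setdefault(t[1], []).append((t[3], t[4], src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "nat":
            cfg["dynamic"].append((t[1].strip("()"), t[2], _addr(t[3:])[0]))
        elif t[0] == "global":
            cfg["global"][t[2]] = t[1].strip("()")
        elif t[0] == "static":  # static (real_if,mapped_if) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            mapped = ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False)
            real = ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)
            cfg["static"].append((real_if, mapped_if, mapped, real))
    return cfg


def acl_permits(cfg, name, src, dst):
    """First-match lookup; only protocol 'ip' entries matter for NAT exemption."""
    for action, proto, s, d in cfg["acl"].get(name, []):
        if proto == "ip" and src in s and dst in d:
            return action == "permit"
    return False


def translate(cfg, in_if, out_if, src, dst):
    """Return (rule_kind, translated_source) for a new connection from in_if to out_if."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    name = cfg["nat0"].get(in_if)  # 1. NAT exemption wins over everything else
    if name and acl_permits(cfg, name, src, dst):
        return "nat0-exempt", str(src)
    for real_if, mapped_if, mapped, real in cfg["static"]:  # 2. static NAT
        if real_if == in_if and mapped_if == out_if and src in real:
            offset = int(src) - int(real.network_address)
            return "static", str(mapped.network_address + offset)
    for ifc, nat_id, net in cfg["dynamic"]:  # 3. dynamic nat needs a global on egress
        if ifc == in_if and src in net and cfg["global"].get(nat_id) == out_if:
            return "dynamic", f"interface {out_if}"
    return "none", str(src)  # 4. untranslated (dropped only if nat-control is on)


def misplaced_statics(cfg, interfaces=INTERFACES):
    """Heuristic: a static whose real address sits in the mapped interface's subnet but not
    in the real interface's subnet usually has its two interfaces written backwards."""
    bad = []
    for real_if, mapped_if, mapped, real in cfg["static"]:
        in_real = real_if in interfaces and real.network_address in interfaces[real_if]
        in_mapped = mapped_if in interfaces and real.network_address in interfaces[mapped_if]
        if in_mapped and not in_real:
            bad.append(f"static ({real_if},{mapped_if}) {mapped.network_address} {real.network_address}")
    return bad


if __name__ == "__main__":
    for label, text in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        cfg = parse(text)
        print(label, translate(cfg, "inside", "DMZ", "10.2.20.219", "10.2.253.16"),
              "suspicious statics:", misplaced_statics(cfg))
```

Run against the first config the flow lands on the identity static for 10.2.20.0/23; against the second it is exempted by the nat 0 ACL before any static is consulted, so the `static (inside,DMZ) 10.2.253.16 10.2.253.16` line never carries the flow, and the placement heuristic flags it because its real address belongs to the DMZ subnet, not the inside one.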
04-25-2008 12:25 PM
Hi, delete all NAT exemption rules, because by default the security level of the inside network is high (100) and it will access the DMZ and outside networks without you making any rule. Thanks.
04-25-2008 12:27 PM
Hi,
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip Hgnwhse 255.255.255.0 10.2.0.0 255.255.192.0
You have given the wrong IP, 10.2.23.0, instead of the right one, 10.2.253.0. Check and confirm. Thanks, Vinay Gupta.