07-16-2008 09:22 PM - edited 03-11-2019 06:15 AM
Hi all,
Help for a newbie please.
I have a problem with the inside network accessing web servers in the DMZ. I am getting portmap translation fail errors, however I need help with the command to allow all inside hosts access to the DMZ. It's a new firewall and I do not have to configure these often so my skills are limited.
I think I need to add the following commands:
nat (dmz) 1 192.168.200.0 255.255.255.0
access-group dmz_access_in in interface dmz
...and then appropriate ACLs
Current config as follows (some of the config suppressed):
ASA Version 7.1(2)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 222.222.222.74 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.203.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.200.1 255.255.255.0
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq smtp
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq https
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq pop3
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq imap4
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq www
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq ftp
access-list outside_access_in extended permit tcp any host 222.222.222.77 eq www
access-list outside_access_in extended permit tcp any host 222.222.222.77 eq ftp
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq www
access-list outside_access_in extended permit udp any host 222.222.222.78 eq domain
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq domain
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.203.0 255.255.255.0
static (inside,outside) tcp 222.222.222.75 smtp 192.168.203.21 smtp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 https 192.168.203.21 https netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 imap4 192.168.203.21 imap4 netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 pop3 192.168.203.21 pop3 netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 www 192.168.203.2 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 ftp 192.168.203.2 ftp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 www 192.168.203.201 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.77 www 192.168.203.200 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.77 ftp 192.168.203.200 ftp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 domain 192.168.203.200 domain netmask 255.255.255.255
static (inside,outside) udp 222.222.222.78 domain 192.168.203.200 domain netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 222.222.222.73 1
07-16-2008 09:52 PM
Hi,
Is there any specific reason you are using "nat-control"? By default it should be "no nat-control".
If you do "no nat-control" you can access your DMZ without any other NAT statements.
07-16-2008 09:54 PM
To be honest I am not sure what nat-control does exactly so no there is no specific reason for using nat-control.
What are the implications removing this command?
07-16-2008 10:03 PM
What nat-control does is make the ASA work like the old PIX systems: it specifies that all traffic passing through the firewall must have a specific NAT entry.
Read more here :-
-- In your case I don't see any problems if you do "no nat-control".
07-16-2008 10:37 PM
Thanks for your help, I have changed the config as per below. I have a host at address 192.168.200.2/24 in the dmz.
For it to access inside addresses do I need to add individual nat entries for each server it accesses?
Also, the inside network cannot access this host even after the changes?
interface Ethernet0/0
nameif outside
security-level 0
ip address 222.222.222.74 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.203.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.200.1 255.255.255.0
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq smtp
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq https
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq pop3
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq imap4
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq www
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq ftp
access-list outside_access_in extended permit tcp any host 222.222.222.77 eq www
access-list outside_access_in extended permit tcp any host 222.222.222.77 eq ftp
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq www
access-list outside_access_in extended permit udp any host 222.222.222.78 eq domain
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq domain
access-list dmz_access_in extended permit tcp any any
access-list dmz_access_in extended permit udp any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.203.0 255.255.255.0
static (inside,outside) tcp 222.222.222.75 smtp 192.168.203.21 smtp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 https 192.168.203.21 https netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 imap4 192.168.203.21 imap4 netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 pop3 192.168.203.21 pop3 netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 www 192.168.203.2 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 ftp 192.168.203.2 ftp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 www 192.168.203.201 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.77 www 192.168.203.200 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.77 ftp 192.168.203.200 ftp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 domain 192.168.203.200 domain netmask 255.255.255.255
static (inside,outside) udp 222.222.222.78 domain 192.168.203.200 domain netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 222.222.222.73 1
07-17-2008 01:28 AM
I have a host at address 192.168.200.2/24 in the dmz.
For it to access inside addresses do I need to add individual nat entries for each server it accesses?
You have to have an ACL that permits traffic from your DMZ server to inside.
07-17-2008 01:30 AM
Is that not covered by the rules:
access-list dmz_access_in extended permit tcp any any
access-list dmz_access_in extended permit udp any any
access-group dmz_access_in in interface dmz
09-09-2008 04:11 PM
Hi all,
I have not yet resolved my NAT issues from the DMZ to the inside network; I have been working on other projects but would like to have my DMZ functional so I can roll back the loose security policy I have.
I would like to enable all DMZ hosts to be able to access all INSIDE hosts, and set appropriate ACLs to control access. At present I have the following relevant configuration options:
interface Ethernet0/0
nameif outside
security-level 0
ip address 220.157.70.74 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.203.1 255.255.255.0
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.200.1 255.255.255.0
interface Management0/0
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp any any
access-list dmz_access_in extended permit udp any any
access-list dmz_access_in extended permit icmp any any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.203.0 255.255.255.0
nat (dmz) 0 192.168.200.0 255.255.255.0 outside
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
DMZ hosts cannot contact inside hosts at present. Sorry for my ignorance, but there is probably a NAT rule that I have incorrectly configured; I don't do much firewall stuff day to day and am not really sure of the command needed.
Please help:)
09-11-2008 02:04 AM
Hi,
Include the routes for your inside as well as dmz interface, as you have a route for your outside interface.
route inside ---------------
route dmz ------------------
Also include this command:-
nat (dmz) 0 192.168.200.0 255.255.255.0
Regards
Mukesh.P
09-11-2008 07:10 AM
hi,
First of all, if you don't use a VPN or the private network (192.168.200.0) in your company toward the outside, you have to delete the [nat (inside) 0 access-list inside_nat0_outbound] command; it is an unused command line.
The easy command is static!
1.
no nat (dmz) 0 192.168.200.0 255.255.255.0
nat (dmz) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface
static (inside,dmz) 192.168.203.0 192.168.203.0 netmask 255.255.255.0 0 0
Also, if you want to map a dmz address to a public address, you can use the static command as you want! Like this~
static (dmz,outside) tcp 22.222.222.78 www 192.168.200.x 8080 netmask 255.255.255.255
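To put the nat-control discussion earlier in the thread and the static (inside,dmz) fix above together, here is a worked ASA 7.x configuration fragment. It is an added example, not a post from this thread and not a Cisco reference configuration; it reuses the thread's addressing (inside 192.168.203.0/24, dmz 192.168.200.0/24, mail server 192.168.203.21, DNS/web host 192.168.203.200, DMZ host 192.168.200.2), and the specific DMZ-to-inside services it permits are an assumed policy, chosen only to show how the "permit any any" DMZ ACL can be tightened once NAT works.

```cisco
! Added example, not the thread author's running config.
! Assumed addressing: inside 192.168.203.0/24, dmz 192.168.200.0/24,
! inside mail server 192.168.203.21, inside DNS host 192.168.203.200,
! DMZ host 192.168.200.2.

! Keep NAT control off. With "no nat-control", a flow that matches no NAT
! rule is passed untranslated instead of failing with a translation error.
no nat-control

! Remove the earlier "outside" identity NAT on the dmz; the identity static
! below covers inside <-> dmz instead.
no nat (dmz) 0 192.168.200.0 255.255.255.0 outside

! Identity static between inside and dmz: inside addresses are presented
! unchanged to the dmz, so dmz hosts reach 192.168.203.x directly and
! inside -> dmz traffic has a matching translation for its return path.
static (inside,dmz) 192.168.203.0 192.168.203.0 netmask 255.255.255.0

! Dynamic PAT to the outside interface address for both internal networks.
nat (inside) 1 192.168.203.0 255.255.255.0
nat (dmz) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface

! DMZ policy (assumed): instead of "permit tcp any any", allow the DMZ host
! only the inside services it needs, log anything else aimed at the inside
! network, then allow general web access outbound.
access-list dmz_access_in extended permit tcp host 192.168.200.2 host 192.168.203.21 eq smtp
access-list dmz_access_in extended permit udp host 192.168.200.2 host 192.168.203.200 eq domain
access-list dmz_access_in extended deny ip any 192.168.203.0 255.255.255.0 log
access-list dmz_access_in extended permit tcp 192.168.200.0 255.255.255.0 any eq www
access-list dmz_access_in extended permit tcp 192.168.200.0 255.255.255.0 any eq https
access-group dmz_access_in in interface dmz

! Verification after the change:
!   show nat                        - nat/global pairs and statics per interface
!   show xlate                      - the identity static and PAT entries in use
!   show access-list dmz_access_in  - per-line hit counts, including the logged denies
```

The order of the ACL lines matters: the two host-specific permits must precede the `deny ip any 192.168.203.0 ...` line, and the `log` keyword on that deny is what lets you see, in the syslog, which DMZ-to-inside connections are still being attempted before the rest of the loose policy is rolled back.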
09-11-2008 07:57 AM
..
09-11-2008 03:22 PM
That's it! Thanks, all solved :)
Have a great day!