11-18-2008 11:27 PM - edited 03-11-2019 07:15 AM
Hi, I have a problem: I have a server (10.20.2.20) on the dmz1 interface of a remote site, but I cannot access it from the inside interface. I have posted all the NAT rules configured on the firewall (ASA 5510, version 7.2). This remote site is connected to our HQ with a site-to-site VPN. Hence the 10.20.1.0 network must be in the nat 0 rule, but how will the inside 10.20.1.0 network access the 10.20.2.0 network and at the same time our HQ through the VPN?
Thank you...
access-list test extended permit ip any any
nat-control
global (outside) 1 interface
nat (inside) 0 access-list test
nat (inside) 1 10.20.1.0 255.255.255.0
static (inside,outside) tcp 192.168.1.2 https 10.20.1.240 https netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.2 www 10.20.1.240 www netmask 255.255.255.255
static (inside,dmz1) 10.20.1.20 10.20.1.20 netmask 255.255.255.255
static (inside,dmz1) 10.20.1.21 10.20.1.21 netmask 255.255.255.255
static (inside,dmz1) 10.20.1.22 10.20.1.22 netmask 255.255.255.255
static (inside,dmz1) 10.20.1.23 10.20.1.23 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
access-group DMZ1 in interface dmz1
11-19-2008 02:44 AM
Is the config you posted for the HQ or the remote site? You state "Hi, I have a problem i have a server (10.20.2.20) on the dmz1", but the config states "static (inside,dmz1) 10.20.1.20 10.20.1.20 netmask 255.255.255.255".
Different 3rd octets??
11-19-2008 03:45 AM
The config is for the remote site.
I have also tried the statement
static (inside,dmz1) 10.20.2.20 10.20.2.20 netmask 255.255.255.255
but it does not work!!!
11-19-2008 03:48 AM
Firstly:
1) Your NAT statements look the wrong way around; change to:
static (dmz1,inside) 10.20.2.20 10.20.2.20 netmask 255.255.255.255
2) What is the IP subnet of the HQ site?
3) You have to make sure the remote DMZ IP subnet is in the VPN encryption domains
4) You have to make sure the remote DMZ IP subnet is in the no-nat VPN statements.
Check the above.
11-19-2008 04:11 AM
1) I did it.
2) 192.x.x.x is the IP addressing of the HQ site.
3) ?
4) I did that as well.
It did not work.
11-19-2008 04:17 AM
Can you post the full config for review - remove sensitive information.
11-19-2008 04:37 AM
!
interface Ethernet0/0
description 'outside' vlan port
nameif outside
security-level 0
ip address x.x.x.1 255.255.255.0
!
interface Ethernet0/1
description 'inside' vlan port
nameif inside
security-level 100
ip address 10.8.1.254 255.255.255.0
!
interface Ethernet0/2
description vlan port
nameif dmz1
security-level 50
ip address 10.8.2.253 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.8.10.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.8.1.0 255.255.255.0 10.8.10.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip object-group Local-Network object-group xxxxxk
access-list inside_nat0_outbound extended permit ip 10.8.1.0 255.255.255.0 10.8.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.121.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object-group SMTP-HTTPS-HTTP host 192.168.1.2
access-list outside_cryptomap_20 extended permit ip object-group Local-Network object-group xxxxx
access-list outside_cryptomap_20 extended permit ip object-group Local-Network host x.x.x.1
access-list dmz1_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound_dyn_vpn extended permit ip 10.8.1.0 255.255.255.0 10.8.10.0 255.255.255.0
access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.239
access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.240
access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.236
access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.237
access-list OUTSIDE_IN extended permit tcp any any eq smtp
access-list OUTSIDE_IN extended permit tcp any any eq https
access-list OUTSIDE_IN extended permit tcp any any eq www
access-list OUTSIDE_IN extended permit tcp any any eq 1801
access-list OUTSIDE_IN extended permit ip host x.x.x.x any
access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.236 any
access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.237 any
access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.240 any
access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.4 any
access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.156 any
access-list INSIDE_ACCESS_IN extended deny tcp any any eq smtp
access-list INSIDE_ACCESS_IN extended permit ip any any
access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.200 any
access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.239 host 10.8.2.250 log
access-list xxxxx extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap informational
logging asdm informational
logging host outside x.x.x.x
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu management 1500
icmp permit any outside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list xxxxx
nat (inside) 1 10.8.1.0 255.255.255.0
static (inside,outside) tcp 192.168.1.2 https 10.8.1.240 https netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.2 www 10.8.1.240 www netmask 255.255.255.255
static (inside,dmz1) 10.8.1.239 10.8.1.239 netmask 255.255.255.255
static (inside,dmz1) 10.8.1.240 10.8.1.240 netmask 255.255.255.255
static (inside,dmz1) 10.8.1.236 10.8.1.236 netmask 255.255.255.255
static (inside,dmz1) 10.8.1.237 10.8.1.237 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
access-group INSIDE_ACCESS_IN in interface inside
access-group DMZ1_INSIDE in interface dmz1
11-19-2008 04:53 AM
What config is this? The DMZ IP range is 10.8.x.x, not 10.20.x.x, and there is no 192.168??
Which site is this?
11-19-2008 04:56 AM
This is the correct remote site; before, I used example IP addresses.
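As an added example (not posted by anyone in the thread), the following ASA 7.2 fragment applies the four points raised above to the real remote-site config: an identity static for the DMZ server towards the inside, NAT exemption for inside and DMZ traffic towards each other and towards HQ, and the DMZ subnet added to the crypto ACL. Interface names, addresses, ACL names and "object-group xxxxx" are taken from the posted config; the HQ prefix behind "xxxxx" and the hq-host used in the second packet-tracer are not given in the thread and are assumed.

```cisco
! Added example, not from the thread. Remote-site ASA 5510, 7.2.
! inside  = 10.8.1.0/24, dmz1 = 10.8.2.0/24, DMZ server = 10.8.2.250,
! HQ networks = object-group xxxxx (assumed; real prefix not in the thread).
!
! 1) Present the DMZ server to the inside at its real address, as suggested
!    above: static (real_ifc,mapped_ifc) mapped_ip real_ip.
static (dmz1,inside) 10.8.2.250 10.8.2.250 netmask 255.255.255.255
!
! 2) Exempt inside->DMZ and inside->HQ from translation, and apply that ACL
!    instead of the "permit ip any any" one. Under nat-control, NAT exemption
!    is matched before dynamic NAT, so a permit-any exemption leaves no inside
!    flow for "nat (inside) 1" and breaks PAT towards the Internet.
access-list inside_nat0_outbound extended permit ip 10.8.1.0 255.255.255.0 10.8.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.8.1.0 255.255.255.0 object-group xxxxx
no nat (inside) 0 access-list xxxxx
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.8.1.0 255.255.255.0
global (outside) 1 interface
!
! 3) The DMZ needs its own exemption so that the server can initiate towards
!    the inside hosts permitted in DMZ1_INSIDE and towards HQ; the posted
!    config defines dmz1_nat0_outbound but never applies it.
access-list dmz1_nat0_outbound extended permit ip 10.8.2.0 255.255.255.0 10.8.1.0 255.255.255.0
access-list dmz1_nat0_outbound extended permit ip 10.8.2.0 255.255.255.0 object-group xxxxx
nat (dmz1) 0 access-list dmz1_nat0_outbound
!
! 4) Put the DMZ subnet into the encryption domain. The HQ peer must carry the
!    mirror image (HQ networks -> 10.8.2.0/24) in its crypto ACL, otherwise
!    phase 2 never negotiates an SA for that pair of proxy IDs.
access-list outside_cryptomap_20 extended permit ip 10.8.2.0 255.255.255.0 object-group xxxxx
!
! Checks: walk a flow through ACL, NAT and VPN lookup. Each trace should end
! in "Action: allow" and name the static/nat rule and crypto map it matched.
! hq-host is a placeholder for a real HQ address.
packet-tracer input inside tcp 10.8.1.239 1025 10.8.2.250 80
packet-tracer input dmz1 tcp 10.8.2.250 1025 hq-host 443
show xlate | include 10.8.2.250
show crypto ipsec sa
```

Apply the nat lines during a maintenance window: removing and re-adding a nat (inside) 0 rule clears existing exemption xlates, so active sessions through the tunnel will drop once. If packet-tracer stops at the NAT-EXEMPT or VPN phase, the ACL it names is the one missing the 10.8.2.0/24 entry.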