ASA 5510 configuration problem

Unanswered Question
May 4th, 2009

Dear All,

I am installing an ASA 5510 Security+ but am having some problems, i.e. inside is unable to communicate with DMZ and outside,

DMZ is unable to communicate with outside (internet) and inside,

Outside is unable to access DMZ and inside.

Please see the attached configuration of the ASA:


ASA Version 7.0(7)
!
hostname XXXXX
domain-name default.domain.invalid
enable password XXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.74.2 255.255.255.0
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.1.18 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.16.1 255.255.255.0
 management-only
!
passwd XXXXXXXXXXXXXXXX encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 192.168.74.10-192.168.74.15 netmask 255.255.255.0
global (outside) 1 192.168.74.9 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
static (DMZ,outside) 192.168.1.0 192.168.74.0 netmask 255.255.255.0
static (outside,DMZ) 192.168.74.0 192.168.1.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.74.1 1
route inside 192.168.11.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
route inside 192.168.8.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1
route inside 192.168.6.0 255.255.255.0 192.168.20.2 1
route inside 192.168.5.0 255.255.255.0 192.168.20.2 1
route inside 192.168.4.0 255.255.255.0 192.168.20.2 1
route inside 192.168.3.0 255.255.255.0 192.168.20.2 1
route inside 192.168.2.0 255.255.255.0 192.168.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username Junaid password GmyIgt9p0qYot/Ks encrypted
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:4a349530616191826545b7d8e6574b48
: end

MTL-ASA#



I have a Cisco 3560 switch connected to the ASA. VLANs are configured on the switch, so that is why I added routes for VLANs 2-11.

Please check my configuration and advise if something needs to be added to the configuration.

Regards,

Junaid

rjaaouan Tue, 05/05/2009 - 01:38

Hi,


I'm not an expert, but I think it's a NAT issue:

nat-control
global (outside) 1 192.168.74.10-192.168.74.15 netmask 255.255.255.0
global (outside) 1 192.168.74.9 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
static (DMZ,outside) 192.168.1.0 192.168.74.0 netmask 255.255.255.0
static (outside,DMZ) 192.168.74.0 192.168.1.0 netmask 255.255.255.0


I don't see any NAT statement from inside to outside (inside to DMZ), because with nat-control enabled this traffic is denied if NAT doesn't allow it.

You also need to review the static command, because I think something is missing there as well. This output shows how a static statement is constructed. Note the order of the mapped and real IP addresses.


static (real_interface,mapped_interface) mapped_ip real_ip netmask mask


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#t12


Good luck.
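Applying the static syntax quoted in the reply to the addresses in the original post, the following is an added example of how the NAT section of a pre-8.3 ASA such as this 7.0(7) unit is normally laid out so that every interface pair the poster lists (inside to DMZ, DMZ to outside, outside to DMZ, DMZ to inside) has a translation under nat-control. It is not code from either poster and not a Cisco reference configuration. The published DMZ host 192.168.1.20, its mapped outside address 192.168.74.20, port 3306 and the access-list names are constructed for illustration; all other addresses are taken from the posted configuration.

```cisco
! Added example: NAT and access-list section for the posted 7.0(7) configuration.
! The 192.168.1.20 / 192.168.74.20 host pair, port 3306 and the access-list
! names are constructed; every other address comes from the original post.
!
! Remove the two subnet statics. In "static (real_ifc,mapped_ifc) mapped_ip real_ip"
! the first one has mapped and real swapped (DMZ hosts really live in
! 192.168.1.0/24), and mapping a whole /24 onto the outside subnet would overlap
! the ASA's own outside address, the global pool and the upstream gateway.
no static (DMZ,outside) 192.168.1.0 192.168.74.0 netmask 255.255.255.0
no static (outside,DMZ) 192.168.74.0 192.168.1.0 netmask 255.255.255.0
!
nat-control
! inside -> outside (already in the post): dynamic NAT/PAT into the outside pool.
global (outside) 1 192.168.74.10-192.168.74.15 netmask 255.255.255.0
global (outside) 1 192.168.74.9 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
!
! DMZ -> outside: DMZ hosts have no translation in the post, so nat-control drops
! them. Let them use the same outside pool (NAT id 1).
nat (DMZ) 1 192.168.1.0 255.255.255.0
!
! inside <-> DMZ: NAT exemption keeps real addresses in both directions between
! the inside networks (192.168.20.0/24 plus the routed VLAN subnets) and the DMZ,
! which satisfies nat-control without one static per subnet.
access-list inside_nat0 extended permit ip 192.168.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
!
! outside -> DMZ: publish one DMZ server (constructed addresses) on a dedicated
! outside address instead of the whole subnet. The static supplies the
! translation, the ACL supplies the permission; on pre-8.3 code the outside ACL
! matches the mapped (192.168.74.x) address.
static (DMZ,outside) 192.168.74.20 192.168.1.20 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.168.74.20 eq www
access-group outside_in in interface outside
!
! DMZ -> inside is lower-to-higher security and needs an explicit ACL as well as
! the exemption above. Once an ACL is bound to DMZ the implicit permit for
! DMZ -> outside is gone, so allow only the needed inside service, block the
! rest of the inside ranges, then re-allow everything else (the internet).
access-list DMZ_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 3306
access-list DMZ_in extended deny ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list DMZ_in extended deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.240.0
access-list DMZ_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group DMZ_in in interface DMZ
!
! Existing translations are cached; clear them so the new rules take effect.
clear xlate
```

Outside to inside is not opened here: under this layout inside hosts are only reachable from outside through a per-host static plus an outside_in entry, the same pattern used for the DMZ server, and each such entry should be added deliberately rather than by mapping a whole subnet. `show xlate` and `show conn` after `clear xlate` confirm which translations are actually being built for each interface pair.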


junshah22 Tue, 05/05/2009 - 05:06

I used these commands for inside,


route inside 192.168.11.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
route inside 192.168.8.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1


You can see them in my configuration.

I was trying to access outside from DMZ first; that's why I didn't enter static commands for inside, i.e. (inside,DMZ), (inside,outside), etc.

The link you referred to looks like the same scenario as mine; hopefully it will solve it.

Thanks in advance,

Junaid
