ASA 5510 configuration problem

Unanswered Question
May 4th, 2009

Dear All,

I am installing an ASA 5510 Security Plus but am having some problems, i.e. inside is unable to communicate with DMZ and outside,

DMZ is unable to communicate with outside (internet) and inside,

Outside is unable to access DMZ and inside.

Please see the attached configuration of the ASA:

ASA Version 7.0(7)
!
hostname XXXXX
domain-name default.domain.invalid
enable password XXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.74.2 255.255.255.0
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.1.18 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.16.1 255.255.255.0
 management-only
!
passwd XXXXXXXXXXXXXXXX encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 192.168.74.10-192.168.74.15 netmask 255.255.255.0
global (outside) 1 192.168.74.9 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
static (DMZ,outside) 192.168.1.0 192.168.74.0 netmask 255.255.255.0
static (outside,DMZ) 192.168.74.0 192.168.1.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.74.1 1
route inside 192.168.11.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
route inside 192.168.8.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1
route inside 192.168.6.0 255.255.255.0 192.168.20.2 1
route inside 192.168.5.0 255.255.255.0 192.168.20.2 1
route inside 192.168.4.0 255.255.255.0 192.168.20.2 1
route inside 192.168.3.0 255.255.255.0 192.168.20.2 1
route inside 192.168.2.0 255.255.255.0 192.168.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username Junaid password GmyIgt9p0qYot/Ks encrypted
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:4a349530616191826545b7d8e6574b48
: end
MTL-ASA#

I have a Cisco 3560 switch connected to the ASA. VLANs are configured on the switch, so that's why I added routes for VLANs 2-11.

Please check my configuration and advise if something needs to be added to the configuration.

Regards,

Junaid

rjaaouan Tue, 05/05/2009 - 01:38

Hi,

I'm not an expert, but I think it's a NAT issue:

nat-control
global (outside) 1 192.168.74.10-192.168.74.15 netmask 255.255.255.0
global (outside) 1 192.168.74.9 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
static (DMZ,outside) 192.168.1.0 192.168.74.0 netmask 255.255.255.0
static (outside,DMZ) 192.168.74.0 192.168.1.0 netmask 255.255.255.0

I don't see any NAT statement from inside to outside (inside to DMZ), because with nat-control enabled, this traffic is denied if NAT doesn't allow it.

You also need to review the static command, because I think something is missing there too. This output shows how a static statement is constructed. Note the order of the mapped and real IP addresses.

static (real_interface,mapped_interface) mapped_ip real_ip netmask mask

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#t12

Good luck.
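The NAT points raised in this reply, worked through as an added configuration fragment for the posted ASA 7.0 setup (this is not code from the thread or from Cisco): the two posted statics are removed, then a translation is added for inside to DMZ, one for DMZ to outside, a correctly ordered static for a single DMZ host, and the outside access-list that traffic from a lower to a higher security level needs. The host addresses 192.168.1.20 and 192.168.74.20 and the access-list name OUTSIDE_IN are assumed values, not from the thread.

```text
! --- Posted statements that cause the symptoms ---
! With nat-control on, inside -> DMZ has no translation: "nat (inside) 1"
! only pairs with "global (outside) 1"; there is no global on the DMZ.
! In both statics below the mapped and real addresses are swapped (the real
! DMZ network 192.168.1.0 sits in the mapped position), and even with the
! order fixed a /24 static onto 192.168.74.0/24 would claim the outside
! interface's own subnet (ASA at .2, gateway at .1, global pool .9-.15).
no static (DMZ,outside) 192.168.1.0 192.168.74.0 netmask 255.255.255.0
no static (outside,DMZ) 192.168.74.0 192.168.1.0 netmask 255.255.255.0
!
! --- Corrected statements ---
! 1. Inside -> DMZ: PAT inside hosts to the DMZ interface address, so the
!    existing "nat (inside) 1 192.168.0.0 255.255.0.0" has a matching global.
global (DMZ) 1 interface
!
! 2. DMZ -> outside: let the DMZ network use the existing outside pool (id 1).
nat (DMZ) 1 192.168.1.0 255.255.255.0
!
! 3. Outside -> DMZ, one host at a time, following
!    static (real_interface,mapped_interface) mapped_ip real_ip netmask mask
!    192.168.1.20 (assumed DMZ server) is published as 192.168.74.20 (assumed
!    free outside address; it must not be the interface, the gateway or in
!    the global pool).
static (DMZ,outside) 192.168.74.20 192.168.1.20 netmask 255.255.255.255
!
! Outside (level 0) to DMZ (level 50) is dropped unless an access-list on the
! outside interface permits it; pre-8.3 ACLs reference the mapped address.
access-list OUTSIDE_IN extended permit tcp any host 192.168.74.20 eq www
access-group OUTSIDE_IN in interface outside
!
! After applying, "show nat" and "show xlate" confirm the translations exist.
```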

junshah22 Tue, 05/05/2009 - 05:06

I used these commands for inside,

route inside 192.168.11.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
route inside 192.168.8.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1

You can see them in my configuration.

I was trying to access outside from DMZ first; that's why I didn't enter static commands for inside, i.e. (inside,DMZ), (inside,outside), etc.

The link you referred to looks the same as my scenario; hopefully it will solve it.

Thanks in advance,

Junaid
