ASA DMZ config issues

gentleps
Level 1

Hi--

First-time poster, so please go easy... I'm having what I think is an issue with my ASA config. I'm trying to add a DMZ and it's not working.

My network is somewhat unique in that I have a requirement to use all public IPs for all interfaces, so no private internal addresses on the interface side. I have both static and nat 0 items and I'm afraid this may be my problem. I'm not sure if this is correct. To add to the mix of interesting things, I am setting the new interface for the DMZ up using a subinterface for the first time. I don't have access to the 6500 that feeds the DMZ VLAN, but I am told the port is in trunk mode with the VLAN in question not set as the native VLAN. I am setting it up this way as I will need to add some additional networks in the near future, which this will allow me to do.

Here are the basics of my config. I'm leaving out ACLs at this time for simplicity. IPs are changed; all interfaces use public IPs. The RFC 1918 networks you see are for a few L2L tunnels I have. It is in routed mode. I can post the whole thing if needed.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.130 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 2.2.2.1 255.255.254.0
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.22
 description VLAN 22 DMZ network
 vlan 22
 nameif DMZ
 security-level 50
 ip address 3.3.3.161 255.255.255.224
!
access-list inside_nat0_outbound extended permit ip any 2.2.2.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip 2.2.2.0 255.255.254.0 2.2.2.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 2.2.2.0 255.255.254.0 172.16.170.144 255.255.255.240
access-list inside_nat0_outbound extended permit ip host 2.2.2.63 65.44.68.208 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.10.24.0 255.255.255.128
access-list dmz_nat0_outbound extended permit ip 3.3.3.160 255.255.255.224 3.3.3.160 255.255.255.224
!
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 2.2.2.0 255.255.254.0
nat (DMZ) 0 access-list dmz_nat0_outbound
nat (DMZ) 0 3.3.3.160 255.255.255.224
!
static (inside,outside) 2.2.2.0 2.2.2.0 netmask 255.255.254.0
static (DMZ,outside) 3.3.3.160 3.3.3.160 netmask 255.255.255.224
static (inside,DMZ) 2.2.2.0 2.2.2.0 netmask 255.255.254.0
!
access-group 101 in interface outside
access-group internal in interface inside
!
route outside 0.0.0.0 0.0.0.0 1.1.1.129 1

The inside interface works no problem. The DMZ interface, however, doesn't seem to have any traffic when I do a show int DMZ. I have a box in that network. I try to go out to the outside and nothing works. I try to go from inside to DMZ, nothing. Part of me wonders if the 6500 is configured correctly, but everything I'm told says it is. I can't help but think my nat statements are messed up.

Please help.

1 Reply

ricardo.gamboa
Level 1

Hello,

I think you have a problem in the access-list dmz_nat0_outbound: the source and destination networks are equal.

And I'm not sure why you use NAT exemption on the DMZ interface. It should be fine with static only.

Regards
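As an added illustration (not part of the original post or the reply above), here is one way to apply the reply's suggestion on a pre-8.3 ASA: drop the two DMZ NAT-exemption entries and keep the identity static entries already in the config, then verify with show nat, packet-tracer and the subinterface counters. The addresses are the ones from the post; 3.3.3.165 (a DMZ host) and 4.4.4.4 (an outside destination) are assumed test endpoints.

```cisco
! Added example, not from the original post or reply.
! Interface names, networks and statics are taken from the posted config;
! 3.3.3.165 and 4.4.4.4 are assumed test hosts.
!
! 1. Remove NAT exemption on the DMZ. The identity statics below remain and
!    handle DMZ<->outside and inside<->DMZ without translation.
no nat (DMZ) 0 access-list dmz_nat0_outbound
no nat (DMZ) 0 3.3.3.160 255.255.255.224
clear configure access-list dmz_nat0_outbound
!
! Existing identity statics (unchanged, already in the posted config):
!   static (DMZ,outside) 3.3.3.160 3.3.3.160 netmask 255.255.255.224
!   static (inside,DMZ)  2.2.2.0 2.2.2.0 netmask 255.255.254.0
!
! 2. Confirm the translation rules the ASA will apply, then trace a flow
!    from the DMZ host to the outside through NAT, ACLs and routing.
show nat
packet-tracer input DMZ tcp 3.3.3.165 12345 4.4.4.4 80
!
! 3. Check that VLAN 22 frames reach the subinterface at all. If the input
!    packet count stays at zero while the DMZ host is sending, the problem
!    is on the upstream trunk/VLAN, not in the translation rules.
show interface GigabitEthernet0/2.22
```

packet-tracer prints each phase (ACCESS-LIST, NAT, ROUTE-LOOKUP, ...) with an ALLOW or DROP result, so it separates a NAT or ACL problem from a layer 2 one that show interface would reveal.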
