07-19-2009 03:30 AM - edited 03-11-2019 08:56 AM
************************
Kindly look on the configuration and guide me please.
************************
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777
access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any
access-list DMZ_access_in extended permit ip host 192.168.100.0 192.168.0.0 255.255.255.0
access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface Inside
failover
failover lan unit primary
failover lan interface failovetr-int GigabitEthernet0/3
failover replication http
failover interface ip failovetr-int 10.250.250.1 255.255.255.252 standby 10.250.250.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
asdm history enable
arp timeout 14400
nat (Inside) 0 access-list nonat
nat (DMZ) 0 access-list nonatDMZ
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
07-19-2009 05:07 AM
Please provide the output of "sh run policy-map" and make sure that inspect icmp is enabled there.
example:
policy-map global_policy
class inspection_default
inspect ftp
.
.
.
inspect icmp
service-policy global_policy global
07-19-2009 05:26 AM
**********************
Kindly look at my configuration and guide me how I can solve my problem.
1. I'm able to ping the 192.168.100.215 server in the DMZ from the outside source IP 192.168.255.1. How? It is possible without applying an access list to the DMZ interface.
2. When I'm applying an access list to the DMZ interface, then from outside I'm not able to ping the DMZ server 192.168.100.215. Why?
3. I want access to the DMZ network from the Inside network. If anything is wrong, please guide me. My complete ASA configuration is as follows.
*******************************************
ASA Version 8.0(4)
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/3
description LAN Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777
access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any
access-list DMZ_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list DMZ_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0
access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
nat (Inside) 0 access-list nonat
nat (DMZ) 0 access-list nonatDMZ
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
dynamic-access-policy-record DfltAccessPolicy
class-map inspection_default
match default-inspection-traffic
class-map ips_class_map
match access-list traffic_for_ips
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_2
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class ips_class_map
ips inline fail-open
: end
ASA#
07-19-2009 08:38 AM
Answering your question "1. I'm able to ping 192.168.100.215 server in DMZ from outside source IP 192.168.255.1, how?"... because of the following rule:
!
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
!
When you allow ip access... you are allowing mostly anything from Internet. Make note that ICMP & IGMP operate on top of IP but do not transport data like UDP or TCP.... Also, not taking too much time...the following is wrong as well:
!
access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
!
Why? Because if your DMZ is only 192.168.100.x...then you should always see 192.168.100.x after your permit + protocol and not 192.168.255.x
!
If 192.168.255.x is coming from outside & you wanted to give 100% access to your DMZ (which no one does), the correct statement would be (as you have):
!
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0
!
Via above command, you are giving Internet users on 192.168.255.x segment total access to any 192.168.0.0 no matter what interface (inside or DMZ).
!
Note: Make sure you have the following as well
!
Access-list inside_access_all permit ip any any
!
access-group inside_access_all in interface inside
!
access-list DMZ_access_all permit icmp any any
!
also add your other dmz servers accessing inside or outside after this line
!
access-group DMZ_access_all in interface DMZ
!
Note: why am I calling this DMZ_access_all and not DMZ_access_in... because sooner or later, your DMZ servers need to access http, ftp, https outside and you can only have 2 access groups depending on the direction of traffic... Most FW admin configs call for one access group per interface. Also, more recent codes require you to have an access group on the inside interface... however it's a good idea to have this, in case later you have an inside host attacking outside, you can block that inside host by placing an access list on top of permit ip any any... I hope this helps and good luck... Matt
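As an added illustration (not part of the thread and not Cisco code), the Python below models how an ASA interface ACL is evaluated: first match wins, `permit ip` covers ICMP as well as TCP and UDP, and an ACL bound to an interface ends in an implicit deny. It copies the poster's outside_access_in and DMZ_access_in entries and Matt's DMZ_access_all line verbatim; the test packets use addresses from the thread (192.168.255.1, 192.168.100.215, 192.168.22.38) plus one constructed source (192.168.22.5). Stateful inspection (the posted `inspect icmp`) is deliberately not modelled, so the evaluator only answers "would this ACL permit this packet on its own".

```python
"""Toy first-match ACL evaluator (constructed example, not Cisco code).
Parses 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' lines as
posted in the thread. First matching entry wins; an ACL bound to an interface
ends in an implicit deny. Stateful inspection is not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "www": 80, "http": 80, "https": 443}  # keywords seen in the thread

@dataclass
class Packet:
    proto: str                 # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None

def _addr(tokens, i):
    """Parse 'any', 'host A' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    t = line.split()
    if len(t) < 6 or t[0].lower() != "access-list":
        raise ValueError(f"unsupported ACE syntax: {line}")
    k = 3 if t[2] == "extended" else 2      # 'extended' keyword is optional on the ASA
    src, i = _addr(t, k + 2)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"line": line, "name": t[1], "action": t[k], "proto": t[k + 1],
            "src": src, "dst": dst, "port": port}

def parse_acl(text):
    return [parse_ace(l.strip()) for l in text.strip().splitlines() if l.strip()]

def matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:   # 'ip' covers icmp/tcp/udp
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    return ace["port"] is None or ace["port"] == pkt.dport

def evaluate(acl, pkt):
    """Return (action, matching ACE text); ('deny', None) means the implicit deny fired."""
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"], ace["line"]
    return "deny", None

def shadowed(acl):
    """ACEs that can never match because an earlier ACE already covers everything they would."""
    out = []
    for n, ace in enumerate(acl):
        for prev in acl[:n]:
            if ((prev["proto"] == "ip" or prev["proto"] == ace["proto"])
                    and ace["src"].subnet_of(prev["src"])
                    and ace["dst"].subnet_of(prev["dst"])
                    and (prev["port"] is None or prev["port"] == ace["port"])):
                out.append(ace["line"])
                break
    return out

# ACL entries copied verbatim from the poster's second configuration and from Matt's reply.
OUTSIDE_IN = parse_acl("""
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777
access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0
""")
DMZ_IN_AS_POSTED = parse_acl("""
access-list DMZ_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list DMZ_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0
""")
DMZ_ALL = parse_acl("access-list DMZ_access_all permit icmp any any")

if __name__ == "__main__":
    # Question 1: the ping from 192.168.255.1 is let in by the 'permit ip' entry, not an ICMP one.
    print(evaluate(OUTSIDE_IN, Packet("icmp", "192.168.255.1", "192.168.100.215")))
    # Matt's direction point: traffic entering the DMZ interface is sourced from 192.168.100.x,
    # so the posted DMZ_access_in entry with source 192.168.255.0/24 never matches it.
    print(evaluate(DMZ_IN_AS_POSTED, Packet("icmp", "192.168.100.215", "192.168.255.1")))
    print(evaluate(DMZ_ALL, Packet("icmp", "192.168.100.215", "192.168.255.1")))
    print(shadowed(OUTSIDE_IN))
```

Running it also surfaces a detail neither post mentions: the `deny tcp host 192.168.22.38 ... eq 7777` entry sits after `permit tcp 192.168.22.0 255.255.255.0 ... eq 7777`, so under first-match evaluation the deny is shadowed and never fires; on a live ASA the zero hit count for that entry in `show access-list` would show the same thing.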