public IP access

Answered Question
Dec 29th, 2009

I have the following problem: I cannot access a server in the DMZ with its public IP. The diagram is as follows:

LAN <---> ASA <-> Internet
           |
           |
          DMZ

I do not see any error log, please help.
Correct Answer
Jon Marshall Tue, 12/29/2009 - 12:17
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

I have the following problem: I cannot access a server in the DMZ with its public IP. The diagram is as follows:

LAN <---> ASA <-> Internet
           |
           |
          DMZ

I do not see any error log, please help.


Julio


Where are you trying to access the server from, i.e. from the inside or from the internet?


Can you post your config?


Jon

Julio Saldivar Tue, 12/29/2009 - 13:05

Jon,

I'm trying to access it from the inside.

Attached configuration:

!
interface Vlan1
nameif outside
security-level 0
ip address ip_public 255.255.255.248
!
interface Vlan2
nameif gerencia
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
nameif ventas_web
security-level 100
ip address 192.168.6.1 255.255.255.0
!
interface Vlan4
nameif facturacion
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan6
nameif camaras
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan7
nameif servidorweb
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
speed 100
duplex full
!
interface Ethernet0/1
switchport trunk allowed vlan 1-7
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 7
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list camaras_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.224
global (outside) 1 interface
global (facturacion) 1 interface
nat (gerencia) 0 access-list clientvpn1
nat (gerencia) 1 0.0.0.0 0.0.0.0
nat (facturacion) 0 access-list clientvpn
nat (facturacion) 1 192.168.0.0 255.255.255.0
nat (camaras) 0 access-list camaras_nat0_outbound
nat (servidorweb) 0 access-list clientvpn2
nat (servidorweb) 1 servidor_web_local 255.255.255.255
nat (ventas_web) 1 192.168.6.0 255.255.255.0
static (facturacion,gerencia) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (camaras,gerencia) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (gerencia,facturacion) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (gerencia,camaras) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (facturacion,servidorweb) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (gerencia,servidorweb) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (facturacion,ventas_web) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (ventas_web,facturacion) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (ventas_web,servidorweb) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (ventas_web,gerencia) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (gerencia,ventas_web) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (servidorweb,outside) ip_public_server servidor_web_local netmask 255.255.255.255
static (servidorweb,facturacion) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (servidorweb,gerencia) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (servidorweb,ventas_web) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group gerencia_access_in in interface gerencia
access-group facturacion_access_in in interface facturacion
access-group camaras_access_in in interface camaras
access-group servidorweb_access_in in interface servidorweb
access-group ventas_web_access_in_1 in interface ventas_web
route outside 0.0.0.0 0.0.0.0 ip_gateway 1

Correct Answer
Jon Marshall Tue, 12/29/2009 - 13:15

Julio


There are a number of options you could use to achieve this. Have a read of this link which will explain how to configure it and if you have further questions please come back -


http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html


Jon

Julio Saldivar Mon, 01/04/2010 - 07:52

Jon, thank you very much. I used the following command to resolve the problem:


static (dmz,inside) 51.88.80.100 172.16.1.100


Greetings

vilaxmi Fri, 01/01/2010 - 13:11
User Badges:
  • Cisco Employee

Hello,


By default, the ASA will allow traffic from a higher security-level interface to a lower one as long as you have a NAT translation for it.


In your config there are several interfaces with sec-level 100 and only ONE DMZ (sec-level = 50). Please make sure that the interface from which you want to initiate traffic has a corresponding NAT for it, as follows:


Users (10.1.1.0/24)-----------------in_1[ASA]dmz_1-----------server (1.1.1.1)


nat (in_1) 1 0 0

global (dmz_1) 1 interface


Now, as long as you do not have any ACLs blocking the connection at the in_1 and dmz_1 interfaces, you should not have any issue accessing the server.


Also, try bypassing any networking devices between the clients and the ASA by connecting a PC directly to the ASA and trying to access the server. This will help you understand whether the ASA is actually the cause of concern or not.


Another troubleshooting tip would be to try the packet-tracer simulator built into ASDM. It can be found in ASDM as Tool--->packet-tracer.


HTH


Vijaya
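The following is an added worked example, not configuration posted by anyone in the thread. It maps Julio's generic fix (static (dmz,inside) 51.88.80.100 172.16.1.100) onto the interface names from his posted config (servidorweb is the DMZ, gerencia is the inside network) and ties it to vilaxmi's point about needing a translation for the source interface. ip_public_server and servidor_web_local are Julio's own placeholders, not real addresses; the client address 192.168.1.50 and the TCP ports are constructed for the packet-tracer check. Pre-8.3 NAT syntax throughout, as in the thread.

```cisco
! Added example (not from the thread). Pre-8.3 syntax:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! ip_public_server / servidor_web_local are the placeholders from the
! posted config; 192.168.1.50 is a constructed inside client.

! 1. Already in the posted config: the server is published toward the
!    Internet under its public address ...
static (servidorweb,outside) ip_public_server servidor_web_local netmask 255.255.255.255
!    ... but toward gerencia the DMZ subnet is only presented with its real
!    addresses. A gerencia host that connects to ip_public_server therefore
!    has no translation on that interface pair mapping the public address
!    back to the server, which is why the connection fails without a log hit.
static (servidorweb,gerencia) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

! 2. The fix, in the pattern of Julio's static (dmz,inside) line: present the
!    server under its public address on the gerencia interface as well.
static (servidorweb,gerencia) ip_public_server servidor_web_local netmask 255.255.255.255
!    Caveat: this /32 overlaps the /24 identity static above for the same real
!    host, so precedence between the two matters; confirm the chosen
!    translation with packet-tracer (step 4) rather than assuming it.

! 3. vilaxmi's point, the source side: gerencia (100) -> servidorweb (50) needs
!    a translation for the client addresses when nat-control is enabled. The
!    identity static already in the posted config supplies it:
static (gerencia,servidorweb) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!    The nat/global pair from vilaxmi's example is the dynamic-PAT alternative
!    (shown commented out; the nat line already exists in the posted config):
! nat (gerencia) 1 0.0.0.0 0.0.0.0
! global (servidorweb) 1 interface

!    Pre-8.3 ACLs are written against the addresses as seen on the ingress
!    interface, so the gerencia inbound ACL must permit the PUBLIC address,
!    not 192.168.2.x. The service is assumed to be TCP/80 here.
access-list gerencia_access_in extended permit tcp 192.168.1.0 255.255.255.0 host ip_public_server eq 80
access-group gerencia_access_in in interface gerencia

! 4. Verify from the CLI: simulate the constructed client opening TCP/80 to the
!    public address and read the NAT and ACL phases of the output, then confirm
!    the translation that was built. Existing xlates are cached, so after
!    changing static entries clear them (this drops established connections).
clear xlate
packet-tracer input gerencia tcp 192.168.1.50 40000 ip_public_server 80
show xlate
```

The same check from vilaxmi's "bypass other devices" advice applies before touching NAT at all: if packet-tracer already shows an ALLOW result through the NAT and ACCESS-LIST phases, the ASA is not where the connection is being dropped.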
