12-29-2009 11:47 AM - edited 03-11-2019 09:52 AM
12-29-2009 12:17 PM
I have the following problem: I cannot access a server in the DMZ with public IP. The diagram is as follows:
LAN <---> ASA <-> Internet
           |
           |
          DMZ
I do not see any error log, please help.
Julio
Where are you trying to access the server from, i.e. inside or from the internet?
Can you post your config?
Jon
12-29-2009 01:05 PM
Jon
I'm trying to access from the inside.
Attached configuration:
!
interface Vlan1
 nameif outside
 security-level 0
 ip address ip_public 255.255.255.248
!
interface Vlan2
 nameif gerencia
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif ventas_web
 security-level 100
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan4
 nameif facturacion
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan6
 nameif camaras
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan7
 nameif servidorweb
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport trunk allowed vlan 1-7
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 7
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list camaras_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.224
global (outside) 1 interface
global (facturacion) 1 interface
nat (gerencia) 0 access-list clientvpn1
nat (gerencia) 1 0.0.0.0 0.0.0.0
nat (facturacion) 0 access-list clientvpn
nat (facturacion) 1 192.168.0.0 255.255.255.0
nat (camaras) 0 access-list camaras_nat0_outbound
nat (servidorweb) 0 access-list clientvpn2
nat (servidorweb) 1 servidor_web_local 255.255.255.255
nat (ventas_web) 1 192.168.6.0 255.255.255.0
static (facturacion,gerencia) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (camaras,gerencia) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (gerencia,facturacion) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (gerencia,camaras) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (facturacion,servidorweb) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (gerencia,servidorweb) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (facturacion,ventas_web) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (ventas_web,facturacion) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (ventas_web,servidorweb) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (ventas_web,gerencia) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (gerencia,ventas_web) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (servidorweb,outside) ip_public_server servidor_web_local netmask 255.255.255.255
static (servidorweb,facturacion) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (servidorweb,gerencia) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (servidorweb,ventas_web) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group gerencia_access_in in interface gerencia
access-group facturacion_access_in in interface facturacion
access-group camaras_access_in in interface camaras
access-group servidorweb_access_in in interface servidorweb
access-group ventas_web_access_in_1 in interface ventas_web
route outside 0.0.0.0 0.0.0.0 ip_gateway 1
12-29-2009 01:15 PM
Julio
There are a number of options you could use to achieve this. Have a read of this link which will explain how to configure it and if you have further questions please come back -
http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html
Jon
01-04-2010 07:52 AM
Jon, thank you very much. Use the following command to resolve the problem:
static (dmz,inside) 51.88.80.100 172.16.1.100
greetings
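The argument order of the command in the post above, with a way to check the resulting translation, as an added example that is not part of the original thread. The interface names and the two server addresses are the ones in that command; the client address 10.1.1.10, the source port and TCP/80 as the service are constructed for illustration.

```cisco
! Added example (not from the thread). Pre-8.3 static NAT syntax:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
!
!   real_ifc   = dmz            interface the server is attached to
!   mapped_ifc = inside         interface on which the mapped address is presented
!   mapped_ip  = 51.88.80.100   address that inside clients connect to
!   real_ip    = 172.16.1.100   address configured on the server in the DMZ
!
! The host netmask is written out explicitly here; the command in the post
! omits it.
static (dmz,inside) 51.88.80.100 172.16.1.100 netmask 255.255.255.255
!
! Remove any stale translation for the server so new connections use the new
! rule. Scoping the clear to one local address avoids dropping every
! translation on the firewall.
clear xlate local 172.16.1.100
!
! Simulate an inside client (constructed address) opening TCP/80 (assumed
! service) to the public address. The trace should show the destination being
! untranslated to 172.16.1.100, the egress interface as dmz, and a final
! action of allow. A drop in an ACCESS-LIST phase points at the ACL on the
! inside interface rather than at NAT.
packet-tracer input inside tcp 10.1.1.10 1025 51.88.80.100 80 detailed
!
! Confirm that the static translation is installed.
show xlate
```

This static only affects connections that arrive on the inside interface; reachability of the server from the internet still depends on the separate static towards the outside interface and the ACL applied there.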
01-01-2010 01:11 PM
Hello,
By default, ASA will allow traffic from a higher security-level interface to a lower one as long as you have a NAT translation for it.
In your config, there are several interfaces with sec-level as 100 and DMZ (sec-level = 50) is only ONE. Please make sure that the interface from which you want to initiate traffic has a corresponding NAT for it, as follows:
Users (10.1.1.0/24)-----------------in_1[ASA]dmz_1-----------server (1.1.1.1)
nat (in_1) 1 0 0
global (dmz_1) 1 interface
Now as long as you do not have any ACLs blocking the connection at in_1 and dmz_1 interface you should not be having any issue in accessing the server.
Also, try bypassing any networking devices between clients and ASA by connecting PC directly to ASA and try to access server. This will help you to understand if ASA is actually cause of concern or not.
Another troubleshooting tip would be to try the packet tracer built-in simulator in ASDM. It can be found in ASDM as Tool--->packet-tracer.
HTH
Vijaya