04-30-2012 09:42 AM - edited 03-11-2019 03:59 PM
Hi,
I started this on Friday at about 5 pm and am about at the point of throwing my hands up in the air from frustration. I am trying to configure a DMZ for an IP camera to be viewed from the outside. I had tried to set this config to NAT 10.1.35.5 to 2.2.2.14. Immediately after setting up the NAT config, all hosts on the network lose internet access. After two nights of no success, I tried to mimic the port-forwarding setup and just forward traffic into the LAN rather than trying to get the DMZ working, as I could already see a few devices that were set up this way. I feel like I am missing a step while configuring NAT. It seems to me that touching any of the other public IPs tends to mess up the configuration. Is there something I need to do with the existing NATing to free up a public IP from the NAT pool? (Sanitized config below)
: Saved
:
ASA Version 7.0(7)
!
hostname ASA
domain-name aaa.com
enable password Iliketurtles encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.20.10 255.255.254.0
!
interface Ethernet0/2
description Test DMZ for web4
shutdown
nameif dmz
security-level 25
ip address 10.1.35.1 255.255.255.0
!
interface Management0/0
no nameif
no security-level
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group service camera tcp-udp
description https2000
port-object range 443 443
port-object range 2000 2005
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit esp host Virginia host 2.2.2.2
access-list outside_acl extended permit ah host Virginia host 2.2.2.2
access-list outside_acl extended permit udp host Virginia eq isakmp host 2.2.2.2 eq isakmp
access-list outside_acl extended permit udp host Virginia eq 4500 host 2.2.2.2 eq 4500
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
access-list inside_acl extended permit ip 10.1.20.0 255.255.254.0 any
access-list inside_acl extended permit ip 10.1.24.0 255.255.254.0 any
access-list ltl_irvine_to_va extended permit ip 2.2.2.0 255.255.254.0 any
access-list ltl_irvine_to_va extended permit ip 10.1.24.0 255.255.254.0 any
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.250.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.5.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.7.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 172.16.31.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.250.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.5.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.7.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 172.16.31.0 255.255.255.0
access-list dmz_in extended permit icmp 10.1.35.0 255.255.255.0 any
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range netbios-ns 139
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range 135 netbios-ssn
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 eq domain
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq www
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any object-group camera
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq 990
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any range 53000 53010
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp-data
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging asdm warnings
logging facility 22
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp permit any inside
asdm image disk0:/asdm-509.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 10.1.20.0 255.255.254.0
nat (inside) 1 10.1.24.0 255.255.254.0
nat (dmz) 0 access-list no_nat
nat (dmz) 1 10.1.35.0 255.255.255.0
static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
static (inside,dmz) 10.1.20.0 10.1.20.0 netmask 255.255.254.0
static (dmz,inside) 10.1.35.0 10.1.35.0 netmask 255.255.255.0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.1.24.0 255.255.254.0 10.1.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password blahblahblah encrypted privilege 15
http server enable
http 10.1.4.0 255.255.255.0 outside
http 10.1.5.0 255.255.255.0 outside
http 172.16.31.0 255.255.255.0 outside
http 100.100.100.0 255.255.255.0 outside
http 10.1.24.0 255.255.254.0 inside
http 10.1.20.0 255.255.254.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside 100 match address ltl_irvine_to_va
crypto map outside 100 set peer Virginia
crypto map outside 100 set transform-set ESP-3DES-SHA
crypto map outside interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group Virginia type ipsec-l2l
tunnel-group Virginia ipsec-attributes
pre-shared-key *
telnet 10.1.24.93 255.255.255.255 inside
telnet timeout 5
ssh 100.100.100.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:c6546262ff82a0b8748f0cbbb189194f
: end
04-30-2012 11:39 AM
Please add this ACL entry on the "outside_acl":
access-list outside_acl extended permit ip any host 2.2.2.14
Let me know if this helps.
Thanks
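The reply above boils down to one check: a static translation onto the outside interface only carries inbound traffic if the ACL applied inbound on that interface actually has an entry reaching the mapped address. The script below is an added example for this thread (it is neither Cisco code nor the poster's configuration) that parses old-style ASA `static (real_if,mapped_if) mapped real netmask ...` lines, the `access-list ... extended permit ...` entries and the `access-group` bindings, and reports for each static whether the inbound ACL on the mapped interface reaches the mapped address, whether the mapped address lies inside that interface's subnet, and whether the real-side interface is administratively `shutdown`. The function names (`check_statics` and helpers) are hypothetical, and `SAMPLE_CONFIG` is a constructed excerpt modelled on the posted config, not the full config.

```python
"""Static-NAT reachability check for an old-style (pre-8.3) Cisco ASA config.

Added example, not Cisco code and not the poster's configuration. Names
resolved through `names` entries (e.g. a peer called Virginia) are skipped
because they are not IP literals.
"""
import ipaddress
import re

# Constructed excerpt modelled on the thread's sanitized config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 2.2.2.2 255.255.255.240
interface Ethernet0/1
 nameif inside
 ip address 10.1.20.10 255.255.254.0
interface Ethernet0/2
 shutdown
 nameif dmz
 ip address 10.1.35.1 255.255.255.0
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
access-group outside_acl in interface outside
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_interfaces(cfg):
    """Return {nameif: {"shutdown": bool, "net": IPv4Network}} from interface blocks."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            cur = {"shutdown": False, "net": None}
        elif cur is None:
            continue
        elif line == "shutdown":
            cur["shutdown"] = True
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = cur          # same dict keeps collecting fields
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            cur["net"] = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return ifaces


def _take_addr(tokens, i):
    """Consume one ACL address spec (any | host X | net mask) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _skip_port(tokens, i):
    """Skip an optional source-port qualifier (eq/lt/gt/neq/object-group/range)."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt", "neq", "object-group"):
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i


def parse_acl_destinations(cfg):
    """Return {acl_name: [(action, proto, dst_network), ...]} in config order."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        try:
            _, i = _take_addr(tokens, 0)
            dst, _ = _take_addr(tokens, _skip_port(tokens, i))
        except (ValueError, IndexError):
            continue                                # named host or malformed entry
        acls.setdefault(name, []).append((action, proto, dst))
    return acls


def check_statics(cfg):
    """One finding per static: is the mapped address reachable through the inbound ACL?"""
    ifaces = parse_interfaces(cfg)
    acls = parse_acl_destinations(cfg)
    inbound = {m.group(2): m.group(1)
               for m in (GROUP_RE.match(l.strip()) for l in cfg.splitlines()) if m}
    findings = []
    for line in cfg.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, mapped, real, mask = m.groups()
        mapped_net = ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False)
        entries = acls.get(inbound.get(mapped_if), [])
        iface_net = ifaces.get(mapped_if, {}).get("net")
        findings.append({
            "mapped": mapped, "real": real, "real_if": real_if, "mapped_if": mapped_if,
            "acl_permits_mapped": any(a == "permit" and dst.overlaps(mapped_net)
                                      for a, _, dst in entries),
            "mapped_in_iface_subnet": bool(iface_net and mapped_net.subnet_of(iface_net)),
            "real_if_shutdown": ifaces.get(real_if, {}).get("shutdown", False),
        })
    return findings


if __name__ == "__main__":
    for f in check_statics(SAMPLE_CONFIG):
        flags = []
        if not f["acl_permits_mapped"]:
            flags.append(f"no permit in inbound ACL of {f['mapped_if']} reaches mapped address")
        if not f["mapped_in_iface_subnet"]:
            flags.append("mapped address is outside the mapped interface's subnet")
        if f["real_if_shutdown"]:
            flags.append(f"real interface {f['real_if']} is shut down")
        print(f"{f['mapped']} -> {f['real']}: {'; '.join(flags) or 'ok'}")
```

On the constructed excerpt the two existing statics come back clean, while 2.2.2.14 is flagged twice: no entry in outside_acl reaches it (the gap the reply addresses) and its real-side interface is shut down. When adding the missing entry, a rule scoped to the camera's protocol and ports (the posted config already defines an `object-group service camera` for that) exposes less of the DMZ host than `permit ip any host 2.2.2.14`; the script treats either form as reachable, so the port-scoped variant costs nothing in this check.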