New Member

Access from Guest Wlan to DMZ servers

Hi,

We have a guest WLAN that goes out over the ASA (version 8.6) firewall, and it works as intended for reaching the Internet.

We also have a DMZ, but when I try to reach the URL of one of our servers in the DMZ it doesn't connect; I don't get the page.

I have been trying a lot of different configurations I found on the net, but no luck getting traffic out to and back in from the DMZ.

Any hints to solve this issue would be greatly appreciated.

  • Firewalling
2 REPLIES
New Member

Can you please post your config for us? This will make it much, much easier to assist you.

New Member

Hi,

Sorry for the late response... here is the config:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 196.179.169.135 255.255.255.240 
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.230.100.7 255.255.255.0 
!
interface GigabitEthernet0/1.90
 description Subinterface DMZ Vlan90
 shutdown
 vlan 90
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Interface  for Guest VLAN
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.70
 description Guest Interface  Wlan
 vlan 70
 nameif Guestwlan
 security-level 100
 ip address 172.16.20.1 255.255.255.0 
!
interface GigabitEthernet0/3
 description Interface for DMZ net
 nameif DMZ
 security-level 50
 ip address 192.168.75.1 255.255.255.0 
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name tidax.se
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network App1
 host 196.157.213.163
object network Draget-FW
 host 10.230.100.34
object network Fin-GW
 host 10.230.100.60
object network GW
 host 196.179.169.129
object network NETWORK_OBJ_192.168.190.0_25
 subnet 192.168.190.0 255.255.255.128
object network nat-wlan
 host 196.179.169.130
object network net-guestwlan
 subnet 172.16.20.0 255.255.255.0
object network VPNAccessHTTP
 subnet 192.168.190.0 255.255.255.0
object network VPN_Mail_Access
 subnet 192.168.190.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.75.0 255.255.255.0
object network lime-external-ip
 host 196.179.169.140
object network owncloud-external-ip
 host 196.179.169.141
object network limeserver
 host 192.168.75.10
object network owncloudserver
 host 192.168.75.11
object network dns-server
 host 10.230.100.12
object service DNS
 service tcp destination eq domain 
object network Inside_access_dmz
 subnet 10.230.100.0 255.255.255.0
object network ESXI-Lime
 host 192.168.75.2
object network Uppsala_GW
 host 10.230.100.2
object network Uppsala_network
 subnet 192.168.10.0 255.255.255.0
object network Access_DMZ_https
 subnet 10.230.100.0 255.255.255.0
object network Insida_dmz_https
 subnet 10.230.100.0 255.255.255.0
object network GuestWlan-DMZ
 subnet 172.16.20.0 255.255.255.0
object network inside_identity_dmz_nat
object network inside_nat
 subnet 172.16.20.0 255.255.255.0
object network DMZ_Ping
 subnet 10.230.100.0 255.255.255.0
object network Acces-LimeEsxi
 host 192.168.75.2
object network DMZ-Guestwlan
 host 196.179.169.140
object-group service RDP tcp
 port-object eq 3389
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object udp destination eq domain 
 service-object tcp destination eq 993 
 service-object tcp destination eq smtp 
 service-object tcp destination eq 5001 
 service-object tcp destination eq 9091 
 service-object tcp destination eq 995 
 service-object tcp destination eq 465 
 service-object tcp destination range 6245 6246 
 service-object tcp destination eq 6351 
object-group service DM_INLINE_TCP_1 tcp
 group-object RDP
 port-object eq echo
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq 903
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp destination eq domain 
 service-object tcp destination eq echo 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq 6351 
 service-object tcp destination eq ldap 
object-group service VMware_Vsphere_client udp
 description Vsphere access
 port-object eq 427
object-group service DM_INLINE_SERVICE_3
 service-object tcp destination eq https 
 service-object tcp-udp destination eq 902 
 service-object tcp destination eq 903 
 service-object tcp destination eq echo 
object-group service Vmware_902 tcp-udp
 port-object eq 902
object-group service Vmware_903 tcp
 port-object eq 903
object-group service Lime-Mobility-Server tcp
 port-object eq 6351
object-group service DM_INLINE_TCP_3 tcp
 port-object range 6245 6246
 port-object eq 6351
 port-object eq www
 port-object eq https
object-group service Lime_access_6245-6246 tcp
 port-object range 6245 6246
object-group service DM_INLINE_SERVICE_4
 service-object ip 
 service-object tcp destination range 6245 6246 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
access-list inside_access_in extended permit tcp 10.230.100.0 255.255.255.0 any eq www 
access-list inside_access_in extended permit tcp 10.230.100.0 255.255.255.0 any eq https 
access-list inside_access_in extended permit ip 10.230.100.0 255.255.255.0 any 
access-list inside_access_in extended permit tcp 10.230.100.0 255.255.255.0 any object-group RDP 
access-list inside_access_in extended permit tcp 10.230.100.0 255.255.255.0 192.168.75.0 255.255.255.0 eq https inactive 
access-list Guestwlan_access_in extended permit object-group DM_INLINE_SERVICE_1 object net-guestwlan any 
access-list Guestwlan_access_in extended permit object-group DM_INLINE_SERVICE_4 172.16.20.0 255.255.255.0 any 
access-list DMZ_access_in extended permit tcp interface inside 192.168.75.0 255.255.255.0 object-group DM_INLINE_TCP_1 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.75.0 255.255.255.0 10.230.100.0 255.255.255.0 
access-list DMZ_access_in extended permit tcp 192.168.75.0 255.255.255.0 any object-group DM_INLINE_TCP_2 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 10.230.100.0 255.255.255.0 any 
access-list DMZ_access_in extended permit tcp 172.16.20.0 255.255.255.0 host 196.179.169.140 object-group DM_INLINE_TCP_3 
access-list dmz_acl extended permit udp 192.168.75.0 255.255.255.0 object dns-server eq domain 
access-list OUTSIDE-IN extended permit tcp any host 192.168.75.10 eq https 
access-list OUTSIDE-IN extended permit tcp any host 192.168.75.11 eq www 
access-list OUTSIDE-IN extended permit tcp any host 192.168.75.11 eq https 
access-list NO-NAT extended permit ip 172.16.20.0 255.255.255.0 192.169.75.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Guestwlan 1500
mtu management 1500
mtu DMZ 1500
ip local pool ai-Pool 192.168.190.10-192.168.190.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.190.0_25 NETWORK_OBJ_192.168.190.0_25 no-proxy-arp route-lookup
!
object network net-guestwlan
 nat (Guestwlan,DMZ) static 196.179.169.140
object network VPNAccessHTTP
 nat (any,outside) dynamic interface
object network VPN_Mail_Access
 nat (any,inside) dynamic interface
object network dmz-subnet
 nat (DMZ,outside) dynamic interface
object network limeserver
 nat (DMZ,outside) static 196.179.169.140
object network owncloudserver
 nat (DMZ,outside) static 196.179.169.141
object network DMZ-Guestwlan
 nat (DMZ,Guestwlan) dynamic limeserver
!
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE-IN in interface outside
access-group inside_access_in in interface inside
access-group Guestwlan_access_in in interface Guestwlan
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 196.179.169.129 1
route inside 10.230.101.0 255.255.255.0 10.230.100.34 1
route inside 192.168.5.0 255.255.255.0 10.230.100.2 1
route inside 192.168.10.0 255.255.255.0 10.230.100.2 1
route inside 196.157.213.161 255.255.255.255 10.230.100.60 1
route inside 196.157.213.162 255.255.255.255 10.230.100.60 1
route inside 196.157.213.164 255.255.255.255 10.230.100.60 1
route inside 196.157.213.179 255.255.255.255 10.230.100.60 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.230.100.0 255.255.255.0 inside
no snmp-server location
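Reading the posted config, there is no rule that turns the server's public address into its DMZ address for traffic arriving on Guestwlan. The `nat (Guestwlan,DMZ) static 196.179.169.140` entry rewrites the guest source addresses rather than the destination, and the `nat (DMZ,Guestwlan) dynamic limeserver` entry only matches packets sourced from 196.179.169.140 on the DMZ side, which do not exist there. The ACL entry that permits guests to 196.179.169.140 sits in DMZ_access_in, which is evaluated for traffic entering the DMZ interface, not the guest interface; and the NO-NAT ACL, which no nat statement references, names 192.169.75.0 (likely a typo for 192.168.75.0) and has no effect on 8.3+ anyway. The following is an added example of how a guest-to-DMZ hairpin through the public address is normally built on ASA 8.3+ with manual (twice) NAT. It is not from the original post or its replies, and it assumes that the DMZ server's default gateway is the ASA DMZ interface 192.168.75.1 and that guest clients resolve the server's name to 196.179.169.140 via public DNS:

```cisco
! Added example, not the poster's config. Object names and addresses are the ones
! already defined in the posted config; the guest test address in the usage note is made up.
!
! 1. Remove the two object NAT entries that point the wrong way.
object network net-guestwlan
 no nat (Guestwlan,DMZ) static 196.179.169.140
object network DMZ-Guestwlan
 no nat (DMZ,Guestwlan) dynamic limeserver
!
! 2. Manual (twice) NAT in section 1: keep the guest source address unchanged and
!    translate the public destination 196.179.169.140 to the real server 192.168.75.10.
!    Section 1 is evaluated before the object NAT on limeserver, so this rule is the
!    one that matches for traffic entering on Guestwlan. The destination pair is
!    written mapped-then-real: lime-external-ip (what the packet carries) -> limeserver.
nat (Guestwlan,DMZ) source static net-guestwlan net-guestwlan destination static lime-external-ip limeserver
!
! 3. On 8.3+ an ACL matches the real (untranslated) address, so the permit on the
!    guest interface names the DMZ host, not the public IP. Guestwlan sits at
!    security-level 100 with same-security-traffic permitted and its ACL already
!    carries a 'service-object ip ... any' entry, so guests can currently reach
!    10.230.100.0/24 as well; a deny ahead of the permits closes that. If guests are
!    meant to use the inside resolver 10.230.100.12, permit udp/53 to it above the deny.
access-list Guestwlan_access_in line 1 extended deny ip 172.16.20.0 255.255.255.0 10.230.100.0 255.255.255.0
access-list Guestwlan_access_in extended permit tcp 172.16.20.0 255.255.255.0 host 192.168.75.10 object-group DM_INLINE_TCP_3
!
! 4. The guest entry in DMZ_access_in is on the wrong interface for a guest-initiated
!    flow (return traffic rides the existing connection and needs no ACL), so drop it.
no access-list DMZ_access_in extended permit tcp 172.16.20.0 255.255.255.0 host 196.179.169.140 object-group DM_INLINE_TCP_3
```

To check the result without a client, run `packet-tracer input Guestwlan tcp 172.16.20.50 12345 196.179.169.140 443` (172.16.20.50 and the source port are arbitrary values for the test): the NAT phase should show the destination rewritten to 192.168.75.10 with egress interface DMZ, and the final line should read ALLOW. `show nat detail` confirms the manual rule is in section 1 and counts translate hits, and `show xlate` should list the 196.179.169.140 to 192.168.75.10 entry once a guest has connected. If the guest clients resolve the name against an internal DNS server that already returns 192.168.75.10, the destination NAT is not needed and the ACL permit alone suffices.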