12-26-2011 11:55 AM - edited 03-11-2019 03:06 PM
Hello, any help or insight into why I can't get this working properly would be extremely helpful.
I have a Cisco ASA 5510 connected to 2 private LANs (1 for my HQ PCs {inside} and 1 for the worldwide MPLS {outside}).
It is also connected to the public internet at interface "public" and my dmz at "dmz" interface. I suspect I have a routing issue because packet-trace yields allow, the nat looks ok and the objects look ok at least to me but I'm the one with the non working config so.... Help, please.
Basically this is the desired flow:
1. I need all traffic from the inside to be able to flow to the outside unimpeded as they are both trusted networks. (this is ok right now as I allow everything via access-list 101.)
2. I need any host on the public internet to be able to reach a server on the dmz via the pat which I set up from the "public" interface to the "DMZ" interface. The desired flow would be that the person on the internet types in https://webserver.company.com and this is directed to the public interface ip which forwards to the webserver object on the dmz. (I cannot get this working any which way)
3. I need the dmz to be able to communicate with another server on the mpls via the "outside" interface. When it receives the request from the public, it then checks with this other server on the outside via nat (translating the dmz range into the ip of the outside interface on the firewall).
I have a default route that points to the mpls or outside interface for 0.0.0.0 0.0.0.0 via 10.x.x.1 - (and although I'm not sure I suspect this could be conflicting with traffic that needs to be sent to the "public" interface .... meaning that the firewall should dump packets bound for 0.0.0.0 0.0.0.0 to the public interface - 184.x.x.194 but I'm very reluctant to change the default route as this is in production and I'm not sure how it will affect traffic).
However, I do suspect that if I changed the route from default to static as such:
route 10.0.0.0 255.0.0.0 10.x.x.1 (this would get all lan and mpls traffic to the mpls gateway)
route 0.0.0.0 0.0.0.0 184.x.x.193 (this would send everything else from public to the public internet gateway)
I think this is accurate, but then I would be bypassing my corporate internet proxy which is behind the mpls gateway at 10.x.x.1.
Does anyone else think this is a routing issue? Is there a way to get http traffic originating from the lan (10.x.x.x) to use the mpls gateway and http traffic for the dmz to use the public internet gateway at 184.x.x.193? I don't want to start causing a flow problem for the internet, nor do I want to bypass my corp internet proxy.
Either way I cannot get this to work; even though the logic checks out, I cannot get even a ping response when I allow icmp any any for testing.
Note: I can ping resources on each network from the firewall, not only its own ports in the associated network but other resources on those networks as well.
Here is the running-config:
ciscoasa# sho run
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name marcjacobs.lvmh
enable password wrblOSAyPeeKhvhL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 100
ip address 10.x.x.2 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.x.x.8 255.255.254.0
!
interface Ethernet0/2
nameif public
security-level 0
ip address 184.x.x.194 255.255.255.248
!
interface Ethernet0/3
nameif DMZ
security-level 50
ip address 192.168.x.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.x.1 255.255.255.0
management-only
!
boot system disk0:/asa841.bin
ftp mode passive
dns server-group DefaultDNS
domain-name marcjacobs.lvmh
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network webserver
host 192.168.x.26
object network dmz_range
range 192.168.x.1 192.168.x.254
object network OUTSIDE
subnet 10.x.y.0 255.255.255.240
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit udp any any
access-list 101 extended permit tcp any any
access-list 101 extended permit gre any any
access-list 101 extended permit esp any any
access-list 101 extended permit tcp any any eq smtp
access-list dmz_outside extended permit ip any 10.98.9.0 255.255.255.240
access-list test_ping extended permit icmp any any
access-list webserver_insidehost extended permit tcp host 192.168.x.26 host 10.x.x.45 eq https
access-list public_in extended permit tcp any host 192.168.x.26 eq https
access-list ping_test extended permit icmp any any echo
access-list ping_test extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu public 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (outside,DMZ) source static OUTSIDE OUTSIDE
!
object network webserver
nat (DMZ,public) static interface service tcp https https
access-group 101 in interface outside
access-group test_ping in interface public
route outside 0.0.0.0 0.0.0.0 10.x.x.1 1
route outside 10.x.x.91 255.255.255.255 10.x.x.1 1
route inside 10.x.x.0 255.255.255.0 10.x.x.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
telnet timeout 100
ssh scopy enable
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cseiber password 2kzsrDh0SvZ/CKV0 encrypted
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:16a704ae3f98ae986d7bc1c594c97f48
: end
ciscoasa#
01-09-2012 04:29 PM
Ok, good.
So I would configure the 5505 as I said with 3 interfaces:
Inside (192) connected to dmz switch
Outside (184) connected to internet
MPLS (10) connected to core switch vlan dedicated to dmz traffic.
Default route 0 0 184...
Route mpls 10...
Nat for dmz to public
Nat for dmz to mpls
With the appropriate access lists for both flows is this right?
01-09-2012 04:49 PM
That is correct,
That should do it.
Regards,
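The three-interface DMZ firewall agreed on above, covering the poster's flows 2 and 3, written out in ASA 8.4 syntax as an added example (not config from either participant). VLAN numbers, the "mpls" interface name, the mpls_app_server object and the x/y placeholder addresses are assumptions carried over from the poster's notation.

```cisco
! Added example (ASA 8.4 syntax), not config from the thread. Interface
! names, VLAN numbers and the 10.x.y.x / 184.x.x.x / 192.168.x.x
! addresses are assumed placeholders matching the poster's x/y notation.
interface Vlan1
 nameif inside
 security-level 50
 ip address 192.168.x.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 184.x.x.194 255.255.255.248
interface Vlan3
 nameif mpls
 security-level 100
 ip address 10.x.y.2 255.255.255.240
! One 5505 switchport per VLAN: DMZ switch, internet, core-switch DMZ VLAN
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport access vlan 2
interface Ethernet0/3
 switchport access vlan 3
object network webserver
 host 192.168.x.26
 ! Flow 2: static PAT, https to the outside interface IP lands on the DMZ host
 nat (inside,outside) static interface service tcp https https
object network dmz_range
 subnet 192.168.x.0 255.255.255.0
 ! Other DMZ-initiated internet traffic is PATed to the outside interface IP
 nat (inside,outside) dynamic interface
object network mpls_app_server
 host 10.x.x.45
! Flow 3: twice NAT hides the DMZ range behind the mpls interface IP
nat (inside,mpls) source dynamic dmz_range interface
! Routing is by destination only (no policy-based routing in 8.4), so a
! separate box is what lets DMZ web egress avoid the corporate proxy path
route outside 0.0.0.0 0.0.0.0 184.x.x.193 1
route mpls 10.0.0.0 255.0.0.0 10.x.y.1 1
! 8.3+ ACLs match the real (untranslated) address, hence "object webserver"
access-list outside_in extended permit tcp any object webserver eq https
access-group outside_in in interface outside
! DMZ reaches only the one corporate server it needs; the rest of 10/8 is
! denied before the internet permits, so a compromised DMZ host cannot pivot
access-list inside_in extended permit tcp object webserver object mpls_app_server eq https
access-list inside_in extended deny ip any 10.0.0.0 255.0.0.0
access-list inside_in extended permit tcp object dmz_range any eq https
access-list inside_in extended permit tcp object dmz_range any eq www
access-group inside_in in interface inside
```

Once applied, `packet-tracer input outside tcp 203.0.113.10 40000 184.x.x.194 443` (constructed source address) should show the NAT untranslate to 192.168.x.26 and an ALLOW by outside_in; a deny there points at the ACL, not at routing.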