Solved: Changing Internal IP address range for DMZ

Ven Diesel · ‎07-22-2012

Hi

We are changing ip add of our DMZ interface to new range,

So I cofigured as follows:

• Created a new vlan 22 on core switch

• Created a new sub interface(int e0/1.4) on ASA assigne vlan 22 and ip add

• Outside to incoming nat rules on ASA for 10.20.22.x range on DMZ and servers are in place,

So the new config is as follows:

interface Ethernet0/1.4

vlan 22

nameif xxx

security-level 50

ip address 10.20.22.1 255.255.255.0

nat (DMZ) 0 access-list dmz-inside

nat (DMZ) 1 10.20.22.0 255.255.255.0

static (DMZ,outside) x.x.100.24 10.20.22.60 netmask 255.255.255.255 dns

So with all this in place I cant access the sever either from lan and externally, I am able to ping the server from asa and server to dmz interface, I am not sure what i am missing here help much appreciated.

Many Thanks

Ven

Ramraj Sivagnanam Sivajanam · ‎07-25-2012

Hi Bro

You've a very simple problem here, assuming your ACTIVE/STANDBY failover is working fine. All you've to do is as shown below;

Commands to add

=============
access-list outside-in extended line 1 permit icmp any any <-- This is just temporary
access-list inside line 1 permit ip any any

access-list new-dmz-inside line 1 permit ip 10.20.22.1 255.255.255.0 any

access-group outside-in in interface outside
access-group inside in interface inside
access-group new-dmz-inside in interface new-DMZ

Commands to remove

================
nat (inside) 0 access-list nonat

If the problem still persist, we could do a quick Teamviewer and get this resolved. This is easy :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

View solution in original post

Ramraj Sivagnanam Sivajanam · ‎07-22-2012

Hi Bro

I have a strong feeling during the configuration change, the access-list XXX and access-group XXX were removed. Please ensure those lines are in. If the problem persist, please paste your latest running-config here, so that everyone can assist you.

P/S; If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Ven Diesel · ‎07-23-2012

Hi Ram

Firstly appreciate for your time and I am attaching config for your reference, so to briefly explain what we are doing is we are having dmz configured for 192.168 range atm and we want to move it 10.20 range,

Config for your reference:

ASA# sh running-config

: Saved

:

ASA Version 8.2(5)

!

hostname ASA

names

dns-guard

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address x.x.100.241 255.255.255.0 standby x.x.100.243

!

interface Ethernet0/1

speed 100

duplex full

no nameif

no security-level

no ip address

!

interface Ethernet0/1.2

vlan 2

nameif DMZ

security-level 50

ip address 192.x.x.x 255.255.255.0

!

interface Ethernet0/1.4

vlan 22

nameif new-DMZ

security-level 50

ip address 10.20.22.1 255.255.255.0

!

interface Ethernet0/1.5

vlan 5

nameif inside

security-level 100

ip address 10.20.5.1 255.255.255.0

!

interface Ethernet0/2

description STATE Failover Interface

!

interface Ethernet0/3

description LAN Failover Interface

!

interface Management0/0

shutdown

nameif management

security-level 100

no ip address

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

access-list outside-in extended permit tcp any host x.x.100.24 eq www

access-list outside-in extended permit tcp any host x.x.100.24 eq https

access-list outside-in extended permit tcp any host x.x.100.24 eq ftp

access-list outside-in extended permit tcp any host x.x.100.24 eq ssh

access-list dmz-inside extended permit ip host 192.168.2.100 192.168.0.0 255.255.0.0

access-list new-dmz-inside extended permit ip host 10.20.22.100 10.20.0.0 255.255.0.0

pager lines 24

logging enable

logging monitor debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

mtu DMZ 1500

mtu new-DMZ 1500

failover

failover lan unit primary

failover lan interface failover Ethernet0/3

failover mac address Ethernet0/0 001f.9e98.24d8 001f.9e2b.9e98

failover mac address Ethernet0/1 001f.9e98.24d9 001f.9e2b.9e99

failover link stateful Ethernet0/2

failover interface ip failover 192.168.255.1 255.255.255.252 standby 192.168.255.2

failover interface ip stateful 192.168.255.5 255.255.255.252 standby 192.168.255.6

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 x.x.100.126

global (outside) 2 10.16.12.1

nat (inside) 0 access-list nonat

nat (inside) 2 access-list xxxx

nat (inside) 1 10.20.0.0 255.255.0.0

nat (inside) 1 192.168.0.0 255.255.0.0

nat (DMZ) 0 access-list dmz-inside

nat (DMZ) 1 192.168.2.0 255.255.255.0

nat (new-DMZ) 1 10.20.22.0 255.255.255.0

static (DMZ,outside) x.x.100.42 192.168.2.171 netmask 255.255.255.255 dns

static (DMZ,outside) x.x.100.41 192.168.2.172 netmask 255.255.255.255 dns

static (DMZ,outside) x.x.100.92 192.168.2.192 netmask 255.255.255.255 dns

static (DMZ,outside) x.x.100.21 192.168.2.222 netmask 255.255.255.255 dns

static (DMZ,outside) x.x.100.23 192.168.2.223 netmask 255.255.255.255 dns

static (new-DMZ,outside) x.x.100.24 10.20.22.60 netmask 255.255.255.255 dns

access-group outside-in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.100.247 1

route inside 10.20.0.0 255.252.0.0 10.20.5.251 1

route inside 192.168.0.0 255.255.0.0 10.20.5.251 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto isakmp am-disable

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username xxxx password /xxxx encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect h323 h225

inspect h323 ras

inspect ip-options

class class-default

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:a907636acf6785904a45e7293842ef86

: end

Many Thanks

Ven

nkarthikeyan · ‎07-23-2012

Hi Ven,

I have the following questions for your query.

Do you see any hits in the outside-in ACL for x.x.100.24 public Ip???

have you created no-nat for inside to dmz-new?

Have you verified the xlate table & sh nat outputs whether any NAT hits is happening through??

Please let me know with your outputs.

Please do rate if the given information helps.

By

Karthik

Ven Diesel · ‎07-23-2012

Hi

Thanks for your reply and time,

1) No hits on public ip acl

2) I didnt created a no-nat and will do

So can you please tell do I need any additional bits in the configuration below, and would much appreciate if you can give a sample config how it should look like please or what needs to be modified, because being a production network with all correct config I will apply new rules and check again

interface Ethernet0/1.4

vlan 22

nameif new-DMZ

security-level 50

ip address 10.20.22.1 255.255.255.0

!

access-list outside-in extended permit tcp any host x.x.100.24 eq www

access-list outside-in extended permit tcp any host x.x.100.24 eq https

access-list outside-in extended permit tcp any host x.x.100.24 eq ftp

access-list outside-in extended permit tcp any host x.x.100.24 eq ssh

!

access-list nonat extended permit ip 10.20.0.0 255.252.0.0 10.20.22.0 255.255.255.0

!

access-list dmz-inside extended permit ip host 192.168.2.100 192.168.0.0 255.255.0.0

access-list new-dmz-inside extended permit ip host 10.20.22.100 10.20.0.0 255.255.0.0

!

global (outside) 1 x.x.100.126

global (outside) 2 10.12.21.1

nat (inside) 0 access-list nonat

nat (inside) 2 access-list cw-NAT

nat (inside) 1 10.20.0.0 255.255.0.0

nat (inside) 1 192.168.0.0 255.255.0.0

nat (DMZ) 0 access-list dmz-inside

nat (DMZ) 1 192.168.2.0 255.255.255.0

!

static (DMZ,outside) x.x.100.24 192.168.2.60 netmask 255.255.255.255 dns

!

access-group outside-in in interface outside

route outside 0.0.0.0 0.0.0.0 4.2.100.247 1

route inside 10.20.0.0 255.252.0.0 10.20.5.251 1

route inside 192.168.0.0 255.255.0.0 10.20.5.251 1

!

Many Thanks

Ven

Ramraj Sivagnanam Sivajanam · ‎07-25-2012

Hi Bro

You've a very simple problem here, assuming your ACTIVE/STANDBY failover is working fine. All you've to do is as shown below;

Commands to add

=============
access-list outside-in extended line 1 permit icmp any any <-- This is just temporary
access-list inside line 1 permit ip any any

access-list new-dmz-inside line 1 permit ip 10.20.22.1 255.255.255.0 any

access-group outside-in in interface outside
access-group inside in interface inside
access-group new-dmz-inside in interface new-DMZ

Commands to remove

================
nat (inside) 0 access-list nonat

If the problem still persist, we could do a quick Teamviewer and get this resolved. This is easy :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Ven Diesel · ‎07-26-2012

Hi Ram

Issue is resolved with adding the rules suggested and a route on the core,much appreciate for all your assistance.

Thanks a ton