07-22-2012 03:11 PM - edited 03-11-2019 04:33 PM
Hi
We are changing the IP address of our DMZ interface to a new range,
so I configured as follows:
• Created a new VLAN 22 on the core switch
• Created a new sub-interface (int e0/1.4) on the ASA, assigned VLAN 22 and an IP address
• Outside-to-incoming NAT rules on the ASA for the 10.20.22.x range on the DMZ and the servers are in place,
So the new config is as follows:
interface Ethernet0/1.4
 vlan 22
 nameif xxx
 security-level 50
 ip address 10.20.22.1 255.255.255.0
nat (DMZ) 0 access-list dmz-inside
nat (DMZ) 1 10.20.22.0 255.255.255.0
static (DMZ,outside) x.x.100.24 10.20.22.60 netmask 255.255.255.255 dns
So with all this in place I can't access the server either from the LAN or externally. I am able to ping the server from the ASA, and the DMZ interface from the server. I am not sure what I am missing here; help much appreciated.
Many Thanks
Ven
07-22-2012 10:56 PM
Hi Bro
I have a strong feeling that during the configuration change the access-list XXX and access-group XXX were removed. Please ensure those lines are in. If the problem persists, please paste your latest running-config here, so that everyone can assist you.
P.S. If you think this comment is useful, please do rate it nicely :-)
07-23-2012 03:07 AM
Hi Ram
Firstly, I appreciate your time, and I am attaching the config for your reference. To briefly explain what we are doing: we currently have the DMZ configured for the 192.168 range, and we want to move it to the 10.20 range.
Config for your reference:
ASA# sh running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ASA
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.100.241 255.255.255.0 standby x.x.100.243
!
interface Ethernet0/1
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.2
 vlan 2
 nameif DMZ
 security-level 50
 ip address 192.x.x.x 255.255.255.0
!
interface Ethernet0/1.4
 vlan 22
 nameif new-DMZ
 security-level 50
 ip address 10.20.22.1 255.255.255.0
!
interface Ethernet0/1.5
 vlan 5
 nameif inside
 security-level 100
 ip address 10.20.5.1 255.255.255.0
!
interface Ethernet0/2
 description STATE Failover Interface
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
access-list outside-in extended permit tcp any host x.x.100.24 eq www
access-list outside-in extended permit tcp any host x.x.100.24 eq https
access-list outside-in extended permit tcp any host x.x.100.24 eq ftp
access-list outside-in extended permit tcp any host x.x.100.24 eq ssh
access-list dmz-inside extended permit ip host 192.168.2.100 192.168.0.0 255.255.0.0
access-list new-dmz-inside extended permit ip host 10.20.22.100 10.20.0.0 255.255.0.0
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu DMZ 1500
mtu new-DMZ 1500
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover mac address Ethernet0/0 001f.9e98.24d8 001f.9e2b.9e98
failover mac address Ethernet0/1 001f.9e98.24d9 001f.9e2b.9e99
failover link stateful Ethernet0/2
failover interface ip failover 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover interface ip stateful 192.168.255.5 255.255.255.252 standby 192.168.255.6
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 x.x.100.126
global (outside) 2 10.16.12.1
nat (inside) 0 access-list nonat
nat (inside) 2 access-list xxxx
nat (inside) 1 10.20.0.0 255.255.0.0
nat (inside) 1 192.168.0.0 255.255.0.0
nat (DMZ) 0 access-list dmz-inside
nat (DMZ) 1 192.168.2.0 255.255.255.0
nat (new-DMZ) 1 10.20.22.0 255.255.255.0
static (DMZ,outside) x.x.100.42 192.168.2.171 netmask 255.255.255.255 dns
static (DMZ,outside) x.x.100.41 192.168.2.172 netmask 255.255.255.255 dns
static (DMZ,outside) x.x.100.92 192.168.2.192 netmask 255.255.255.255 dns
static (DMZ,outside) x.x.100.21 192.168.2.222 netmask 255.255.255.255 dns
static (DMZ,outside) x.x.100.23 192.168.2.223 netmask 255.255.255.255 dns
static (new-DMZ,outside) x.x.100.24 10.20.22.60 netmask 255.255.255.255 dns
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.100.247 1
route inside 10.20.0.0 255.252.0.0 10.20.5.251 1
route inside 192.168.0.0 255.255.0.0 10.20.5.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto isakmp am-disable
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username xxxx password /xxxx encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
 class class-default
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a907636acf6785904a45e7293842ef86
: end
Many Thanks
Ven
07-23-2012 07:42 AM
Hi Ven,
I have the following questions for your query.
Do you see any hits in the outside-in ACL for the x.x.100.24 public IP?
Have you created a no-NAT for inside to dmz-new?
Have you verified the xlate table and sh nat outputs to see whether any NAT hits are happening?
Please let me know with your outputs.
Please do rate if the given information helps.
By
Karthik
07-23-2012 09:11 AM
Hi
Thanks for your reply and time,
1) No hits on the public IP ACL
2) I didn't create a no-NAT and will do
So can you please tell me whether I need any additional bits in the configuration below? I would much appreciate it if you could give a sample config of how it should look, or what needs to be modified, because this is a production network; once the config is all correct I will apply the new rules and check again.
interface Ethernet0/1.4
 vlan 22
 nameif new-DMZ
 security-level 50
 ip address 10.20.22.1 255.255.255.0
!
access-list outside-in extended permit tcp any host x.x.100.24 eq www
access-list outside-in extended permit tcp any host x.x.100.24 eq https
access-list outside-in extended permit tcp any host x.x.100.24 eq ftp
access-list outside-in extended permit tcp any host x.x.100.24 eq ssh
!
access-list nonat extended permit ip 10.20.0.0 255.252.0.0 10.20.22.0 255.255.255.0
!
access-list dmz-inside extended permit ip host 192.168.2.100 192.168.0.0 255.255.0.0
access-list new-dmz-inside extended permit ip host 10.20.22.100 10.20.0.0 255.255.0.0
!
global (outside) 1 x.x.100.126
global (outside) 2 10.12.21.1
nat (inside) 0 access-list nonat
nat (inside) 2 access-list cw-NAT
nat (inside) 1 10.20.0.0 255.255.0.0
nat (inside) 1 192.168.0.0 255.255.0.0
nat (DMZ) 0 access-list dmz-inside
nat (DMZ) 1 192.168.2.0 255.255.255.0
!
static (DMZ,outside) x.x.100.24 192.168.2.60 netmask 255.255.255.255 dns
!
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 4.2.100.247 1
route inside 10.20.0.0 255.252.0.0 10.20.5.251 1
route inside 192.168.0.0 255.255.0.0 10.20.5.251 1
!
Many Thanks
Ven
07-25-2012 02:48 AM
Hi Bro
You've a very simple problem here, assuming your ACTIVE/STANDBY failover is working fine. All you have to do is as shown below:
Commands to add
=============
access-list outside-in line 1 extended permit icmp any any <-- This is just temporary
access-list inside line 1 extended permit ip any any
access-list new-dmz-inside line 1 extended permit ip 10.20.22.0 255.255.255.0 any
access-group outside-in in interface outside
access-group inside in interface inside
access-group new-dmz-inside in interface new-DMZ
Commands to remove
================
nat (inside) 0 access-list nonat
If the problem still persists, we could do a quick Teamviewer and get this resolved. This is easy :-)
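For reference, here is the complete set of ASA 8.2 pieces that a new DMZ segment like the one in this thread needs, written as an added example rather than taken from anyone's config above. It keeps the thread's interface and object names (new-DMZ, outside-in, nonat, 10.20.22.0/24, the server 10.20.22.60 published as the masked x.x.100.24); the ACL name new-dmz-in and the packet-tracer source 203.0.113.5 are constructed for the example.

```text
! Added example, not the thread's running config. ASA 8.2 syntax (pre-8.3 NAT).
interface Ethernet0/1.4
 vlan 22
 nameif new-DMZ
 security-level 50
 ip address 10.20.22.1 255.255.255.0
!
! Inbound from the Internet: only the published services on the public IP.
access-list outside-in extended permit tcp any host x.x.100.24 eq www
access-list outside-in extended permit tcp any host x.x.100.24 eq https
access-group outside-in in interface outside
!
! new-DMZ (50) -> inside (100) is lower-to-higher security, so without an ACL
! bound to new-DMZ the firewall drops it. Permit only what the servers need;
! a DMZ should not get "permit ip any any" towards the inside.
access-list new-dmz-in extended permit ip 10.20.22.0 255.255.255.0 10.20.0.0 255.255.0.0
access-group new-dmz-in in interface new-DMZ
!
! nat-control is on, so inside <-> new-DMZ traffic must match a NAT rule.
! NAT exemption (nat 0 access-list) is bidirectional in 8.2, so one rule on
! the inside side covers both directions without translating anything.
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.20.22.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! DMZ servers reaching the Internet use the existing global (outside) 1 pool.
nat (new-DMZ) 1 10.20.22.0 255.255.255.0
!
! Public-to-private mapping for the published server.
static (new-DMZ,outside) x.x.100.24 10.20.22.60 netmask 255.255.255.255 dns
!
! Verification, typed in enable mode (not config mode):
!   packet-tracer input outside tcp 203.0.113.5 40000 x.x.100.24 80
!     -> walks ACL, NAT and route lookup and names the phase that drops it
!   show access-list outside-in
!     -> hitcnt on the www/https lines should rise while you test
!   show xlate | include 10.20.22.60
!     -> the static translation should be listed
!   show route
!     -> the ASA has 10.20.22.0/24 as connected; the core switch also needs a
!        route for 10.20.22.0/24 pointing at 10.20.22.1 (the fix in this thread)
```

If packet-tracer shows ALLOW but the ACL hit counters stay at zero, the packets are not reaching the ASA, which points at routing on the core rather than at the firewall rules.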
07-26-2012 03:20 AM
Hi Ram
The issue is resolved by adding the suggested rules and a route on the core. Much appreciated for all your assistance.
Thanks a ton