09-27-2012 10:06 AM - edited 03-11-2019 05:00 PM
I'm having trouble configuring an ASA into a network solution. We have a 501 with the outside interface on 10.24.10.1, the inside interface as 172.18.10.1, and a DMZ on 192.168.1.1. In the DMZ there is an HTTP/FTP/TFTP server connected to 192.168.1.2 on a virtual machine. When on a machine configured to 172.18.10.10 I can ping to the outside interface but not the DMZ. When I am in the DMZ the PIX does block traffic to the inside, but I can't reach the outside interface. When on the outside I am blocked from the inside, but also blocked from the DMZ. I will post the config file below. Any thoughts?
Group10(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname Group10
enable password 8zN2iKai1VxwjKWN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address 10.24.10.2 255.255.255.0
!
interface Ethernet1
no nameif
security-level 0
no ip address
!
interface Ethernet1.1
description DMZ
vlan 100
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1.2
description INSIDE
vlan 200
nameif INSIDE
security-level 100
ip address 172.18.10.1 255.255.255.0
!
interface Ethernet2
no nameif
security-level 50
no ip address
!
ftp mode passive
object-group service webservices tcp
port-object eq www
port-object eq https
port-object eq ftp
access-list external extended permit tcp 10.0.0.0 255.0.0.0 any eq ftp
access-list external extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list internal extended permit ip any any
access-list internal extended permit udp host 172.18.10.1 any eq tftp
access-list dmz extended permit ip any any
no pager
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any DMZ
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
static (DMZ,OUTSIDE) 10.24.10.3 192.168.1.2 netmask 255.255.255.255
access-group external in interface OUTSIDE
access-group internal out interface OUTSIDE
access-group dmz in interface DMZ
access-group internal in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.24.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access INSIDE
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:774c3a24ef1b4127f4c630cc8fee1c1c
: end
09-28-2012 03:00 PM
If you add this NAT, then all your DMZ should be able to access the internet:
nat (DMZ) 2 192.168.1.0 255.255.255.0
global (outside) 2 interface
And also please remove the access-group:
access-group internal out interface OUTSIDE
It doesn't make sense to me.
Thanks,
Varun Rao
Security Team,
Cisco TAC
09-28-2012 03:11 PM
Varun,
I removed the line as you instructed, but still no connectivity. As I explained below I gave the client an address of 192.168.1.10/24 with a gateway of 192.168.1.1. This should put me on the DMZ interface of the PIX, or should the gateway be 192.168.1.2, since that is where the SNAT is from the outside?
09-28-2012 02:57 PM
Harish,
I'm not sure what else to try as far as protocols. HTTP is not getting to the DMZ, because when I did give the test machine a 192.168.1.10 address I cannot get to the internet.
09-28-2012 03:27 PM
Just for a logical analysis: I configured a test machine at 172.18.10.10, with a default gateway of 172.18.10.1 (the inside of the ASA) Since I have internet connectivity on this machine HTTP is going through the DMZ, since it is not coming directly from the outside interface; however, when I connect a device in the DMZ and give it an IP of 192.168.1.10 and a gateway of 192.168.1.1 I have no internet connectivity. Am I missing something?
09-29-2012 12:01 AM
Hello Eric,
I have just simulated your scenario, and please find the following working configuration
Please remove all other ACLs and NAT.
I am able to access:
1. Inside - DMZ
2. DMZ - Inside
3. Inside - internet (PC connected outside)
4. DMZ - internet (PC connected outside)
------------------------------------------------
fixup protocol icmp
interface Ethernet1.2
description INSIDE
vlan 200
nameif INSIDE
security-level 100
ip address 172.18.10.1 255.255.255.0
!
interface Ethernet1.1
description DMZ
vlan 100
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address 10.24.10.2 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 172.18.10.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,dmz) 172.18.10.0 172.18.10.0 netmask 255.255.255.0
access-list dmz-in extended permit ip any any
access-group dmz-in in interface DMZ
--------------------------------------------------------------
regards
Harish.
10-02-2012 04:02 PM
Harish,
I applied this config to the ASA. I have connectivity from the inside interface to the outside, but have temporarily lost internet connectivity. I cannot access the outside of the ASA from the DMZ. I'm not sure what else to try at this point.
10-02-2012 10:42 PM
Hello Eric,
You meant to say, you are not able to access the outside interface of the ASA or the outside world? You will not be able to ping the outside interface of the ASA from DMZ/Inside, but you should be able to access the internet. Please do post your latest config so that I can check if we have missed out anything!
regards
Harish.
10-03-2012 11:52 AM
Harish,
This is the updated config:
: Saved
:
PIX Version 8.0(4)
!
hostname Group10
domain-name Group10.com
enable password 8zN2iKai1VxwjKWN encrypted
passwd 8zN2iKai1VxwjKWN encrypted
names
!
interface Ethernet0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address 10.24.10.2 255.255.255.0
!
interface Ethernet1
no nameif
security-level 0
no ip address
!
interface Ethernet1.1
description DMZ
vlan 100
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1.2
description INSIDE
vlan 200
nameif INSIDE
security-level 100
ip address 172.18.10.1 255.255.255.0
!
interface Ethernet2
no nameif
security-level 50
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name Group10.com
object-group service webservices tcp
port-object eq www
port-object eq https
port-object eq ftp
access-list dmz-in extended permit ip any any
no pager
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any DMZ
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (DMZ) 1 192.168.1.0 255.255.255.0
nat (INSIDE) 1 172.18.10.0 255.255.255.0
static (INSIDE,DMZ) 172.18.10.0 172.18.10.0 netmask 255.255.255.0
access-group dmz-in in interface DMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.24.10.0 255.255.255.0 INSIDE
telnet timeout 5
ssh 10.24.10.0 255.255.255.0 INSIDE
ssh timeout 5
console timeout 0
management-access INSIDE
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:774c3a24ef1b4127f4c630cc8fee1c1c
: end
With this configuration I gave my laptop a 172.18.10.10 address and I can get out through the outside interface but cannot access DNS or internet anymore. I also cannot ICMP to the DMZ. When giving the laptop a 192.168.1.10 address I cannot ICMP the server in the DMZ (192.168.1.2) or the outside interface 10.24.10.1. On the ASA I can ping each interface (INSIDE, OUTSIDE, DMZ). Again, there is a server on a vm in the DMZ and it cannot get out as well. There is also another firewall located internally on the 172.18.10.0 network, but I want to address one piece at a time.
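The two configs posted in this thread contain problems that are visible by reading them: the first one's default route points at the ASA's own OUTSIDE address (10.24.10.2) and carries an outbound ACL on OUTSIDE, and the updated one has no default route at all, which fits "I can get out through the outside interface but cannot access DNS or internet." Both apply `permit ip any any` inbound on DMZ, which lets a compromised DMZ host open connections to INSIDE. Below is an added example, not code from the thread or from Cisco: a small Python lint for pre-8.3 ASA/PIX configs that flags exactly those items. The two sample configs are constructed from the relevant lines of the posts above; the NAT check is a simplification (it assumes each higher-to-lower pair needs a matching `nat`/`global` id or a `static`, and ignores `nat 0` exemptions and the `nat-control` setting).

```python
"""Lint a pre-8.3 ASA/PIX running-config for the mistakes discussed in this thread (added example)."""
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the first config posted above.
FIRST_CONFIG = """
interface Ethernet0
 nameif OUTSIDE
 security-level 0
 ip address 10.24.10.2 255.255.255.0
interface Ethernet1.1
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
interface Ethernet1.2
 nameif INSIDE
 security-level 100
 ip address 172.18.10.1 255.255.255.0
access-list external extended permit tcp 10.0.0.0 255.0.0.0 any eq ftp
access-list internal extended permit ip any any
access-list dmz extended permit ip any any
static (DMZ,OUTSIDE) 10.24.10.3 192.168.1.2 netmask 255.255.255.255
access-group external in interface OUTSIDE
access-group internal out interface OUTSIDE
access-group dmz in interface DMZ
access-group internal in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.24.10.2 1
"""

# Constructed sample: the relevant lines of the updated config (Harish's NAT, no route line).
SECOND_CONFIG = """
interface Ethernet0
 nameif OUTSIDE
 security-level 0
 ip address 10.24.10.2 255.255.255.0
interface Ethernet1.1
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
interface Ethernet1.2
 nameif INSIDE
 security-level 100
 ip address 172.18.10.1 255.255.255.0
access-list dmz-in extended permit ip any any
global (OUTSIDE) 1 interface
nat (DMZ) 1 192.168.1.0 255.255.255.0
nat (INSIDE) 1 172.18.10.0 255.255.255.0
static (INSIDE,DMZ) 172.18.10.0 172.18.10.0 netmask 255.255.255.0
access-group dmz-in in interface DMZ
"""


def parse(config):
    """Pull interfaces, ACLs, access-groups, NAT statements and routes out of the config text."""
    ifaces, acls, groups = {}, defaultdict(list), []
    nat, pools = defaultdict(set), defaultdict(set)   # nameif -> set of nat/global ids
    statics, routes, cur = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        p = line.split()
        if line.startswith("interface "):
            cur = {"level": None, "ip": None}
        elif line.startswith("nameif ") and cur is not None:
            ifaces[p[1]] = cur
        elif line.startswith("security-level ") and cur is not None:
            cur["level"] = int(p[1])
        elif line.startswith("ip address ") and cur is not None:
            cur["ip"] = p[2]
        elif line.startswith("access-list "):
            acls[p[1]].append(" ".join(p[2:]))
        elif line.startswith("access-group "):
            groups.append((p[1], p[2], p[4]))           # (acl, in|out, nameif)
        elif (m := re.match(r"nat \((\S+)\) (\d+)", line)):
            nat[m.group(1)].add(m.group(2))
        elif (m := re.match(r"global \((\S+)\) (\d+)", line)):
            pools[m.group(1)].add(m.group(2))
        elif (m := re.match(r"static \((\S+),(\S+)\)", line)):
            statics.append((m.group(1), m.group(2)))    # (real_if, mapped_if)
        elif line.startswith("route "):
            routes.append((p[1], p[2], p[3], p[4]))     # (nameif, net, mask, next hop)
    return ifaces, acls, groups, nat, pools, statics, routes


def audit(config):
    """Return (code, message) findings; each code maps to a point raised in the thread."""
    ifaces, acls, groups, nat, pools, statics, routes = parse(config)
    findings = []
    own = {d["ip"]: n for n, d in ifaces.items() if d["ip"]}
    # A next hop equal to one of the firewall's own addresses can never forward anything.
    for iface, net, mask, nh in routes:
        if nh in own:
            findings.append(("ROUTE_SELF", f"route on {iface} via {nh}: next hop is the firewall's own {own[nh]} address"))
    if not any(net == mask == "0.0.0.0" for _, net, mask, _ in routes):
        findings.append(("NO_DEFAULT_ROUTE", "no default route: only directly connected subnets are reachable"))
    for acl, direction, iface in groups:
        if direction == "out":
            findings.append(("ACL_OUT", f"access-group {acl} out interface {iface}: outbound ACL, remove unless egress filtering is intended"))
            continue
        # 'permit ip any any' inbound on a lower-security interface overrides the security-level default.
        higher = sorted(n for n, d in ifaces.items() if d["level"] > ifaces[iface]["level"])
        if higher and any(e.startswith("extended permit ip any any") for e in acls[acl]):
            findings.append(("ACL_ANY_UP", f"{acl} on {iface}: 'permit ip any any' lets {iface} hosts initiate to {', '.join(higher)}"))
    # Simplified NAT check: every higher->lower pair needs a matching nat/global id or a static.
    by_level = sorted(ifaces, key=lambda n: ifaces[n]["level"], reverse=True)
    for i, high in enumerate(by_level):
        for low in by_level[i + 1:]:
            if not (nat[high] & pools[low] or (high, low) in statics):
                findings.append(("NO_NAT", f"{high} -> {low}: no matching nat/global pair or static; sources leave untranslated"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        print(f"== {name} config ==")
        for code, msg in audit(cfg):
            print(f"{code:17} {msg}")
```

Running it reports five findings for the first config (self-referencing default route, outbound ACL on OUTSIDE, DMZ allowed to initiate to INSIDE, and no NAT for INSIDE toward DMZ and OUTSIDE) and two for the updated one (no default route, DMZ still allowed to initiate to INSIDE). The second finding is the one to keep in mind after connectivity works: replace `permit ip any any` on the DMZ with rules for the DMZ server's required outbound ports and an explicit deny toward 172.18.10.0/24.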