Guys, I'm stuck and need as much help as possible, please. I'm from Guyana, South America. I have my ISP connected to one Cisco 2800 series router, connected to a Cisco ASA 5520 firewall, then to a Dell PowerConnect switch, then 9 small networks on Cisco 881 routers. Also from the ASA 5520 I have my servers connected as a DMZ. Now what I want to accomplish is for my DMZ to have outbound and inbound access to the internet, and for my small networks to reach the DMZ and also the internet. Also VPN from remote networks to access the DMZ. Below is my current running-config on the ASA 5520.
ASA Version 7.2(4)
ip address 100.100.100.1 255.255.255.252
ip address 10.10.10.1 255.255.255.0
ip address 192.168.1.1 255.255.255.0
no ip address
ip address 126.96.36.199 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object-group protocol ip-allow
access-list OUTSIDE_access_in extended permit object-group ip-allow any 192.168.1.0 255.255.255.0
access-list OUTSIDE_access_in extended permit tcp any 192.168.1.0 255.255.255.0
access-list INSIDE_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list OUTSIDE_1_cryptomap extended permit ip 100.100.100.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 100.100.100.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list allow_outside_connections extended permit icmp any any echo-reply
access-list allow_outside_connections extended permit icmp any any source-quench
access-list allow_outside_connections extended permit icmp any any unreachable
access-list allow_outside_connections extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 101 100.100.100.3-100.100.100.4 netmask 255.255.255.252
global (OUTSIDE) 200 interface
global (INSIDE) 1 10.10.10.2 netmask 255.0.0.0
global (DMZ) 1 192.168.1.2 netmask 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 10.10.10.0 255.255.255.0
nat (INSIDE) 101 0.0.0.0 0.0.0.0
nat (DMZ) 1 192.168.1.0 255.255.255.0 outside
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_out out interface INSIDE
I might be able to help you with part of your problem. I had a similar situation on my network the other day.
If you check your logs after one of your small networks tries to access the DMZ, you might see an error about not having a translation group. I am not sure if this is the correct way of doing it, but it worked for me.
You need a STATIC statement for the ASA to pass traffic from the LAN > DMZ and vice versa, without it trying to NAT. So your statement would look something like this:
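An added check, not the poster's own lines: a small Python lint that reads the relevant lines of the running-config posted above and reports the missing INSIDE/DMZ identity static that the reply describes, plus two other things visible in that config (the DMZ_access_out ACL that is never bound with access-group, and the OUTSIDE_access_in entry that permits tcp from any to the whole DMZ subnet on every port). It assumes ASA 7.x/8.2-style static, nat and access-group syntax; the config excerpt is constructed from the post.

```python
# Constructed excerpt of the ASA 7.2(4) running-config posted above, not the full dump.
POSTED_CONFIG = """
access-list OUTSIDE_access_in extended permit tcp any 192.168.1.0 255.255.255.0
access-list INSIDE_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list INSIDE_nat0_outbound extended permit ip 100.100.100.0 255.255.255.252 192.168.1.0 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_out out interface INSIDE
"""

def _take(tokens):  # consume one ACL address spec: any | host A | object-group G | A MASK
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] in ("host", "object-group"):
        return " ".join(tokens[:2]), tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse(config):
    statics, acls, used = [], {}, {}  # static NATs, ACL entries, where each ACL is bound
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "static":  # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask M
            real, mapped = t[1].strip("()").split(",")
            statics.append((real, mapped, t[2], t[3]))
        elif t[0] == "access-list" and t[2] == "extended":
            rest = t[4:]
            proto, rest = _take(rest) if rest[0] == "object-group" else (rest[0], rest[1:])
            src, rest = _take(rest)
            dst, ports = _take(rest)
            acls.setdefault(t[1], []).append((t[3], proto, src, dst, ports))
        elif t[0] == "access-group":
            used[t[1]] = (t[2], t[4])  # (direction, interface)
        elif t[0] == "nat" and "access-list" in t:  # nat 0 exemption also binds an ACL
            used[t[t.index("access-list") + 1]] = ("nat0", t[1].strip("()"))
    return statics, acls, used

def audit(config):
    """Lint for the three problems visible in the posted thread; returns finding strings."""
    statics, acls, used = parse(config)
    findings = []
    # Inside <-> DMZ needs an identity static, or the ASA logs 'no translation group'.
    if not any(sorted(s[:2]) == ["DMZ", "INSIDE"] and s[2] == s[3] for s in statics):
        findings.append("no identity static between INSIDE and DMZ")
    for name, entries in acls.items():
        if name not in used:  # an ACL bound nowhere enforces nothing
            findings.append(f"ACL {name} is defined but never applied")
        for action, proto, src, dst, ports in entries:  # any-source, all-port permits inbound
            if action == "permit" and src == "any" and not ports and used.get(name) == ("in", "OUTSIDE"):
                findings.append(f"{name}: {proto} from any to {dst} on every port")
    return findings
```

Running `audit(POSTED_CONFIG)` lists the three findings; once a `static (INSIDE,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0` line and an access-group binding for DMZ_access_out are added, only the broad OUTSIDE_access_in entry remains.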