I have a Cisco ASA 9.1(3) 5545 device. A request from my customer required that a few servers in DMZ be accessible from outside. The details are as follows:
Servers in DMZ: 10.20.30.40-49
Public IP used for static NAT: x.y.111.1 - 10
The DMZ interface IP: 10.20.30.1
The Outside interface IP: a.b.c.d
The customer has 2 different public IP pools. The Outside interface is configured with an IP from one of these pools (a.b.c.*/26), but for this request the customer has asked us to use the other pool (x.y.111.1-10).
I have configured the following on the firewall:
1] Static NAT:
object network 10.20.30.40
 nat (any,any) static x.y.111.1
and so on up to 10.20.30.49; I am skipping those for brevity.
2] ACL for inbound traffic from DMZ
access-list Dmz_access_in extended permit tcp object int-10.20.30.40 any
(Similar policies for other DMZ IPs)
3] ACL for inbound traffic from Outside
access-list Outside_access_in extended permit tcp any object int-10.20.30.40 eq www
access-list Outside_access_in extended permit tcp any object int-10.20.30.40 eq ftp
(Similar policies for other inbound traffic on Outside interface)
This config is not working. Please suggest if I am missing something. Also could anyone explain how Proxy-ARP would work in this scenario if the firewall gets an ARP request for x.y.111.1-10 IPs from a Router?
Never do an (any,any) translation; that just makes the ARP process crazy in the ASA. You have to be as clean as possible. Be specific!
Remember that the firewall is stateful, so if you were pretending to allow the replies from the DMZ server to the outside clients on the Dmz_access_in access-list, this is NOT required.
Why is it not working?
Because you want to use Proxy-ARP, and the behavior of this feature has changed in ASA versions 8.4 and higher, where the ASA no longer replies for any IP not listed in one of its interfaces' network domains.
How to Fix it?
Enable Proxy-ARP for these IPs:
arp permit-nonconnected
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
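The points in this answer turned into a small lint over a constructed config modelled on the question. This is an added example, not from the thread; the interface names dmz/outside are assumed, and the undefined-object check only reflects the name mismatch visible in the question's own object and ACL lines.

```python
import re
from typing import List

# Constructed sample modelled on the question's config (not the poster's full
# config): an (any,any) static NAT, ACLs naming an object that was never
# defined, and no 'arp permit-nonconnected'.
BROKEN = """\
object network 10.20.30.40
 nat (any,any) static x.y.111.1
access-list Dmz_access_in extended permit tcp object int-10.20.30.40 any
access-list Outside_access_in extended permit tcp any object int-10.20.30.40 eq www
"""

# Same intent, written the way the answer recommends (interface names
# 'dmz' and 'outside' are assumed).
FIXED = """\
object network int-10.20.30.40
 host 10.20.30.40
 nat (dmz,outside) static x.y.111.1
access-list Outside_access_in extended permit tcp any object int-10.20.30.40 eq www
arp permit-nonconnected
"""

OBJ_RE = re.compile(r"^object network (\S+)$", re.M)
NAT_RE = re.compile(r"^\s+nat \(\s*(\S+?)\s*,\s*(\S+?)\s*\) static (\S+)", re.M)
ACL_OBJ_RE = re.compile(r"^access-list \S+ extended .*?\bobject (\S+)", re.M)
ARP_RE = re.compile(r"^arp permit-nonconnected\s*$", re.M)

def lint_asa_nat(config: str) -> List[str]:
    """Flag the issues the thread raises; returns [] for a clean config."""
    findings = []
    current = None  # object block we are currently inside
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and "any" in (m.group(1), m.group(2)):
            findings.append(f"{current}: nat ({m.group(1)},{m.group(2)}) uses 'any'; "
                            "name the real interfaces, e.g. (dmz,outside)")
    # Every object an ACL refers to must exist (post-8.3 ACLs use the real IP object).
    defined = set(OBJ_RE.findall(config))
    for name in sorted(set(ACL_OBJ_RE.findall(config)) - defined):
        findings.append(f"ACL references undefined object '{name}'")
    if not ARP_RE.search(config):
        findings.append("arp permit-nonconnected missing: ASA 8.4+ will not proxy-ARP "
                        "for a mapped address outside its interface subnets")
    return findings
```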