Every time I try to set up my DMZ I keep breaking the internet, can someone help?

Chris Knipe
Level 1

Hi,

I started this on Friday at about 5 pm and am about at the point of throwing my hands up in the air from frustration. I am trying to configure a DMZ for an IP camera to be viewed from the outside. I had tried to set this config to NAT 10.1.35.5 to 2.2.2.14. Immediately after setting up the NAT config, all hosts on the network lose internet access. After 2 nights of no success, I tried to mimic the port forwarding setup and just forward traffic into the LAN rather than trying to get the DMZ working, as I could already see a few devices that were set up this way. I feel like I am missing a step while configuring NAT. It seems to me that touching any of the other public IPs tends to mess up the configuration. Is there something I need to do with the existing NATing to free up a public IP from the NAT pool? (Sanitized config below)

: Saved
:
ASA Version 7.0(7)
!
hostname ASA
domain-name aaa.com
enable password Iliketurtles encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.20.10 255.255.254.0
!
interface Ethernet0/2
 description Test DMZ for web4
 shutdown
 nameif dmz
 security-level 25
 ip address 10.1.35.1 255.255.255.0
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group service camera tcp-udp
 description https2000
 port-object range 443 443
 port-object range 2000 2005
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit esp host Virginia host 2.2.2.2
access-list outside_acl extended permit ah host Virginia host 2.2.2.2
access-list outside_acl extended permit udp host Virginia eq isakmp host 2.2.2.2 eq isakmp
access-list outside_acl extended permit udp host Virginia eq 4500 host 2.2.2.2 eq 4500
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
access-list inside_acl extended permit ip 10.1.20.0 255.255.254.0 any
access-list inside_acl extended permit ip 10.1.24.0 255.255.254.0 any
access-list ltl_irvine_to_va extended permit ip 2.2.2.0 255.255.254.0 any
access-list ltl_irvine_to_va extended permit ip 10.1.24.0 255.255.254.0 any
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.250.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.5.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.7.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 172.16.31.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.250.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.5.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.7.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 172.16.31.0 255.255.255.0
access-list dmz_in extended permit icmp 10.1.35.0 255.255.255.0 any
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range netbios-ns 139
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range 135 netbios-ssn
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 eq domain
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq www
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any object-group camera
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq 990
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any range 53000 53010
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp-data
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging asdm warnings
logging facility 22
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp permit any inside
asdm image disk0:/asdm-509.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 10.1.20.0 255.255.254.0
nat (inside) 1 10.1.24.0 255.255.254.0
nat (dmz) 0 access-list no_nat
nat (dmz) 1 10.1.35.0 255.255.255.0
static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
static (inside,dmz) 10.1.20.0 10.1.20.0 netmask 255.255.254.0
static (dmz,inside) 10.1.35.0 10.1.35.0 netmask 255.255.255.0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.1.24.0 255.255.254.0 10.1.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password blahblahblah encrypted privilege 15
http server enable
http 10.1.4.0 255.255.255.0 outside
http 10.1.5.0 255.255.255.0 outside
http 172.16.31.0 255.255.255.0 outside
http 100.100.100.0 255.255.255.0 outside
http 10.1.24.0 255.255.254.0 inside
http 10.1.20.0 255.255.254.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside 100 match address ltl_irvine_to_va
crypto map outside 100 set peer Virginia
crypto map outside 100 set transform-set ESP-3DES-SHA
crypto map outside interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group Virginia type ipsec-l2l
tunnel-group Virginia ipsec-attributes
 pre-shared-key *
telnet 10.1.24.93 255.255.255.255 inside
telnet timeout 5
ssh 100.100.100.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:c6546262ff82a0b8748f0cbbb189194f
: end

1 Reply

rizwanr74
Level 7

Please add this ACL entry to the "outside_acl":

access-list outside_acl extended permit ip any host 2.2.2.14

Let me know if this helps.

Thanks
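The reply's suggestion rests on a rule that holds for every pre-8.3 ASA: a `static` only builds the translation, and traffic arriving on the lower-security outside interface still has to be permitted by the ACL applied there, so a mapped address that no `outside_acl` line covers is unreachable from the Internet. The script below is an added example written for this thread (it is not code from the original poster, the replier or Cisco): it parses an excerpt of the posted configuration and, for every `static (<real_if>,outside) ...` line, checks that the mapped address lies in the outside subnet, that the ACL applied `in interface outside` permits ip, tcp or udp to it, and that the real-side interface is not administratively `shutdown`. On the posted config it reports both that nothing in `outside_acl` permits tcp/udp/ip to 2.2.2.14 and that the `dmz` interface is shut down. It assumes the 7.x/8.2 NAT syntax used on the page, leaves `names` aliases such as `Virginia` unresolved, and does not evaluate the `nat`/`global` rules, so it says nothing about why the other hosts lost connectivity.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the thread (same sanitized
# addresses); only the lines the audit reads are included.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 2.2.2.2 255.255.255.240
interface Ethernet0/1
 nameif inside
 ip address 10.1.20.10 255.255.254.0
interface Ethernet0/2
 shutdown
 nameif dmz
 ip address 10.1.35.1 255.255.255.0
!
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit udp host Virginia eq isakmp host 2.2.2.2 eq isakmp
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
static (inside,dmz) 10.1.20.0 10.1.20.0 netmask 255.255.254.0
access-group outside_acl in interface outside
"""
PORT_KEYWORDS = {"eq", "neq", "gt", "lt", "range", "object-group"}

def parse_interfaces(text):
    """Map nameif -> {nameif, shutdown, addr} for every `interface` block."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"nameif": "", "shutdown": False, "addr": None}
            blocks.append(cur)
        elif cur is None or line == "!":          # `!` closes the block
            cur = None
        elif line == "shutdown":
            cur["shutdown"] = True
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()[:4]
            cur["addr"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return {b["nameif"]: b for b in blocks if b["nameif"]}

def _net(addr, mask):
    try:                               # None for an unresolved `names` alias ("Virginia")
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None

def _take_addr(t, i):
    """Parse the ACL address spec at t[i]; return (network or None, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return _net(t[i + 1], "255.255.255.255"), i + 2
    return (None if t[i] == "object-group" else _net(t[i], t[i + 1])), i + 2

def parse_acl(text, name):
    """(protocol, destination network) for each `permit` line of ACL `name`."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if t[:4] != ["access-list", name, "extended", "permit"] or len(t) < 7:
            continue
        _src, i = _take_addr(t, 5)                # t[4] is the protocol
        if i < len(t) and t[i] in PORT_KEYWORDS:  # skip a source-port qualifier
            i += 3 if t[i] == "range" else 2
        if i < len(t):
            entries.append((t[4], _take_addr(t, i)[0]))
    return entries

def audit_static_nat(text, outside_if="outside"):
    """Return (mapped address, problem) findings for statics toward `outside_if`."""
    ifs = parse_interfaces(text)
    subnet = ifs[outside_if]["addr"].network
    m = re.search(rf"^access-group (\S+) in interface {outside_if}$", text, re.M)
    acl_name = m.group(1) if m else "inbound ACL"
    acl = parse_acl(text, acl_name) if m else []
    findings = []
    for raw in text.splitlines():
        m = re.match(r"^static \((\S+),(\S+)\) (\d+\.\d+\.\d+\.\d+) ", raw.strip())
        if not m or m.group(2) != outside_if:      # also skips port statics and aliases
            continue
        real_if, mapped = m.group(1), ipaddress.ip_address(m.group(3))
        key = str(mapped)
        if mapped not in subnet:
            findings.append((key, f"outside the {outside_if} subnet {subnet}"))
        protos = {p for p, d in acl if d is not None and mapped in d}
        if not protos & {"ip", "tcp", "udp"}:
            seen = ",".join(sorted(protos)) or "none"
            findings.append((key, f"no {acl_name} entry permits ip/tcp/udp to it (permitted: {seen})"))
        real = ifs.get(real_if)
        if real and real["shutdown"]:
            findings.append((key, f"real-side interface {real_if} is shut down"))
    return findings
```

Run `audit_static_nat(open("asa.cfg").read())` against a full `show running-config` dump; the two statics for 2.2.2.10 and 2.2.2.11 come back clean, and 2.2.2.14 is flagged twice. Note that the `permit icmp any any echo-reply` line already "covers" 2.2.2.14, which is why the check asks for ip, tcp or udp specifically rather than for any matching entry.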
