01-13-2010 02:33 PM - edited 03-11-2019 09:57 AM
I am new to this, so please bear with me. I am attempting to set up an ASA 5505 with the following configuration:
inside network on 192.168.0.0
outside network xxx.xxx.xxx.xxx
dmz 192.168.1.0 with database accessible from inside and outside.
After a few days of trying to get this running, I am understanding some things, but still can't get it to work. So far inside can access the internet, and inside can access the DMZ, sort of. I can access another computer on the DMZ @192.168.1.20, but not the database at 192.168.1.10.
Outside cannot access database on DMZ.
Currently outside is DHCP, but will be moved to a static address later.
Any help would be greatly appreciated
Thanks
Peter
Here is the config:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname sausage
domain-name umn.edu
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd xxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name umn.edu
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 3306
access-list outside_access_in_1 extended permit tcp any eq 3306 host xxx.xxx.xxx.xxx
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface 3306 192.168.1.10 3306 netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,inside) 192.168.1.10 xxx.xxx.xxx.xxx netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.200-192.168.0.250 inside
dhcpd dns 134.84.84.84 128.101.101.101 interface inside
dhcpd domain umn.edu interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2345f04be6a8c8cfbacc9d511d61abbb
: end
01-13-2010 03:20 PM
Your outside ACL only allows port 3306 to host xxxx.
And also your static for the dmz is
static (dmz,outside) tcp interface 3306 192.168.1.10 3306 netmask 255.255.255.255
So you should only be able to reach xxxx on port 3306 coming from the outside, given that xx is the outside interface IP address and that the internal host 192.168.1.10 is listening on 3306.
If you want to allow more communications please change your ACL and statics for outside to dmz.
I hope it helps.
PK
01-13-2010 06:52 PM
Hi PK,
Thanks for the response.
--So you should only be able to reach xxxx on port 3306 coming from the outside, given that xx is the outside interface IP address and that the internal host 192.168.1.10 is listening on 3306.
This is actually what I am trying to do, however it is not working. I cannot access 192.168.10 on port 3306 coming from the outside. I am guessing something is wrong with the SNATs that I have set up, but I have tried many different variations and nothing seems to work.
Thanks
01-13-2010 07:41 PM
What is the reason for this static?
static (dmz,inside) 192.168.1.10 xxx.xxx.xxx.xxx netmask 255.255.255.255
There is no need for this. By default we do not translate the hosts on the lower security interface. DMZ is sec 50 and Inside is 100.
Anyway the ACL should look like this.
Please remove these two lines
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 3306
access-list outside_access_in_1 extended permit tcp any eq 3306 host xxx.xxx.xxx.xxx
and add just this one:
access-list outside_access_in extended permit tcp any interface outside eq 3306
This is the only ACL that you need. This will receive the traffic on the outside interface for port 3306 and, based on the static PAT line, it will send it to the dmz host 192.168.1.10.
-KS
01-13-2010 10:09 PM
If xxx is the outside interface then your config is fine.
Please do "logg enable", "logg buffer-size 1000000", "logg buffered debug", then try a connection and do "sh logg" to get the logs; those could tell more.
PK
01-15-2010 10:03 AM
kusankar,
Thanks for the solution, it is now working.
you ask:
What is the reason for this static?
static (dmz,inside) 192.168.1.10 xxx.xxx.xxx.xxx netmask 255.255.255.255
I was following, or attempting to follow, the config for DMZ from the ASA 5505 getting started book, and that is one of the statics they have you put in. I am slowly learning this stuff.
Thanks for the help
MP
Thanks also to pkampana for the help.
01-17-2010 11:55 PM
The static is in charge of mapping an external (or other address) to an internal address based on which interfaces you specify between the parentheses.
Like this:
static (inside, outside) ext_addr internal_addr netmask 255.255.255.255
01-18-2010 07:47 AM
I am very glad to hear that you are reading books and trying to configure. Way to go!
This static
static (dmz,inside) 192.168.1.10 xxx.xxx.xxx.xxx netmask 255.255.255.255
Let us say DMZ is 50 level and inside is 100 level. That static above is called a D-NAT or destination NAT.
You only need to use this when you want to change the DESTINATION IP address that the inside hosts try to reach.
Like I said by default you only need to provide translation from high to low and only for the SOURCE IP. That static will look like this.
static (inside,dmz) fake_ip real_ip
Happy learning.
Thanks for rating.
-KS
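The two points made in this thread, kusankar's accepted answer (an inbound ACL on the outside interface must name the mapped address, and the static PAT line then un-translates it to the DMZ host) and the later explanation that a static whose mapped interface is inside is a destination NAT, can be checked against a small model. The script below is an added example for this page, not Cisco code and not the original poster's configuration: it parses the relevant posted static and access-list lines and walks one packet through ACL lookup and translation the way a pre-8.3 ASA does (the interface ACL sees pre-NAT addresses; a matched destination static also selects the egress interface). The placeholder 203.0.113.5 stands in for the masked outside address, 198.51.100.7 and 192.168.0.50 are constructed client hosts, and the dynamic nat/global rules, the connection table and inspection are deliberately left out.

```python
"""Toy model of a pre-8.3 ASA applying an interface ACL and 'static' NAT to one packet.
Added example for this thread, not Cisco code or the poster's config. Assumed, not on the
page: 203.0.113.5 stands in for the masked outside address, 198.51.100.7 and 192.168.0.50
are constructed client hosts, and only the posted static/access-list lines are modelled."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

IFC_IP = {"inside": "192.168.0.1", "outside": "203.0.113.5", "dmz": "192.168.1.1"}
IFC_NET = {"inside": "192.168.0.0/24", "dmz": "192.168.1.0/24"}  # anything else: default route, outside
LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
Flow = namedtuple("Flow", "ifc src sport dst dport")  # ifc = interface the packet arrives on

def _in_net(addr, base, mask):
    return ip_address(addr) in ip_network(f"{base}/{mask}", strict=False)

def _shift(addr, old_base, new_base):
    # move addr from one block to the other, keeping its host offset (identity when blocks are equal)
    return str(ip_address(int(ip_address(new_base)) + int(ip_address(addr)) - int(ip_address(old_base))))

def parse_static(line):
    """static (real_ifc,mapped_ifc) [tcp|udp] mapped [mport] real [rport] [netmask M]"""
    t = line.split()
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    rest, mport, rport = t[2:], None, None
    if rest[0] in ("tcp", "udp"):  # static PAT: one mapped port to one real port
        mapped, mport, real, rport, rest = rest[1], int(rest[2]), rest[3], int(rest[4]), rest[5:]
    else:
        mapped, real, rest = rest[0], rest[1], rest[2:]
    mask = rest[1] if rest[:1] == ["netmask"] else "255.255.255.255"
    mapped = IFC_IP[mapped_ifc] if mapped == "interface" else mapped
    return dict(real_ifc=real_ifc, mapped_ifc=mapped_ifc, mapped=mapped, mport=mport, real=real, rport=rport, mask=mask)

def parse_acl(line):
    """access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]"""
    t = line.split()
    rest = t[5:]
    def addr_spec():  # returns ((base, mask), port or None) and consumes the tokens it used
        nonlocal rest
        if rest[0] == "any":
            spec, rest = ("0.0.0.0", "0.0.0.0"), rest[1:]
        elif rest[0] == "host":
            spec, rest = (rest[1], "255.255.255.255"), rest[2:]
        elif rest[0] == "interface":  # the ASA's own address on that interface
            spec, rest = (IFC_IP[rest[1]], "255.255.255.255"), rest[2:]
        else:
            spec, rest = (rest[0], rest[1]), rest[2:]
        port, rest = (int(rest[1]), rest[2:]) if rest[:1] == ["eq"] else (None, rest)
        return spec, port
    (src, sport), (dst, dport) = addr_spec(), addr_spec()
    return dict(name=t[1], action=t[3], src=src, sport=sport, dst=dst, dport=dport, text=line)

def acl_verdict(flow, entries):
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    for e in entries:
        if (_in_net(flow.src, *e["src"]) and _in_net(flow.dst, *e["dst"])
                and e["sport"] in (None, flow.sport) and e["dport"] in (None, flow.dport)):
            return e["action"] == "permit", e["text"]
    return False, "implicit deny"

def translate(flow, statics):
    """Destination rewrite entering the mapped side (that static picks the egress); source rewrite leaving the real side."""
    egress = next((i for i, n in IFC_NET.items() if ip_address(flow.dst) in ip_network(n)), "outside")
    for s in statics:  # mapped -> real, e.g. outside -> dmz: the destination NAT KS describes
        if flow.ifc == s["mapped_ifc"] and _in_net(flow.dst, s["mapped"], s["mask"]) \
                and s["mport"] in (None, flow.dport):
            flow = flow._replace(dst=_shift(flow.dst, s["mapped"], s["real"]), dport=s["rport"] or flow.dport)
            egress = s["real_ifc"]
    for s in statics:  # real -> mapped, high -> low: source translation only
        if flow.ifc == s["real_ifc"] and egress == s["mapped_ifc"] \
                and _in_net(flow.src, s["real"], s["mask"]) and s["rport"] in (None, flow.sport):
            flow = flow._replace(src=_shift(flow.src, s["real"], s["mapped"]), sport=s["mport"] or flow.sport)
    return egress, flow

def process(flow, access_groups, acls, statics):
    """Return (verdict, reason, egress_ifc, flow after NAT) for one packet."""
    egress, xlated = translate(flow, statics)
    name = access_groups.get(flow.ifc)
    if name:  # the ingress ACL sees the packet before NAT, i.e. the mapped (outside) address
        ok, why = acl_verdict(flow, acls[name])
    else:  # no ACL bound: higher -> lower security level passes by default
        ok, why = LEVEL[flow.ifc] > LEVEL[egress], "no ACL bound, security-level default"
    return ("permit" if ok else "deny", why, egress, xlated)

STATICS = [parse_static(l) for l in (
    "static (dmz,outside) tcp interface 3306 192.168.1.10 3306 netmask 255.255.255.255",
    "static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0",
    "static (dmz,inside) 192.168.1.10 203.0.113.5 netmask 255.255.255.255")]  # the one KS questioned
OLD_ACLS = {"outside_access_in_1": [parse_acl("access-list outside_access_in_1 extended permit tcp any eq 3306 host 203.0.113.5")]}
NEW_ACLS = {"outside_access_in": [parse_acl("access-list outside_access_in extended permit tcp any interface outside eq 3306")]}

def inbound_db_probe(acl_name, acls, sport=51234):
    """A constructed Internet client connecting to the outside interface on tcp/3306."""
    return process(Flow("outside", "198.51.100.7", sport, IFC_IP["outside"], 3306), {"outside": acl_name}, acls, STATICS)

def inside_to_db(statics):
    """A constructed inside host connecting to the DMZ database by its real address."""
    return process(Flow("inside", "192.168.0.50", 40000, "192.168.1.10", 3306), {}, {}, statics)
```

Calling inbound_db_probe("outside_access_in_1", OLD_ACLS) returns a deny on the implicit deny: the posted entry "permit tcp any eq 3306 host x" puts the eq 3306 on the source, so it only matches a client whose source port happens to be 3306 (the same call with sport=3306 is permitted). inbound_db_probe("outside_access_in", NEW_ACLS) is permitted and comes back translated to 192.168.1.10:3306 with dmz as the egress interface, which is what the static PAT line does once the ACL names the outside interface address. inside_to_db(STATICS) shows why the extra static hurt: with "static (dmz,inside) 192.168.1.10 x" in place, an inside host's packet to 192.168.1.10 has its destination rewritten to the outside address, matching KS's description of it as a destination NAT; inside_to_db(STATICS[:2]) leaves the destination at 192.168.1.10 and the source untouched by the identity static.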