Solved: Re: outside accessing DMZ just not working

Pius Nolih · ‎10-13-2010

Hi,

Below is my configuration detail which from which I have been having difficulty access the DMZ (webserver)from the outside.

thanks

asdm image disk0:/asdm-508.bin
asdm location 192.168.1.5 255.255.255.255 DMZ
asdm location 192.168.0.0 255.255.255.255 Inside
asdm location 192.168.2.5 255.255.255.255 DMZ
asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name bfana.gov.tg
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description LAN Facing Interface
speed 100
duplex full
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/1
description DMZ Facing Interface
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
description Internet Facing Interface
speed 100
duplex full
nameif Outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.3.1 255.255.255.0
management-only
!
banner exec Unauthorised Access is Prohibitted.
banner exec Violation is deemed illegal and intruders will be prosecuted
banner login Unauthorised Access is Prohibitted.
banner login Violation is deemed illegal and intruders will be prosecuted
banner motd Unauthorised Access is Prohibitted.
banner motd Violation is deemed illegal and intruders will be prosecuted
ftp mode passive
clock timezone PGT 10
dns domain-lookup Outside
dns name-server 124.240.221.33
dns name-server 202.165.192.23
access-list Outside_access_in remark Internet to Inside
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in remark Permit Internet to Web Server
access-list Outside_access_in extended permit tcp any host 124.240.203.149 eq www
access-list Inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.128
access-list Inside_access_in remark Inside accessing Internet
access-list Inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging enable
logging timestamp
logging list test level debugging
logging asdm informational
logging debug-trace
mtu Inside 1500
mtu DMZ 1500
mtu Outside 1500
mtu management 1500
ip audit attack action drop
no failover
monitor-interface Inside
monitor-interface DMZ
monitor-interface Outside
monitor-interface management
icmp permit any Inside
icmp permit any DMZ
icmp permit any Outside
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
nat-control
global (DMZ) 1 192.168.2.10-192.168.2.254 netmask 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.0.0 255.255.255.0
nat (DMZ) 1 192.168.2.0 255.255.255.0 dns
static (DMZ,Outside) 124.240.203.149 192.168.2.5 netmask 255.255.255.255
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 124.240.203.229 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Infocom internal
group-policy Infocom attributes
dns-server value 124.240.221.33 202.165.192.23
default-domain value bfana.gov.tg
webvpn
username user1 password iS5o8BaNdLW4rit5 encrypted privilege 0
username user1 attributes
vpn-group-policy Infocom
webvpn
http server enable
http 192.168.3.0 255.255.255.0 management
snmp-server location 8th Floor detroit FND
snmp-server contact Liang
snmp-server community infocom
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet 192.168.1.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.50-192.168.0.100 Inside
dhcpd address 192.168.3.10-192.168.3.20 management
dhcpd dns 124.240.221.33 202.165.192.23
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain bfana.gov.tg
dhcpd enable Inside
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:ac6b5d216611db0f668672790018b48e

mmandeka · ‎10-13-2010

The packet tracer command was introduced in 7.2(1).

You could upgrade the ASA to 7.2(4) and its a stable version in the 7.2 trail.

Here's more information on the command:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1724426

Please collect the bidirectional captures as this gives us exact details on whats dropping the packets.

Another suggestion here:

You could also collect some syslgs on the pix in debugging level. Reproduce the issue. Then check the logs to see if you find something there.

View solution in original post

mmandeka · ‎10-13-2010

Hi,

To start with, please try the following:

1. Ping 192.168.2.5 from the firewall annd make sure its successful.

2. Try a packet tracer and check if its successful

packet-tracer input outside tcp 1025 124.240.203.149 80 detailed. Check the output to see if the pacet is getting dropped in any of the phases. If the packet is getting dropped in any of the phases, please paste the output here.

3. apply captures on the inside and the outside interface and check to see if packets are going through the firewall in both directions.Please paste the output of the capture here. Please refer to the link below for info on how to apply captures on PIX

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml#cliconfig

Regards,

Manisha Mandekar

Pius Nolih · ‎10-13-2010

My Asa version 7 and ASDM software does not support packet tracer.

If you can provide me a useful link to upgrade to versions supporting packet tracer, that would be good.

I have tried version 5.2 for ASDM on a spare ASA with similar version but could not get packet tracer loading...

I'll try googling and would appreciate your help

thanks

mmandeka · ‎10-13-2010

The packet tracer command was introduced in 7.2(1).

You could upgrade the ASA to 7.2(4) and its a stable version in the 7.2 trail.

Here's more information on the command:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1724426

Please collect the bidirectional captures as this gives us exact details on whats dropping the packets.

Another suggestion here:

You could also collect some syslgs on the pix in debugging level. Reproduce the issue. Then check the logs to see if you find something there.

Pius Nolih · ‎10-14-2010

Thanks I guess upgrading wi

ll be the step in the right direction..

thanks