public IP access

Julio Saldivar
Level 1
I have the following problem, I can not access a server in the DMZ with public IP, the diagram is as follows:

LAN <---> ASA <-> Internet
           |
           |
          DMZ

I do not see any error log, please help.

5 Replies

Jon Marshall
Hall of Fame

jusaldivar@raytel.cl

I have the following problem, I can not access a server in the DMZ with public IP, the diagram is as follows:

LAN <---> ASA <-> Internet
           |
           |
          DMZ

I do not see any error log, please help.

Julio

Where are you trying to access the server from, i.e. from the inside or from the Internet?

Can you post your config?

Jon

Jon,

I'm trying to access from the inside

attached configuration:

!
interface Vlan1
nameif outside
security-level 0
ip address ip_public 255.255.255.248
!
interface Vlan2
nameif gerencia
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
nameif ventas_web
security-level 100
ip address 192.168.6.1 255.255.255.0
!
interface Vlan4
nameif facturacion
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan6
nameif camaras
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan7
nameif servidorweb
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
speed 100
duplex full
!
interface Ethernet0/1
switchport trunk allowed vlan 1-7
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 7
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list camaras_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.224
global (outside) 1 interface
global (facturacion) 1 interface
nat (gerencia) 0 access-list clientvpn1
nat (gerencia) 1 0.0.0.0 0.0.0.0
nat (facturacion) 0 access-list clientvpn
nat (facturacion) 1 192.168.0.0 255.255.255.0
nat (camaras) 0 access-list camaras_nat0_outbound
nat (servidorweb) 0 access-list clientvpn2
nat (servidorweb) 1 servidor_web_local 255.255.255.255
nat (ventas_web) 1 192.168.6.0 255.255.255.0
static (facturacion,gerencia) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (camaras,gerencia) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (gerencia,facturacion) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (gerencia,camaras) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (facturacion,servidorweb) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (gerencia,servidorweb) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (facturacion,ventas_web) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (ventas_web,facturacion) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (ventas_web,servidorweb) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (ventas_web,gerencia) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (gerencia,ventas_web) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (servidorweb,outside) ip_public_server servidor_web_local netmask 255.255.255.255
static (servidorweb,facturacion) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (servidorweb,gerencia) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (servidorweb,ventas_web) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group gerencia_access_in in interface gerencia
access-group facturacion_access_in in interface facturacion
access-group camaras_access_in in interface camaras
access-group servidorweb_access_in in interface servidorweb
access-group ventas_web_access_in_1 in interface ventas_web
route outside 0.0.0.0 0.0.0.0 ip_gateway 1

Julio

There are a number of options you could use to achieve this. Have a read of this link which will explain how to configure it and if you have further questions please come back -

http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html

Jon

Jon, thank you very much. I used the following command to resolve the problem:

static (dmz,inside) 51.88.80.100 172.16.1.100

Greetings
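The fix above hinges on which interface a static is "mapped" onto: the server was only published towards outside, so inside hosts had no translation for its public IP and the ASA simply routed the packet out the default route. The following added example (not from the thread or from Cisco) models pre-8.3 `static (real_if,mapped_if) mapped real` lookups over a constructed config; the interface names inside/dmz/outside, the 10.1.1.0/24 network and the two constructed static lines are assumptions built around the addresses in this reply.

```python
import ipaddress
import re

# Pre-8.3 ASA syntax: static (real_if,mapped_if) mapped_addr real_addr [netmask M]
# Hosts on mapped_if reach the real hosts living behind real_if at mapped_addr.
STATIC_RE = re.compile(
    r"static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<mapped>\S+)\s+(?P<real>\S+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?"
)

# Constructed config fragment modelled on the thread: the DMZ server is
# published to the Internet only, so inside hosts have no static for 51.88.80.100.
CONFIG = """\
static (dmz,outside) 51.88.80.100 172.16.1.100 netmask 255.255.255.255
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
"""
# The line Julio added to fix it (interface names as in his reply).
FIX = "static (dmz,inside) 51.88.80.100 172.16.1.100\n"


def parse_statics(config):
    """Collect the static translations from a pre-8.3 ASA config dump."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mask = m.group("mask") or "255.255.255.255"  # no netmask = single host
        rules.append({
            "real_if": m.group("real_if"),
            "mapped_if": m.group("mapped_if"),
            "mapped": ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=False),
            "real": ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False),
        })
    return rules


def resolve(rules, src_if, dst_addr):
    """Where does dst_addr lead for a packet arriving on src_if?
    Returns (egress_interface, real_address), or None when no static on src_if
    covers the address; the ASA then falls back to routing, which for a public
    address means the default route, so the DMZ is never reached."""
    dst = ipaddress.ip_address(dst_addr)
    for r in rules:
        if r["mapped_if"] == src_if and dst in r["mapped"]:
            offset = int(dst) - int(r["mapped"].network_address)  # keep host offset
            return r["real_if"], str(r["real"].network_address + offset)
    return None


if __name__ == "__main__":
    for label, cfg in (("before fix", CONFIG), ("after fix", CONFIG + FIX)):
        print(label, "inside -> 51.88.80.100:", resolve(parse_statics(cfg), "inside", "51.88.80.100"))
```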

Hello,

By default, the ASA will allow traffic from a higher security-level interface to a lower one as long as you have a NAT translation for it.

In your config there are several interfaces with security level 100 and only ONE DMZ (security level 50). Please make sure that the interface from which you want to initiate traffic has a corresponding NAT for it, as follows:

Users (10.1.1.0/24)-----------------in_1[ASA]dmz_1-----------server (1.1.1.1)

nat (in_1) 1 0 0

global (dmz_1) 1 interface

Now, as long as you do not have any ACLs blocking the connection on the in_1 and dmz_1 interfaces, you should not have any issue accessing the server.

Also, try bypassing any networking devices between the clients and the ASA by connecting a PC directly to the ASA and trying to access the server. This will help you understand whether the ASA is actually the cause of concern or not.

Another troubleshooting tip would be to try the packet-tracer simulator built into ASDM. It can be found in ASDM under Tool ---> packet-tracer.

HTH

Vijaya
