Community Member

public IP access

I have the following problem: I cannot access a server in the DMZ by its public IP. The diagram is as follows:

LAN <---> ASA <---> Internet
           |
           |
          DMZ

I do not see any error log, please help.
5 REPLIES
Hall of Fame Super Blue

Re: public IP access

jusaldivar@raytel.cl

I have the following problem: I cannot access a server in the DMZ by its public IP. The diagram is as follows:

LAN <---> ASA <---> Internet
           |
           |
          DMZ

I do not see any error log, please help.

Julio

Where are you trying to access the server from, i.e. from inside or from the Internet?

Can you post your config?

Jon

Community Member

Re: public IP access

Jon

I'm trying to access it from the inside.

Attached configuration:

!
interface Vlan1
nameif outside
security-level 0
ip address ip_public 255.255.255.248
!
interface Vlan2
nameif gerencia
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
nameif ventas_web
security-level 100
ip address 192.168.6.1 255.255.255.0
!
interface Vlan4
nameif facturacion
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan6
nameif camaras
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan7
nameif servidorweb
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
speed 100
duplex full
!
interface Ethernet0/1
switchport trunk allowed vlan 1-7
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 7
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list camaras_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.224
global (outside) 1 interface
global (facturacion) 1 interface
nat (gerencia) 0 access-list clientvpn1
nat (gerencia) 1 0.0.0.0 0.0.0.0
nat (facturacion) 0 access-list clientvpn
nat (facturacion) 1 192.168.0.0 255.255.255.0
nat (camaras) 0 access-list camaras_nat0_outbound
nat (servidorweb) 0 access-list clientvpn2
nat (servidorweb) 1 servidor_web_local 255.255.255.255
nat (ventas_web) 1 192.168.6.0 255.255.255.0
static (facturacion,gerencia) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (camaras,gerencia) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (gerencia,facturacion) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (gerencia,camaras) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (facturacion,servidorweb) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (gerencia,servidorweb) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (facturacion,ventas_web) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (ventas_web,facturacion) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (ventas_web,servidorweb) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (ventas_web,gerencia) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (gerencia,ventas_web) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (servidorweb,outside) ip_public_server servidor_web_local netmask 255.255.255.255
static (servidorweb,facturacion) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (servidorweb,gerencia) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (servidorweb,ventas_web) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group gerencia_access_in in interface gerencia
access-group facturacion_access_in in interface facturacion
access-group camaras_access_in in interface camaras
access-group servidorweb_access_in in interface servidorweb
access-group ventas_web_access_in_1 in interface ventas_web
route outside 0.0.0.0 0.0.0.0 ip_gateway 1

Hall of Fame Super Blue

Re: public IP access

Julio

There are a number of options you could use to achieve this. Have a read of this link, which will explain how to configure it, and if you have further questions please come back -

http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html

Jon

Community Member

Re: public IP access

Jon, thank you very much. I used the following command to resolve the problem:

static (dmz,inside) 51.88.80.100 172.16.1.100

Greetings

Cisco Employee

Re: public IP access

Hello,

By default, the ASA will allow traffic from a higher security-level interface to a lower one as long as you have a NAT translation for it.

In your config there are several interfaces with security level 100 and only ONE DMZ (security level 50). Please make sure that the interface from which you want to initiate traffic has a corresponding NAT for it, as follows:

Users (10.1.1.0/24)-----------------in_1[ASA]dmz_1-----------server (1.1.1.1)

nat (in_1) 1 0 0

global (dmz_1) 1 interface

Now, as long as you do not have any ACLs blocking the connection on the in_1 and dmz_1 interfaces, you should not have any issue accessing the server.

Also, try bypassing any networking devices between the clients and the ASA by connecting a PC directly to the ASA and trying to access the server. This will help you understand whether the ASA is actually the cause of concern or not.

Another troubleshooting tip would be to try the packet-tracer simulator built into ASDM. It can be found in ASDM under Tools ---> Packet Tracer.

HTH

Vijaya
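Julio's fix (a `static (dmz,inside) public_ip private_ip` whose mapped side faces the inside interface) and Vijaya's rule (higher-to-lower traffic needs a `nat`/`global` pair with the same id, or a matching static) are two lookups the ASA performs on the same pre-8.3 NAT table. The script below is an added example, not code from the thread or from Cisco: it parses a small constructed config in the same syntax, shows why an inside client's packet to the server's public address has no destination translation before the hairpin static is added, and shows it resolving afterwards. The interface names `inside`, `dmz`, `outside`, the 203.0.113.0/24 public address and the 192.168.x.0/24 networks are all constructed for this example.

```python
"""
Added example (not from the thread): an offline model of the two pre-8.3 Cisco ASA
translation lookups discussed above. Interface names, addresses and both sample
configs are constructed for this example.
"""
import ipaddress
import re

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) "
    r"(?P<mapped_ip>\S+) (?P<real_ip>\S+) netmask (?P<mask>\S+)"
)
NAT_RE = re.compile(r"^nat \((?P<ifc>[\w-]+)\) (?P<id>\d+) (?P<ip>\S+) (?P<mask>\S+)")
GLOBAL_RE = re.compile(r"^global \((?P<ifc>[\w-]+)\) (?P<id>\d+) ")


def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Accept the ASA shorthand '0 0' as well as dotted address/mask pairs."""
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


class NatPolicy:
    """Minimal model of the static / nat / global table of a pre-8.3 ASA."""

    def __init__(self, config: str):
        self.statics = []   # (real_ifc, mapped_ifc, mapped_net, real_net)
        self.nats = []      # (ifc, id, network)
        self.globals = []   # (ifc, id)
        for line in config.splitlines():
            line = line.strip()
            if m := STATIC_RE.match(line):
                self.statics.append((m["real"], m["mapped"],
                                     _net(m["mapped_ip"], m["mask"]),
                                     _net(m["real_ip"], m["mask"])))
            elif (m := NAT_RE.match(line)) and m["ip"] != "access-list":
                # nat 0 access-list (NAT exemption) is policy-based; not modelled here
                self.nats.append((m["ifc"], int(m["id"]), _net(m["ip"], m["mask"])))
            elif m := GLOBAL_RE.match(line):
                self.globals.append((m["ifc"], int(m["id"])))

    def untranslate_destination(self, src_ifc: str, dst_ip: str):
        """Julio's case: a packet arriving on src_ifc for dst_ip is only rewritten
        toward the server if a static's MAPPED interface is src_ifc and its mapped
        address covers dst_ip. Returns (server_ifc, real_ip) or None."""
        dst = ipaddress.ip_address(dst_ip)
        for real_ifc, mapped_ifc, mapped_net, real_net in self.statics:
            if mapped_ifc == src_ifc and dst in mapped_net:
                offset = int(dst) - int(mapped_net.network_address)
                return real_ifc, str(real_net.network_address + offset)
        return None

    def has_nat_path(self, src_ifc: str, dst_ifc: str, src_ip: str) -> bool:
        """Vijaya's rule: the source on src_ifc needs its own translation toward
        dst_ifc, either a static (src_ifc,dst_ifc) covering it or a nat/global
        pair sharing an id (nat id 0 without an ACL is identity and needs no global)."""
        src = ipaddress.ip_address(src_ip)
        for real_ifc, mapped_ifc, _mapped, real_net in self.statics:
            if real_ifc == src_ifc and mapped_ifc == dst_ifc and src in real_net:
                return True
        ids = {nid for ifc, nid, net in self.nats if ifc == src_ifc and src in net}
        if 0 in ids:
            return True
        return any(ifc == dst_ifc and gid in ids for ifc, gid in self.globals)


# Constructed config: server published to the Internet only (no hairpin static,
# no global on the dmz side), mirroring the situation in the thread.
BASE_CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.2.10 255.255.255.255
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
"""

# Same config plus the two lines that make inside -> public IP -> DMZ work.
FIXED_CONFIG = BASE_CONFIG + """
static (dmz,inside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
global (dmz) 1 interface
"""

BASE_POLICY = NatPolicy(BASE_CONFIG)
FIXED_POLICY = NatPolicy(FIXED_CONFIG)


def diagnose(policy: NatPolicy, client_ifc: str, client_ip: str, public_ip: str) -> dict:
    """Report both checks for a client trying to reach the server's public address."""
    dest = policy.untranslate_destination(client_ifc, public_ip)
    path = policy.has_nat_path(client_ifc, dest[0], client_ip) if dest else False
    return {"destination_static": dest, "source_nat_path": path}


if __name__ == "__main__":
    for name, pol in (("before", BASE_POLICY), ("after", FIXED_POLICY)):
        print(name, diagnose(pol, "inside", "192.168.1.10", "203.0.113.10"))
```

Run it directly to see the "before" report return no destination static (the only static for 203.0.113.10 faces `outside`, so an inside-sourced packet is simply routed toward the default gateway) and the "after" report resolve to the server on `dmz` with a usable source translation. On a real ASA the equivalent check is `packet-tracer input inside tcp 192.168.1.10 1025 203.0.113.10 80`, which is the CLI form of the ASDM tool Vijaya mentions.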
