Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Roting and Nat asa 5505

 

I am try to make inside network communicate with DMZ server (bidirectional on two ports) but it did not work. I have Security Plus license with version 9.0 (3). Any help is appreciated
 
OUTSIDE (ISP) ====== (ASA5505) ======= inside (SWITCH) ====== ROUTER (172.16.1.X/24)
                                       + 
                                       +
                                       +
                                 (SWITCH)
                           (DMZ 172.16.0.71/24)
                          Application SERVER  (ports 7071,7072)
                          Should be accessed by inside network only and in bidirectional
Everyone's tags (1)
5 REPLIES
VIP Purple

What you have to configure on

What you have to configure on the ASA:

  1. A route to the internal network behind the router.
  2. A permit statement for the traffic on the DMZ-ACL.
  3. A permit statement for the traffic on the inside-ACL if you have an ACL applied on inside.
  4. The security-level of DMZ should be lower then the security-level of inside.
  5. There shouldn't be a nat-statement for this communication.
Community Member

Thanks, to ensure that I am

Thanks, to ensure that I am following the direction correctly, I did 

ciscoasa(config)# show firewall
Firewall mode: Router

ciscoasa(config)# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/5  // Security level 100. 0/1 is connected to                                                                 Et0/6, Et0/7                        //other router (dhcpd) wh ich assign IP pool
                                                
2    ouside                         down      Et0/0                              //Security level 0. Currently I donot need to use                                                                                                    //it
5    dmz                              up       Et0/4                               // The application server is connect to this                                                                                                            // interface
ciscoasa(config)#

ciscoasa(config)# show ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 172.16.1.140  255.255.255.0   CONFIG
Vlan5                    dmz                    172.16.0.1      255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 172.16.1.140  255.255.255.0   CONFIG
Vlan5                    dmz                    172.16.0.1      255.255.255.0   manual

// Now I am testing ping dmz 

ciscoasa(config)# ping 172.16.0.71   // This is real ip of Application server that connected to                                                                             //   dmz direct
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.71, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

// Tesing ping inside 

ciscoasa(config)# ping 172.16.1.134  // ip of host in inside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.134, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

 

 

/*

Either when host (inside) ping app server doesnot work 

*/

 

// As maybe noticed that I can not ping inside or dmz from thr asa5505

/* 

However, my problem does not end at this point, furthermore, I want hosts in inside to access the APP Server by "http://172.16.0.71:7071 or 7072

and both direction from/to dmz to inside. So I did the following: 

*/

ciscoasa(config)# object network web-server-frominside
ciscoasa(config-network-object)# host 172.16.0.71
ciscoasa(config-network-object)# nat (dmz,inside) static interface service tcp www www

ciscoasa(config-network-object)# access-list dmztoinside extended permit tcp any host 172.16.0.71 eq 7071

ciscoasa(config-network-object)# access-list dmztoinside extended permit tcp any host 172.16.0.71 eq 7072

ciscoasa(config)# access-group dmztoinside in interface inside

ciscoasa(config)# route dmz 0 0 172.16.1.1 // is the router 1900 Default Gateway for inside

This is what I tried and did not work at all, so any help is really appreciated

 

 

Community Member

Thanks for your reply.The

Thanks for your reply.

The inside subnet is managed by the router 172.16.1.1 and not by the ASA5505 which has no dhcpd for the inside network but still in route mode. 

Any Client on the inside (100 Security Level), by default, should be able to ping DMZ (50 Security level) which is not work at all for me. 

What I want to do is: typing "http://172.16.0.71" on any client in the inside subnet in order to access the web application server in DMZ. (in bidirectional way connection) 

I tried ACL, NAT, and Route based on similar topology, I used object network, but I was unable to let them talk to each other. 

I used NAT for (inside,dmz) and ACL to allow tcp 7071 & 7072 only.

 

May I made it more complex rather than what it should to be, so any help is really appreciated.

 

 

VIP Purple

OK, this time http-access:1)

OK, this time http-access:

1) Do you have a route on the ASA to your internal network?

2) For this you don't need a DMZ-ACL, so we skip that point.

3) Is the internal ACL allowing the traffic?

4) security-levels are fine with 100/inside and 50/dmz.

5) The nat for (inside, outside) should be removed as it only adds unnessasary complexity.

Please show your config to help with that.

Community Member

All TCP and UPD traffic

All TCP and UPD traffic should be accessible through the firewall without any ACL entry untill unless any implicit or explicit rule is blocking the traffic.

1) Check you have reachibility to both the networks from the firewall.  Firewall should have proper routing in place. You can test by pinging the hosts at both DMZ and Inside network

2) Both subnets (Inside and DMZ) should have route; either static or default to reach to each other.

3) NAT should not be required in your case.

Best thing which you can do is to run a packet tracer and see where its being blocked. Based on the packet trracer output you can proceed further and take the required action.

 

81
Views
0
Helpful
5
Replies
CreatePlease to create content