Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
525
Views
0
Helpful
6
Replies

Return traffic on DMZ not working.

victorrodrigues
Level 1
Level 1

‎03-18-2006 05:56 AM - edited ‎03-09-2019 02:18 PM

Hi Guys,

I have the following config

Mail server – Internal 192.168.0.5 External x.y.z.77 (static for smtp,pop3 and Webaccess services)

ISA server – Internal 192.168.0.6 External x.y.z.75 (pat)

I got my mail server to work fine, I had a problem with internal users accessing the WebAccess since the Real IP for the mail server is on the outside interface of the router so I’m guessing it was not sending the packets out and hence giving a Request Timeout.

Now my problem.

I have branches over DSL (data links) with ips

Branch A - 192.168.1.0

Branch A - 192.168.10.0

Branch A - 192.168.11.0

Branch A - 192.168.12.0

I want to put them on my DMZ(or any interface) and hence I configured the HO DSL Ethernet interface 172.16.0.1 and subsequently the DMZ interface as 172.16.0.15.

I added the routes accordingly.

On the ASA

route Outside 0.0.0.0 0.0.0.0 x.y.z.73 1

route DMZ 192.168.12.0 255.255.255.0 172.16.0.1 1

route DMZ 192.168.11.0 255.255.255.0 172.16.0.1 1

route DMZ 192.168.10.0 255.255.255.0 172.16.0.1 1

route DMZ 192.168.1.0 255.255.255.0 172.16.0.1 1

on the HO DSL

route 192.168.0.0 255.255.255.0 172.16.0.15

route 0.0.0.0 0.0.0.0 dialer0

on the DSL backbone( at ISP )

route 192.168.0.0 255.255.255.0 172.16.0.1

route 192.168.1.0 255.255.255.0 192.168.1.1

route 192.168.10.0 255.255.255.0 192.168.10.1

route 192.168.11.0 255.255.255.0 192.168.11.1

route 192.168.12.0 255.255.255.0 192.168.12.1

when I tested, I can get across from inside to the DMZ and vice versa works fine too

the only problem is that I cannot get to the mail and web ( isa) servers from the DMZ , I guess its because I have the static nats for those as below

static (Inside,Outside) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255 dns

static (Inside,Outside) tcp interface pop3 192.168.0.5 pop3 netmask 255.255.255.255 dns

static (Inside,Outside) tcp interface www 192.168.0.5 www netmask 255.255.255.255

where am I going wrong ?

any suggestions ?

My config is attached

Labels:
Preview file
4 KB
0 Helpful
6 Replies 6

froggy3132000
Level 3
Level 3

‎03-18-2006 07:32 AM

Can you maybe post a diagram of your topology?

I am a little confused on where things are. You say that you can get to and from DMZ-inside just fine. If your mail and web servers are inside then I don't see the problem.

0 Helpful

victorrodrigues
Level 1
Level 1
In response to froggy3132000

‎03-18-2006 09:15 PM

Hi

Alright I posted a ppt with the slide showing my network layout,kindly note that I have not mentioned the Statics in the layout since I ran outta space , but I think its the major factor for the issue I am having where I cannot get to the Mail and ISA server from the branches. Sorry if my question was confusing. DMZ to Inside is fine, just DMZ to these specific servers Mail and ISA which are already having Statics to go out are not reachable from the DMZ.

Thanks and Regards,

Victor Rodrigues

Preview file
83 KB
0 Helpful

froggy3132000
Level 3
Level 3
In response to victorrodrigues

‎03-19-2006 04:07 AM

I would try putting a static NAT from DMZ to inside.

static (inside,dmz) 192.168.0.10 192.168.0.10 netmask 255.255.255.0

0 Helpful

victorrodrigues
Level 1
Level 1
In response to froggy3132000

‎03-20-2006 04:36 AM

hi

thanks for the input, not really at liberty to test too much, i had previously tried Identity nat for the mail and isa servers, didnt work , what you are suggesting is to identity nat the inside interface? is that even allowed?? what will happen to the outbound traffic ( traffic to the outside interface) ?

0 Helpful

veruscorp
Level 1
Level 1
In response to victorrodrigues

‎03-20-2006 04:52 AM

The (inside,dmz) statement affects only traffic between the inside an dmz - not to outside. This is a common translation technique. Often, I see it as a translation for the entire internal subnet rather than just to a host. You still need a valid access list to permit traffic from the dmz to inside. The static statement tells pix not to nat traffic between inside and dmz - in your case only to that one internal host. I would imagine that almost every pix person wondered about this one when they first saw it.

0 Helpful

victorrodrigues
Level 1
Level 1
In response to veruscorp

‎03-25-2006 06:46 AM

hi veruscorp,

sorry for the delay , i guess u still didnt get my query, as u can see from my config, im not natting between inside and dmz .. and yet all clients in dmz can see the hosts on inside. just the 2 hosts that are the mail server and isa cannot be contacted..

i assumed the inside,outside nat to be the issue since thats the only thing that they have diff ??

anybody else any ideas.. am sure am just missin something small in my config

thankx.

will rate tom

vic

0 Helpful
Customers Also Viewed These Support Documents