ASA 8.0 WAN IP to host in DMZ

achesney3
Level 1

Hello, I need help with an ASA 5520 that is running old ASA 8.0 code. I am trying to configure a public server located on a DMZ. I have followed several different sets of instructions but nothing is working. I am able to make a WAN IP work with a server on the inside network, and I am able to communicate with the server on the DMZ from the inside, but I am not able to get traffic to flow from the WAN to the DMZ host. I believe the issue is related to the older ASA version and that I am missing a step or config. Below is the current config with IPs modified.

thank you in advance for any help offered.

:

ASA Version 8.0(4)

!

hostname Camden-ASA5520

domain-name camden.org

names

name 192.168.168.100 Eye_RT description Eye Rt on DMZ

name 192.168.168.10 Eye_DMZ_Interface

name 65.65.65.32 Eye_1to1_Outside

dns-guard

!

interface GigabitEthernet0/0

description

speed 100

duplex full

nameif inside

security-level 100

ip address 172.16.20.1 255.255.255.0

!

interface GigabitEthernet0/1

description

speed 1000

duplex full

nameif outside

security-level 0

ip address 65.66.66.74 255.255.255.248

!

interface GigabitEthernet0/2

description

speed 100

duplex full

nameif DMZ

security-level 0

ip address 192.168.3.2 255.255.255.0

!

interface GigabitEthernet0/3

description *DMZ to Eye Router*

nameif Eye_DMZ

security-level 0

ip address 192.168.168.10 255.255.255.0

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa804-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server myn

domain-name camden.org

same-security-traffic permit intra-interface

object-group service Eye_Test tcp

port-object eq 5453

access-list inside-out extended permit icmp any any

access-list inside-out extended permit ip any any

access-list outside_in extended permit icmp any host 65.65.65.74

access-list outside_in extended permit ip any host Eye_1to1_Outside

access-list outside_in extended permit icmp any host Eye_1to1_Outside

access-list Eye_DMZ_access_in extended permit ip any any

access-list Eye_DMZ_access_in extended permit icmp any any

pager lines 35

logging enable

logging buffer-size 65536

logging asdm debugging

logging debug-trace

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

mtu Eye_DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any DMZ

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (Eye_DMZ) 1 192.168.168.11-192.168.168.254 netmask 255.255.255.0

nat (inside) 0 access-list VPN

nat (inside) 1 0.0.0.0 0.0.0.0

static (Eye_DMZ,outside) Eye_1to1_Outside 192.168.168.110 netmask 255.255.255.255

access-group inside-out in interface inside

access-group outside_in in interface outside

access-group dmz_out in interface DMZ

access-group Eye_DMZ_access_in in interface Eye_DMZ

route outside 0.0.0.0 0.0.0.0 65.65.65.73 1

timeout xlate 8:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

: end

asdm image disk0:/asdm-613.bin

asdm location Eye_RT 255.255.255.255 inside

asdm location Eye_DMZ_Interface 255.255.255.255 inside

no asdm history enable

1 Accepted Solution

Alfred,

It looks like both interfaces have a security-level of 0, which means they will not communicate with each other by default.

I do see you have the following configuration.

same-security-traffic permit intra-interface

You will also need 'same-security-traffic permit inter-interface' for this to work as well. Or you will need to change the security levels of one of these two.

*** Edit ***

Also, like Jon suggested, make sure your routing is set up correctly. So if you have a static routing configuration, which most ASAs do:

route Eye_DMZ 192.168.168.0 255.255.255.0

And I'm assuming you have a default route configured?


5 Replies

Jon Marshall
Hall of Fame

Alfred

Can you clarify which DMZ as you have more than one ie. is it meant to be this -

static (Eye_DMZ,outside) Eye_1to1_Outside 192.168.168.110 netmask 255.255.255.255

or something else ?

Jon

Jon,

Sorry about that. You are correct, the Eye_DMZ. TY

Alfred

Then what you have should work ie. you have a static and you are allowing traffic to the public IP in your acl applied to the outside interface.

Is the public IP you are using out of the same range as the outside interface IP ?

If not are you sure the address block from which the public IP is from is being routed to your ASA ?

Jon

John,

adding this line worked.

same-security-traffic permit intra-interface

Both,

Thank you for your help.
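As an added example (not part of this thread, and not Cisco's code), the following Python lint applies the checks the replies above walk through to a pre-8.3 ASA running-config: equal-security interface pairs without 'same-security-traffic permit inter-interface' (the accepted answer), whether the real host of each 'static' sits on its interface's connected subnet (the 'route Eye_DMZ ...' entry the answer mentions is only needed when it does not), whether the mapped public address lies inside the outside interface's subnet (Jon's question about the address block being routed to the ASA), and whether the ACL bound to the mapped interface names the mapped address (pre-8.3 ACLs match translated addresses). The sample config is constructed from the post above, abbreviated and using the poster's already-modified addresses; the parser assumes the indentation that 'show running-config' prints under 'interface', handles address statics only (not port statics), and resolves 'name' aliases.

```python
"""Lint a pre-8.3 ASA running-config for the problems discussed in this thread."""
import ipaddress
from itertools import combinations

# Constructed sample: the posted config, abbreviated, using the poster's altered addresses.
SAMPLE_CONFIG = """\
name 65.65.65.32 Eye_1to1_Outside
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 65.66.66.74 255.255.255.248
!
interface GigabitEthernet0/3
 nameif Eye_DMZ
 security-level 0
 ip address 192.168.168.10 255.255.255.0
!
same-security-traffic permit intra-interface
access-list outside_in extended permit ip any host Eye_1to1_Outside
access-group outside_in in interface outside
static (Eye_DMZ,outside) Eye_1to1_Outside 192.168.168.110 netmask 255.255.255.255
"""


def parse_config(text):
    """Collect interfaces (keyed by nameif), name aliases, same-security flags, ACLs, statics."""
    cfg = {"interfaces": {}, "names": {}, "same_security": set(),
           "acl_lines": {}, "access_groups": [], "statics": []}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line[0] in "!:":
            continue
        parts = line.split()
        if parts[0] == "interface":
            current = {"level": None, "ip": None}
        elif line.startswith(" ") and current is not None:   # sub-command of an interface
            if parts[0] == "nameif":
                cfg["interfaces"][parts[1]] = current
            elif parts[0] == "security-level":
                current["level"] = int(parts[1])
            elif parts[:2] == ["ip", "address"]:
                current["ip"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        else:
            current = None
            if parts[0] == "name":                            # name <ip> <alias> [description ...]
                cfg["names"][parts[2]] = parts[1]
            elif parts[:2] == ["same-security-traffic", "permit"]:
                cfg["same_security"].add(parts[2])
            elif parts[0] == "access-list":
                cfg["acl_lines"].setdefault(parts[1], []).append(line)
            elif parts[0] == "access-group":                  # access-group <acl> in interface <if>
                cfg["access_groups"].append((parts[1], parts[4]))
            elif parts[0] == "static" and parts[2] not in ("tcp", "udp"):   # address statics only
                real_if, mapped_if = parts[1].strip("()").split(",")
                cfg["statics"].append((real_if, mapped_if, parts[2], parts[3]))
    return cfg


def resolve(cfg, token):
    return ipaddress.ip_address(cfg["names"].get(token, token))   # alias -> address


def check_same_security(cfg):
    """Equal-level interfaces pass no traffic without 'permit inter-interface' (accepted answer)."""
    if "inter-interface" in cfg["same_security"]:
        return []
    ifs = cfg["interfaces"]
    return [f"{a} and {b} are both security-level {ifs[a]['level']} but "
            "'same-security-traffic permit inter-interface' is not set"
            for a, b in combinations(sorted(ifs), 2)
            if ifs[a]["level"] is not None and ifs[a]["level"] == ifs[b]["level"]]


def check_statics(cfg):
    """Routing and ACL sanity per static NAT (Jon's questions; pre-8.3 ACLs use mapped addresses)."""
    findings = []
    bound = {iface: acl for acl, iface in cfg["access_groups"]}
    for real_if, mapped_if, mapped, real in cfg["statics"]:
        inner, outer = cfg["interfaces"].get(real_if), cfg["interfaces"].get(mapped_if)
        if not (inner and inner["ip"] and outer and outer["ip"]):
            findings.append(f"static ({real_if},{mapped_if}) names an undefined interface")
            continue
        real_ip, mapped_ip = resolve(cfg, real), resolve(cfg, mapped)
        if real_ip not in inner["ip"].network:
            findings.append(f"real host {real_ip} is not on {real_if}'s connected subnet "
                            f"{inner['ip'].network}; a 'route {real_if} ...' entry is needed")
        if mapped_ip not in outer["ip"].network:
            findings.append(f"mapped address {mapped_ip} is not in {mapped_if}'s subnet "
                            f"{outer['ip'].network}; the upstream must route that block to the ASA")
        acl_lines = cfg["acl_lines"].get(bound.get(mapped_if), [])
        if not any({mapped, str(mapped_ip)} & set(entry.split()) for entry in acl_lines):
            findings.append(f"no entry in the ACL on {mapped_if} names mapped address {mapped_ip}")
    return findings


def lint(text):
    cfg = parse_config(text)
    return check_same_security(cfg) + check_statics(cfg)
```

Running lint(SAMPLE_CONFIG) returns two findings: the missing inter-interface permit between Eye_DMZ and outside, and the mapped address 65.65.65.32 lying outside the outside interface's 65.66.66.72/29, which is exactly the case where the upstream router must have a route for that block pointing at the ASA. Appending 'same-security-traffic permit inter-interface' to the sample clears the first finding; the ACL check stays quiet because outside_in already permits the mapped address by its 'name' alias.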
