02-03-2014 10:51 AM - edited 03-04-2019 10:14 PM
Hello, need help with an ASA 5520 that has old ASA 8.0. Trying to configure a public server located on a DMZ. Have followed several different sets of instructions but nothing is working. Am able to make the WAN IP work with a server on the inside network and able to communicate with the server on the DMZ from inside, but not able to get traffic to flow from WAN to the DMZ host. Believe the issue is related to the older ASA version and missing a step or config. Below is the current config with IPs modified.
Thank you in advance for any help offered.
:
ASA Version 8.0(4)
!
hostname Camden-ASA5520
domain-name camden.org
names
name 192.168.168.100 Eye_RT description Eye Rt on DMZ
name 192.168.168.10 Eye_DMZ_Interface
name 65.65.65.32 Eye_1to1_Outside
dns-guard
!
interface GigabitEthernet0/0
description
speed 100
duplex full
nameif inside
security-level 100
ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet0/1
description
speed 1000
duplex full
nameif outside
security-level 0
ip address 65.66.66.74 255.255.255.248
!
interface GigabitEthernet0/2
description
speed 100
duplex full
nameif DMZ
security-level 0
ip address 192.168.3.2 255.255.255.0
!
interface GigabitEthernet0/3
description *DMZ to Eye Router*
nameif Eye_DMZ
security-level 0
ip address 192.168.168.10 255.255.255.0
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server myn
domain-name camden.org
same-security-traffic permit intra-interface
object-group service Eye_Test tcp
port-object eq 5453
access-list inside-out extended permit icmp any any
access-list inside-out extended permit ip any any
access-list outside_in extended permit icmp any host 65.65.65.74
access-list outside_in extended permit ip any host Eye_1to1_Outside
access-list outside_in extended permit icmp any host Eye_1to1_Outside
access-list Eye_DMZ_access_in extended permit ip any any
access-list Eye_DMZ_access_in extended permit icmp any any
pager lines 35
logging enable
logging buffer-size 65536
logging asdm debugging
logging debug-trace
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu Eye_DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (Eye_DMZ) 1 192.168.168.11-192.168.168.254 netmask 255.255.255.0
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0
static (Eye_DMZ,outside) Eye_1to1_Outside 192.168.168.110 netmask 255.255.255.255
access-group inside-out in interface inside
access-group outside_in in interface outside
access-group dmz_out in interface DMZ
access-group Eye_DMZ_access_in in interface Eye_DMZ
route outside 0.0.0.0 0.0.0.0 65.65.65.73 1
timeout xlate 8:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
: end
asdm image disk0:/asdm-613.bin
asdm location Eye_RT 255.255.255.255 inside
asdm location Eye_DMZ_Interface 255.255.255.255 inside
no asdm history enable
02-03-2014 11:39 AM
Alfred,
It looks like both interfaces have a security-level of 0, which means they will not communicate with each other by default.
I do see you have the following configuration.
same-security-traffic permit intra-interface
You will also need 'same-security-traffic permit inter-interface' for this to work as well. Or you will need to change the security levels of one of these two.
*** Edit ***
Also, like Jon suggested, make sure your routing is set up correctly. So if you have static configuration, which most ASAs do.
route Eye_DMZ 192.168.168.0 255.255.255.0
And I'm assuming you have a default route configured?
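As an added example (not code from the thread or from Cisco), a small Python audit that checks an ASA 8.0-style config for the three things discussed above: a static for the public address, a permit for that address in the ACL bound to the outside interface, and 'same-security-traffic permit inter-interface' when both interfaces share a security level. The config excerpt is constructed from the posted one; names and the function names are assumed.

```python
import re

# Constructed excerpt of the posted config (same names and addresses as the thread).
ASA_CONFIG = """
name 65.65.65.32 Eye_1to1_Outside
interface GigabitEthernet0/1
 nameif outside
 security-level 0
interface GigabitEthernet0/3
 nameif Eye_DMZ
 security-level 0
same-security-traffic permit intra-interface
access-list outside_in extended permit ip any host Eye_1to1_Outside
static (Eye_DMZ,outside) Eye_1to1_Outside 192.168.168.110 netmask 255.255.255.255
access-group outside_in in interface outside
"""

def parse_asa(text):
    """Pull out the pieces that decide whether outside -> DMZ traffic is allowed."""
    cfg = {"sec": {}, "same_sec": set(), "statics": [], "acl": {}, "groups": {}}
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            cur = line.split()[1]                      # interface currently being defined
        elif line.startswith("security-level ") and cur:
            cfg["sec"][cur] = int(line.split()[1])
        elif line.startswith("same-security-traffic permit "):
            cfg["same_sec"].add(line.split()[-1])      # intra-interface / inter-interface
        elif line.startswith("static ("):
            m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line)
            cfg["statics"].append(m.groups())          # (real_if, mapped_if, mapped, real)
        elif line.startswith("access-list "):
            cfg["acl"].setdefault(line.split()[1], []).append(line)
        elif line.startswith("access-group "):
            parts = line.split()                       # access-group NAME in interface IFACE
            cfg["groups"][parts[4]] = parts[1]
    return cfg

def audit_dmz_publish(cfg, public_name):
    """Return the problems that would block outside -> DMZ for the given mapped address."""
    statics = [s for s in cfg["statics"] if s[2] == public_name]
    if not statics:
        return [f"no static NAT maps {public_name} to a DMZ host"]
    real_if, mapped_if, _, _ = statics[0]
    problems = []
    acl = cfg["groups"].get(mapped_if)
    if not acl:
        problems.append(f"no access-group bound to {mapped_if}")
    elif not any(" permit " in l and f" host {public_name}" in l for l in cfg["acl"].get(acl, [])):
        problems.append(f"ACL {acl} does not permit traffic to host {public_name}")
    if real_if in cfg["sec"] and cfg["sec"][real_if] == cfg["sec"].get(mapped_if) \
            and "inter-interface" not in cfg["same_sec"]:
        problems.append(f"{real_if} and {mapped_if} share security-level "
                        f"{cfg['sec'][real_if]} but inter-interface permit is missing")
    return problems
```

Running audit_dmz_publish(parse_asa(ASA_CONFIG), "Eye_1to1_Outside") reports only the missing inter-interface permit; appending that line to the config clears the report.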
02-03-2014 11:10 AM
Alfred
Can you clarify which DMZ, as you have more than one, i.e. is it meant to be this -
static (Eye_DMZ,outside) Eye_1to1_Outside 192.168.168.110 netmask 255.255.255.255
or something else ?
Jon
02-03-2014 11:28 AM
Jon,
Sorry about that. You are correct, the Eye_DMZ. TY
02-03-2014 11:36 AM
Alfred
Then what you have should work, i.e. you have a static and you are allowing traffic to the public IP in your ACL applied to the outside interface.
Is the public IP you are using out of the same range as the outside interface IP ?
If not are you sure the address block from which the public IP is from is being routed to your ASA ?
Jon
02-03-2014 12:35 PM
John,
Adding this line worked.
same-security-traffic permit intra-interface
Both,
Thank you for your help.