Velocity Reviews - Computer Hardware Reviews


ASA Outside Access > DMZ will not work

 
 
googlegroups@ruetsche.com
      06-04-2009
Hi Group

I can't see the solution in the forest.

There are some networks on an ASA:
- Outside
- Inside
- Netfl
- DMZ

In the DMZ is a little NAS box for WWW and FTP downloads. I just want to
map the outside address 21.7.1.219 to the DMZ address 192.168.9.219,
but it doesn't work. I can't ping, ftp or www from outside. Here is
the config:

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name networkcust.intra
no names

name 192.168.20.1 netfl-asafw1
name 192.168.38.1 inside-asafw1
name 192.168.38.10 inside-lsrv1
name 192.168.38.11 inside-lsrv1-console
name 192.168.38.2 inside-switch1
name 192.168.38.3 inside-switch2
name 192.168.38.12 inside-voip-server
name 192.168.2.0 wan-vpnfrm2-lan
name 192.168.7.0 wan-vpnclients
name 192.168.38.5 inside-p1-laser
name 192.168.38.6 inside-p2
name 192.168.38.7 inside-p3
name 192.168.20.5 netfl-p1-laser
name 192.168.20.6 netfl-p2
name 192.168.9.10 dmz-nas-dm
name 192.168.9.1 dmz-asafw1
name 21.7.1.218 wan-asa1
name 21.7.1.217 wan-gw1
name 21.7.1.219 wan-nas1
name 192.168.9.219 dmz-nas1
name 192.168.1.0 wan-vpn-bs
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 21.7.1.218 255.255.255.248
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.38.1 255.255.255.0
!
interface Ethernet0/1.20
vlan 20
nameif netfl
security-level 20
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 10
ip address 192.168.9.1 255.255.255.0
!
ftp mode passive

dns server-group DefaultDNS
domain-name networkcust.intra
object-group network inside-printer
network-object host 192.168.38.5
network-object host 192.168.38.6
object-group network netfl2inside-Printer
network-object host 192.168.20.5
network-object host 192.168.20.6
object-group service Printer tcp
port-object eq 9100
port-object eq lpd
object-group service dmz-nas1
service-object tcp eq ftp-data
service-object tcp eq ftp
service-object tcp eq https
service-object tcp eq www
service-object icmp

access-list outside_access_in extended permit object-group dmz-nas1 any host 21.7.1.219
access-list inside_nat0_outbound extended permit ip 192.168.38.0 255.255.255.0 192.168.7.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.38.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.38.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.38.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list netfl_access_in extended permit tcp any object-group netfl2inside-Printer object-group Printer
access-list netfl_access_in extended deny ip any object-group netfl2inside-Printer
access-list netfl_access_in extended permit ip any any
access-list splitTnlTT standard permit 192.168.38.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.38.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any

ip local pool dhcpVPNClientPool 192.168.7.10-192.168.7.30
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz

icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz

no asdm history enable
nat-control

global (outside) 1 interface
global (dmz) 1 interface

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (netfl) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

static (inside,netfl) 192.168.20.5 192.168.38.5 netmask 255.255.255.255
static (inside,netfl) 192.168.20.6 192.168.38.6 netmask 255.255.255.255
static (dmz,outside) 21.7.1.219 192.168.9.219 netmask 255.255.255.255

access-group netfl_access_in in interface netfl
access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 21.7.1.217 1
dynamic-access-policy-record DfltAccessPolicy

sysopt nodnsalias inbound
sysopt nodnsalias outbound
sysopt noproxyarp outside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.5.21.114
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 21.7.1.186
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
no crypto isakmp nat-traversal

dhcprelay server 192.168.38.10 inside
dhcprelay enable netfl
dhcprelay timeout 60

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy tnlGrpTT internal
group-policy tnlGrpTT attributes
dns-server value 192.168.38.10
vpn-tunnel-protocol IPSec
password-storage enable
group-lock value tnlGrpTT
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitTnlTT
default-domain value networkcust.intra
address-pools value dhcpVPNClientPool

username vpnUsr1 password 123123123123 privilege 0
username vpnUsr1 attributes
vpn-group-policy tnlGrpTT
service-type remote-access

tunnel-group tnlGrpTT type remote-access
tunnel-group tnlGrpTT general-attributes
address-pool dhcpVPNClientPool
default-group-policy tnlGrpTT

tunnel-group tnlGrpTT ipsec-attributes
pre-shared-key *

tunnel-group 21.7.1.186 type ipsec-l2l
tunnel-group 21.7.1.186 ipsec-attributes
pre-shared-key *

tunnel-group 12.5.21.114 type ipsec-l2l
tunnel-group 12.5.21.114 ipsec-attributes
pre-shared-key *

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global

I can ping the NAS from the inside net at 192.168.9.219.

Can anybody give me a tip on what little thing I forgot?

Thank you.

ivo
 
Andrey Tarasov
      06-04-2009
(E-Mail Removed) wrote:
> Hi Group
>
> I can't see the solution in the forest.
>
> There are some networks on an ASA:
> - Outside
> - Inside
> - Netfl
> - DMZ
>
> In the DMZ is a little NAS box for WWW and FTP downloads. I just want to
> map the outside address 21.7.1.219 to the DMZ address 192.168.9.219,
> but it doesn't work. I can't ping, ftp or www from outside. Here is
> the config:
>

[skip]
> name 21.7.1.218 wan-asa1
> name 21.7.1.217 wan-gw1
> name 21.7.1.219 wan-nas1
> name 192.168.9.219 dmz-nas1
> name 192.168.1.0 wan-vpn-bs

[skip]
> object-group service dmz-nas1
> service-object tcp eq ftp-data
> service-object tcp eq ftp
> service-object tcp eq https
> service-object tcp eq www
> service-object icmp
>
> access-list outside_access_in extended permit object-group dmz-nas1 any host 21.7.1.219

[skip]
> static (dmz,outside) 21.7.1.219 192.168.9.219 netmask 255.255.255.255
>
> access-group netfl_access_in in interface netfl
> access-group dmz_access_in in interface dmz

[skip]
> I can ping the NAS from the inside net at 192.168.9.219.
>
> Can anybody give me a tip on what little thing I forgot?


First of all, there is no "access-group outside_access_in in interface
outside" command.
Second - I believe "access-list outside_access_in extended permit
object-group dmz-nas1 any host 21.7.1.219" wouldn't do what you think it
will. Post output of "show access-list outside_access_in", please.

Regards,
Andrey.
 
googlegroups@ruetsche.com
      06-04-2009
Thank you for the response. Sure, the "access-list outside_access_in
extended permit object-group dmz-nas1 any host 21.7.1.219" must be
there; I forgot it in the copy/paste to the post, but all the others are
there. Here is the output from the show command:

ciscoasa(config)# show access-list outside_access_in
access-list outside_access_in; 5 elements
access-list outside_access_in line 1 extended permit object-group dmz-nas1 any host 21.7.1.219
access-list outside_access_in line 1 extended permit tcp any host 21.7.1.219 eq ftp-data (hitcnt=0)
access-list outside_access_in line 1 extended permit tcp any host 21.7.1.219 eq ftp (hitcnt=0)
access-list outside_access_in line 1 extended permit tcp any host 21.7.1.219 eq https (hitcnt=0)
access-list outside_access_in line 1 extended permit tcp any host 21.7.1.219 eq www (hitcnt=0)
access-list outside_access_in line 1 extended permit icmp any host 21.7.1.219 (hitcnt=0)
ciscoasa(config)#

Thank you
ivo



 
googlegroups@ruetsche.com
      06-04-2009

Interesting is also that I don't see any tries in the syslog (debug
level)...
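An added config audit, not from the thread and not an ASA feature, that runs over a constructed excerpt of the posted config the two structural checks Andrey's reply points at (an access-list no command applies, and a static whose mapped interface carries no inbound access-group, so the ASA's default deny for lower-to-higher security traffic still applies) plus one check the thread itself does not raise but which fits the last post's observation that nothing even reaches syslog: the posted `sysopt noproxyarp outside` stops the ASA answering ARP for a static's mapped address that sits in the outside interface's own subnet, so the upstream gateway never hands the packets to the firewall. The regexes and the ACL_USERS list of commands that consume an ACL are my assumptions about the 8.0 syntax shown on this page.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.0(4) config posted in the thread (outside_access_in
# written in the expanded form that show access-list printed).
SAMPLE_CONFIG = """\
nameif outside
ip address 21.7.1.218 255.255.255.248
nameif dmz
ip address 192.168.9.1 255.255.255.0
access-list outside_access_in extended permit tcp any host 21.7.1.219 eq www
access-list inside_nat0_outbound extended permit ip 192.168.38.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list splitTnlTT standard permit 192.168.38.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (dmz,outside) 21.7.1.219 192.168.9.219 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
sysopt noproxyarp outside
split-tunnel-network-list value splitTnlTT
"""

# Commands that consume an ACL by name; an ACL matched by none of them filters nothing.
ACL_USERS = (r"access-group (\S+) in interface \S+",
             r"nat \(\S+\) 0 access-list (\S+)",
             r"crypto map \S+ \d+ match address (\S+)",
             r"split-tunnel-network-list value (\S+)")

def audit(config):
    """Return findings for the three problems discussed in the thread."""
    lines = [l.strip() for l in config.splitlines()]
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) ", l))}
    used = {m.group(1) for l in lines for p in ACL_USERS if (m := re.match(p, l))}
    inbound = {m.group(1) for l in lines
               if (m := re.match(r"access-group \S+ in interface (\S+)", l))}
    noproxy = {m.group(1) for l in lines if (m := re.match(r"sysopt noproxyarp (\S+)", l))}
    subnets, cur = {}, None  # nameif -> directly connected subnet of that interface
    for l in lines:
        if (m := re.match(r"nameif (\S+)", l)):
            cur = m.group(1)
        elif cur and (m := re.match(r"ip address (\S+) (\S+)", l)):
            subnets[cur] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    findings = [f"ACL {a} is defined but never applied anywhere" for a in sorted(acls - used)]
    for m in filter(None, (re.match(r"static \((\S+),(\S+)\) (\S+) ", l) for l in lines)):
        mapped_if, mapped_ip = m.group(2), m.group(3)
        if mapped_if not in inbound:  # lower-to-higher security traffic is denied by default
            findings.append(f"static to {mapped_ip} on {mapped_if} but no inbound ACL bound to {mapped_if}")
        if mapped_if in noproxy and ipaddress.ip_address(mapped_ip) in subnets.get(mapped_if, ()):
            findings.append(f"sysopt noproxyarp {mapped_if} stops the ASA answering ARP for {mapped_ip}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports all three findings; adding `access-group outside_access_in in interface outside` and dropping the `sysopt noproxyarp outside` line makes the list empty.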
 