ASA Outside Access > DMZ will not work

Discussion in 'Cisco' started by googlegroups@ruetsche.com, Jun 4, 2009.

  1. Guest

    Hi Group

    I can't see the solution in the forest.

    There are some networks on an ASA:
    - Outside
    - Inside
    - Netfl
    - DMZ

    In the DMZ there is a little NAS box for WWW and FTP downloads. I just want to
    map the outside address 21.7.1.219 to the DMZ address 192.168.9.219,
    but it doesn't work. I can't ping, FTP or WWW from outside. Here is
    the config:

    : Saved
    :
    ASA Version 8.0(4)
    !
    hostname ciscoasa
    domain-name networkcust.intra
    no names

    name 192.168.20.1 netfl-asafw1
    name 192.168.38.1 inside-asafw1
    name 192.168.38.10 inside-lsrv1
    name 192.168.38.11 inside-lsrv1-console
    name 192.168.38.2 inside-switch1
    name 192.168.38.3 inside-switch2
    name 192.168.38.12 inside-voip-server
    name 192.168.2.0 wan-vpnfrm2-lan
    name 192.168.7.0 wan-vpnclients
    name 192.168.38.5 inside-p1-laser
    name 192.168.38.6 inside-p2
    name 192.168.38.7 inside-p3
    name 192.168.20.5 netfl-p1-laser
    name 192.168.20.6 netfl-p2
    name 192.168.9.10 dmz-nas-dm
    name 192.168.9.1 dmz-asafw1
    name 21.7.1.218 wan-asa1
    name 21.7.1.217 wan-gw1
    name 21.7.1.219 wan-nas1
    name 192.168.9.219 dmz-nas1
    name 192.168.1.0 wan-vpn-bs
    !
    interface Ethernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 21.7.1.218 255.255.255.248
    !
    interface Ethernet0/1
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.38.1 255.255.255.0
    !
    interface Ethernet0/1.20
    vlan 20
    nameif netfl
    security-level 20
    ip address 192.168.20.1 255.255.255.0
    !
    interface Ethernet0/2
    speed 100
    duplex full
    nameif dmz
    security-level 10
    ip address 192.168.9.1 255.255.255.0
    !
    ftp mode passive

    dns server-group DefaultDNS
    domain-name networkcust.intra
    object-group network inside-printer
    network-object host 192.168.38.5
    network-object host 192.168.38.6
    object-group network netfl2inside-Printer
    network-object host 192.168.20.5
    network-object host 192.168.20.6
    object-group service Printer tcp
    port-object eq 9100
    port-object eq lpd
    object-group service dmz-nas1
    service-object tcp eq ftp-data
    service-object tcp eq ftp
    service-object tcp eq https
    service-object tcp eq www
    service-object icmp

    access-list outside_access_in extended permit object-group dmz-nas1
    any host 21.7.1.219
    access-list inside_nat0_outbound extended permit ip 192.168.38.0
    255.255.255.0 192.168.7.0 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 192.168.38.0
    255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.38.0
    255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 192.168.38.0
    255.255.255.0 192.168.2.0 255.255.255.0
    access-list netfl_access_in extended permit tcp any object-group
    netfl2inside-Printer object-group Printer
    access-list netfl_access_in extended deny ip any object-group
    netfl2inside-Printer
    access-list netfl_access_in extended permit ip any any
    access-list splitTnlTT standard permit 192.168.38.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.38.0
    255.255.255.0 192.168.1.0 255.255.255.0
    access-list dmz_access_in extended permit ip any any
    access-list dmz_access_in extended permit icmp any any

    ip local pool dhcpVPNClientPool 192.168.7.10-192.168.7.30
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip verify reverse-path interface dmz

    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    icmp permit any dmz

    no asdm history enable
    nat-control

    global (outside) 1 interface
    global (dmz) 1 interface

    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (netfl) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 0.0.0.0 0.0.0.0

    static (inside,netfl) 192.168.20.5 192.168.38.5 netmask
    255.255.255.255
    static (inside,netfl) 192.168.20.6 192.168.38.6 netmask
    255.255.255.255
    static (dmz,outside) 21.7.1.219 192.168.9.219 netmask 255.255.255.255

    access-group netfl_access_in in interface netfl
    access-group dmz_access_in in interface dmz

    route outside 0.0.0.0 0.0.0.0 21.7.1.217 1
    dynamic-access-policy-record DfltAccessPolicy

    sysopt nodnsalias inbound
    sysopt nodnsalias outbound
    sysopt noproxyarp outside

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 20 set security-association
    lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 20 set security-association
    lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 12.5.21.114
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 1 set security-association lifetime seconds
    28800
    crypto map outside_map 1 set security-association lifetime kilobytes
    4608000
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set peer 21.7.1.186
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 set security-association lifetime seconds
    28800
    crypto map outside_map 20 set security-association lifetime kilobytes
    4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 3600
    no crypto isakmp nat-traversal

    dhcprelay server 192.168.38.10 inside
    dhcprelay enable netfl
    dhcprelay timeout 60

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept

    group-policy tnlGrpTT internal
    group-policy tnlGrpTT attributes
    dns-server value 192.168.38.10
    vpn-tunnel-protocol IPSec
    password-storage enable
    group-lock value tnlGrpTT
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value splitTnlTT
    default-domain value networkcust.intra
    address-pools value dhcpVPNClientPool

    username vpnUsr1 password 123123123123 privilege 0
    username vpnUsr1 attributes
    vpn-group-policy tnlGrpTT
    service-type remote-access

    tunnel-group tnlGrpTT type remote-access
    tunnel-group tnlGrpTT general-attributes
    address-pool dhcpVPNClientPool
    default-group-policy tnlGrpTT

    tunnel-group tnlGrpTT ipsec-attributes
    pre-shared-key *

    tunnel-group 21.7.1.186 type ipsec-l2l
    tunnel-group 21.7.1.186 ipsec-attributes
    pre-shared-key *

    tunnel-group 12.5.21.114 type ipsec-l2l
    tunnel-group 12.5.21.114 ipsec-attributes
    pre-shared-key *

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect pptp
    !
    service-policy global_policy global

    I can ping from the inside net the NAS with 192.168.9.219.

    Can anybody give me a tip on what little thing I forgot?

    Thank you.

    ivo
     
    , Jun 4, 2009
    #1

  2. wrote:
    > Hi Group
    >
    > I can't see the solution in the forest.
    >
    > There are some networks on an ASA:
    > - Outside
    > - Inside
    > - Netfl
    > - DMZ
    >
    > In the DMZ there is a little NAS box for WWW and FTP downloads. I just want to
    > map the outside address 21.7.1.219 to the DMZ address 192.168.9.219,
    > but it doesn't work. I can't ping, FTP or WWW from outside. Here is
    > the config:
    >

    [skip]
    > name 21.7.1.218 wan-asa1
    > name 21.7.1.217 wan-gw1
    > name 21.7.1.219 wan-nas1
    > name 192.168.9.219 dmz-nas1
    > name 192.168.1.0 wan-vpn-bs

    [skip]
    > object-group service dmz-nas1
    > service-object tcp eq ftp-data
    > service-object tcp eq ftp
    > service-object tcp eq https
    > service-object tcp eq www
    > service-object icmp
    >
    > access-list outside_access_in extended permit object-group dmz-nas1
    > any host 21.7.1.219

    [skip]
    > static (dmz,outside) 21.7.1.219 192.168.9.219 netmask 255.255.255.255
    >
    > access-group netfl_access_in in interface netfl
    > access-group dmz_access_in in interface dmz

    [skip]
    > I can ping from the inside net the NAS with 192.168.9.219.
    >
    > Can anybody give me a tip on what little thing I forgot?


    First of all, there is no "access-group outside_access_in in interface
    outside" command.
    Second - I believe "access-list outside_access_in extended permit
    object-group dmz-nas1 any host 21.7.1.219" wouldn't do what you think it
    will. Post output of "show access-list outside_access_in", please.

    Regards,
    Andrey.
     
    Andrey Tarasov, Jun 4, 2009
    #2
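    A small audit script, added here as an example and not part of the thread, that checks an ASA 8.x config for exactly the gap Andrey points out: a static whose mapped address has no inbound ACL bound on the mapped interface. It assumes the simplified line formats shown in the posted config and resolves only "network-object host" members of object-groups.

```python
from collections import defaultdict
# Constructed sample: the relevant lines of the posted config.  As posted, there
# is no 'access-group outside_access_in in interface outside' line.
SAMPLE_CONFIG = """
object-group network netfl2inside-Printer
network-object host 192.168.20.5
access-list outside_access_in extended permit object-group dmz-nas1 any host 21.7.1.219
access-list netfl_access_in extended permit tcp any object-group netfl2inside-Printer object-group Printer
static (inside,netfl) 192.168.20.5 192.168.38.5 netmask 255.255.255.255
static (dmz,outside) 21.7.1.219 192.168.9.219 netmask 255.255.255.255
access-group netfl_access_in in interface netfl
access-group dmz_access_in in interface dmz
"""
def parse(text):
    # Simplified ASA 8.x line parser (assumed formats, as seen in the post).
    groups, acls, bound, statics, cur = defaultdict(set), defaultdict(list), {}, [], None
    for line in text.splitlines():
        t = line.split()
        if not t: continue
        if t[:2] == ["object-group", "network"]:
            cur = t[2]
        elif t[:2] == ["network-object", "host"]:
            groups[cur].add(t[2])
        elif t[0] == "access-list" and t[2] == "extended":
            acls[t[1]].append((t[3], t[4:]))    # (permit|deny, rule tokens)
        elif t[0] == "access-group":
            bound[t[4]] = t[1]                  # interface -> ACL applied inbound
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            statics.append((real_if, mapped_if, t[2]))   # t[2] = mapped address
    return groups, acls, bound, statics

def mentions(tokens, ip, groups):
    # True if the rule names ip directly or via a network object-group.
    return any(tok == ip or (tok == "object-group" and ip in groups.get(nxt, ()))
               for tok, nxt in zip(tokens, tokens[1:] + [""]))

def audit(text):
    # Assumes each static maps into a lower-security interface (true for every
    # static in the post); that side then needs an inbound ACL permitting the
    # mapped address, otherwise the ASA silently drops the traffic.
    groups, acls, bound, statics = parse(text)
    findings = []
    for real_if, mapped_if, mapped_ip in statics:
        acl = bound.get(mapped_if)
        if acl is None:
            findings.append(f"{mapped_ip} ({real_if}->{mapped_if}): no access-group on {mapped_if}")
        elif not any(v == "permit" and mentions(r, mapped_ip, groups) for v, r in acls[acl]):
            findings.append(f"{mapped_ip} ({real_if}->{mapped_if}): {acl} has no permit for it")
    return findings
```

    Running audit on the sample reports the outside static; appending the missing access-group line to the sample clears the finding.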

  3. Guest

    Thank you for the response. Sure, the "access-list outside_access_in
    extended permit object-group dmz-nas1 any host 21.7.1.219" must be
    there; I forgot it in the copy/paste to the post, but all the others are
    there. Here is the output from the show command:

    ciscoasa(config)# show access-list outside_access_in
    access-list outside_access_in; 5 elements
    access-list outside_access_in line 1 extended permit object-group dmz-
    nas1 any host 21.7.1.219
    access-list outside_access_in line 1 extended permit tcp any host
    21.7.1.219 eq ftp-data (hitcnt=0)
    access-list outside_access_in line 1 extended permit tcp any host
    21.7.1.219 eq ftp (hitcnt=0)
    access-list outside_access_in line 1 extended permit tcp any host
    21.7.1.219 eq https (hitcnt=0)
    access-list outside_access_in line 1 extended permit tcp any host
    21.7.1.219 eq www (hitcnt=0)
    access-list outside_access_in line 1 extended permit icmp any host
    21.7.1.219 (hitcnt=0)
    ciscoasa(config)#

    Thank you
    ivo

     
    , Jun 4, 2009
    #3
  4. Guest

    Interesting is also that I don't see any tries in the syslog (debug
    level)...
     
    , Jun 4, 2009
    #4