ASA Basic setup and testing: Static Route/ACLs not working.

chrisbicm — Fri, 21 Feb 2020 08:58:52 GMT

This is my current setup. I have put a server on the Outside66 Interface and am trying to access a default IIS Website on a server on the DMZ. I am not sure why but it wont allow me to access it through the firewall. I have included my config as well as a show nat command (there are translations happening its just not going anywhere after the translation I think).

icm-xxxx(config)# show run

: Saved

ASA Version 7.0(4)

hostname icm-xxxxx

domain-name xxxxxxxx.com

enable password xxxxxxxxx encrypted

names

interface GigabitEthernet0/0

nameif Outside66

security-level 0

ip address 66.38.xxx.xxx 255.255.255.224 standby 66.38.xxx.xxx

interface GigabitEthernet0/1

nameif DMZ

security-level 100

ip address 10.10.x.x 255.255.255.0 standby 10.10.x.x

interface GigabitEthernet0/2

nameif Private

security-level 40

ip address 192.168.x.x 255.255.255.0

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

interface Management0/0

description Outside64 Interface

nameif Outside64

security-level 100

ip address 64.187.x.x 255.255.255.224 standby 64.187.x.x

passwd 16ZH0HY6cUga4at6 encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

access-list out extended permit tcp any host 66.38.x.x eq www

access-list out extended permit tcp any host 66.38.x.x

access-list out extended permit tcp host 66.38.x.x any

access-list out extended permit tcp host 66.38.x.x any eq www

access-list dmz extended permit tcp host 10.10.x.x any eq www

access-list dmz extended permit tcp host 10.10.x.x any

access-list dmz extended permit tcp 10.10.x.x 255.255.255.0 any eq domain

access-list dmz extended permit udp 10.10.x.x 255.255.255.0 any eq domain

access-list dmz extended permit tcp any host 10.10.x.x

access-list dmz extended permit tcp any host 10.10.x.x eq www

pager lines 24

logging enable

logging monitor debugging

logging asdm informational

mtu Outside66 1500

mtu Outside64 1500

mtu DMZ 1500

mtu Private 1500

failover

failover lan unit primary

failover lan interface FoInt GigabitEthernet0/3

failover replication http

failover link FoInt GigabitEthernet0/3

failover interface ip FoInt 192.168.x.x 255.255.255.0 standby 192.168.x.x

asdm image disk0:/asdm504.bin

no asdm history enable

arp timeout 14400

global (Outside66) 1 66.38.x.x

static (DMZ,Outside66) 66.38.x.x 10.10.x.x netmask 255.255.255.255

static (Outside66,DMZ) 10.10.x.x 66.38.x.x netmask 255.255.255.255

access-group out in interface Outside66

access-group dmz out interface DMZ

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

no snmp-server location

no snmp-server contact

telnet 192.x.x.x 255.255.255.0 Private

telnet timeout 30

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect http

inspect ils

inspect rsh

inspect rtsp

inspect sip

inspect skinny

inspect esmtp

inspect sqlnet

service-policy global_policy global

: end

icm-asa01(config)# show nat

NAT policies on Interface Outside66:

match ip Outside66 host 66.38.x.x DMZ any

static translation to 10.10.x.x

translate_hits = 12, untranslate_hits = 0

NAT policies on Interface DMZ:

match ip DMZ host 10.10.x.x Outside66 any

static translation to 66.38.x.x

translate_hits = 10, untranslate_hits = 0

I have no idea why I cant get from one end to the other?? I have actually tried from DMZ -> Outside66 and the other way around. I know the ACLs seem a little bit of over kill... I was just trying to make it work so I made the "opposite" of all the ones I already had... with no luck of course! Any help would be very appreciated

Thanks for your time,

Chris

Re: ASA Basic setup and testing: Static Route/ACLs not working.

imanl — Mon, 19 Jun 2006 18:06:32 GMT

Your config looks fine. Add a default route on the ASA and see what happens.

route outside 0.0.0.0 0.0.0.0 x.x.x.x

Re: ASA Basic setup and testing: Static Route/ACLs not working.

chrisbicm — Tue, 20 Jun 2006 11:02:34 GMT

Hello,

I have actually tried a few different default routes without any luck. Do you think that is my major problem?

topic ASA Basic setup and testing: Static Route/ACLs not working. in Network Security

ASA Basic setup and testing: Static Route/ACLs not working.

Re: ASA Basic setup and testing: Static Route/ACLs not working.

Re: ASA Basic setup and testing: Static Route/ACLs not working.