09-12-2012 02:58 PM - edited 03-11-2019 04:53 PM
Hi guys,
It's been a while since I've worked on an ASA, and never on 8.4.
I've set up the ASA so I can access (from my office) some devices behind the inside interface (at the DC). This works fine, so NAT is working fine and the ACLs are OK as well. The problem I'm having is trying to access a server on SSH from the same office but behind the DMZ interface. I really am finding it hard with these NAT statements. My config is below and any help would be appreciated.
ASA Version 8.4(3)
!
hostname FW
domain-name xx.local
names
!
interface Ethernet0/0
switchport access vlan 200
!
interface Ethernet0/1
switchport access vlan 100
!
interface Ethernet0/2
description OOBSW:F0/7
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif OOBDMZ
security-level 50
ip address 172.17.2.125 255.255.255.128
!
interface Vlan100
description INSIDE INT
nameif inside
security-level 100
ip address 172.18.1.253 255.255.255.0
!
interface Vlan200
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.x
!
ftp mode passive
clock timezone GMT 1
dns server-group DefaultDNS
domain-name xx.local
object network OOBTS1
host 172.18.1.250
object network OOBTS2
host 172.18.1.251
object network OFFICE
host x.x.x.141
object network MNGMNTSRVR
host 172.17.2.73
object network MNGMNTSRVRPUBLIC
host x.x.x.x.x
object-group network SUPPLIERSIP
description SUPP IP's
network-object host 3.3.3.3
network-object host 2.2.2.2
network-object host 1.1.1.1
access-list outside_in extended permit tcp object OFFICE host 172.18.1.250 eq 2001
access-list outside_in extended permit tcp object OFFICE host 172.18.1.250 eq telnet
access-list outside_in extended permit tcp host x.x.x.x host 172.17.2.73 eq ssh
access-list outside_in extended deny ip any any
access-list dmz_in extended permit ip object MNGMNTSRVR object OFFICE
pager lines 24
logging enable
logging timestamp
logging buffer-size 91218
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu OOBDMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (OOBDMZ,outside) source dynamic MNGMNTSRVR MNGMNTSRVRPUBLIC destination static OFFICE OFFICE
!
object network OOBTS1
nat (inside,outside) static x.x.x.60
object network OOBTS2
nat (inside,outside) static x.x.x.61
object network MNGMNTSRVR
nat (OOBDMZ,outside) static x.x.x.56
access-group outside_in in interface outside
access-group dmz_in in interface OOBDMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh OFFICE 255.255.255.255 outside
ssh 172.18.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
password encryption aes
Cryptochecksum:7434b79b1af3df10cd9b3bfaa22ae40d
: end
FW#
thanks
Sol
09-12-2012 03:02 PM
Hello,
I would say this is the NAT in play:
object network MNGMNTSRVR
nat (OOBDMZ,outside) static x.x.x.56
object network MNGMNTSRVR
host 172.17.2.73
That host IP address is not on the OOBDMZ subnet, as the DMZ is on the 172.18.1.0/24 subnet.
Also remember to add the ACL to allow the traffic to the right server.
Any other question... let me know. Just remember to rate all of my answers.
Julio
09-12-2012 03:21 PM
Julio
Thanks for the reply, but I'm lost.
You say "That host ip address is not on the OOBDMZ subnet as the DMZ is on the 172.18.1.0/24 subnet." but as far as I can see the DMZ interface is Vlan 1 and the IP is 172.17.2.125/25.
Would you mind elaborating on your point?
Much appreciated.
Regards
Sol
09-12-2012 03:27 PM
Hello.
Got confused (too much work).
interface Vlan1
nameif OOBDMZ
security-level 50
ip address 172.17.2.125 255.255.255.128
NAT that involves that interface:
object network MNGMNTSRVR
nat (OOBDMZ,outside) static x.x.x.56
object network MNGMNTSRVR
host 172.17.2.73
Do the following:
packet-tracer input outside tcp 4.2.2.2 1025 x.x.x.56 21
Any other question... let me know. Just remember to rate all of my answers.
09-12-2012 03:32 PM
Julio
In my ACL the following line:
access-list outside_in extended permit tcp host x.x.x.x host 172.17.2.73 eq ssh
where x.x.x.x is the IP of my office. Should this not allow me to connect on port 22 to the remote host?
I appreciate your time and help on this.
09-12-2012 03:36 PM
The ACL is okay.
Run the packet tracer and let me know the output.
packet-tracer input outside tcp 4.2.2.2 1025 x.x.x.56 22
Rate all the answers that help; for the community that is as important as a thanks.
09-12-2012 03:48 PM
Julio
I can see this in the log which is baffling:
Inbound TCP connection denied from officeIP/35040 to x.x.x.56/22 flags SYN on interface outside
Although the ACL is OK, I also added the following line in the ACL just to make sure, but I can't see the hit counter increase:
access-list outside_in line 10 extended permit tcp host officeip host x.x.x.56 eq ssh (hitcnt=0)
Ran packet-tracer as follows:
packet-tracer input outside tcp officeip 1025 x.x.x.56 22
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.156.0 255.255.255.192 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
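One way to turn that denial log line into the ACL entry worth checking, as an added Python example that is not from the thread: on ASA 8.3 and later the syslog reports the mapped (public) address of the server, while access-list entries are matched against the real address after un-NAT, which is why a rule keyed on x.x.x.56 shows hitcnt=0. The 203.0.113.x addresses are constructed placeholders for the masked x.x.x.x values in the config.

```python
import re

# Constructed config fragments in the shape of the thread's ASA 8.4 config;
# 203.0.113.x stands in for the masked public addresses.
CONFIG = """
object network OOBTS1
 host 172.18.1.250
object network MNGMNTSRVR
 host 172.17.2.73
object network OOBTS1
 nat (inside,outside) static 203.0.113.60
object network MNGMNTSRVR
 nat (OOBDMZ,outside) static 203.0.113.56
"""

# Constructed syslog line in the shape quoted in the thread (%ASA-2-106001).
LOG = ("Inbound TCP connection denied from 203.0.113.141/35040 "
       "to 203.0.113.56/22 flags SYN on interface outside")


def static_nat_table(config):
    """Return {mapped_ip: (real_ip, real_interface)} from object NAT static rules."""
    hosts, table, current = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            current = line.split()[-1]
        elif line.startswith("host ") and current:
            hosts[current] = line.split()[1]
        else:
            m = re.match(r"nat \((\w+),(\w+)\) static (\S+)", line)
            if m and current:
                table[m.group(3)] = (hosts.get(current), m.group(1))
    return table


def parse_denial(log):
    """Pull source, destination (mapped), port and ingress interface from the log line."""
    m = re.search(r"denied from (\S+)/(\d+) to (\S+)/(\d+) .* on interface (\w+)", log)
    return {"src": m.group(1), "dst": m.group(3),
            "dport": int(m.group(4)), "iface": m.group(5)}


def acl_to_verify(log, config):
    """Rewrite the logged mapped destination to the real host the ACL must reference."""
    evt = parse_denial(log)
    real, real_iface = static_nat_table(config).get(evt["dst"], (None, None))
    if real is None:
        return None  # no static NAT matched: the un-NAT step itself needs checking
    acl = (f"access-list {evt['iface']}_in extended permit tcp "
           f"host {evt['src']} host {real} eq {evt['dport']}")
    return acl, real_iface
```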
09-12-2012 04:05 PM
Hello,
Add the following:
access-list outside_in extended permit tcp any host 172.17.2.73 eq ssh
Regards,
Julio
09-12-2012 04:15 PM
Julio
That entry is already there:
access-list outside_in extended permit tcp host officeip host 172.17.2.73 eq ssh
Do I really need this statement:
nat (OOBDMZ,outside) source dynamic MNGMNTSRVR MNGMNTSRVRPUBLIC destination static OFFICE OFFICE
thanks
09-12-2012 08:40 PM
Hello Sol,
I would not think you need that.
Please remove it.
no nat (OOBDMZ,outside) source dynamic MNGMNTSRVR MNGMNTSRVRPUBLIC destination static OFFICE OFFICE