09-20-2019 07:57 AM
Hello,
I am trying to set up a DMZ on an ASA 5506. At the moment we have 3 interfaces active on the ASA, which are:
gi1/1 outside
gi1/2 inside
gi1/3 Voice
Voice has an internal IP with a PAT on the outside interface to a public IP address from our range.
Now I want to set up the DMZ on gi1/4, also with a PAT on the outside interface to a public IP address.
I have set up the interface with an internal IP address and connected a test PC to that interface with an IP address in the same range and the gi1/4 interface on the ASA as gateway. That should at least give me internet access, but that is not the case. I have followed a lot of configuration examples found on the internet with Google, but all have failed to give me even internet access.
Hope you guys can help me out.
09-23-2019 07:04 AM - edited 09-23-2019 07:21 AM
Hello Keith,
Yes Access-group is configured:
fw01# sh run access-group
access-group ACL-outside in interface outside
access-group ACL-inside in interface inside
access-group ACL-voice in interface Voice
access-group ACL-dmz in interface Dmz
fw01#
09-23-2019 10:00 PM
Although I have not looked at your updated configuration, the first configuration you posted was fine, as we were able to run the packet tracer successfully.
I clearly told you that you need to solve the problem at Layer 1 / Layer 2, as your DMZ host is not able to reach the DMZ interface on the ASA. Just think about this: how could the ASA do anything with the packet without receiving it?
With all due respect, to clarify some points discussed here.
By default, the ASA will allow all communication (TCP/UDP) from a high security level (in your case DMZ with security level 20) going out to a low security level (in your case OUTSIDE with security level 0). So there is no access-list or access-group configuration required.
You already had a NAT statement. This is a manual NAT statement:
nat (DMZ,outside) source dynamic any OBJ-NET-188.202.95.227
So you don't need the auto NAT configuration:
object network DMZ
 subnet 192.168.17.0 255.255.255.0
 nat (dmz,outside) dynamic interface
Now back to your issue.
I would urge you to not change any ASA configuration other than DMZ interface level configuration to establish layer 1, layer 2 connectivity to ASA. Our first target should be to establish communication between DMZ host and DMZ interface on ASA.
HTH
### RATE ALL HELPFUL RESPONSES ###
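The following is an added example, not the poster's running configuration and not from the reply above: a minimal DMZ interface on an ASA with the manual (twice) NAT form the thread already uses. The interface IP 192.168.17.1, the host entry for OBJ-NET-188.202.95.227, and every ACL-dmz entry are assumptions. One caveat the reply does not spell out: the higher-to-lower implicit permit only applies while no access-group is bound to the interface. The earlier "sh run access-group" output shows ACL-dmz already applied inbound on Dmz, so from that point on ACL-dmz's implicit deny governs what the DMZ may initiate, and outbound traffic has to be permitted explicitly.

```cisco
! Added example (not the thread's config). Assumed values are marked.
! --- Layer 3 interface for the DMZ ---
interface GigabitEthernet1/4
 nameif Dmz
 security-level 20
 ip address 192.168.17.1 255.255.255.0   ! assumed gateway address for the DMZ host
 no shutdown
!
! --- Public PAT address (assumed to be a single host object) ---
object network OBJ-NET-188.202.95.227
 host 188.202.95.227
!
! --- Manual NAT: all DMZ sources are PATed behind the public address toward outside ---
! (the auto NAT "object network DMZ ... nat (dmz,outside) dynamic interface" is not needed)
nat (Dmz,outside) source dynamic any OBJ-NET-188.202.95.227
!
! --- Inbound policy on Dmz (what a DMZ host may initiate) ---
! Because access-group binds this ACL to Dmz, the default high-to-low permit is
! replaced by the ACL and its implicit deny. Keep the DMZ from reaching the
! inside network first, then permit only the outbound services it needs.
access-list ACL-dmz extended deny ip 192.168.17.0 255.255.255.0 INSIDE-NET INSIDE-MASK   ! placeholders: inside subnet is not on the page
access-list ACL-dmz extended permit udp 192.168.17.0 255.255.255.0 any eq domain
access-list ACL-dmz extended permit tcp 192.168.17.0 255.255.255.0 any eq www
access-list ACL-dmz extended permit tcp 192.168.17.0 255.255.255.0 any eq https
access-list ACL-dmz extended permit icmp 192.168.17.0 255.255.255.0 any echo   ! for connectivity tests only
access-group ACL-dmz in interface Dmz
!
! ICMP replies are only tracked statefully if icmp inspection is on
policy-map global_policy
 class inspection_default
  inspect icmp
```

Replace INSIDE-NET/INSIDE-MASK with the real inside subnet before applying. The deny line is listed first because the ASA evaluates an ACL top-down and stops at the first match; placing it after the permit lines would let DMZ hosts reach inside web and DNS servers through the "any" entries.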
09-24-2019 01:03 AM - edited 09-24-2019 01:05 AM
Thanks for the reply bhargavdesai,
I will remove the auto NAT statement.
About your questions:
- Yes, the ASA can ping the DMZ interface.
- Checked it with a server and a laptop connected directly to the interface; both give the same result.
- Yes, on the layer 3 switch I see a MAC entry for the server/laptop, but the ASA interface is not visible on the switch port or in the ARP table.
- Changed out the cables and set the speed/duplex from auto to 1000/full; still no result.
09-24-2019 03:35 AM
09-24-2019 04:32 AM
Hello bhargavdesai,
No at the moment the setup is DMZ HOST/LAPTOP >>> Cisco ASA DMZ Interface
I see light on the ASA interface and on the network card of the DMZ host
The interface on the ASA is showing up and the network Card on the DMZ host is showing connected
Host and ASA share the same network without a switch between them.
At the moment I am not on location but I will be tomorrow, if you could assist remotely that would be great.
09-24-2019 04:55 AM
09-25-2019 04:51 AM
Sorry guys at this moment I have to wait a while because I am sick at home at this moment. When I am better I will contact you again.
09-25-2019 05:09 AM
09-30-2019 05:01 AM
Okay, I have recovered from the flu. Now I looked at the configuration I have at this moment:
DMZ-Host >> Cisco L3 switch >> Cisco ASA
The host has a connection to the switch and Windows is also telling me it has internet access.
On the switch I only see a MAC address on the host interface and not on the ASA interface.
The ASA is not showing any ARP entry for the DMZ interface/network. So I looked at the L1 connections, checked all cables, and all are MDI and show up as connected. On the switch (which is a new SG250) I did a copper check to see if the cables are without any breaks, and all pairs show up green without errors.
So that is the situation at the moment: on the ASA, sh arp | i Dmz shows no entries and sh conn gives me only connections on the Voice and inside networks.
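An added example, not part of the post above, of how to confirm from the ASA side whether any frame from the DMZ host arrives at all, which is the Layer 1 / Layer 2 question the thread keeps coming back to. The interface name Dmz matches the access-group output earlier in the thread; the host address 192.168.17.10 and the outside test target 203.0.113.10 are assumptions.

```cisco
! Added example (not from the thread). Assumed: DMZ host 192.168.17.10,
! outside test target 203.0.113.10.

! 1. Physical and link state. Look for "line protocol is up", the negotiated
!    speed/duplex, and whether input errors, runts or CRC counters increase
!    while the host is generating traffic.
show interface GigabitEthernet1/4

! 2. Layer 2. Capture only ARP on the DMZ interface, then generate traffic
!    from the host (or ping it from the ASA). If "show capture" stays empty,
!    the host's ARP requests never reach the ASA and the fault is in the
!    cable, the switch port or the VLAN, not in NAT or access-list policy.
capture DMZARP interface Dmz ethernet-type arp
ping Dmz 192.168.17.10
show capture DMZARP
show arp | include Dmz
no capture DMZARP

! 3. Policy check, independent of the physical problem. packet-tracer walks
!    a synthetic flow through route lookup, ACL and NAT and reports the
!    phase that drops it, so it proves the policy is right even while the
!    host cannot be reached.
packet-tracer input Dmz tcp 192.168.17.10 40000 203.0.113.10 443 detailed
```

Run steps 1 and 2 with the host connected directly to GigabitEthernet1/4, as was done earlier in the thread, to take the switch out of the picture; an empty ARP capture in that setup points at the port or cable rather than at anything in the configuration.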
09-30-2019 06:09 AM
Noticed another thing on the ASA: Firepower was enabled by a previous admin. So I wired the management interface to the switch and now I see that this configuration is not in sync with the new configuration for the DMZ. The only problem is that I have no clue about configuring Firepower. Can we disable this?
I have this version of Firepower:
fw01# sh module sfr
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
sfr FirePOWER Services Software Module ASA5506 JAD220706WA
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
sfr 28ac.9e57.bcbd to 28ac.9e57.bcbd N/A N/A 5.4.1-211
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 5.4.1-211
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
sfr Up Up
fw01#
10-01-2019 01:40 AM
10-01-2019 02:13 AM
Here is the sh version output
fw01# sh version
Cisco Adaptive Security Appliance Software Version 9.6(4)8
Device Manager Version 7.9(2)152
Compiled on Wed 11-Apr-18 19:52 PDT by builders
System image file is "disk0:/asa964-8-lfbff-k8.SPA"
Config file at boot was "startup-config"
fw01 up 1 year 122 days
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
1: Ext: GigabitEthernet1/1 : address is 28ac.9e57.bcbf, irq 255
2: Ext: GigabitEthernet1/2 : address is 28ac.9e57.bcc0, irq 255
3: Ext: GigabitEthernet1/3 : address is 28ac.9e57.bcc1, irq 255
4: Ext: GigabitEthernet1/4 : address is 28ac.9e57.bcc2, irq 255
5: Ext: GigabitEthernet1/5 : address is 28ac.9e57.bcc3, irq 255
6: Ext: GigabitEthernet1/6 : address is 28ac.9e57.bcc4, irq 255
7: Ext: GigabitEthernet1/7 : address is 28ac.9e57.bcc5, irq 255
8: Ext: GigabitEthernet1/8 : address is 28ac.9e57.bcc6, irq 255
9: Int: Internal-Data1/1 : address is 28ac.9e57.bcbe, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is 28ac.9e57.bcbe, irq 0
14: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JAD220706WA
Running Permanent Activation Key: 0xb92af765 0xa8cd23fe 0xc05095d0 0xa0a88854 0x0a1c0f9d
Configuration register is 0x1
Image type : Release
Key Version : A
10-01-2019 02:45 AM
10-01-2019 03:19 AM
Tried another interface, but that interface stays down/down even after a no shut on the interface itself. I am now more and more considering that the ASA has a hardware malfunction.
10-01-2019 04:40 AM