cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1543
Views
10
Helpful
24
Replies

DMZ to other DMZ cannot discuss

o.fulbert
Level 1
Level 1

Hi,

     I try to find a solution but got some problem ...

     I got Two DMZ, one name "Dmz" and other "service" I can have the same security level but not a problem. I want that traffic from Dmz to service works in some TCP port to some IP and from service to Dmz same.

     I v do access-list in interface service but when I apply it, the traffic outbound doesn't works.

     Some one have idea ? I dont want to user NAT for traffic for traffic to/from Dmz inside and service.

ASA Version 8.2(1)

!

hostname ASA5510

domain-name xxxx.com

enable password xxxx

passwd xxxxxx

names

!

interface Ethernet0/0

description Connection to Fiber Internet / Public IP

speed 100

duplex full

nameif outside

security-level 0

ip address xx.xx.xx.xx 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.100.254 255.255.255.0

!

interface Ethernet0/2

description Connection DMZ;

nameif Dmz  

security-level 50

ip address 172.16.254.254 255.255.255.0

!

interface Ethernet0/3

nameif service

security-level 50

ip address 172.30.20.254 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name ocea.net

object-group network DM_INLINE_NETWORK_1

network-object 192.168.100.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object 172.16.254.0 255.255.255.0

network-object 192.168.100.0 255.255.255.0

object-group network DM_INLINE_NETWORK_3

network-object 172.16.254.0 255.255.255.0

network-object 192.168.100.0 255.255.255.0

object-group network DM_INLINE_NETWORK_4

network-object 192.168.100.0 255.255.255.0

network-object 172.30.20.0 255.255.255.0

object-group network DM_INLINE_NETWORK_5

network-object 172.30.20.0 255.255.255.0

network-object 192.168.100.0 255.255.255.0

access-list Enter extended permit tcp any host xx.xx.xx.201 eq 3389

access-list Enter extended permit tcp any host xx.xx.xx.202 eq 3389

access-list Enter extended permit tcp any host xx.xx.xx.203 eq 8080

access-list Enter extended permit tcp any host xx.xx.xx.203 eq ftp

access-list Enter extended permit tcp any host xx.xx.xx.203 eq gopher

access-list Enter extended permit tcp any host xx.xx.xx.203 eq 63

access-list Enter extended permit tcp any host xx.xx.xx.203 eq 11438

access-list Enter extended permit tcp any host xx.xx.xx.203 eq https

access-list Enter extended permit tcp any host xx.xx.xx.203 eq www

access-list Enter extended permit tcp any host xx.xx.xx.203 eq pop3

access-list Enter extended permit tcp any host xx.xx.xx.203 eq smtp

access-list Enter extended permit tcp any host xx.xx.xx.210 eq https

access-list Enter extended permit tcp any host xx.xx.xx.210 eq www

access-list Enter extended permit tcp any host xx.xx.xx.211 eq https

access-list Enter extended permit tcp any host xx.xx.xx.211 eq www

access-list Enter extended permit tcp any host xx.xx.xx.202 eq ftp

access-list Enter extended permit tcp any host xx.xx.xx.231 eq 27000

access-list Enter extended permit tcp any host xx.xx.xx.231 eq 28001

access-list Enter extended permit tcp any host xx.xx.xx.232 eq 2800

access-list Enter extended permit icmp any any echo-reply

access-list Enter extended permit icmp any any source-quench

access-list Enter extended permit icmp any any unreachable

access-list Enter extended permit icmp any any time-exceeded

access-list Enter extended permit tcp any host xx.xx.xx.231 eq https

access-list Enter extended permit tcp any host xx.xx.xx.204 eq 8080

access-list Enter extended permit tcp any host xx.xx.xx.204 eq ftp

access-list Enter extended permit tcp any host xx.xx.xx.204 eq gopher

access-list Enter extended permit tcp any host xx.xx.xx.204 eq 63

access-list Enter extended permit tcp any host xx.xx.xx.204 eq 11438

access-list Enter extended permit tcp any host xx.xx.xx.204 eq https

access-list Enter extended permit tcp any host xx.xx.xx.204 eq www

access-list Enter extended permit tcp any host xx.xx.xx.204 eq pop3

access-list Enter extended permit tcp any host xx.xx.xx.204 eq smtp

access-list Enter extended permit tcp any host xx.xx.xx.232 eq 27000

access-list Enter extended permit tcp any host xx.xx.xx.233 eq 27000

access-list Enter extended permit tcp any host xx.xx.xx.234 eq 27000

access-list Enter extended permit tcp any host xx.xx.xx.235 eq 27000

access-list Enter extended permit tcp any host xx.xx.xx.232 eq 29000

access-list Enter extended permit tcp any host xx.xx.xx.233 eq 29000

access-list Enter extended permit tcp any host xx.xx.xx.234 eq 29000

access-list Enter extended permit tcp any host xx.xx.xx.235 eq 29000

access-list Enter extended permit tcp any host xx.xx.xx.231 eq 29000

access-list ocea-groupe_splitTunnelAcl standard permit 172.16.254.0 255.255.255.0

access-list ocea-groupe_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0

access-list ocea-groupe_splitTunnelAcl standard permit 172.30.20.0 255.255.255.0

access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_1 10.254.254.0 255.255.255.192

access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_2 192.1.1.0 255.255.255.0

access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_3 192.168.105.0 255.255.255.0

access-list inside-nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0

access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 10.254.254.0 255.255.255.192

access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 10.253.253.0 255.255.255.192

access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.168.182.0 255.255.255.0

access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.1.1.0 255.255.255.0

access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.168.105.0 255.255.255.0

access-list dmz-groupe_splitTunnelAcl standard permit 172.16.254.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 192.1.1.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 192.168.105.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 172.16.254.0 255.255.255.0 192.168.182.0 255.255.255.0

access-list Enter-DMZ extended permit icmp any any echo-reply

access-list Enter-DMZ extended permit icmp any any source-quench

access-list Enter-DMZ extended permit icmp any any unreachable

access-list Enter-DMZ extended permit icmp any any time-exceeded

access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0

access-list outside_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 192.168.99.0 255.255.255.0

access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 10.254.254.0 255.255.255.192

access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 10.253.253.0 255.255.255.192

access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 192.168.99.0 255.255.255.0

access-list UMCPG-CRYPTOMAP extended permit ip object-group DM_INLINE_NETWORK_5 192.168.99.0 255.255.255.0

access-list UMCPG-CRYPTOMAP extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0

ip local pool pool1remoteuser 10.254.254.1-10.254.254.50 mask 255.255.255.0

ip local pool pool2remoteuser 10.253.253.1-10.253.253.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 2 xx.xx.xx.254

global (outside) 1 xx.xx.xx.253

nat (inside) 0 access-list inside-nat0

nat (inside) 1 192.168.100.0 255.255.255.0

nat (Dmz) 0 access-list dmz-nat0

nat (Dmz) 2 172.16.254.0 255.255.255.0

nat (service) 0 access-list service-nat0

nat (service) 2 172.30.20.0 255.255.255.0

static (inside,Dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (Dmz,outside) xx.xx.xx.201 172.16.254.1 netmask 255.255.255.255

static (Dmz,outside) xx.xx.xx.xx 172.16.254.2 netmask 255.255.255.255

static (inside,outside) xx.xx.xx.210 192.168.100.200 netmask 255.255.255.255

static (inside,outside) xx.xx.xx.211 192.168.100.201 netmask 255.255.255.255

static (inside,service) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (service,outside) xx.xx.xx.232 172.30.20.2 netmask 255.255.255.255

static (service,outside) xx.xx.xx.231 172.30.20.1 netmask 255.255.255.255

static (service,outside) xx.xx.xx.233 172.30.20.3 netmask 255.255.255.255

static (service,outside) xx.xx.xx.234 172.30.20.4 netmask 255.255.255.255

static (service,outside) xx.xx.xx.235 172.30.20.5 netmask 255.255.255.255

static (inside,outside) xx.xx.xx.203 192.168.100.45 netmask 255.255.255.255

static (Dmz,outside) xx.xx.xx.204 172.16.254.246 netmask 255.255.255.255

static (Dmz,service) 172.16.254.0 172.16.254.0 netmask 255.255.255.0

access-group Enter in interface outside

access-group service-Enter in interface service

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.193 1

1 Accepted Solution

Accepted Solutions

No, there is no restriction for multiple VPN lan-to-lan.

Is this a new tunnel, or part of the existing VPN tunnel?

Looks like the destination 192.168.99.0/24 is part of ACL "UMCPG-CRYPTOMAP".

If it is, then you would need to add it to this ACL. Also, you would have to configure the remote end to also have your subnet included in their crypto ACL and NAT exemption.

View solution in original post

24 Replies 24

Jennifer Halim
Cisco Employee
Cisco Employee

You would also need to configure:

same-security-traffic permit inter-interface

I ve apply this but not works

Can you pls advise what exactly you are testing with?

source IP, destination IP and protocol and ports would be a good start.

Also try with packet tracer to see if that works fine.

Assuming that without access-list applied to the service interface, the traffic flow is OK?

I try to ping or access http  from 172.16.254.1 to 172.30.20.1. after I need to access from 172.30.20.1 to 172.16.254.1 to tcp port 26001.

When I get out access-list service, I just can have access to outside webserver and inside to service. But cannot have service to inside ping and have access to specify port.

Thanks. Can you pls share the whole config.

For ping, do you have "inspect icmp" under the global policy-map?

I assume that both hosts have default gateway configured to be the respective ASA interfaces, right?

Also, the host only have 1 NIC?

Lastly, is there any firewall on the host that might prevent inbound access from different subnet?

Yes One Gw on all host. No Fw between and 1 nic.

Yes for inspect icmp on global policy

Fw on the host itself i mean. What OS is the host?

No Firewall. Just Windows 2003 Srv.

Sorry, just want to be sure, what about the default Windows Firewall?

Also, have you tried packet tracer on the ASA to simulate your traffic and see if it passes through OK.

I ve re check. Fw is disable on two host.

I discover this command !

ASA5510# packet-tracer input service tcp 172.30.20.1 www 172.16.254.1$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd9194760, priority=1, domain=permit, deny=false

        hits=109622866, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (Dmz,service) 172.16.254.0 172.16.254.0 netmask 255.255.255.0

  match ip Dmz 172.16.254.0 255.255.255.0 service any

    static translation to 172.16.254.0

    translate_hits = 21, untranslate_hits = 68

Additional Information:

NAT divert to egress interface Dmz

Untranslate 172.16.254.0/0 to 172.16.254.0/0 using netmask 255.255.255.0

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group service-Enter in interface service

access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd9b21ba0, priority=12, domain=permit, deny=false

        hits=0, user_data=0xd67d6800, cs_id=0x0, flags=0x0, protocol=0

        src ip=172.30.20.0, mask=255.255.255.0, port=0

        dst ip=172.16.254.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 5     

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd9010368, priority=0, domain=permit-ip-option, deny=true

        hits=100675, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (service,outside) xx.xx.xx.xx 172.30.20.1 netmask 255.255.255.255

  match ip service host 172.30.20.1 outside any

    static translation to xx.xx.xx.xx

    translate_hits = 1554, untranslate_hits = 24401

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd9a1a430, priority=5, domain=host, deny=false

        hits=115779, user_data=0xd7ad1318, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=172.30.20.1, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: NAT

Subtype:

Result: DROP

Config:

nat (service) 2 172.30.20.0 255.255.255.0

  match ip service 172.30.20.0 255.255.255.0 Dmz any

    dynamic translation to pool 2 (No matching global)

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd9b21568, priority=1, domain=nat, deny=false

        hits=0, user_data=0xd9b214a8, cs_id=0x0, flags=0x0, protocol=0

        src ip=172.30.20.0, mask=255.255.255.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: service

input-status: up

input-line-status: up

output-interface: Dmz

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ASA5510#  

Have you "clear xlate" after the static NAT configuration?

Can you please issue "clear xlate" and test again.

I v do now but cannot arrive to ping from 172.16.254.1 to 172.30.20.1

Does it work the other way round?

Can you ping from 172.30.20.1 to 172.16.254.1?

Can you try to ping other hosts?

Doesn t works. I ve try with my own laptop.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: