10-16-2012 03:11 AM - edited 03-11-2019 05:09 PM
Hi,
I am trying to find a solution but have run into a problem ...
I have two DMZs, one named "Dmz" and the other "service". They can have the same security level, that is not a problem. I want traffic from Dmz to service to work on some TCP ports to some IPs, and the same from service to Dmz.
I have put an access-list on the service interface, but when I apply it, the outbound traffic does not work.
Does anyone have an idea? I don't want to use NAT for traffic to/from Dmz, inside and service.
ASA Version 8.2(1)
!
hostname ASA5510
domain-name xxxx.com
enable password xxxx
passwd xxxxxx
names
!
interface Ethernet0/0
description Connection to Fiber Internet / Public IP
speed 100
duplex full
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/2
description Connection DMZ;
nameif Dmz
security-level 50
ip address 172.16.254.254 255.255.255.0
!
interface Ethernet0/3
nameif service
security-level 50
ip address 172.30.20.254 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name ocea.net
object-group network DM_INLINE_NETWORK_1
network-object 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 172.16.254.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 172.16.254.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 192.168.100.0 255.255.255.0
network-object 172.30.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 172.30.20.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
access-list Enter extended permit tcp any host xx.xx.xx.201 eq 3389
access-list Enter extended permit tcp any host xx.xx.xx.202 eq 3389
access-list Enter extended permit tcp any host xx.xx.xx.203 eq 8080
access-list Enter extended permit tcp any host xx.xx.xx.203 eq ftp
access-list Enter extended permit tcp any host xx.xx.xx.203 eq gopher
access-list Enter extended permit tcp any host xx.xx.xx.203 eq 63
access-list Enter extended permit tcp any host xx.xx.xx.203 eq 11438
access-list Enter extended permit tcp any host xx.xx.xx.203 eq https
access-list Enter extended permit tcp any host xx.xx.xx.203 eq www
access-list Enter extended permit tcp any host xx.xx.xx.203 eq pop3
access-list Enter extended permit tcp any host xx.xx.xx.203 eq smtp
access-list Enter extended permit tcp any host xx.xx.xx.210 eq https
access-list Enter extended permit tcp any host xx.xx.xx.210 eq www
access-list Enter extended permit tcp any host xx.xx.xx.211 eq https
access-list Enter extended permit tcp any host xx.xx.xx.211 eq www
access-list Enter extended permit tcp any host xx.xx.xx.202 eq ftp
access-list Enter extended permit tcp any host xx.xx.xx.231 eq 27000
access-list Enter extended permit tcp any host xx.xx.xx.231 eq 28001
access-list Enter extended permit tcp any host xx.xx.xx.232 eq 2800
access-list Enter extended permit icmp any any echo-reply
access-list Enter extended permit icmp any any source-quench
access-list Enter extended permit icmp any any unreachable
access-list Enter extended permit icmp any any time-exceeded
access-list Enter extended permit tcp any host xx.xx.xx.231 eq https
access-list Enter extended permit tcp any host xx.xx.xx.204 eq 8080
access-list Enter extended permit tcp any host xx.xx.xx.204 eq ftp
access-list Enter extended permit tcp any host xx.xx.xx.204 eq gopher
access-list Enter extended permit tcp any host xx.xx.xx.204 eq 63
access-list Enter extended permit tcp any host xx.xx.xx.204 eq 11438
access-list Enter extended permit tcp any host xx.xx.xx.204 eq https
access-list Enter extended permit tcp any host xx.xx.xx.204 eq www
access-list Enter extended permit tcp any host xx.xx.xx.204 eq pop3
access-list Enter extended permit tcp any host xx.xx.xx.204 eq smtp
access-list Enter extended permit tcp any host xx.xx.xx.232 eq 27000
access-list Enter extended permit tcp any host xx.xx.xx.233 eq 27000
access-list Enter extended permit tcp any host xx.xx.xx.234 eq 27000
access-list Enter extended permit tcp any host xx.xx.xx.235 eq 27000
access-list Enter extended permit tcp any host xx.xx.xx.232 eq 29000
access-list Enter extended permit tcp any host xx.xx.xx.233 eq 29000
access-list Enter extended permit tcp any host xx.xx.xx.234 eq 29000
access-list Enter extended permit tcp any host xx.xx.xx.235 eq 29000
access-list Enter extended permit tcp any host xx.xx.xx.231 eq 29000
access-list ocea-groupe_splitTunnelAcl standard permit 172.16.254.0 255.255.255.0
access-list ocea-groupe_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list ocea-groupe_splitTunnelAcl standard permit 172.30.20.0 255.255.255.0
access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_1 10.254.254.0 255.255.255.192
access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_2 192.1.1.0 255.255.255.0
access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_3 192.168.105.0 255.255.255.0
access-list inside-nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 10.254.254.0 255.255.255.192
access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 10.253.253.0 255.255.255.192
access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.168.182.0 255.255.255.0
access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list dmz-groupe_splitTunnelAcl standard permit 172.16.254.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 192.1.1.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 192.168.105.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.254.0 255.255.255.0 192.168.182.0 255.255.255.0
access-list Enter-DMZ extended permit icmp any any echo-reply
access-list Enter-DMZ extended permit icmp any any source-quench
access-list Enter-DMZ extended permit icmp any any unreachable
access-list Enter-DMZ extended permit icmp any any time-exceeded
access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 192.168.99.0 255.255.255.0
access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 10.254.254.0 255.255.255.192
access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 10.253.253.0 255.255.255.192
access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list UMCPG-CRYPTOMAP extended permit ip object-group DM_INLINE_NETWORK_5 192.168.99.0 255.255.255.0
access-list UMCPG-CRYPTOMAP extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
ip local pool pool1remoteuser 10.254.254.1-10.254.254.50 mask 255.255.255.0
ip local pool pool2remoteuser 10.253.253.1-10.253.253.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 2 xx.xx.xx.254
global (outside) 1 xx.xx.xx.253
nat (inside) 0 access-list inside-nat0
nat (inside) 1 192.168.100.0 255.255.255.0
nat (Dmz) 0 access-list dmz-nat0
nat (Dmz) 2 172.16.254.0 255.255.255.0
nat (service) 0 access-list service-nat0
nat (service) 2 172.30.20.0 255.255.255.0
static (inside,Dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Dmz,outside) xx.xx.xx.201 172.16.254.1 netmask 255.255.255.255
static (Dmz,outside) xx.xx.xx.xx 172.16.254.2 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.210 192.168.100.200 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.211 192.168.100.201 netmask 255.255.255.255
static (inside,service) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (service,outside) xx.xx.xx.232 172.30.20.2 netmask 255.255.255.255
static (service,outside) xx.xx.xx.231 172.30.20.1 netmask 255.255.255.255
static (service,outside) xx.xx.xx.233 172.30.20.3 netmask 255.255.255.255
static (service,outside) xx.xx.xx.234 172.30.20.4 netmask 255.255.255.255
static (service,outside) xx.xx.xx.235 172.30.20.5 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.203 192.168.100.45 netmask 255.255.255.255
static (Dmz,outside) xx.xx.xx.204 172.16.254.246 netmask 255.255.255.255
static (Dmz,service) 172.16.254.0 172.16.254.0 netmask 255.255.255.0
access-group Enter in interface outside
access-group service-Enter in interface service
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.193 1
10-18-2012 02:22 AM
No, there is no restriction for multiple VPN lan-to-lan.
Is this a new tunnel, or part of the existing VPN tunnel?
Looks like the destination 192.168.99.0/24 is part of ACL "UMCPG-CRYPTOMAP".
If it is, then you would need to add it to this ACL. Also, you would have to configure the remote end to also have your subnet included in their crypto ACL and NAT exemption.
10-16-2012 03:23 AM
You would also need to configure:
same-security-traffic permit inter-interface
10-16-2012 03:29 AM
I've applied this but it doesn't work.
10-16-2012 03:32 AM
Can you please advise what exactly you are testing with?
Source IP, destination IP, protocol and ports would be a good start.
Also try packet-tracer to see if that passes.
I assume that without the access-list applied to the service interface, the traffic flow is OK?
10-16-2012 03:39 AM
I am trying to ping or access HTTP from 172.16.254.1 to 172.30.20.1. After that I need access from 172.30.20.1 to 172.16.254.1 on TCP port 26001.
When I remove the access-list from service, I only have access to the outside web server and from inside to service. But I cannot ping from service to inside or get access to the specified port.
10-16-2012 03:42 AM
Thanks. Can you please share the whole config.
For ping, do you have "inspect icmp" under the global policy-map?
I assume that both hosts have their default gateway configured to be the respective ASA interface, right?
Also, does the host only have 1 NIC?
Lastly, is there any firewall on the host that might prevent inbound access from a different subnet?
10-16-2012 03:46 AM
Yes, one GW on all hosts. No FW in between, and 1 NIC.
Yes, inspect icmp is in the global policy.
10-16-2012 03:47 AM
I mean a FW on the host itself. What OS is the host?
10-16-2012 04:50 AM
No firewall. Just Windows 2003 Server.
10-16-2012 04:53 AM
Sorry, just want to be sure: what about the default Windows Firewall?
Also, have you tried packet-tracer on the ASA to simulate your traffic and see if it passes through OK?
10-16-2012 05:01 AM
I have re-checked. The FW is disabled on both hosts.
I discovered this command!
ASA5510# packet-tracer input service tcp 172.30.20.1 www 172.16.254.1$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd9194760, priority=1, domain=permit, deny=false
hits=109622866, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Dmz,service) 172.16.254.0 172.16.254.0 netmask 255.255.255.0
match ip Dmz 172.16.254.0 255.255.255.0 service any
static translation to 172.16.254.0
translate_hits = 21, untranslate_hits = 68
Additional Information:
NAT divert to egress interface Dmz
Untranslate 172.16.254.0/0 to 172.16.254.0/0 using netmask 255.255.255.0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group service-Enter in interface service
access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd9b21ba0, priority=12, domain=permit, deny=false
hits=0, user_data=0xd67d6800, cs_id=0x0, flags=0x0, protocol=0
src ip=172.30.20.0, mask=255.255.255.0, port=0
dst ip=172.16.254.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd9010368, priority=0, domain=permit-ip-option, deny=true
hits=100675, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (service,outside) xx.xx.xx.xx 172.30.20.1 netmask 255.255.255.255
match ip service host 172.30.20.1 outside any
static translation to xx.xx.xx.xx
translate_hits = 1554, untranslate_hits = 24401
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd9a1a430, priority=5, domain=host, deny=false
hits=115779, user_data=0xd7ad1318, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.30.20.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (service) 2 172.30.20.0 255.255.255.0
match ip service 172.30.20.0 255.255.255.0 Dmz any
dynamic translation to pool 2 (No matching global)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd9b21568, priority=1, domain=nat, deny=false
hits=0, user_data=0xd9b214a8, cs_id=0x0, flags=0x0, protocol=0
src ip=172.30.20.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: service
input-status: up
input-line-status: up
output-interface: Dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA5510#
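Worked example, added here and not posted by anyone in the thread: an ASA 8.2 configuration that addresses what the packet-tracer output above shows. Phase 3 finds the posted static (Dmz,service) identity translation for the destination, but Phase 7 drops the flow because the source matches nat (service) 2 and there is no global for id 2 on Dmz. The example assumes the interface names and subnets from the posted config, that 26001/tcp (service to Dmz) and HTTP plus ping (Dmz to service) are the only flows wanted between the two DMZs, and that service to inside should stay as the posted ACL allows it; the ACL name Dmz-Enter and the commented nat 0 alternative are hypothetical.

```cisco
! Added example, not from the thread. Assumes ASA 8.2 NAT syntax and the
! interfaces/subnets of the posted config.
!
! 1. Interfaces at the same security level do not exchange traffic until
!    this is enabled (the reply above already points this out).
same-security-traffic permit inter-interface
!
! 2. Give the service -> Dmz flow a translation. The posted config has the
!    Dmz -> service half (static (Dmz,service) 172.16.254.0 172.16.254.0);
!    this is the missing mirror. Static NAT wins over "nat (service) 2",
!    so Phase 7 no longer looks for a global on Dmz.
static (service,Dmz) 172.30.20.0 172.30.20.0 netmask 255.255.255.0
!
!    Alternative (hypothetical lines): NAT exemption through the nat 0 ACLs
!    that already exist in the posted config, instead of the statics.
! access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0
! access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 172.30.20.0 255.255.255.0
!
! 3. Port-specific ACLs. An inbound ACL on an interface ends in an implicit
!    deny, which is why applying service-Enter also broke service -> outside;
!    the final "permit ip ... any" restores it. Entries are matched in order,
!    so the posted "permit ip 172.30.20.0 172.16.254.0" is removed first or it
!    would shadow the port restriction.
no access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list service-Enter extended permit tcp host 172.30.20.1 host 172.16.254.1 eq 26001
access-list service-Enter extended permit icmp 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0 echo
access-list service-Enter extended deny ip 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 any
access-group service-Enter in interface service
!
!    Dmz currently has no inbound ACL, so Dmz -> inside is blocked only by
!    the security levels. Once an ACL with "permit ip ... any" is applied,
!    that protection is gone, hence the explicit deny towards inside.
access-list Dmz-Enter extended permit tcp host 172.16.254.1 host 172.30.20.1 eq www
access-list Dmz-Enter extended permit icmp 172.16.254.0 255.255.255.0 172.30.20.0 255.255.255.0 echo
access-list Dmz-Enter extended deny ip 172.16.254.0 255.255.255.0 172.30.20.0 255.255.255.0
access-list Dmz-Enter extended deny ip 172.16.254.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Dmz-Enter extended permit ip 172.16.254.0 255.255.255.0 any
access-group Dmz-Enter in interface Dmz
!
! 4. Drop stale translations, then re-run the trace in both directions and
!    check that the NAT phase now reports the identity static and the final
!    Action is "allow".
clear xlate
packet-tracer input service tcp 172.30.20.1 1025 172.16.254.1 26001
packet-tracer input Dmz tcp 172.16.254.1 1025 172.30.20.1 www
```

The ICMP echo entries only matter because the ACL replaces the interface's implicit behaviour; with "inspect icmp" in the global policy the echo-reply comes back through the existing connection, so no reverse ICMP entry is needed.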
10-16-2012 05:11 AM
Have you done "clear xlate" after the static NAT configuration?
Can you please issue "clear xlate" and test again.
10-16-2012 05:14 AM
I have done it now but still cannot ping from 172.16.254.1 to 172.30.20.1.
10-16-2012 05:17 AM
Does it work the other way round?
Can you ping from 172.30.20.1 to 172.16.254.1?
Can you try to ping other hosts?
10-16-2012 05:23 AM
It doesn't work. I have also tried with my own laptop.