05-06-2016 12:28 PM - edited 03-12-2019 12:43 AM
I am fairly new to the ASA world. I have run out of options and am turning to the experts here for help. I have an ASA 5506-X with 4 interfaces. The ASA is running OS 9.4(2) and I am using ASDM to configure everything. ASDM is version 7.6.
Interface 1: Outside Network 1 Verizon
Interface 2: Inside Network
Interface 3: Outside Network Comcast
Interface 4: DMZ 192.168.1.0/24
There are two outside networks, in case one goes down, it fails over to the second one.
Aside from these interfaces, ASA is also used for VPN connectivity.
My Problem: I have a Skype for Business Edge Server that I would like people to access from outside. The server is connected to the DMZ and has 3 private IPs NATed to public IPs. I have created the NAT rules and the server is connected to the internet (meaning I can go on the server and surf the web). For some reason I can't ping the server or connect to it from outside using any of the 3 public IPs. I have opened the necessary ports using an ACL, but still no luck. Any idea on how I could get this up and running? I really appreciate any help with this. Like I said, I have researched this a lot and I couldn't find any solutions. I apologize if this question has already been asked.
Config attached
05-09-2016 11:16 AM
Hi Doug,
ACLs are evaluated only once, when the connection is created. So while creating ACLs keep in mind the direction in which they are applied, evaluate the packet flow based on the direction of traffic from source to destination, and create the appropriate ACLs to allow the traffic.
For example, assume there are two interfaces, Inside and Outside. There is an ACL access_in on the inside interface in the IN direction and an ACL access_out on the outside interface in the OUT direction. If traffic from in to out needs to be allowed, then both access_in and access_out should allow the traffic.
So basically evaluate how your ASA is configured and accordingly allow traffic. You can also use packet tracer utility to check the cause of drop and rectify configuration.
Thanks,
RS
05-06-2016 01:59 PM
Hi,
Based on your configuration, the ACL applied on the Comcast interface will allow only RDP to specific hosts from the outside. You should check the Comcast_access_in ACL and permit traffic for the Skype server.
You have mentioned that you have dual ISPs and one ISP acts as backup for the other, so you should add NAT for the backup ISP as well, or else the servers won't be accessible if one of the ISPs is down.
Hope it helps.
Thanks,
RS
Rate if this helps in resolving your query.
05-09-2016 09:00 AM
Hi Rishabh,
I tried adding the DMZ_subnet network object to the Comcast_access_in ACL and allowed any traffic. It still didn't work. The Comcast interface that is set up only includes one of the IP addresses I have. How do I add the other 4 IP addresses to the interface?
05-09-2016 10:03 AM
Hi Doug,
You can create NAT rules using different public IP addresses. The ASA allows only one IP address on an interface. So you can identify the type of NAT (static/dynamic) that is required for your network and configure it with the public IP addresses.
I hope this will help you in the right direction; in case my understanding of your requirement is wrong, feel free to correct me.
Thanks,
RS
Rate if the post helps.
05-09-2016 10:18 AM
I did create static NATs where I NATed the private IPs to public IPs. For example, I created a network object called DMZ-Edge-Access-INT that has a private IP of 192.168.x.x, then I NATed that to another network object called DMZ-Edge-Access-EXT that has a public IP address.
So the configuration was created this way:
ASA-5506-ASA(config)# object network DMZ-Edge-Access-INT
ASA-5506-ASA(config-network-object)# host 192.168.x.x
ASA-5506-ASA(config-network-object)# nat (DMZ,COMCAST) static DMZ-Edge-Access-EXT
So in the ACL list should I create a rule like the one below?
ASA-5506-ASA(config)# access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Access-EXT eq https
05-09-2016 10:32 AM
Hi Doug,
Ensure that you are using the real IP in the ACL, as the NAT translation will happen before ACL evaluation.
Thanks,
RS
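The two points made in this thread, that on ASA 8.3+ an ACL must name the real (DMZ) address rather than the mapped public address, and that the ACL has to be bound in the right direction on the right interface, are easy to check mechanically. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA config fragment (hypothetical object names, a 192.168.1.10 DMZ host and a 203.0.113.10 public address chosen for illustration), maps each static object NAT to its real object, flags any access-list entry that references the mapped object instead, proposes the corrected line, and reports how the ACL is bound. It only understands object NAT in the `object network` / `nat (real,mapped) static <object>` form shown in the thread.

```python
"""Lint an ASA (8.3+) config for ACL entries that reference the mapped (public)
side of a static object NAT instead of the real host, plus the ACL binding."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample config for illustration (not the poster's real config).
# The second access-list line deliberately uses the mapped object, which is wrong.
SAMPLE_CONFIG = """\
object network DMZ-Edge-Access-INT
 host 192.168.1.10
 nat (DMZ,COMCAST) static DMZ-Edge-Access-EXT
object network DMZ-Edge-Access-EXT
 host 203.0.113.10
access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Access-INT eq https
access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Access-EXT eq 5061
access-list COMCAST_access_in extended permit icmp any object DMZ-Edge-Access-INT echo
access-group COMCAST_access_in in interface COMCAST
"""

OBJECT_RE = re.compile(r"^object network (\S+)")
NAT_RE = re.compile(r"^nat\s+\(([^,]+),([^)]+)\)\s+static\s+(\S+)")
ACL_OBJ_RE = re.compile(r"\bobject\s+(\S+)")      # does not match "object-group"
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")


@dataclass
class Finding:
    line_no: int
    acl: str
    mapped: str      # object the ACE names (post-NAT public side)
    real: str        # object it should name (pre-NAT DMZ side)
    fixed_line: str  # ACE rewritten to use the real object


def parse_objects(config: str):
    """Return (real_addr_by_object, real_object_by_mapped_object)."""
    real_addr, real_by_mapped, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or not line.startswith(" "):
            current = None          # left the object block
            continue
        body = line.strip()
        if body.startswith(("host ", "subnet ", "range ")):
            real_addr[current] = body
        nm = NAT_RE.match(body)
        if nm:                      # static NAT: mapped object -> real object
            real_by_mapped[nm.group(3)] = current
    return real_addr, real_by_mapped


def lint_acls(config: str) -> list:
    """Flag ACEs that name a mapped object; NAT is undone before ACL lookup."""
    _, real_by_mapped = parse_objects(config)
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        if not line.startswith("access-list "):
            continue
        acl = line.split()[1]
        for obj in ACL_OBJ_RE.findall(line):
            real = real_by_mapped.get(obj)
            if real:
                fixed = line.replace(f"object {obj}", f"object {real}")
                findings.append(Finding(no, acl, obj, real, fixed))
    return findings


def acl_binding(config: str, acl: str) -> Optional[tuple]:
    """Return (direction, interface) the ACL is applied with, or None."""
    for line in config.splitlines():
        m = ACCESS_GROUP_RE.match(line)
        if m and m.group(1) == acl:
            return m.group(2), m.group(3)
    return None


if __name__ == "__main__":
    for f in lint_acls(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.acl} references mapped object {f.mapped}; "
              f"use real object {f.real}:\n  {f.fixed_line}")
    print("binding:", acl_binding(SAMPLE_CONFIG, "COMCAST_access_in"))
```

Run against the sample it reports the single bad ACE on line 7 and confirms COMCAST_access_in is applied `in` on COMCAST, which is the mapped interface of the NAT, so inbound traffic to the real object is what the ACE must permit. After fixing the line on the real firewall, `packet-tracer input COMCAST tcp 198.51.100.1 1025 203.0.113.10 443` (with your own addresses) shows whether the NAT and ACL phases now pass.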
05-09-2016 10:38 AM
Thank you very much for your prompt response. Should I create the same rules on the DMZ interface ACL, or will the Comcast one suffice?
05-13-2016 07:28 AM
Thanks for your help sir!
05-08-2016 10:00 PM
As far as I know, access from a lower security level interface (outside) to a higher one (inside) is denied by default unless an ACL explicitly permits it.
You need to configure ACLs to permit any service the DMZ server would provide, including ICMP messages for troubleshooting.