03-25-2014 02:44 PM - edited 03-11-2019 08:59 PM
Guys,
I've built a lab in gns3, one router and one ASA, the ASA has an inside, DMZ (with a small network behind it with just 1 server up and running at present) and an outside interface whilst the router has 3 interfaces on 3 subnets that connect a PC in each of the subnets using VMWare.
I have attached a screenshot of my topology so that you better understand what I have done and included the config files. https://www.dropbox.com/s/zjag2pt2dgper9p/topology.png
Basically, what I am trying to achieve is be able to connect through a pc in say the HR subnet through to the webserver in the DMZ, the webserver is LAMP, which is a pre-built VMWare appliance that runs webservices and it's mainly to just test.
I'm obviously missing out something simple as I can see it trying to connect through the ASDM log messages. I have changed the firewall rules to reflect this but still to no avail.
I would appreciate some assistance if someone could spare 5 mins, I would really appreciate it.
Thanks
Thomas.
03-25-2014 08:32 PM
Hi Thomas,
Your R1 config is incomplete, so I'm basing this entirely on the ASA config. I would remove the global_access ACL and change the inside_access_in ACL to permit ip any any. Also make sure that the webserver has a default gateway of 192.168.70.10.
Make sure that R1 has the necessary routes to get to 192.168.100.0/24 subnet.
Also keep in mind that I've seen strange behavior with the ASA in GNS3. It sometimes won't pass traffic like it's supposed to.
Regards,
Mike
03-26-2014 02:01 AM
Thanks for the reply Mike, I had put static routes from R1 pointing to the ASA and to the correct subnet...I will update the config later, but I am getting deny messages from the ASA basically saying it cannot see the route, as if it's trying to go out the outside interface...I believe it is something that I am doing wrong rather than GNS3.
I will try your suggestion tonight as I did notice last night that GNS3 wouldn't let me launch ASDM until the ASA was reloaded.
Thanks again,
Thomas.
03-26-2014 01:42 PM
Here is an update, I'm still confused as to what I could be doing wrong:
I am chucking everything from the router over to the ASA with the static route below
R1#sh run | in ip route
ip route 0.0.0.0 0.0.0.0 192.168.100.1
Below are the interfaces on the ASA.
interface GigabitEthernet0
nameif outside
security-level 100
ip address 192.168.0.100 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.252
!
interface GigabitEthernet2
nameif DMZ
security-level 100
ip address 192.168.70.10 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group global_access global
Static routes pointing over to the subnet via the DMZ gateway IP (I've also tried 192.168.70.1 with same issues)
route inside 192.168.10.0 255.255.255.0 192.168.70.10 1
route inside 192.168.20.0 255.255.255.0 192.168.70.10 1
route inside 192.168.30.0 255.255.255.0 192.168.70.10 1
I can ping the correct places directly from the ASA CLI without issues but when I try it from the ASDM on any interface it returns the dreaded ?????
ciscoasa# ping 192.168.70.128
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.70.128, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1#ping 192.168.70.128
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.70.128, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
And here are the pictures of ASDM. I have configured the ACLs in that way to prove that all interfaces allow EVERYTHING; I have also tried many other ACL methods but still no luck.
https://www.dropbox.com/s/feacsynralx68ok/ASAIssues.png
Thanks for all the help so far everyone but if anyone else can assist I would really appreciate it.
Thanks,
Thomas.
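Added example, not code from the thread or from anyone posting in it: a small Python lint over a constructed excerpt of the ASA config posted above. It flags the two things the config shows: a static route whose next hop is one of the ASA's own interface addresses (or is off the subnet of the interface the route names), and interfaces that share a security-level while the config lacks same-security-traffic permit inter-interface, without which the ASA drops traffic between them. The excerpt and the 192.168.100.2 next hop used as the corrected value are assumptions.

```python
import ipaddress
import re

# Constructed excerpt mirroring the interface and route lines posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.252
interface GigabitEthernet2
 nameif DMZ
 security-level 100
 ip address 192.168.70.10 255.255.255.0
route inside 192.168.10.0 255.255.255.0 192.168.70.10 1
"""

def parse_interfaces(config):
    """Map nameif -> (ip_interface, security-level) from each 'interface' stanza."""
    ifaces, cur = {}, {}
    for line in config.splitlines() + ["interface END"]:
        key, _, rest = line.strip().partition(" ")
        if key == "interface":            # new stanza: flush the previous one
            if "nameif" in cur:
                ifaces[cur["nameif"]] = (cur["addr"], cur["level"])
            cur = {}
        elif key == "nameif":
            cur["nameif"] = rest
        elif key == "security-level":
            cur["level"] = int(rest)
        elif key == "ip" and rest.startswith("address "):
            ip, mask = rest.split()[1:3]
            cur["addr"] = ipaddress.ip_interface(f"{ip}/{mask}")
    return ifaces

def lint(config):
    """Return findings: unusable static-route next hops and same-security interfaces."""
    ifaces = parse_interfaces(config)
    own_ips = {str(a.ip) for a, _ in ifaces.values()}
    findings = []
    for ifname, net, mask, gw in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        addr = ifaces.get(ifname, (None, None))[0]
        if gw in own_ips:   # next hop is one of the ASA's own addresses: never forwards
            findings.append(f"route {net}/{mask} via {gw}: next hop is the ASA itself")
        elif addr and ipaddress.ip_address(gw) not in addr.network:
            findings.append(f"route {net}/{mask} via {gw}: not on {ifname} subnet {addr.network}")
    if len({lvl for _, lvl in ifaces.values()}) < len(ifaces) and \
            "same-security-traffic permit inter-interface" not in config:
        findings.append("interfaces share a security-level without same-security-traffic permit inter-interface")
    return findings
```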