10-04-2014 02:18 AM - edited 03-11-2019 09:51 PM
Hi ...
We have a guest WLAN that goes out over the ASA (version 8.6) firewall, and it works as intended to reach the Internet.
We also have a DMZ, but when I try to reach the URL for one of our servers in the DMZ it doesn't connect; I don't get the page.
I've been trying a lot of different configurations I have found on the net, but no luck getting traffic out and in to the DMZ...
Any hints to solve this issue would be greatly appreciated...
10-04-2014 07:12 AM
Can you please post your config for us? This will make it much, much easier to assist you.
10-07-2014 09:34 AM
Hi....
Sorry for the late response... here is the config...
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 196.179.169.135 255.255.255.240
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.230.100.7 255.255.255.0
!
interface GigabitEthernet0/1.90
description Subinterface DMZ Vlan90
shutdown
vlan 90
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Interface for Guest VLAN
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.70
description Guest Interface Wlan
vlan 70
nameif Guestwlan
security-level 100
ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet0/3
description Interface for DMZ net
nameif DMZ
security-level 50
ip address 192.168.75.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name tidax.se
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network App1
host 196.157.213.163
object network Draget-FW
host 10.230.100.34
object network Fin-GW
host 10.230.100.60
object network GW
host 196.179.169.129
object network NETWORK_OBJ_192.168.190.0_25
subnet 192.168.190.0 255.255.255.128
object network nat-wlan
host 196.179.169.130
object network net-guestwlan
subnet 172.16.20.0 255.255.255.0
object network VPNAccessHTTP
subnet 192.168.190.0 255.255.255.0
object network VPN_Mail_Access
subnet 192.168.190.0 255.255.255.0
object network dmz-subnet
subnet 192.168.75.0 255.255.255.0
object network lime-external-ip
host 196.179.169.140
object network owncloud-external-ip
host 196.179.169.141
object network limeserver
host 192.168.75.10
object network owncloudserver
host 192.168.75.11
object network dns-server
host 10.230.100.12
object service DNS
service tcp destination eq domain
object network Inside_access_dmz
subnet 10.230.100.0 255.255.255.0
object network ESXI-Lime
host 192.168.75.2
object network Uppsala_GW
host 10.230.100.2
object network Uppsala_network
subnet 192.168.10.0 255.255.255.0
object network Access_DMZ_https
subnet 10.230.100.0 255.255.255.0
object network Insida_dmz_https
subnet 10.230.100.0 255.255.255.0
object network GuestWlan-DMZ
subnet 172.16.20.0 255.255.255.0
object network inside_identity_dmz_nat
object network inside_nat
subnet 172.16.20.0 255.255.255.0
object network DMZ_Ping
subnet 10.230.100.0 255.255.255.0
object network Acces-LimeEsxi
host 192.168.75.2
object network DMZ-Guestwlan
host 196.179.169.140
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
service-object tcp destination eq 993
service-object tcp destination eq smtp
service-object tcp destination eq 5001
service-object tcp destination eq 9091
service-object tcp destination eq 995
service-object tcp destination eq 465
service-object tcp destination range 6245 6246
service-object tcp destination eq 6351
object-group service DM_INLINE_TCP_1 tcp
group-object RDP
port-object eq echo
port-object eq www
port-object eq https
port-object eq ssh
port-object eq 903
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp destination eq domain
service-object tcp destination eq echo
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 6351
service-object tcp destination eq ldap
object-group service VMware_Vsphere_client udp
description Vsphere access
port-object eq 427
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq https
service-object tcp-udp destination eq 902
service-object tcp destination eq 903
service-object tcp destination eq echo
object-group service Vmware_902 tcp-udp
port-object eq 902
object-group service Vmware_903 tcp
port-object eq 903
object-group service Lime-Mobility-Server tcp
port-object eq 6351
object-group service DM_INLINE_TCP_3 tcp
port-object range 6245 6246
port-object eq 6351
port-object eq www
port-object eq https
object-group service Lime_access_6245-6246 tcp
port-object range 6245 6246
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object tcp destination range 6245 6246
service-object tcp destination eq www
service-object tcp destination eq https
access-list inside_access_in extended permit tcp 10.230.100.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 10.230.100.0 255.255.255.0 any eq https
access-list inside_access_in extended permit ip 10.230.100.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 10.230.100.0 255.255.255.0 any object-group RDP
access-list inside_access_in extended permit tcp 10.230.100.0 255.255.255.0 192.168.75.0 255.255.255.0 eq https inactive
access-list Guestwlan_access_in extended permit object-group DM_INLINE_SERVICE_1 object net-guestwlan any
access-list Guestwlan_access_in extended permit object-group DM_INLINE_SERVICE_4 172.16.20.0 255.255.255.0 any
access-list DMZ_access_in extended permit tcp interface inside 192.168.75.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.75.0 255.255.255.0 10.230.100.0 255.255.255.0
access-list DMZ_access_in extended permit tcp 192.168.75.0 255.255.255.0 any object-group DM_INLINE_TCP_2
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 10.230.100.0 255.255.255.0 any
access-list DMZ_access_in extended permit tcp 172.16.20.0 255.255.255.0 host 196.179.169.140 object-group DM_INLINE_TCP_3
access-list dmz_acl extended permit udp 192.168.75.0 255.255.255.0 object dns-server eq domain
access-list OUTSIDE-IN extended permit tcp any host 192.168.75.10 eq https
access-list OUTSIDE-IN extended permit tcp any host 192.168.75.11 eq www
access-list OUTSIDE-IN extended permit tcp any host 192.168.75.11 eq https
access-list NO-NAT extended permit ip 172.16.20.0 255.255.255.0 192.169.75.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Guestwlan 1500
mtu management 1500
mtu DMZ 1500
ip local pool ai-Pool 192.168.190.10-192.168.190.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.190.0_25 NETWORK_OBJ_192.168.190.0_25 no-proxy-arp route-lookup
!
object network net-guestwlan
nat (Guestwlan,DMZ) static 196.179.169.140
object network VPNAccessHTTP
nat (any,outside) dynamic interface
object network VPN_Mail_Access
nat (any,inside) dynamic interface
object network dmz-subnet
nat (DMZ,outside) dynamic interface
object network limeserver
nat (DMZ,outside) static 196.179.169.140
object network owncloudserver
nat (DMZ,outside) static 196.179.169.141
object network DMZ-Guestwlan
nat (DMZ,Guestwlan) dynamic limeserver
!
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE-IN in interface outside
access-group inside_access_in in interface inside
access-group Guestwlan_access_in in interface Guestwlan
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 196.179.169.129 1
route inside 10.230.101.0 255.255.255.0 10.230.100.34 1
route inside 192.168.5.0 255.255.255.0 10.230.100.2 1
route inside 192.168.10.0 255.255.255.0 10.230.100.2 1
route inside 196.157.213.161 255.255.255.255 10.230.100.60 1
route inside 196.157.213.162 255.255.255.255 10.230.100.60 1
route inside 196.157.213.164 255.255.255.255 10.230.100.60 1
route inside 196.157.213.179 255.255.255.255 10.230.100.60 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.230.100.0 255.255.255.0 inside
no snmp-server location
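A config sanity check added here, not part of the thread: a small Python lint that reads an ASA config, collects every interface and object-network prefix, and flags any inline ACL prefix that lies inside none of them, which is exactly how a transposed octet such as the 192.169.75.0 in the NO-NAT line above (the DMZ is 192.168.75.0/24) shows up. The sample config is a constructed excerpt of the one posted above with indentation restored; the function names are mine.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in this thread (indentation
# restored), reduced to the lines the check needs.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3
 nameif DMZ
 ip address 192.168.75.1 255.255.255.0
object network net-guestwlan
 subnet 172.16.20.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.75.0 255.255.255.0
object network limeserver
 host 192.168.75.10
access-list NO-NAT extended permit ip 172.16.20.0 255.255.255.0 192.169.75.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp any host 192.168.75.10 eq https
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"


def known_networks(config):
    """Map each interface nameif and object network to its prefix."""
    nets, section = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith(("object network ", "interface ", "nameif ")):
            section = line.split()[-1]          # nameif overrides the interface name
        elif line.startswith(("subnet ", "ip address ")):
            addr, mask = re.search(rf"({IP}) ({IP})", line).groups()
            nets[section] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("host "):
            nets[section] = ipaddress.ip_network(f"{line.split()[1]}/32")
    return nets


def unanchored_acl_networks(config):
    """Flag inline ACL prefixes that lie inside no interface or object
    network: the usual symptom of a typo such as 192.169.x.x for 192.168.x.x."""
    nets, findings = known_networks(config).values(), []
    for raw in config.splitlines():
        if not raw.startswith("access-list "):
            continue
        hosts = [ipaddress.ip_network(f"{h}/32") for h in re.findall(rf"\bhost ({IP})", raw)]
        pairs = re.findall(rf"({IP}) ({IP})", re.sub(rf"\bhost {IP}", "", raw))
        for net in hosts + [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in pairs]:
            if not any(net.subnet_of(k) for k in nets):
                findings.append(f"{raw.split()[1]}: {net} is inside no interface or object network")
    return findings
```

Run against the full posted config, the same check also covers the inside and Guestwlan ACLs, since every inline prefix is compared against every nameif and object prefix, not just the DMZ ones.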