581 Views, 0 Helpful, 9 Replies
itlklubos6
Beginner

ASA 5505 - DMZ

Hi,

I followed examples from the Internet to configure a DMZ on an ASA 5505 (version 9.*). The result is that traffic to a web server works; it is accessible from outside, but the inside network has no access to the Internet. I am posting the relevant part of the config file here (with fake IPs).

The rules:

- no connection allowed between DMZ and inside

Config:

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 5
!
interface Ethernet0/2
 switchport access vlan 1
!
interface Ethernet0/3
 switchport access vlan 1
!
interface Ethernet0/4
 switchport access vlan 1
!
interface Ethernet0/5
 switchport access vlan 1
!
interface Ethernet0/6
 switchport access vlan 1
!
interface Ethernet0/7
 switchport access vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 198.168.0.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 191.51.100.100 255.255.255.252
!
interface Vlan5
 description Interface for WebServer, DMZ level 50
 no forward interface Vlan1
 nameif DMZ50
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
dns server-group DefaultDNS
 domain-name SomeName
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
object network WebServer
 host 192.168.1.100
!
object-group network DMZ-DEFAULT-PAT-SOURCE
 network-object 192.168.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp any object WebServer eq www
!
object network obj_any
 nat (inside,outside) dynamic interface
!
object network WebServer
 nat (DMZ50,outside) static interface no-proxy-arp service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ50,outside) after-auto source dynamic DMZ-DEFAULT-PAT-SOURCE interface
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 198.51.100.101 1

The address 198.51.100.101 should represent the real public IP address of the server.

Obviously, I am missing something.

----------

Also, I would like to ask about the syntax: in the config above there is a VLAN referred to as "vlan 1" and also as "Vlan1". Is the config script case sensitive? And why is there a space in the string "vlan 1" when we refer to this LAN with no space as "Vlan1"?

Thank you for help.

9 REPLIES
Philip D'Ath
Advisor

You should not need this line, as you already have an object NAT doing it.

nat (inside,outside) after-auto source dynamic any interface

Thanks for the answer. I have removed the line. However, the inside still cannot reach the Internet.

The DMZ is working.

Do you have any suggestions?

Also, I notice when running the command "show running-config" (using ASDM) that the switchport access is missing for the inside ports:

!
interface Ethernet0/0
 switchport access vlan 2

!
interface Ethernet0/1
 switchport access vlan 5
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

Is this significant, or is it just filtered out for display? I have checked that all ports are enabled. The startup-config has the switchport definition in place for all interfaces, as shown in my sample when I created this discussion. The startup and running config are identical except for those missing switchports.

Could this be the root of the problem that is causing me not to be able to connect to the Internet from the inside network?

That just means they belong to the default vlan 1.

Are you able to ping the ASA's Inside IP from one of the internal hosts?

Run a packet tracer and see if it's being stopped for some reason:

packet-tracer input inside icmp <inside host IP>  8 0 8.8.8.8


Pablo

The response is "Flow is denied by configured rule". Using ASDM, it navigates me to Configuration > Firewall > Access Rules.

There is a Global implicit rule: any any ip Deny

If I do a packet tracer from inside to the outside interface, I get the result "No route to host". The trace route to the ISP gateway is "NAT cluster unassigned pool".

From the ASA, are you able to ping the gateway IP or something outside such as 8.8.8.8?

Can you post the result of a show route?

I have tried it both from the ASA and from the Windows command line.

On ASA I get the response:

RRRRR

Success rate is 0% (0/5)

From the command line I get "Request timed out". Interestingly, I get the same message when I run ping from the command line on the web server, which has no problem reaching the Internet. Maybe the ping service is disabled?

Pablo
Cisco Employee

On top of what Philip added, there's no good reason to have "no-proxy-arp" in the port-forwarding configuration.

This should be enough:

object network WebServer
 nat (DMZ50,outside) static interface service tcp www www

In regards to your syntax question, the configuration is not case sensitive (at least not for this). The string with the space is just the switchport configuration syntax; it attaches a physical port to a particular VLAN (L2 config). The VLAN with no space is the SVI; this is your layer 3 interface, used to route packets out or between the VLANs.

HTH


Pablo

itlklubos6
Beginner

Figured it out, so I am posting the solution here in case somebody else needs it.

If the connection to the Internet from inside is not working, even though the DMZ is fine and the whole ASA configuration file looks OK, double check the DNS information in your config, or in the host's TCP/IP settings.
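The three things the replies in this thread touch on (whether the "no connection between DMZ and inside" rule actually holds, the redundant after-auto PAT, and DNS) can be checked mechanically from the config. The script below is an added example, not the poster's configuration or any Cisco tool: it parses the config posted above (abridged to the lines it reads, fake addresses as posted), derives the ASA's default policy for new connections between each pair of named interfaces from the security levels and "no forward interface", flags a dynamic PAT that is defined both as object NAT and as an after-auto manual rule for the same interface pair, and flags a DNS server-group with no name-server line. The interface names, levels, NAT and access-group lines are the thread's; the parser, function names and verdict strings are this example's own.

```python
import re
from dataclasses import dataclass, field
from types import SimpleNamespace

# ASA 5505 config from the original post, abridged to the lines these checks read.
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan5
 no forward interface Vlan1
 nameif DMZ50
 security-level 50
dns server-group DefaultDNS
 domain-name SomeName
object network obj_any
 nat (inside,outside) dynamic interface
object network WebServer
 nat (DMZ50,outside) static interface no-proxy-arp service tcp www www
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ50,outside) after-auto source dynamic DMZ-DEFAULT-PAT-SOURCE interface
access-group OUTSIDE-IN in interface outside
"""

@dataclass
class Iface:
    name: str                                     # e.g. Vlan5
    nameif: str = ""                              # logical name used by nat/access-group
    level: int = -1
    no_forward: set = field(default_factory=set)  # interfaces it may not initiate to

def parse_asa(text):
    """Parse only what the checks need: interfaces, object NAT, manual NAT,
    access-group bindings and DNS server-groups (the grammar used in the post)."""
    cfg = SimpleNamespace(ifaces={}, nat=[], acl_in={}, dns_groups={})
    ctx = None  # ("iface", Iface) | ("object", name) | ("dns", list of name-servers)
    for raw in text.splitlines():
        line, sub = raw.rstrip(), raw.strip()
        if not sub or sub == "!":
            continue
        if not line.startswith(" "):          # top-level command: starts a new context
            ctx = None
            if m := re.match(r"interface (\S+)$", line):
                ctx = ("iface", cfg.ifaces.setdefault(m[1], Iface(m[1])))
            elif m := re.match(r"object network (\S+)$", line):
                ctx = ("object", m[1])
            elif m := re.match(r"dns server-group (\S+)$", line):
                ctx = ("dns", cfg.dns_groups.setdefault(m[1], []))
            elif m := re.match(r"nat \((\S+),(\S+)\) (.*)$", line):
                cfg.nat.append(("manual", m[1], m[2], m[3]))
            elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
                cfg.acl_in[m[2]] = m[1]
        elif ctx and ctx[0] == "iface":       # indented sub-commands of the context
            if m := re.match(r"nameif (\S+)$", sub):
                ctx[1].nameif = m[1]
            elif m := re.match(r"security-level (\d+)$", sub):
                ctx[1].level = int(m[1])
            elif m := re.match(r"no forward interface (\S+)$", sub):
                ctx[1].no_forward.add(m[1])
        elif ctx and ctx[0] == "object" and (m := re.match(r"nat \((\S+),(\S+)\) (.*)$", sub)):
            cfg.nat.append(("object", m[1], m[2], m[3]))
        elif ctx and ctx[0] == "dns" and (m := re.match(r"name-server (\S+)", sub)):
            ctx[1].append(m[1])
    return cfg

def default_policy(cfg):
    """Verdict for a new connection src -> dst under ASA defaults: higher -> lower
    security level permitted, lower or equal denied, an inbound ACL on the source
    interface replaces the implicit rule, 'no forward interface' wins outright."""
    named = [i for i in cfg.ifaces.values() if i.nameif]
    policy = {}
    for src in named:
        for dst in named:
            if src is dst:
                continue
            if dst.name in src.no_forward:
                verdict = "deny (no forward interface)"
            elif src.nameif in cfg.acl_in:
                verdict = f"acl {cfg.acl_in[src.nameif]} only"
            else:
                verdict = "permit" if src.level > dst.level else "deny"
            policy[(src.nameif, dst.nameif)] = verdict
    return policy

def duplicate_dynamic_pat(cfg):
    """Pairs with dynamic PAT both as object NAT (section 2) and as an after-auto
    manual rule (section 3); section 2 matches first, so the latter never fires."""
    kinds = {}
    for kind, src, dst, rest in cfg.nat:
        if "dynamic" in rest.split():
            kinds.setdefault((src, dst), set()).add(kind)
    return sorted(p for p, k in kinds.items() if k == {"object", "manual"})

def dns_groups_without_servers(cfg):
    """Server-groups with no name-server: the ASA itself cannot resolve names."""
    return sorted(g for g, s in cfg.dns_groups.items() if not s)

if __name__ == "__main__":
    cfg = parse_asa(POSTED_CONFIG)
    for pair, verdict in sorted(default_policy(cfg).items()):
        print(f"{pair[0]:>8} -> {pair[1]:<8} {verdict}")
    print("duplicate dynamic PAT:", duplicate_dynamic_pat(cfg))
    print("dns server-groups without name-server:", dns_groups_without_servers(cfg))
```

Two things the output makes visible that the thread does not spell out. First, the default policy permits inside -> DMZ50 (100 -> 50), so the stated rule "no connection allowed between DMZ and inside" holds by default only in the DMZ -> inside direction (denied by the lower security level and, on a 5505, by "no forward interface Vlan1"); blocking inside -> DMZ as well needs an ACL bound inbound on inside, and once one is bound there only what it explicitly permits passes, including inside -> outside. Second, a server-group with no name-server only affects name resolution on the ASA itself (ping by hostname from the ASA, for example); hosts behind it resolve with whatever is in their own TCP/IP settings, which is the other place the final post says to check.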
