03-28-2019 02:05 PM - edited 02-21-2020 08:59 AM
ASA 5508 9.6 public ip to dmz
How do I configure this?
# sho run
ASA Version 9.6(1)
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.111 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/5
description to DMZ-APP0
nameif DMZ-APP0
security-level 50
ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet1/6
description to DMZ-APP1
nameif DMZ-APP1
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/7
description to DMZ-WIFI
nameif DMZ-WIFI
security-level 20
ip address 192.168.2.1 255.255.255.0
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network app-ext
host x.x.x.111
object network app1
host 192.168.1.20
object network app0
host 192.168.0.20
access-list out-in extended permit icmp any any echo-reply
access-list out-in extended deny ip any any
access-list out_in extended permit tcp any host 192.168.1.20 eq 7778
access-list dmz_acl extended permit ip any any
!
object network obj_any
nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ-WIFI,outside) after-auto source dynamic any interface
access-group outside-in in interface outside
access-group dmz_acl in interface DMZ-APP0
route outside 0.0.0.0 0.0.0.0 x.x.x.110 1
ciscoasa#
It does not work, please help?
Solved! Go to Solution.
03-29-2019 11:28 PM
Hi,
I am not sure what your question is, but I found some fundamental errors in the ACL configuration:
access-list out-in extended permit icmp any any echo-reply
access-list out-in extended deny ip any any
access-list out_in extended permit tcp any host 192.168.1.20 eq 7778
You have denied "ip any any", which means any traffic will match this entry and be dropped, and a packet will not go down to check the 3rd line. So the 3rd entry in the ACL will not work. Correct it as:
access-list out-in extended permit icmp any any echo-reply
no access-list out-in extended deny ip any any
access-list out_in extended permit tcp any host 192.168.1.20 eq 7778
The first match determines whether the Cisco IOS® Software accepts or rejects the packet. Because the Cisco IOS Software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet because of an implicit deny all clause. So there is no need for a "deny ip any any" statement at the end of the ACL.
Second issue: I am not sure whether your default route is correct:
route outside 0.0.0.0 0.0.0.0 x.x.x.111 1
Because you have assigned IP x.x.x.111 to the outside interface, and the same IP is configured as the next hop on the route. Replace x.x.x.111 here with the next-hop IP.
Third issue:
object network app-ext
host x.x.x.111
!
object network app1
host 192.168.1.20
!
object network app0
host 192.168.0.20
I am not sure what you want to achieve with this configuration, but as per your question's subject line it seems you are looking for a port-forwarding solution. I am not sure which ports you require, but suppose APP1 requires TCP port 443; then your configuration will be like:
object network app1
host 192.168.1.20
nat (DMZ-APP1,outside) static interface service tcp https https
Please let me know if I have misunderstood your question.
Regards,
Deepak Kumar
03-30-2019 12:15 AM
Hi,
Change this network statement to:
object network app1
host 192.168.1.20
nat (DMZ-APP1,outside) static interface service tcp 7778 http
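The two points made in the answers above, ACL ordering (first match wins, so a "deny ip any any" placed before the permit shadows it) and the static PAT for app1, can be checked with a small model of how an ASA handles an inbound connection. The following is an added example written for this thread, not code from the thread or from Cisco: it models, in Python, the ASA 8.3+ order of operations (untranslate the destination to the real host first, then evaluate the interface ACL against the real address, then implicit deny). The public address 203.0.113.111 and the client 198.51.100.7 are constructed placeholders for the anonymised x.x.x.111 and an Internet client; the ICMP type (echo-reply) is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder standing in for the anonymised public address x.x.x.111.
PUBLIC_IP = "203.0.113.111"
APP1_REAL_IP = "192.168.1.20"   # from the thread's "object network app1"


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action proto src dst [eq dport]."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a host address
    dst: str                     # "any" or a host address
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate_acl(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins. Returns (action, ace_index); ("deny", None) is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None


def shadowed_aces(acl: List[Ace]) -> List[int]:
    """Indices of ACEs that can never be reached: an earlier ACE already covers every packet they match."""
    def covers(wide: Ace, narrow: Ace) -> bool:
        return ((wide.proto == "ip" or wide.proto == narrow.proto)
                and wide.src in ("any", narrow.src)
                and wide.dst in ("any", narrow.dst)
                and (wide.dport is None or wide.dport == narrow.dport))
    return [j for j, ace in enumerate(acl) if any(covers(acl[i], ace) for i in range(j))]


# Static PAT from the answer, as (real_ip, real_port, mapped_ip, mapped_port):
#   nat (DMZ-APP1,outside) static interface service tcp 7778 http
STATIC_PAT = [(APP1_REAL_IP, 7778, PUBLIC_IP, 80)]


def untranslate(pkt: Packet, rules) -> Packet:
    """Inbound direction: map (mapped_ip, mapped_port) back to the real host before the ACL check."""
    for real_ip, real_port, mapped_ip, mapped_port in rules:
        if pkt.proto == "tcp" and pkt.dst == mapped_ip and pkt.dport == mapped_port:
            return Packet(pkt.proto, pkt.src, real_ip, real_port)
    return pkt


def inbound_decision(pkt: Packet, acl: List[Ace]) -> Tuple[Packet, str, Optional[int]]:
    """Untranslate, then evaluate the outside ACL against the real (untranslated) packet."""
    real = untranslate(pkt, STATIC_PAT)
    action, idx = evaluate_acl(acl, real)
    return real, action, idx


# The three ACEs as posted in the question, read as one list (the order the answer discusses).
ACL_AS_POSTED = [
    Ace("permit", "icmp", "any", "any"),
    Ace("deny", "ip", "any", "any"),
    Ace("permit", "tcp", "any", APP1_REAL_IP, 7778),
]
# The same list with the deny line removed, as the answer suggests.
ACL_FIXED = [ACL_AS_POSTED[0], ACL_AS_POSTED[2]]
# A frequent mistake on 8.3+: writing the ACE against the public (mapped) address and port.
ACL_MAPPED_ADDR = [Ace("permit", "tcp", "any", PUBLIC_IP, 80)]

# Constructed Internet client connecting to http://public-ip:80/
CLIENT_TO_APP = Packet("tcp", "198.51.100.7", PUBLIC_IP, 80)

if __name__ == "__main__":
    print("shadowed ACE indices in posted ACL:", shadowed_aces(ACL_AS_POSTED))
    for name, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED), ("mapped addr", ACL_MAPPED_ADDR)):
        real, action, idx = inbound_decision(CLIENT_TO_APP, acl)
        print(f"{name:12s} -> real dst {real.dst}:{real.dport}, {action} by ACE {idx}")
```

Running it shows the third ACE reported as shadowed by the "deny ip any any" above it, the client's packet to port 80 arriving at the ACL already rewritten to 192.168.1.20:7778, and a permit only when the ACE names the real host and port 7778 rather than the public address and port 80.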
03-29-2019 11:53 PM - edited 03-30-2019 12:07 AM
Thank you, Mr. Deepak Kumar,
but the public IP (X.X.X.111:80)
I use Oracle Application Server
http://public-ip:80/aaaaaaaa
forward to
04-04-2019 03:18 AM
Not working, access list error:
--------
object network app1
host 192.168.1.20
access-list out_in extended permit tcp any host 192.168.1.20 eq 7778
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
object network app1
nat (dmz-app1,outside) static interface service tcp 7778 www
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz-app1,outside) after-auto source dynamic any interface
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x1