Solved: Re: ASA 5508 9.6 public ip to dmz

a.eldeeb · ‎03-28-2019

ASA 5508 9.6 public ip to dmz

how config

# sho run

ASA Version 9.6(1)
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.111 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!

interface GigabitEthernet1/5
description to DMZ-APP0
nameif DMZ-APP0
security-level 50
ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet1/6
description to DMZ-APP1
nameif DMZ-APP1
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/7
description to DMZ-WIFI
nameif DMZ-WIFI
security-level 20
ip address 192.168.2.1 255.255.255.0
!
object network obj_any
subnet 0.0.0.0 0.0.0.0

object network app-ext
host x.x.x.111

object network app1
host 192.168.1.20

object network app0
host 192.168.0.20

access-list out-in extended permit icmp any any echo-reply
access-list out-in extended deny ip any any
access-list out_in extended permit tcp any host 192.168.1.20 eq 7778
access-list dmz_acl extended permit ip any any

!
object network obj_any
nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ-WIFI,outside) after-auto source dynamic any interface
access-group outside-in in interface outside
access-group dmz_acl in interface DMZ-APP0
route outside 0.0.0.0 0.0.0.0 x.x.x.110 1

ciscoasa#

not work plz help??????

Deepak Kumar · ‎03-29-2019

Hi,

What is your question, I am not sure but here I found some fundamental error in the ACL configuration as:

access-list out-in extended permit icmp any any echo-reply
access-list out-in extended deny ip any any
access-list out_in extended permit tcp any host 192.168.1.20 eq 7778

You had denied "ip any any" means any traffic will match this ACL will drop and a packet will not go down to check 3rd line. So 3rd entry in the ACL will not work Make it correction as

access-list out-in extended permit icmp any any echo-reply
no access-list out-in extended deny ip any any
access-list out_in extended permit tcp any host 192.168.1.20 eq 7778

The first match determines whether the Cisco IOS® Software accepts or rejects the packet. Because the Cisco IOS Software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet because of an implicit deny all clause. So there is no required for "deny IP any any" statement at the end of ACL.

Second issue: I am not sure that your default is applied is correct or not:

route outside 0.0.0.0 0.0.0.0 x.x.x.111 1

Because you had assigned IP x.x.x.111 on the outside interface and the same end IP is configured on the route. Here x.x.x.111 replace with next hop IP.

Issue third:

object network app-ext
host x.x.x.111
!
object network app1
host 192.168.1.20
!
object network app0
host 192.168.0.20

I am not sure what you want to archive with configuration but As per your question subnet line, seems you are looking a solution for port forwarding and I am not sure that which ports do you required but suppose APP1 is required TCP port 443 then your configuration will be like:

object network app1
host 192.168.1.20
 nat (DMZ-APP1,outside) static interface service tcp https https

Please let me know if there is any mistake to understand your question.

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

View solution in original post

Deepak Kumar · ‎03-30-2019

Hi,

Change this network statement to:

object network app1
host 192.168.1.20
 nat (DMZ-APP1,outside) static interface service tcp 7778 http

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

View solution in original post

Deepak Kumar · ‎03-29-2019

Hi,

What is your question, I am not sure but here I found some fundamental error in the ACL configuration as:

access-list out-in extended permit icmp any any echo-reply
access-list out-in extended deny ip any any
access-list out_in extended permit tcp any host 192.168.1.20 eq 7778

You had denied "ip any any" means any traffic will match this ACL will drop and a packet will not go down to check 3rd line. So 3rd entry in the ACL will not work Make it correction as

access-list out-in extended permit icmp any any echo-reply
no access-list out-in extended deny ip any any
access-list out_in extended permit tcp any host 192.168.1.20 eq 7778

The first match determines whether the Cisco IOS® Software accepts or rejects the packet. Because the Cisco IOS Software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet because of an implicit deny all clause. So there is no required for "deny IP any any" statement at the end of ACL.

Second issue: I am not sure that your default is applied is correct or not:

route outside 0.0.0.0 0.0.0.0 x.x.x.111 1

Because you had assigned IP x.x.x.111 on the outside interface and the same end IP is configured on the route. Here x.x.x.111 replace with next hop IP.

Issue third:

object network app-ext
host x.x.x.111
!
object network app1
host 192.168.1.20
!
object network app0
host 192.168.0.20

I am not sure what you want to archive with configuration but As per your question subnet line, seems you are looking a solution for port forwarding and I am not sure that which ports do you required but suppose APP1 is required TCP port 443 then your configuration will be like:

object network app1
host 192.168.1.20
 nat (DMZ-APP1,outside) static interface service tcp https https

Please let me know if there is any mistake to understand your question.

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

a.eldeeb · ‎03-29-2019

thank you Mr.Deepak Kumar

but public -ip ( X.X.X.111:80)

i use oracle application server

http://public-ip:80/aaaaaaaa

forward to

http://192.168.0.20:7778/aaaaaa

Deepak Kumar · ‎03-30-2019

Hi,

Change this network statement to:

object network app1
host 192.168.1.20
 nat (DMZ-APP1,outside) static interface service tcp 7778 http

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

a.eldeeb · ‎04-04-2019

not working access list error

--------

object network app1

host 192.168.1.20

access-list out_in extended permit tcp any host 192.168.1.20 eq 7778

no arp permit-nonconnected

!

object network obj_any

nat (any,outside) dynamic interface

object network app1

nat (dmz-app1,outside) static interface service tcp 7778 www

!

nat (inside,outside) after-auto source dynamic any interface

nat (dmz-app1,outside) after-auto source dynamic any interface

access-group out_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x1

gbekmezi-DD · ‎03-30-2019

What is not working exactly? Some issues I see:

access-list out-in extended permit icmp any any echo-reply
access-list out-in extended deny ip any any
access-list out_in extended permit tcp any host 192.168.1.20 eq 7778

What do you expect the first line of that access list will do? In the current configuration, it does nothing. Also, the 3rd line of the access list will never be reached because the line above it denies all ip traffic.

It looks like you want to be able to reach tcp port 7778 on 192.168.1.20 from the Internet, however, you don’t have a static PAT (NAT) entry exposing the port/address to the internet.

I also see you have a dynamic NAT for “any” to outside, but then you have other more specific dynamic NAT entries. I’d have to double check, but I don’t think that’s necessary.

George