10-26-2011 01:05 PM - edited 03-11-2019 02:42 PM
I have 3 Servers in my DMZ. The Servers can VNC and ping each other fine. From 'inside' I can ping and VNC 2 of them, but not the third.
From 'inside' I can access NS2 (172.168.1.12) and WebServer (192.168.1.10)
I cannot access NS1 (172.168.1.11)
Since I had to learn 8.4 in less than a week, I may have other items wrong. I'm open to any criticism.
Lon
:
ASA Version 8.4(2)
!
hostname #####
domain-name #####
enable password ##### encrypted
passwd ##### encrypted
names
dns-guard
!
interface Ethernet0/0
speed 10
duplex full
nameif outside
security-level 0
ip address 69.##.##.82 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.0.2 255.255.0.0
!
interface Ethernet0/2
nameif dmz
security-level 80
ip address 172.168.1.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name #####
object network insidetoInternet
subnet 10.1.0.0 255.255.0.0
description Inside net to Internet connector
object network RemoteAccessServer
host 10.1.2.7
description Internal Terminal Server 3389
object network WebServer
host 172.168.1.10
description Web Server in DMZ
object network dmz-to-inside
subnet 172.168.1.0 255.255.255.0
description Route traffic DMZ and Inside
object network ExchangeServer
host 10.1.2.3
description Exchange (Mail) Server
object network NS1
host 172.168.1.11
description DNS Server in DMZ
object network NS2
host 172.168.1.12
description DNS Server in DMZ
object network inside-to-dmz
subnet 10.1.0.0 255.255.0.0
description Route traffic DMZ and Inside
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object WebServer
network-object object ExchangeServer
object-group network DM_INLINE_NETWORK_2
network-object object NS1
network-object object NS2
access-list OutsideAllowedIn extended permit icmp any any
access-list outside_access_in extended permit tcp any object RemoteAccessServer eq 3389
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq domain
access-list outside_access_in extended permit tcp any object ExchangeServer eq 2883
access-list outside_access_in extended permit tcp any object ExchangeServer eq smtp
access-list outside_access_in extended permit tcp any object ExchangeServer eq https
access-list outside_access_in extended permit tcp any object ExchangeServer eq 8080
access-list outside_access_in extended permit tcp any object ExchangeServer eq 4343
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-205.bin
no asdm history enable
arp timeout 14400
nat (inside,dmz) source static inside-to-dmz inside-to-dmz destination static dmz-to-inside dmz-to-inside
!
object network insidetoInternet
nat (inside,outside) dynamic interface
object network RemoteAccessServer
nat (inside,outside) static 69.##.##.88
object network WebServer
nat (dmz,any) static 69.##.##.90
object network ExchangeServer
nat (inside,any) static 69.##.##.85
object network NS1
nat (dmz,any) static 69.##.##.91
object network NS2
nat (dmz,any) static 69.##.##.92
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.##.##.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.2.3 source inside
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:#####
: end
[OK]
10-26-2011 03:04 PM
Hello Lon,
First, let's do a packet-tracer; then we could do captures.
Packet-tracer input inside tcp 10.1.0.11 1025 172.16.1.11 5900 (VNC Port)
Please provide us the output you will get
Regards,
Julio
10-26-2011 05:13 PM
Result of the command: "Packet-tracer input inside tcp 10.1.0.11 1025 172.16.1.11 5900"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network insidetoInternet
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.1.0.11/1025 to 69.##.##.82/46184
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 361221, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
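The trace above says more than "allow": Phase 1 (ROUTE-LOOKUP) matched the default route (in 0.0.0.0 0.0.0.0 outside), so the flow went out the outside interface and hit the nat (inside,outside) dynamic interface PAT rule rather than the (inside,dmz) identity NAT from the posted config. That is what happens when the destination typed into the command, 172.16.1.11, falls outside the DMZ subnet 172.168.1.0/24 that the config actually uses. The Python below is an added example and not part of this thread or of any Cisco tool: it parses packet-tracer output (a constructed, trimmed copy of the output above), pulls out the egress interface and the NAT line that matched, and re-does the connected-route lookup over the posted interface addresses so the route decision can be checked for any destination. The outside interface is not in the route table because its address is masked in the post; the static default route covers it. It also reports whether an address is in a private range, since 172.168.0.0/16 lies outside 172.16.0.0/12.

```python
import ipaddress
import re

# Constructed copy of the packet-tracer output posted above, trimmed to the
# phases this example reads. Sample input only, so the block runs offline.
TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network insidetoInternet
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.1.0.11/1025 to 69.##.##.82/46184
Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Connected routes from the posted interface configuration. The outside
# address is masked in the post, so it is not listed; the static default
# route ("route outside 0.0.0.0 0.0.0.0 ...") covers everything else.
CONNECTED = {
    "inside": "10.1.0.2/16",
    "dmz": "172.168.1.1/24",
    "management": "192.168.1.1/24",
}
DEFAULT_ROUTE_IF = "outside"


def parse_phases(text):
    """Split packet-tracer output into one dict per phase.

    Each dict holds the phase number, type, result, and the lines under
    'Config:' and 'Additional Information:'. The trailing summary (the
    bare 'Result:' header) is not a phase and is skipped here.
    """
    phases, current, section = [], None, None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line.strip() == "Result:":          # start of the final summary
            current = None
        elif current is None:
            continue
        elif line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current["result"] = line.split(":", 1)[1].strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section:
            current[section].append(line.strip())
    return phases


def egress_interface(text):
    """Interface the trace says the packet would leave on, or None."""
    m = re.search(r"^output-interface:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def matched_nat(phases):
    """The 'nat ...' line the NAT phase matched, or None if there was no NAT phase."""
    for p in phases:
        if p["type"] == "NAT":
            return next((c for c in p["config"] if c.startswith("nat ")), None)
    return None


def route_lookup(dst, connected=CONNECTED, default=DEFAULT_ROUTE_IF):
    """Longest-prefix match over connected networks, else the default route.

    This mirrors what Phase 1 (ROUTE-LOOKUP) of the trace decides.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for name, cidr in connected.items():
        net = ipaddress.ip_interface(cidr).network
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else default


def is_private_address(dst):
    """True for RFC 1918 and other reserved ranges (ipaddress' notion of private)."""
    return ipaddress.ip_address(dst).is_private


def diagnose(text, dst, expected_if):
    """Compare the interface the trace picked with the one expected for dst."""
    actual = egress_interface(text)
    if actual == expected_if:
        return f"{dst} egresses {actual} as expected"
    return (f"{dst} egresses {actual}, not {expected_if}: route lookup says {route_lookup(dst)}; "
            f"NAT matched '{matched_nat(parse_phases(text))}'; private address: {is_private_address(dst)}")


if __name__ == "__main__":
    print(diagnose(TRACE, "172.16.1.11", "dmz"))
    print("172.168.1.11 would route to", route_lookup("172.168.1.11"))
```

Run against a real trace, the first check is whether output-interface is the one you expected; if it is not, the ROUTE-LOOKUP phase, not the ACL or NAT phases, is where to look first.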
10-26-2011 07:14 PM
Hello Lon,
As we can see, it seems like the ASA allows this traffic, so the next thing to do will be captures:
-access-list capin permit tcp host 10.1.0.11 host 172.16.1.11 eq 5900
-access-list capin permit tcp host 172.16.1.11 eq 5900 host 172.16.1.11
-capture capin access-list capin interface inside
-access-list capdmz permit tcp host 10.1.0.11 host 172.16.1.11 eq 5900
-access-list capdmz permit tcp host 172.16.1.11 eq 5900 host 10.1.0.11
-capture capdmz access-list capdmz interface dmz
-Http 0.0.0.0 0.0.0.0 inside
-Then you will need to download the captures in a browser.
-https://10.1.0.11/capture/capin/pcap
-https://10.1.0.11/capture/capdmz/pcap
Then attach the captures to this discussion.
Have a great day,
Julio
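Two capture points, inside and dmz, split the problem three ways: the SYN never shows up on inside (capture ACL addresses wrong, or the client is not sending), it shows up on inside but not on dmz (the ASA dropped or misrouted it), or it reaches dmz and no SYN-ACK comes back (the server side: not listening, no default gateway, host firewall). The Python below is an added example, not from the thread and not an ASA feature: it parses the pcap files the ASA serves at /capture/<name>/pcap with nothing but the standard library, classifies the VNC handshake at each capture point, and returns the next step. The sample captures are constructed inside the block with a minimal pcap writer (SYN seen on both interfaces, nothing back) to stand in for real downloads; the addresses and port are the ones used in the thread.

```python
import struct

SYN, ACK = 0x02, 0x10
PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(frames):
    """Wrap raw Ethernet frames in a pcap file. Used here only to construct
    sample captures; real ones come from https://<asa-ip>/capture/<name>/pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame with no payload. Checksums are left
    zero, which is fine because the parser never validates them."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP frame in a pcap."""
    if len(data) < 24:
        return                                            # empty or truncated file
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                      # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
               sport, dport, tcp[13])


def handshake_state(pcap, client, server, port):
    """'empty', 'syn-only' or 'handshake' for one client -> server:port conversation."""
    syn = synack = False
    for src, dst, sport, dport, flags in parse_pcap(pcap):
        if (src, dst, dport) == (client, server, port) and flags & SYN and not flags & ACK:
            syn = True
        if (src, dst, sport) == (server, client, port) and flags & SYN and flags & ACK:
            synack = True
    return "handshake" if synack else "syn-only" if syn else "empty"


def diagnose(inside_pcap, dmz_pcap, client, server, port):
    """Turn the two capture points into the next troubleshooting step."""
    inside = handshake_state(inside_pcap, client, server, port)
    dmz = handshake_state(dmz_pcap, client, server, port)
    if inside == "empty":
        return "no SYN on inside: check the capture ACL addresses and that the client is really sending"
    if dmz == "empty":
        return "SYN on inside but not on dmz: the ASA dropped or misrouted it (packet-tracer, NAT, routes)"
    if dmz == "syn-only":
        return "SYN reached dmz but no SYN-ACK returned: look at the server (listening? default gateway? host firewall?)"
    if inside == "syn-only":
        return "SYN-ACK on dmz but not on inside: the ASA dropped the return traffic"
    return "handshake completes through the ASA"


# Constructed sample: the SYN shows up on both interfaces and nothing comes
# back, which is what a DMZ host with no default gateway looks like.
CLIENT, SERVER, PORT = "10.1.0.11", "172.168.1.11", 5900
SAMPLE_INSIDE = build_pcap([tcp_frame(CLIENT, SERVER, 1025, PORT, SYN)])
SAMPLE_DMZ = build_pcap([tcp_frame(CLIENT, SERVER, 1025, PORT, SYN)])

if __name__ == "__main__":
    print(diagnose(SAMPLE_INSIDE, SAMPLE_DMZ, CLIENT, SERVER, PORT))
```

With real files, read the two downloads as bytes and pass them to diagnose() in place of the constructed samples. An empty result on inside is reported separately from a drop between the interfaces, because the first points at the capture definition itself rather than at the firewall policy.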
10-26-2011 11:16 PM
Julio,
I modified your access-list example a little.
Changed 172.16... to 172.168...
Changed the second line of capin -- internal IP to 10.1.0.11 instead of 172.16...
Oh... dang... I guess I should be using 172.16, not 172.168. I'll have to change that in the morning.
However, I am getting empty files. I must be doing something wrong. I'll try again in the morning.
Lon
10-27-2011 05:59 AM
OK, I was so focused on the firewall that I didn't even notice that the server in question did not have a gateway assigned. As I was changing the IP addresses to 172.16..., I noticed and fixed it; all is well now. Thank you for your assistance. Sometimes it's the simple stuff that gets us.
Lon
10-27-2011 09:28 AM
Hello Lon,
lol, sometimes that is the first thing to check.
Well I am happy now everything is working.
Please mark the question as answered.
Have a great day,
Julio