ASA 5510 DMZ cannot talk to inside network

Darren Lapierre
Level 4

Evening all!

So I have tried configuring this a few times now, and I have not had much success!

I am trying to do two things:

- first, have the DMZ be completely transparent to the inside network (icmp, https, and a few other TCP ports).

- secondly, I want to NAT my DMZ network to external.

Think anyone can give me a hand with this?

Below is a base config of my ASA.

~~~~~~~~~~~~~~~~~
ASA Version 8.0(4)
!
hostname igniteCSGfw
enable password awUSpLuFs5wdhqJE encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 inside-network
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 208.118.125.130 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz_inside
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp
 service-object tcp
 service-object tcp eq domain
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq domain
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
 service-object tcp eq domain
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq domain
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any inside-network 255.0.0.0
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz_inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 inside-network 255.0.0.0
static (dmz_inside,outside) 208.118.125.131 172.16.10.10 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 208.118.125.129 1
route inside inside-network 255.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http inside-network 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside-network 255.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 management
telnet timeout 5
ssh inside-network 255.0.0.0 inside
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ignitecsg password 028ZcrY5F/cbezVk encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:626845dd33f8aeaa909dcbda9b04af05
: end

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Darren,

Okay... I will start with the DMZ being transparent to the DMZ

static (inside,dmz_inside) 10.1.1.0 10.1.1.10 netmask 255.255.255.0

static (dmz_inside,inside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

Now let's talk about being able to talk from DMZ to inside. If this is required you need this:

access-list dmz_in permit ip any any
access-group dmz_in in interface dmz_inside

OUTSIDE to DMZ

You have the following in place already:

static (dmz_inside,outside) 208.118.125.131 172.16.10.10 netmask 255.255.255.255

access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any

Does the access from outside to the DMZ server work?

Remember to rate all of the CSC answers (the stars at the bottom of each reply).

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
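Two things in this thread are easy to miss when reading an ASA 8.x config by eye: the object-group DM_INLINE_SERVICE_2 in Darren's config contains a bare "service-object ip", so the applied "permit object-group DM_INLINE_SERVICE_2 any any" on the outside interface is effectively "permit ip any any" inbound, and an access-group that names an interface with no matching nameif (for example "dmz" when the nameif is "dmz_inside") applies nothing at all. The script below is an added example written for this page, not code from either poster or from Cisco; it parses a constructed excerpt of the config above (with a deliberate interface-name typo added) and reports those conditions plus ACLs that are defined but never applied.

```python
"""Static audit of ASA 8.x-style configuration text (added example).

Reports:
  * access-group lines that reference an ACL or an interface nameif that
    is not defined (the rule then protects nothing);
  * ACLs that are defined but never applied with access-group;
  * applied ACEs that amount to 'permit ip any any', including ones whose
    object-group service contains a bare 'service-object ip'.
"""
import re
from collections import defaultdict

# Constructed excerpt of the posted config; the last line carries an
# intentional typo ('dmz' instead of the configured nameif 'dmz_inside').
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz_inside
 security-level 50
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any inside-network 255.0.0.0
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any
access-list dmz_in permit ip any any
access-group outside_access_in_1 in interface outside
access-group dmz_in in interface dmz
"""


def parse_config(text):
    """Return (nameifs, service groups, ACLs, access-groups) from config text."""
    nameifs = set()
    groups = defaultdict(set)   # object-group name -> protocols it contains
    acls = defaultdict(list)    # ACL name -> list of ACE strings
    access_groups = []          # (acl, direction, interface) tuples
    current_group = None        # object-group whose members we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("nameif "):
            nameifs.add(line.split()[1])
            current_group = None
        elif line.startswith("object-group service "):
            current_group = line.split()[2]
        elif line.startswith("service-object ") and current_group:
            groups[current_group].add(line.split()[1])
        elif line.startswith("access-list "):
            current_group = None
            parts = line.split()
            acls[parts[1]].append(" ".join(parts[2:]))
        elif line.startswith("access-group "):
            current_group = None
            m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
            if m:
                access_groups.append(m.groups())
        else:
            current_group = None  # any other line ends an object-group body
    return nameifs, dict(groups), dict(acls), access_groups


def entry_is_permit_ip_any_any(entry, groups):
    """True if the ACE permits every protocol from any source to any destination."""
    parts = entry.split()
    if parts and parts[0] == "extended":
        parts = parts[1:]
    if len(parts) < 4 or parts[0] != "permit":
        return False
    if parts[1] == "object-group":          # protocol given via a service group
        proto_any = "ip" in groups.get(parts[2], set())
        rest = parts[3:]
    else:                                   # literal protocol keyword
        proto_any = parts[1] == "ip"
        rest = parts[2:]
    return proto_any and rest == ["any", "any"]


def audit(text):
    """Run all checks and return a list of human-readable findings."""
    nameifs, groups, acls, access_groups = parse_config(text)
    findings, applied = [], set()
    for acl, direction, iface in access_groups:
        applied.add(acl)
        if acl not in acls:
            findings.append(f"access-group references undefined ACL '{acl}'")
        if iface not in nameifs:
            findings.append(f"access-group '{acl}' references unknown interface "
                            f"'{iface}' (known: {sorted(nameifs)})")
        for entry in acls.get(acl, []):
            if entry_is_permit_ip_any_any(entry, groups):
                findings.append(f"ACL '{acl}' applied {direction} on '{iface}' "
                                f"permits ip any any: '{entry}'")
    for acl in acls:
        if acl not in applied:
            findings.append(f"ACL '{acl}' is defined but never applied")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the excerpt it reports four findings: the outside ACL permitting all IP traffic, the dmz_in ACL doing the same, the unknown interface name on the dmz_in access-group, and outside_access_in being defined but unused. A "permit ip any any" on a DMZ interface is what Julio's snippet asks for, and whether that is acceptable is a policy decision; the audit only makes it visible.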


2 Replies


Julio, Thank you so much. Worked perfectly!

Darren
