ASA 9.1 Inside To DMZ Access

mthomas1999
Level 1

Hello, I recently upgraded my ASA from 8.2 to 9.1 (reconfigured from scratch; I did not convert the old config) and everything seems to be working fine except for communication between my INTERNAL network and my DMZ. Any help would be greatly appreciated. Here's my config below:

:
ASA Version 9.1(1)
!
hostname ZEPPELIN
domain-name MIWEBPORTAL.com
enable password XXXXX
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd FClk4V74ruL1dFGo encrypted
names
!
interface Ethernet0/0
 description ISP-MODEM
 switchport access vlan 20
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 description INTERNAL-NET
 switchport access vlan 19
!
interface Ethernet0/3
 description INTERNAL-NET
 switchport access vlan 19
!
interface Ethernet0/4
 description INTERNAL-NET
 switchport access vlan 19
!
interface Ethernet0/5
 description INTERNAL-NET
 switchport access vlan 19
!
interface Ethernet0/6
 description DMZ
 switchport access vlan 99
!
interface Ethernet0/7
 description DMZ
 switchport access vlan 99
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan19
 description INTERNAL-NET
 nameif MYNETWORK
 security-level 100
 ip address 172.19.19.1 255.255.255.0
!
interface Vlan20
 description DHCP-MODEM-INTERNET
 mac-address XXX
 nameif INTERNET
 security-level 0
 ip address dhcp setroute
!
interface Vlan99
 description DMZ-NET
 no forward interface Vlan19
 nameif MYDMZ
 security-level 50
 ip address 192.168.99.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name MIWEBPORTAL.com
object network MYNETWORK
 subnet 172.19.19.0 255.255.255.0
object network MYDMZ
 subnet 192.168.99.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu MYNETWORK 1500
mtu INTERNET 1500
mtu MYDMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network MYNETWORK
 nat (MYNETWORK,INTERNET) dynamic interface
object network MYDMZ
 nat (MYDMZ,INTERNET) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable 1999
http 172.19.19.0 255.255.255.0 MYNETWORK
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 172.19.19.0 255.255.255.0 MYNETWORK
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 691200
dhcpd ping_timeout 750
!
dhcpd address 172.19.19.18-172.19.19.28 MYNETWORK
dhcpd enable MYNETWORK
!
dhcpd address 192.168.99.9-192.168.99.19 MYDMZ
dhcpd enable MYDMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username XXXX password xxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5c772fc57a4aaf9546d3a28527c1ca06
: end
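As an added example (not code from the original post or from Cisco), here is a small Python audit of the interface stanzas above: it applies the ASA default that traffic initiated on a higher security-level interface passes to a lower one without an access-list, plus the `no forward interface Vlan19` restriction present under Vlan99, and reports the default inside/DMZ flow in each direction. The config excerpt is constructed from the post; the function names are my own.

```python
"""Audit the default inter-interface flow an ASA 9.x config permits.
Added example, not from the original post. Two ASA rules are applied: with no
inbound ACL, traffic flows only from a higher to a lower security level, and
'no forward interface VlanN' under a VLAN interface stops that VLAN from
initiating traffic to VlanN (ASA 5505 Base License restriction)."""
import re

# Constructed excerpt of the config posted in the thread.
CONFIG = """\
interface Vlan19
 nameif MYNETWORK
 security-level 100
!
interface Vlan99
 no forward interface Vlan19
 nameif MYDMZ
 security-level 50
!
"""

def parse_interfaces(text):
    """Map nameif -> {'vlan', 'level', 'no_forward'} from interface stanzas."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = {"vlan": m.group(1), "level": None, "no_forward": set()}
        elif cur is not None and line.startswith(" ") and line.strip():
            cmd = line.split()  # sub-command lines are indented one space
            if cmd[0] == "nameif":
                ifaces[cmd[1]] = cur
            elif cmd[0] == "security-level":
                cur["level"] = int(cmd[1])
            elif cmd[:3] == ["no", "forward", "interface"]:
                cur["no_forward"].add(cmd[3])
    return ifaces

def default_flow(ifaces, src, dst):
    """Say whether traffic initiated on src toward dst passes by default, and why."""
    s, d = ifaces[src], ifaces[dst]
    if d["vlan"] in s["no_forward"]:
        return f"denied: {s['vlan']} has 'no forward interface {d['vlan']}'"
    if s["level"] > d["level"]:
        return f"permitted: security-level {s['level']} > {d['level']}"
    return f"denied: security-level {s['level']} <= {d['level']}, needs an access-list"

if __name__ == "__main__":
    ifs = parse_interfaces(CONFIG)
    for pair in [("MYNETWORK", "MYDMZ"), ("MYDMZ", "MYNETWORK")]:
        print(pair, default_flow(ifs, *pair))
```

The output for this config shows inside-to-DMZ permitted by security level and DMZ-to-inside blocked by the forward restriction, which is why a test from the DMZ host back to the inside network is not a valid check of the inside-to-DMZ path.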

15 Replies

Okay, will do. I was testing it via ping to the only computer I have in the DMZ (192.168.99.9), but have also tried disabling the local firewall on the PC and accessing it through a share.
