10-31-2010 03:01 PM - edited 03-11-2019 12:02 PM
Hi,
I have the following requirement and have done the configuration below, but it looks like I'm missing some configuration, and I'd appreciate it if someone could help me out.
Requirement:
I have a DMZ server with a private IP and require both outside and inside people to access this server via the public IP for certain ports.
Configuration:
- I have DMZ server IP 172.17.25.23 (with DG 25.1) NATed to public IP 78.100.42.158.
static (DMZ,outside) 78.100.42.158 172.17.25.23 netmask 255.255.255.255
- One inside server requires talking to this DMZ server via the public IP, and I have configured a policy NAT:
static (inside,DMZ) 78.100.42.158 access-list VCS-EX
access-list VCS-EX extended permit ip host 172.16.18.153 host 172.17.25.23
- The inside server requires access to the DMZ server on the following ports, and I have created the ACLs below:
access-list acl-inside extended permit tcp host 172.16.18.153 host 78.100.42.158 range 7001 7010
access-list acl-inside extended permit udp host 172.16.18.153 host 78.100.42.158 eq 2776
access-list acl-inside extended permit udp host 172.16.18.153 host 78.100.42.158 eq 2777
access-list acl-inside extended permit udp host 172.16.18.153 host 78.100.42.158 eq 6001
access-list acl-inside extended permit tcp host 172.16.18.153 host 78.100.42.158 eq 2776
access-list acl-inside extended permit udp host 172.16.18.153 host 78.100.42.158 eq 1719
access-list acl-inside extended permit tcp host 172.16.18.153 host 78.100.42.158 eq h323
access-list acl-inside extended permit udp host 172.16.18.153 host 78.100.42.158 range 50000 52399
- Return traffic from the DMZ server to the inside server has been allowed with the ACLs below:
access-list DMZ-IN extended permit tcp host 172.17.25.23 host 172.16.18.152 eq ldap
access-list DMZ-IN extended permit udp host 172.17.25.23 host 172.16.18.152 eq ntp
access-list DMZ-IN extended permit tcp host 172.17.25.23 host 172.16.18.152 eq www
access-list DMZ-IN extended permit tcp host 172.17.25.23 host 172.16.18.152 eq https
access-list DMZ-IN extended permit udp host 172.17.25.23 any eq domain
access-list DMZ-IN extended permit udp host 172.17.25.23 any eq sip
access-list DMZ-IN extended permit tcp host 172.17.25.23 any eq sip
access-list DMZ-IN extended permit udp host 172.17.25.23 host 172.16.18.152 range 40000 49999
access-list DMZ-IN extended permit udp host 172.17.25.23 host 172.16.18.152 eq snmp
access-list DMZ-IN extended permit udp host 172.17.25.23 any gt 1024
access-list DMZ-IN extended permit tcp host 172.17.25.23 any eq h323
access-list DMZ-IN extended permit tcp host 172.17.25.23 any gt 1024
- Outside people require access to the DMZ server on the following ports, and I have created the ACLs below:
access-list acl-out extended permit udp any host 78.100.42.158 eq sip
access-list acl-out extended permit tcp any host 78.100.42.158 eq sip
access-list acl-out extended permit udp any host 78.100.42.158 range 50000 52399
access-list acl-out extended permit udp any host 78.100.42.158 eq 1719
access-list acl-out extended permit tcp any host 78.100.42.158 eq h323
access-list acl-out extended permit tcp any host 78.100.42.158 range 15000 19999
access-list acl-out extended permit tcp any host 78.100.42.158 eq 2776
access-list acl-out extended permit udp any host 78.100.42.158 eq 2776
access-list acl-out extended permit udp any host 78.100.42.158 eq 2777
access-list acl-out extended permit tcp any host 78.100.42.158 eq 2777
I still can't establish the connection between the DMZ server and the inside server ("connection failed" appears in the DMZ server logs), and I see the error logs below on the ASA:
2|Oct 31 2010|13:18:07|106016|||Deny IP spoof from (213.130.121.43) to 78.100.42.158 on interface outside
6|Oct 31 2010|13:18:01|302014|78.100.42.158|172.16.18.153 |Teardown TCP connection 107969229 for outside:78.100.42.158/7002 to inside: 172.16.18.153 /26511 duration 0:00:30 bytes 0 SYN Timeout
2|Oct 31 2010|13:18:01|106016|||Deny IP spoof from (213.130.121.43) to 78.100.42.158 on interface outside
My concerns here are:
- Can we do the NAT with the same IP to outside as well as DMZ/inside?
- What is the reason I'm getting the Deny IP spoof error, and how do I troubleshoot that?
- Am I missing some configuration with regard to NAT/IP routing?
If you require further information, please reply to me.
Thanks
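As an added example (not from the original post or from Cisco), here is a small parser for the pipe-delimited ASA syslog lines quoted above. It counts 106016 spoof denies aimed at the server's public IP, and flags 302014 teardowns in which that public IP was reached on an interface other than the one the server actually sits on with zero bytes exchanged, which is the pattern the quoted log shows (the flow was built on outside, not DMZ). The sample lines are constructed copies of the ones in the post; the expected interface name "DMZ" is an assumption taken from the post's configuration.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the ASA lines quoted in the post:
# severity|date|time|message-id|src|dst|message text
SAMPLE_LOGS = """\
2|Oct 31 2010|13:18:07|106016|||Deny IP spoof from (213.130.121.43) to 78.100.42.158 on interface outside
6|Oct 31 2010|13:18:01|302014|78.100.42.158|172.16.18.153 |Teardown TCP connection 107969229 for outside:78.100.42.158/7002 to inside: 172.16.18.153 /26511 duration 0:00:30 bytes 0 SYN Timeout
2|Oct 31 2010|13:18:01|106016|||Deny IP spoof from (213.130.121.43) to 78.100.42.158 on interface outside
"""

SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)")
# Tolerates the stray spaces around addresses seen in the quoted 302014 line.
TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>\w+):\s*(?P<src>[\d.]+)\s*/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):\s*(?P<dst>[\d.]+)\s*/(?P<dport>\d+) "
    r"duration \S+ bytes (?P<bytes>\d+)(?: (?P<reason>.*))?")

def parse_line(line):
    """Split one pipe-delimited ASA log line into its seven fields."""
    fields = line.rstrip("\n").split("|", 6)
    if len(fields) != 7:
        return None
    sev, date, time, msg_id, _src, _dst, text = fields
    return {"severity": int(sev), "time": f"{date} {time}", "id": msg_id, "text": text.strip()}

def analyse(log_text, server_public_ip, server_interface="DMZ"):
    """Return spoof denies per (source, interface) and teardowns where the
    server's public IP was hit on the wrong interface with no payload."""
    spoof_sources, misrouted = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["id"] == "106016":
            m = SPOOF_RE.search(rec["text"])
            if m and m.group("dst") == server_public_ip:
                spoof_sources[(m.group("src"), m.group("iface"))] += 1
        elif rec["id"] == "302014":
            m = TEARDOWN_RE.search(rec["text"])
            if not m or server_public_ip not in (m.group("src"), m.group("dst")):
                continue
            on_src = m.group("src") == server_public_ip
            iface = m.group("src_if") if on_src else m.group("dst_if")
            peer = m.group("dst") if on_src else m.group("src")
            if iface != server_interface and m.group("bytes") == "0":
                misrouted.append({"time": rec["time"], "interface": iface,
                                  "peer": peer, "reason": m.group("reason") or ""})
    return {"spoof_sources": dict(spoof_sources), "misrouted": misrouted}
```

A teardown for the public IP on "outside" instead of "DMZ", with 0 bytes and a SYN timeout, points at the translation not being applied on the DMZ-facing path rather than at the port ACLs.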
10-31-2010 04:51 PM
Hello,
The static in order for the inside host to access the DMZ server with the public IP would be:
static (DMZ,inside) 78.100.42.158 172.17.25.23 netmask 255.255.255.255
If you want to restrict the ports, you can use an access list on the inside and the outside to do it.
Here is the document for it.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
Hope it helps.
Mike