01-13-2020 07:32 PM
Hi all,
I cannot seem to ping server in dmz from "OUTSIDE" (Static Nat). However, I can ping Outside from inside (PAT).
Could anyone point me to the right direction please?
object network INSIDE-OUTSIDE
nat (inside,outside) dynamic interface
object network DMZ2-OUTSIDE
nat (dmz2,outside) dynamic interface
object network DMZ1-OUTSIDE
nat (dmz1,outside) dynamic interface
!
nat (any,outside) after-auto source dynamic any interface
ASAlab2(config)#
ASAlab2(config)#
ASAlab2(config)# sh run
: Saved
:
: Serial Number: 9AMKNK263EE
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2095 MHz
:
ASA Version 9.9(2)
!
hostname ASAlab2
enable password $sha512$5000$+Kpz/EysDD1un1b5YiX/MQ==$k3TtQlPYooJmTbkU/HIykA== pbkdf2
names
!
interface GigabitEthernet0/0
description WAN
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.252
!
interface GigabitEthernet0/1
description LAN
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ1
nameif dmz1
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
description DMZ2
nameif dmz2
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
no ip address
!
ftp mode passive
object network INSIDE-OUTSIDE
subnet 192.168.0.0 255.255.255.0
object network DMZ1-SERVER
host 192.168.1.10
object network OUTSIDE-DMZ1
host 10.1.1.10
object network DMZ2-OUTSIDE
subnet 192.168.2.0 255.255.255.0
object network DMZ1-OUTSIDE
subnet 192.168.1.0 255.255.255.0
access-list OUTISDE-DMZ extended permit ip any host 192.168.1.10
pager lines 23
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network INSIDE-OUTSIDE
nat (inside,outside) dynamic interface
object network DMZ2-OUTSIDE
nat (dmz2,outside) dynamic interface
object network DMZ1-OUTSIDE
nat (dmz1,outside) dynamic interface
!
nat (any,outside) after-auto source dynamic any interface
access-group OUTISDE-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
console serial
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:1d55c3acd48ddf7aa7f83d370abfc6ba
: end
Thanks
01-13-2020 08:59 PM
Hi,
I do see an access list configured to allow all kinds of traffic from outside to the DMZ server, but I do not see any static NAT associated with the DMZ server. Please configure static NAT to allow ping from outside to the DMZ.
Example:
If you have any free IP address in the range of the outside subnet then use it for static NAT with the DMZ.
Let's say 10.1.1.3 is a free IP address in the outside subnet (10.1.1.0/24):
object network obj-10.1.1.3
host 10.1.1.3
object network obj-192.168.1.10
host 192.168.1.10
nat (dmz1,outside) source static obj-192.168.1.10 obj-10.1.1.3
The above NAT is applicable only when you have a free IP address in the outside subnet, but in your case you are using a /30 subnet where you have only two usable IP addresses, one for the firewall and the other for the gateway (according to the pasted configuration).
For UDP/TCP we can use the interface IP address of the firewall for port forwarding, but for ICMP we cannot use port forwarding since ICMP doesn't work on ports (different protocol).
Note :
We can use the outside interface IP address for one-to-one static NAT with the DMZ server; however, it will break the other NAT.
nat (dmz1,outside) source static obj-192.168.1.10 interface
Please let me know if you have any query and do rate if it is helpful.
Thanks
Guddu
01-15-2020 02:40 PM
Thanks @GudduPrasad83044.
I have adjusted that to a slash 24 subnet. Still not working.
So if I am to understand you correctly, I cannot have PAT and static NAT on the same interface (zone)?
01-15-2020 02:47 PM
You cannot have it. You can configure port forwarding in that case if you want to use the same IP for PAT and NAT (for incoming traffic to the server).
01-15-2020 11:15 PM
For ICMP you can configure an access list. Here is the example:
access-list outside-in extended permit icmp any host 192.168.10.1 echo
access-group outside-in in interface outside
01-13-2020 09:02 PM - edited 01-13-2020 09:04 PM
Hi
It is not going to ping with your NAT configuration. You have already done many-to-one NAT from the inside subnet to outside, which will allow your inside to reach outside. What kind of service is running on your DMZ? The option for you is either to arrange a unique public IP or to configure port forwarding on the outside interface.
For example, if your server in the DMZ is a web server running on port 443 and you want to access the webpage from outside, then the config would look like:
object network DMZ1-OUTSIDE
nat (dmz1,outside) static interface service tcp 443 443
Further, you need to allow traffic on TCP port 443 in the above example.
01-15-2020 02:59 PM - edited 01-15-2020 03:10 PM
Just to add to what @Muhammad Awais Khan mentioned:
object network DMZ1-OUTSIDE
nat (dmz1,outside) static interface service tcp 443 443
access-list OUTSIDE_IN extended permit tcp any object DMZ1-OUTSIDE eq 443
access-group OUTSIDE_IN in interface outside
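Putting the static-NAT advice and the port-forwarding reply together on the OP's own objects, as an added example that is not any poster's configuration: it assumes the outside link has been re-addressed to 10.1.1.0/24 (as the OP later says), so that the OP's unused OUTSIDE-DMZ1 object (10.1.1.10) is a spare address on it, and that HTTPS is the only service the DMZ host should expose.

```cisco
! Added example (not from the thread). Assumes outside is now 10.1.1.0/24
! and 10.1.1.10 is free; both objects already exist in the OP's config.
object network DMZ1-SERVER
 host 192.168.1.10
object network OUTSIDE-DMZ1
 host 10.1.1.10
!
! One-to-one static NAT for the server only. Because no port is involved,
! ICMP is translated too. The existing "nat (dmz1,outside) dynamic interface"
! on DMZ1-OUTSIDE stays in place for the rest of 192.168.1.0/24; within
! object NAT a static rule is evaluated before a dynamic one.
object network DMZ1-SERVER
 nat (dmz1,outside) static OUTSIDE-DMZ1
!
! Least privilege instead of the OP's "permit ip any host 192.168.1.10":
! only echo requests and the one exposed service. On ASA 8.3+ the ACL
! matches the real (untranslated) address, hence the object DMZ1-SERVER.
! Echo replies need no rule because "inspect icmp" is already in global_policy.
access-list OUTSIDE_IN extended permit icmp any object DMZ1-SERVER echo
access-list OUTSIDE_IN extended permit tcp any object DMZ1-SERVER eq 443
access-group OUTSIDE_IN in interface outside
!
! Verification: simulate an echo request (type 8, code 0) from a constructed
! outside host to the public address; the NAT and ACCESS-LIST phases
! should both report ALLOW, and the xlate table should show the static entry.
packet-tracer input outside icmp 10.1.1.100 8 0 10.1.1.10 detailed
show nat detail
show xlate
```

If the spare address is not available, the same ACL lines work with the "nat (dmz1,outside) static interface service tcp 443 443" rule from the reply above, but the ICMP line then has nothing to translate to, which is exactly why ping from outside keeps failing.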
01-19-2020 07:49 AM
For this scenario, as per my understanding it will not work, as you are doing static NAT to the outside interface IP. If you have any additional IP available other than the interface IP, then you can use PAT and static NAT for your server together.
I tested some scenarios with PAT and port forwarding on the ASA's outside for internal servers which worked fine for me.