08-25-2010 07:36 AM - edited 03-11-2019 11:30 AM
Hi,
Having serious trouble getting my DMZ zone to work as planned.
The setup is typical, having a WAN interface, and an internal interface with a few VLANs on it - besides that I now configured a new VLAN on a vacant interface eth0/3 which I am planning to use as DMZ.
internal VLANs - security level 100
DMZ VLAN - security level 50
WAN interface - security level 0
I ticked on the "Allow between interfaces with same security level" which made it easy to configure access between everything located internal, also from internal to DMZ.
However I have 1 public IP and I wish to port NAT to servers in the DMZ. Just to test I tried to make a public server following Cisco's guide http://www.cisco.com/en/US/docs/security/asa/asa83/getting_started/5500/guide/dmz.html#wp1065777
When I am trying to NAT to the external IP I get the following error:
[ERROR] nat (DMZ_SKA,WAN) static XXX.XXX.XXX.XXX service tcp 3389 3389
Address XXX.XXX.XXX.XX overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Then I tried using the CLI with a command like:
nat (DMZ_SKA,WAN) static interface service tcp 3389 3389
Still no joy, even when allowing everything on WAN and DMZ nothing is working. If I try to NAT port 80 it gets blocked by the firewall at the WAN interface even though I explicitly allowed it.
Anyone with bright ideas?
08-25-2010 07:46 AM
Hi Poul,
Can you post the output of the following commands:
sh run nat
sh run object network
With regards to the port 80 translation, make sure that the access-list refers to the real IP address, in this case the server address as it exists on the DMZ network.
This link gives some examples of natting in 8.3.
https://supportforums.cisco.com/docs/DOC-9129
Thanks,
Loren
08-25-2010 08:02 AM
Seems like the NAT that you configured is ok. ACL may be a problem.
On the outside ACL where you permit 3389 and 80 to this dmz server you need to use the real/private IP of the server in the DMZ.
Read this link. https://supportforums.cisco.com/docs/DOC-12690#ACL_Changes
-KS
08-25-2010 10:21 AM
Hi Poul,
While the previous engineer is correct that the nat statement is correct, we still need to make sure the host defined in the network object is the real IP address of the server. Can you verify this and also make sure that the access-list you have applied to the WAN interface is allowing traffic to the real IP address and real port of the server.
Thanks,
Loren
08-26-2010 12:28 AM
Hi all,
Thanks for the suggestion, tried to delete everything and start over with the DMZ thing.
Here is sh run nat:
ciscoasa# sh run nat
nat (PROD_SKA,WAN) source dynamic any interface
nat (DEV_SKA,WAN) source dynamic any interface
!
object network DMZ_RDP_SRV
nat (DMZ_SKA,WAN) static interface service tcp www www
ciscoasa#
Here is sh run object network:
ciscoasa# sh run object network
object network LAN_WAN_NAT
subnet 10.10.101.0 255.255.255.0
description LAN NAT
object network A_
object network WAN
host 217.116.XXX.XXX
object network DMZ_RDP_SRV
host 192.168.100.100
ciscoasa#
Here is sh run access-list:
ciscoasa# sh run access-list
access-list DEV_SKA_access_in extended permit ip 10.10.102.0 255.255.255.0 10.10.103.0 255.255.255.0
access-list DEV_SKA_access_in extended permit object-group DM_INLINE_SERVICE_1 10.10.103.0 255.255.255.0 any
access-list PROD_SKA_access_in extended permit object-group DEV_SKA_ACCESS_GROUP 10.10.102.0 255.255.255.0 any
access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq www
access-list allow_ping_to_wan remark ping from lan to wan
access-list allow_ping_to_wan standard permit 10.10.101.0 255.255.255.0
ciscoasa#
Here is sh run access-group:
ciscoasa# sh run access-group
access-group OUTSIDE_IN_DMZ in interface WAN
access-group PROD_SKA_access_in in interface PROD_SKA
access-group DEV_SKA_access_in in interface DEV_SKA
ciscoasa#
Still no joy...
Checked the ACLs, which to me seem to be good (that might not really be the case).. WAN is still blocking port 80.
Do you guys need more conf info? I am stuck..
08-26-2010 04:50 AM
This ACL
access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq www
should actually be
access-list OUTSIDE_IN_DMZ extended permit tcp any host 192.168.100.100 eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 192.168.100.100 eq www
Refer this link: https://supportforums.cisco.com/docs/DOC-12690#ACL_Changes
-KS
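A small config check for the point KS makes above, added here as an illustration and not from the thread, from Cisco or from the linked document: since ASA 8.3 an interface access-list is evaluated against the real (untranslated) address, so any access-list entry that names a NAT-mapped address will never match. The sample config, the object name reuse and the address 203.0.113.10 (standing in for the public WAN address) are constructed for the example.

```python
import re

# Constructed sample in the spirit of the thread: the object NAT maps the DMZ host
# to the WAN interface address while the outside ACL names that public address.
# 203.0.113.10 is a documentation address standing in for the real public IP.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif WAN
 ip address 203.0.113.10 255.255.255.248
object network DMZ_RDP_SRV
 host 192.168.100.100
 nat (DMZ_SKA,WAN) static interface service tcp www www
access-list OUTSIDE_IN_DMZ extended permit tcp any host 203.0.113.10 eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN_DMZ extended permit tcp any host 192.168.100.100 eq 22
"""

NAT_RE = re.compile(r"nat \(\S+,(\S+)\) static (\S+)")

def mapped_to_real(config):
    """Return {mapped_ip: real_ip} for every object NAT 'static' entry."""
    iface_ip, cur_if, cur_host, mapping = {}, None, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur_if = None
        elif line.startswith("nameif "):
            cur_if = line.split()[1]
        elif line.startswith("ip address ") and cur_if:
            iface_ip[cur_if] = line.split()[2]
        elif line.startswith("object network "):
            cur_host = None
        elif line.startswith("host "):
            cur_host = line.split()[1]
        elif (m := NAT_RE.match(line)) and cur_host:
            out_if, mapped = m.groups()
            # "static interface" borrows the outside interface's own address
            if mapped == "interface":
                mapped = iface_ip.get(out_if)
            if mapped:
                mapping[mapped] = cur_host
    return mapping

def acl_lines_using_mapped_ip(config):
    """ACL entries naming a mapped address; ASA 8.3+ ACLs see the real address."""
    mapping = mapped_to_real(config)
    return [(line, ip, mapping[ip]) for line in config.splitlines()
            if line.startswith("access-list ")
            for ip in re.findall(r"host (\S+)", line) if ip in mapping]
```

Each finding carries the offending line, the mapped address it names and the real address the entry should use instead; the entry already written against 192.168.100.100 is not reported.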
08-26-2010 11:07 AM
Hi Poul,
The following nat statements need to be changed:
nat (PROD_SKA,WAN) source dynamic any interface
nat (DEV_SKA,WAN) source dynamic any interface
You will need to configure them using network objects, i.e. auto-nat.
Assuming the source for the dynamic PAT is 192.168.100.0/24 for the PROD_SKA network and 172.16.1.0/24 for the DEV_SKA network, the following nat configuration would be necessary.
object network obj-prod_ska
subnet 192.168.100.0 255.255.255.0
nat (PROD_SKA,WAN) dynamic interface
object network obj-dev_ska
subnet 172.16.1.0 255.255.255.0
nat (DEV_SKA,WAN) dynamic interface
Additional networks off of the PROD_SKA and DEV_SKA interfaces would need to be configured in a similar fashion.
Let me know if you have any questions.
Thanks
Loren
08-29-2010 12:30 PM
Hi,
Got it working - thank you so much.
It was indeed a mix of both the ACL and the fact that ASDM chose to use a network object rather than the physical WAN interface.
Running your suggested commands in the CLI did the trick..
So you both answered correctly - being new here I would like to click "Correct answer" for you both, but is that possible?
Best regards
08-29-2010 08:00 PM
Hi Poul,
Glad to hear this is working. As far as who gets credit, I don't think there is a way to give credit to more than one person, so this is your call. You can, however, provide a rating based on how helpful you found the answers to your questions.
Best regards,
Loren