CISCO ASA: Can't reach outside for my wsus server

Hi,

First of all, I would like to thank you for taking the time to help me with my issue.

I am working on a Cisco ASA5516 and I am having trouble accessing the internet from my DMZ and DCs.

On the DMZ, I have one server working as the WSUS and antivirus server.

You can find the design attached.

Here is the configuration of the firewall.

What am I missing?

: Saved

:
: Serial Number: JAD23090B21
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
hostname CISCOFW
domain-name Domain.local
enable password $sha512$5000$XdhNQhpAiGXGL+KCMmiEnw==$vRwqWJ/uY48pa4uf+XnJMg== pbkdf2
names

!
interface GigabitEthernet1/1
nameif WAN
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet1/2
nameif DMZ
security-level 50
ip address 192.168.49.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif PDC
security-level 100
ip address 192.168.50.1 255.255.255.0

!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name Domain.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network AVOS01
host 192.168.49.251
object network VERITAS01
host 192.168.50.253
object network PDC01
host 192.168.50.251
object network PDC02
host 192.168.50.252
object network NAS01
host 192.168.50.250
object-group network DM_INLINE_NETWORK_1
network-object 192.168.50.0 255.255.255.0
network-object object AVOS01
object-group network DMZ_Zone
network-object object AVOS01
object-group network PDC_Zone
network-object object NAS01
network-object object PDC01
network-object object PDC02
network-object object VERITAS01
access-list DMZ_access_in extended permit ip object AVOS01 interface WAN log
access-list DMZ_access_in extended permit ip object AVOS01 object-group DM_INLINE_NETWORK_1 log
access-list PDC_access_in extended permit ip object-group PDC_Zone interface EvonikWAN log
access-list PDC_access_in extended permit ip 192.168.50.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 log
access-list ripACL_FR standard permit 192.168.50.0 255.255.255.0
access-list ripACL_FR standard permit 192.168.2.0 255.255.255.0
access-list ripACL_FR_2 standard permit 192.168.50.0 255.255.255.0 
access-list ripACL_FR_2 standard permit 192.168.2.0 255.255.255.0
access-list ripACL_FR_1 standard permit 192.168.50.0 255.255.255.0
access-list ripACL_FR_1 standard permit 192.168.49.0 255.255.255.0
access-list ripACL_FR_4 standard permit 192.168.50.0 255.255.255.0
access-list ripACL_FR_3 standard permit 192.168.50.0 255.255.255.0
access-list ripACL_FR_3 standard permit 192.168.49.0 255.255.255.0
access-list ripACL_FR_6 standard permit 192.168.2.0 255.255.255.0
access-list ripACL_FR_5 standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu DMZ 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
nat (any,EvonikWAN) dynamic interface
access-group DMZ_access_in in interface DMZ
access-group PDC_access_in in interface PDC
router rip
network 192.168.49.0
network 192.168.50.0
passive-interface default
version 1
distribute-list ripACL_FR_4 in interface EvonikWAN
distribute-list ripACL_FR_2 in interface DMZ
distribute-list ripACL_FR out interface DMZ
distribute-list ripACL_FR_6 in interface PDC
distribute-list ripACL_FR_5 out interface PDC
!
route WAN 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 Reserve
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config WAN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username Cisco password $sha512$5000$gcPhgtCIdMTJgwRX3xx13Q==$VR7QGIdzUagvX7UbupTlCA== pbkdf2
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:ab12e87608a3d794e77f096a069d72b6
: end


There might be more than one issue, but I stopped looking after I found this one: your NAT configuration is not correct.

object network obj_any
nat (any,EvonikWAN) dynamic interface

This does not match the interface name.

HTH

 

Rick

Thanks

I've changed it and it is still not working.

In addition to what Richard has mentioned, your access lists are not allowing traffic from DMZ and PDC to the internet (this is assuming you have posted your full ASA configuration and it is not a copy-paste error of the configuration):

 

access-list DMZ_access_in extended permit ip object AVOS01 interface WAN log
access-list DMZ_access_in extended permit ip object AVOS01 object-group DM_INLINE_NETWORK_1 log
access-list PDC_access_in extended permit ip object-group PDC_Zone interface EvonikWAN log
access-list PDC_access_in extended permit ip 192.168.50.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 log

 

access-group DMZ_access_in in interface DMZ
access-group PDC_access_in in interface PDC

--
Please remember to select a correct answer and rate helpful posts

If you want to deny traffic to the internal IPs, you will first need to add deny statements and, at the end of each ACL, add a permit any statement.

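As an added check covering both points raised in the replies (the NAT statement and ACL entries that reference an interface name that does not exist, and ACLs that never permit traffic towards an `any` destination), here is a small lint script written for this thread; it is not from Cisco or the original poster. It runs over a constructed excerpt of the posted configuration, assumes plain protocol keywords (`ip`, `tcp`, ...) in the ACL lines, and also flags `interface X` as an ACL destination, since on the ASA that keyword matches only the firewall's own address on X, not hosts beyond it.

```python
import re

# Constructed excerpt of the configuration posted above (only the lines the lint reads).
ASA_CONFIG = """\
nameif WAN
nameif DMZ
nameif PDC
object-group network DM_INLINE_NETWORK_1
 network-object object AVOS01
object-group network PDC_Zone
 network-object object AVOS01
access-list DMZ_access_in extended permit ip object AVOS01 interface WAN log
access-list DMZ_access_in extended permit ip object AVOS01 object-group DM_INLINE_NETWORK_1 log
access-list PDC_access_in extended permit ip object-group PDC_Zone interface EvonikWAN log
access-list PDC_access_in extended permit ip 192.168.50.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 log
nat (any,EvonikWAN) dynamic interface
access-group DMZ_access_in in interface DMZ
access-group PDC_access_in in interface PDC
"""

def _addr(tok, i):  # one address spec: any | object/object-group/interface/host NAME | net mask
    return (tok[i], i + 1) if tok[i] in ("any", "any4", "any6") else (f"{tok[i]} {tok[i + 1]}", i + 2)

def lint_asa(config):
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    nameifs = {l.split()[1] for l in lines if l.startswith("nameif ")}
    groups = {l.split()[2] for l in lines if l.startswith("object-group network ")}
    applied, permits_any, findings = {}, set(), []
    for l in lines:
        if l.startswith("interface "):  # physical interface header, not a reference to a nameif
            continue
        m = re.match(r"nat \(([^,]+),([^)]+)\)", l)  # (real_ifc,mapped_ifc) pair of a NAT line
        refs = re.findall(r"\binterface (\S+)", l) + (list(m.groups()) if m else [])
        findings += [f"undefined interface '{n}': {l}" for n in refs if n != "any" and n not in nameifs]
        findings += [f"undefined object-group '{n}': {l}"
                     for n in re.findall(r"\bobject-group (?!network\b)(\S+)", l) if n not in groups]
        tok = l.split()
        if tok[0] == "access-group":  # access-group ACL in interface IFC
            applied[tok[1]] = tok[4]
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            _, i = _addr(tok, 5)  # tok[4] is assumed to be a plain protocol keyword
            dst, _ = _addr(tok, i)
            if dst.startswith("interface "):  # 'interface X' is the ASA's own X address only
                findings.append(f"{tok[1]}: '{dst}' matches only the firewall's {dst.split()[1]} IP, not the internet")
            if dst in ("any", "any4"):
                permits_any.add(tok[1])
    for acl, ifc in applied.items():
        if acl not in permits_any:
            findings.append(f"{acl} (in on {ifc}) has no permit towards 'any', so nothing can reach the internet")
    return findings
```

Running `lint_asa(ASA_CONFIG)` on the excerpt reports the two `EvonikWAN` references, the missing `DM_INLINE_NETWORK_6` group, and that neither inbound ACL ever permits traffic to `any`.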