DMZ server access problem

dinchavan
Level 1

We have configured a Cisco ASA firewall with three networks, one router and a switch.

One anti-virus server is used for anti-virus updates, IP 124.124.124.2, which is connected to the campus router.

*Campus Router Cisco 1841 interfaces

Gig0/1 = 124.124.124.1

Gig0/0 = 123.123.123.1

*Cisco ASA 5506 interfaces

Gig 0/1 (Inside = 10.10.10.1/24)

Gig 0/3 (DMZ = 172.16.1.0/24)

Gig 0/8 (Outside = 123.123.123.0/24)

All the latest anti-virus definition update packages are downloaded on the server (124.124.124.2) and then sent to the DMZ server 172.16.1.100.

All internal endpoints can ping the DMZ server as well as the 124.124.124.2 server.

The DMZ server 172.16.1.100 can ping the internal network as well as the 124.124.124.2 server.

But when I ping the DMZ server 172.16.1.100 from the update server 124.124.124.2, the ping fails.

===================Campus Router 1841 Configuration=============

interface GigabitEthernet0/1
ip address 124.124.124.1 255.255.255.0
!
interface GigabitEthernet1/1
ip address 123.123.123.1 255.255.255.0
!
router ospf 1
network 124.124.124.0 255.255.255.0 area 0
network 123.123.123.0 255.255.255.0 area 0


==================ASA 5506 Configuration=====================  

interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/8
nameif outside
security-level 0
ip address 123.123.X.X 255.255.255.0
!
object network LAN
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) dynamic interface

object network VLAN-2
subnet 10.20.10.0 255.255.255.0
nat (inside,outside) dynamic interface
object network VLAN-3
subnet 10.30.10.0 255.255.255.0
nat (inside,outside) dynamic interface
object network VLAN-4
subnet 10.40.10.0 255.255.255.0
nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 123.123.X.1
!
access-list in-to-internet extended permit ip any any
access-list in-to-internet extended permit icmp any any
!
access-group in-to-internet in interface outside
access-group in-to-internet in interface dmz
!
class-map inspection-default
match default-inspection-traffic
!
policy-map global-policy
class inspection-default
inspect dns
inspect http
inspect icmp
!
service-policy global-policy global


bhargavdesai
Spotlight
Additional details are required, as the given configuration is partial. But I think you have a route issue.

What is the gateway for your anti-virus server 124.124.124.2?
Do you have a ROUTE for the DMZ server 172.16.1.100 on the ROUTER 1841?
Can you post "show ip route" from the router?
Output of the packet tracer: "packet-tracer input OUTSIDE icmp 124.124.124.2 8 0 172.16.1.100 detailed"

To give a brief explanation:

Your internal and DMZ networks go through the ASA to reach the anti-virus server. The ASA sends traffic for the anti-virus server out the OUTSIDE interface, but it NATs the traffic to the OUTSIDE IP 123.123.123.x on the way out. So when it reaches the anti-virus server, the server has a path back to 123.123.123.x, hence pings from internal and DMZ to the anti-virus server succeed.
Now when the anti-virus server 124.124.124.2 initiates a ping to the DMZ server 172.16.1.100, it sends the traffic to its gateway (which at the moment we are not aware of, i.e. whether it is your router's interface 124.124.124.1 or the ISP's interface). If it is your router's interface 124.124.124.1, the ROUTER must have a ROUTE to that destination 172.16.1.100 sending the traffic to the ASA on the OUTSIDE interface. It can be a static or dynamic ROUTE.

First you should have a proper ROUTE so that the packet can reach the ASA.
Then we can check for a block on the ASA; however, your ACL applied on the OUTSIDE interface allows all traffic. (This is not considered secure.)

I hope this helps you.

HTH
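The route the reply asks about, together with a tighter outside ACL, as an added example that is not configuration from the thread. The ASA's outside address is masked in the post as 123.123.X.X, so <ASA-OUTSIDE-IP> below is a placeholder for it (it must be an address in 123.123.123.0/24, the subnet connected to the router's Gig0/0); <UPDATE-PORT> is an assumed placeholder for the TCP port the update transfer uses, which the thread does not name.

```cisco
! --- Campus Router 1841 (IOS) ---
! Added example, not from the thread. <ASA-OUTSIDE-IP> stands for the ASA
! Gig1/8 address, masked in the post as 123.123.X.X. Without this route the
! echo request from 124.124.124.2 to 172.16.1.100 has no matching route on
! the router (OSPF only covers the two directly connected /24s) and is
! dropped, which matches the symptom in the post. Return traffic already
! works because the ASA's outside address is on a subnet the router is
! directly connected to.
ip route 172.16.1.0 255.255.255.0 <ASA-OUTSIDE-IP>

! --- ASA 5506 (ASA 9.x) ---
! Replace the "permit ip any any" ACL on the outside interface with one that
! admits only the update server to the DMZ anti-virus server. <UPDATE-PORT>
! is an assumed placeholder for the transfer port. Echo replies for the
! DMZ-initiated pings are still allowed by the stateful ICMP inspection
! already in global-policy, so no extra permit is needed for them.
access-list outside-in extended permit icmp host 124.124.124.2 host 172.16.1.100 echo
access-list outside-in extended permit tcp host 124.124.124.2 host 172.16.1.100 eq <UPDATE-PORT>
access-list outside-in extended deny ip any any log
! Applying a new access-group to the same interface and direction replaces
! the in-to-internet ACL currently bound there.
access-group outside-in in interface outside

! --- Verification ---
! Router# show ip route 172.16.1.100
! ASA# packet-tracer input outside icmp 124.124.124.2 8 0 172.16.1.100 detailed
```

The static route is the change that makes 124.124.124.2 to 172.16.1.100 work; the ACL is the hardening the reply alludes to and can be applied afterwards. Note that the posted ASA config also binds the same permit-any ACL inbound on the dmz interface, so the DMZ host can initiate connections into the inside network; if that is not required, it deserves the same restriction.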

As per security policy, internet access is not allowed in the campus network. Every morning we connect the anti-virus (124.124.124.2) server to the internet and download the latest update file. Then the anti-virus server is connected back to Campus_Router, and all endpoint systems are updated automatically.

124.124.124.2 = anti-virus server for downloading the latest package, and DMZ server 172.16.1.100 is the anti-virus server.

**The anti-virus update server 124.124.124.2 gateway is 124.124.124.1 (which is the Campus Router IP)

** Router 1841 has just the interfaces configured and

    router ospf 1
    network 124.124.124.0 255.255.255.0 area 0
    network 123.123.123.0 255.255.255.0 area 0

*** The details below will be shared ASAP:

Can you post "show ip route" from the router?
Output of the packet tracer: "packet-tracer input OUTSIDE icmp 124.124.124.2 8 0 172.16.1.100 detailed"
