DMZ to other DMZ cannot communicate

o.fulbert
Level 1

Hi,

I am trying to find a solution but have run into a problem ...

I have two DMZs, one named "Dmz" and the other "service". They may have the same security level, but that is not a problem. I want traffic from Dmz to service to work on some TCP ports to some IPs, and the same from service to Dmz.

I have made an access-list on the service interface, but when I apply it, the outbound traffic doesn't work.

Does someone have an idea? I don't want to use NAT for traffic to/from Dmz, inside and service.

ASA Version 8.2(1)
!
hostname ASA5510
domain-name xxxx.com
enable password xxxx
passwd xxxxxx
names
!
interface Ethernet0/0
description Connection to Fiber Internet / Public IP
speed 100
duplex full
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/2
description Connection DMZ;
nameif Dmz
security-level 50
ip address 172.16.254.254 255.255.255.0
!
interface Ethernet0/3
nameif service
security-level 50
ip address 172.30.20.254 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name ocea.net
object-group network DM_INLINE_NETWORK_1
network-object 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 172.16.254.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 172.16.254.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 192.168.100.0 255.255.255.0
network-object 172.30.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 172.30.20.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
access-list Enter extended permit tcp any host xx.xx.xx.201 eq 3389
access-list Enter extended permit tcp any host xx.xx.xx.202 eq 3389
access-list Enter extended permit tcp any host xx.xx.xx.203 eq 8080
access-list Enter extended permit tcp any host xx.xx.xx.203 eq ftp
access-list Enter extended permit tcp any host xx.xx.xx.203 eq gopher
access-list Enter extended permit tcp any host xx.xx.xx.203 eq 63
access-list Enter extended permit tcp any host xx.xx.xx.203 eq 11438
access-list Enter extended permit tcp any host xx.xx.xx.203 eq https
access-list Enter extended permit tcp any host xx.xx.xx.203 eq www
access-list Enter extended permit tcp any host xx.xx.xx.203 eq pop3
access-list Enter extended permit tcp any host xx.xx.xx.203 eq smtp
access-list Enter extended permit tcp any host xx.xx.xx.210 eq https
access-list Enter extended permit tcp any host xx.xx.xx.210 eq www
access-list Enter extended permit tcp any host xx.xx.xx.211 eq https
access-list Enter extended permit tcp any host xx.xx.xx.211 eq www
access-list Enter extended permit tcp any host xx.xx.xx.202 eq ftp
access-list Enter extended permit tcp any host xx.xx.xx.231 eq 27000
access-list Enter extended permit tcp any host xx.xx.xx.231 eq 28001
access-list Enter extended permit tcp any host xx.xx.xx.232 eq 2800
access-list Enter extended permit icmp any any echo-reply
access-list Enter extended permit icmp any any source-quench
access-list Enter extended permit icmp any any unreachable
access-list Enter extended permit icmp any any time-exceeded
access-list Enter extended permit tcp any host xx.xx.xx.231 eq https
access-list Enter extended permit tcp any host xx.xx.xx.204 eq 8080
access-list Enter extended permit tcp any host xx.xx.xx.204 eq ftp
access-list Enter extended permit tcp any host xx.xx.xx.204 eq gopher
access-list Enter extended permit tcp any host xx.xx.xx.204 eq 63
access-list Enter extended permit tcp any host xx.xx.xx.204 eq 11438
access-list Enter extended permit tcp any host xx.xx.xx.204 eq https
access-list Enter extended permit tcp any host xx.xx.xx.204 eq www
access-list Enter extended permit tcp any host xx.xx.xx.204 eq pop3
access-list Enter extended permit tcp any host xx.xx.xx.204 eq smtp
access-list Enter extended permit tcp any host xx.xx.xx.232 eq 27000
access-list Enter extended permit tcp any host xx.xx.xx.233 eq 27000
access-list Enter extended permit tcp any host xx.xx.xx.234 eq 27000
access-list Enter extended permit tcp any host xx.xx.xx.235 eq 27000
access-list Enter extended permit tcp any host xx.xx.xx.232 eq 29000
access-list Enter extended permit tcp any host xx.xx.xx.233 eq 29000
access-list Enter extended permit tcp any host xx.xx.xx.234 eq 29000
access-list Enter extended permit tcp any host xx.xx.xx.235 eq 29000
access-list Enter extended permit tcp any host xx.xx.xx.231 eq 29000
access-list ocea-groupe_splitTunnelAcl standard permit 172.16.254.0 255.255.255.0
access-list ocea-groupe_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list ocea-groupe_splitTunnelAcl standard permit 172.30.20.0 255.255.255.0
access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_1 10.254.254.0 255.255.255.192
access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_2 192.1.1.0 255.255.255.0
access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_3 192.168.105.0 255.255.255.0
access-list inside-nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 10.254.254.0 255.255.255.192
access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 10.253.253.0 255.255.255.192
access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.168.182.0 255.255.255.0
access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list dmz-groupe_splitTunnelAcl standard permit 172.16.254.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 192.1.1.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 192.168.105.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.254.0 255.255.255.0 192.168.182.0 255.255.255.0
access-list Enter-DMZ extended permit icmp any any echo-reply
access-list Enter-DMZ extended permit icmp any any source-quench
access-list Enter-DMZ extended permit icmp any any unreachable
access-list Enter-DMZ extended permit icmp any any time-exceeded
access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 192.168.99.0 255.255.255.0
access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 10.254.254.0 255.255.255.192
access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 10.253.253.0 255.255.255.192
access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list UMCPG-CRYPTOMAP extended permit ip object-group DM_INLINE_NETWORK_5 192.168.99.0 255.255.255.0
access-list UMCPG-CRYPTOMAP extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
ip local pool pool1remoteuser 10.254.254.1-10.254.254.50 mask 255.255.255.0
ip local pool pool2remoteuser 10.253.253.1-10.253.253.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 2 xx.xx.xx.254
global (outside) 1 xx.xx.xx.253
nat (inside) 0 access-list inside-nat0
nat (inside) 1 192.168.100.0 255.255.255.0
nat (Dmz) 0 access-list dmz-nat0
nat (Dmz) 2 172.16.254.0 255.255.255.0
nat (service) 0 access-list service-nat0
nat (service) 2 172.30.20.0 255.255.255.0
static (inside,Dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Dmz,outside) xx.xx.xx.201 172.16.254.1 netmask 255.255.255.255
static (Dmz,outside) xx.xx.xx.xx 172.16.254.2 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.210 192.168.100.200 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.211 192.168.100.201 netmask 255.255.255.255
static (inside,service) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (service,outside) xx.xx.xx.232 172.30.20.2 netmask 255.255.255.255
static (service,outside) xx.xx.xx.231 172.30.20.1 netmask 255.255.255.255
static (service,outside) xx.xx.xx.233 172.30.20.3 netmask 255.255.255.255
static (service,outside) xx.xx.xx.234 172.30.20.4 netmask 255.255.255.255
static (service,outside) xx.xx.xx.235 172.30.20.5 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.203 192.168.100.45 netmask 255.255.255.255
static (Dmz,outside) xx.xx.xx.204 172.16.254.246 netmask 255.255.255.255
static (Dmz,service) 172.16.254.0 172.16.254.0 netmask 255.255.255.0
access-group Enter in interface outside
access-group service-Enter in interface service
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.193 1

24 Replies

Check if your laptop has the Windows firewall enabled.

Run "debug icmp trace" and see where it's failing.

Nothing on the trace ... I've checked the firewall on my laptop.

Nothing on the trace means the ping doesn't even get to the firewall.

If you try to ping the firewall interface itself, do you see anything in the trace? And does the ping work?

So ... I don't understand. I see other pings when I ping from inside. When I ping the interface I see the trace, but when I try to pass through the firewall from Dmz to service it fails ...

Just wondering, does it work when you have different security level on the 2 interfaces?

Try to configure security level of 45 on the "service" interface.
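As an added example (not from the thread and not a Cisco tool), a small Python audit that reads the interface blocks posted above and reports, for every interface pair, what the ASA does by default to a connection initiated in that direction, so the equal-level drop between Dmz and service shows up before a packet is lost. It assumes the default behaviour of this platform (higher to lower permitted, lower to higher needs an inbound ACL, equal levels dropped unless `same-security-traffic permit inter-interface` is configured) and ignores ACLs and NAT.

```python
# Constructed excerpt of the interface section posted in the thread (names and
# levels as given there); ACLs, NAT and addresses are left out.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif Dmz
 security-level 50
interface Ethernet0/3
 nameif service
 security-level 50
"""

SAME_SEC = "same-security-traffic permit inter-interface"

def parse_levels(config):
    """Map each nameif to its security-level by walking the interface blocks."""
    levels, current = {}, None
    for line in config.splitlines():
        words = line.split() or [""]  # blank line -> no keyword
        if words[0] == "interface":
            current = None
        elif words[0] == "nameif":
            current = words[1]
        elif words[0] == "security-level" and current is not None:
            levels[current] = int(words[1])
    return levels

def default_flow(src, dst, same_sec):
    """ASA default for a connection initiated src -> dst with no inbound ACL on src."""
    if src > dst:
        return "permit (higher to lower)"
    if src < dst:
        return "deny (lower to higher: needs inbound ACL)"
    return "permit (same-security-traffic)" if same_sec else "deny (equal level)"

def audit(config):
    """Verdict for every ordered interface pair; 'deny (equal level)' is the thread's symptom."""
    levels, same_sec = parse_levels(config), SAME_SEC in config
    return {(a, b): default_flow(levels[a], levels[b], same_sec)
            for a in levels for b in levels if a != b}

if __name__ == "__main__":
    for (a, b), verdict in sorted(audit(ASA_CONFIG).items()):
        print(f"{a:>8} -> {b:<8} {verdict}")
```

Re-running it with service at 45, as suggested above, shows the trade-off: Dmz to service is then permitted on every port by default while service to Dmz still needs an ACL, whereas the same-security-traffic command keeps both at 50 and leaves the ACLs in control.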

It works!

Now I have to make some access-lists to control access to service.

Thanks!

Is there a restriction on multiple VPN LAN-to-LAN?

I want to present network 172.30.20.0/24 on the service interface to network 192.168.99.0/24, which is the target, and it doesn't work.

I have added nat0 to the service interface:

access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 192.168.99.0 255.255.255.0

and added to my crypto map access-list:

access-list DISTANT3-CRYPTOMAP extended permit ip 172.30.20.0 255.255.255.0 192.168.99.0 255.255.255.0

Any idea?

No, there is no restriction for multiple VPN lan-to-lan.

Is this a new tunnel, or part of the existing VPN tunnel?

Looks like the destination 192.168.99.0/24 is part of ACL "UMCPG-CRYPTOMAP".

If it is, then you would need to add it to this ACL. Also, you would have to configure the remote end to also have your subnet included in their crypto ACL and NAT exemption.

I've rechecked, and on the other side I have a different configuration (v8.3.1) and the old ACL was not affected ...

It works! Thanks a lot!

Great, excellent. Please kindly mark the question answered so others can learn from your post. Thanks.
