07-10-2014 05:11 PM - edited 03-11-2019 09:27 PM
I am implementing a DNS, a webserver and an email server in a DMZ. I mounted those services on Windows 2008 Standard, but my NS does not recognize the external IP. I assume it's because I cannot ping from DMZ/inside to the outside interface or the NATted IP. Can someone help? Here's my configuration:
: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 200.87.226.123 255.255.255.248
!
interface Ethernet0/1
nameif Branch_Office
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
nameif Inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network POSLINKSER
network-object host 192.168.41.101
network-object host 192.168.41.102
network-object host 192.168.41.103
network-object host 192.168.41.104
network-object host 192.168.41.105
network-object host 192.168.41.106
network-object host 192.168.27.101
network-object host 192.168.27.102
network-object host 192.168.27.103
network-object host 192.168.27.104
network-object host 192.168.27.105
network-object host 192.168.27.106
network-object host 192.168.42.101
network-object host 192.168.42.102
network-object host 192.168.42.103
network-object host 192.168.42.104
network-object host 192.168.42.105
network-object host 192.168.42.106
network-object host 192.168.23.101
network-object host 192.168.23.102
network-object host 192.168.23.103
network-object host 192.168.23.104
network-object host 192.168.23.105
network-object host 192.168.23.106
network-object host 192.168.39.101
network-object host 192.168.39.102
network-object host 192.168.39.103
network-object host 192.168.39.104
network-object host 192.168.39.105
network-object host 192.168.39.106
network-object host 192.168.40.101
network-object host 192.168.40.102
network-object host 192.168.40.103
network-object host 192.168.40.104
network-object host 192.168.40.105
network-object host 192.168.40.106
network-object host 192.168.0.62
access-list dmz_in extended permit ip any host 172.16.31.2
access-list dmz_in extended permit tcp any host 172.16.31.2
access-list dmz_in extended permit udp any host 172.16.31.2
access-list dmz_in extended permit tcp any host 172.16.31.2 eq 3000
access-list dmz_in extended permit tcp any host 172.16.31.2 eq https
access-list dmz_in extended permit udp any host 172.16.31.2 eq domain
access-list dmz_in extended permit tcp any host 172.16.31.2 eq pop3
access-list dmz_in extended permit tcp any host 172.16.31.2 eq smtp
access-list dmz_in extended permit tcp any host 172.16.31.2 eq www
access-list dmz_in extended permit tcp any host 172.16.31.2 eq 1000
access-list dmz_in extended permit tcp any host 172.16.31.2 eq echo
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list Inside extended permit tcp any any
access-list 100 extended permit ip any host 200.87.226.122
access-list 100 extended permit tcp any host 200.87.226.122
access-list 100 extended permit udp any host 200.87.226.122
access-list linkser extended permit ip any 193.168.1.0 255.255.255.0
access-list linkser extended permit ip 193.168.1.0 255.255.255.0 any
access-list linkser extended permit tcp 193.168.1.0 255.255.255.0 any
access-list linkser extended permit tcp any 193.168.1.0 255.255.255.0
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any source-quench
access-list ping extended permit icmp any any unreachable
access-list ping extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Branch_Office 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.0.43 Outside
icmp permit any Outside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (DMZ) 101 interface
global (Inside) 102 192.168.0.3
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Branch_Office) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,Branch_Office) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.21.0 192.168.21.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.37.0 192.168.37.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.28.0 192.168.28.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.33.0 192.168.33.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Branch_Office,Inside) 193.168.1.0 193.168.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.25.0 192.168.25.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.34.0 192.168.34.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.23.0 192.168.23.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.39.0 192.168.39.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.29.0 192.168.29.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
static (DMZ,Outside) 200.87.226.122 172.16.31.2 netmask 255.255.255.255
access-group ping in interface Outside
access-group ping in interface DMZ
route Outside 0.0.0.0 0.0.0.0 200.87.226.121 20
route Branch_Office 172.16.1.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.3.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.1.0.0 255.255.192.0 192.168.2.2 1
route Branch_Office 192.168.20.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.21.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.22.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.23.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.25.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.26.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.27.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.28.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.29.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.30.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.32.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.33.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.34.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.35.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.37.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.39.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.43.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.44.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.45.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.100.0 255.255.255.0 192.168.2.2 1
route Inside 193.168.1.0 255.255.255.0 192.168.0.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 Branch_Office
telnet 172.16.31.0 255.255.255.0 DMZ
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username eguerra password dr6zkC4iOPQHLH5f encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:316ae9cbc1ea6482776a8766720c307f
: end
ASAFCHFW#
07-11-2014 12:48 AM
Hi,
Sadly I don't have an ASA running older software with me right now to test this out.
What you are wanting to achieve is not really ideal with the ASA. Also you won't be able to ping a remote interface IP address and I don't think there is any workaround for that. With remote interface I mean, for example, sending ICMP from a host behind "inside" to the "outside" interface, which would make "outside" the remote interface in this case.
At this point the only thing with regards to the server I can think of is really doing a NAT from "DMZ" to "DMZ".
I assume that this is the current NAT for the server towards "outside":
static (DMZ,Outside) 200.87.226.122 172.16.31.2 netmask 255.255.255.255
That would make the "DMZ" NAT like this:
static (DMZ,DMZ) 200.87.226.122 172.16.31.2 netmask 255.255.255.255
You also seem to have the following Dynamic PAT configuration:
global (DMZ) 101 interface
nat (DMZ) 101 0.0.0.0 0.0.0.0
So I presume when you send an ICMP from the server to its own public IP address the following would happen
I can really not give any guarantees that this would even work as I am not able to test this out right now.
Even if it worked, it's not an ideal solution as it's playing around with the NAT a bit too much. The best situation would be if you could allocate a small public subnet for the DMZ segment itself so no NAT configurations would be needed.
With regards to connections from the "inside" network to the "DMZ" using the public IP address, you would naturally require the NAT from "DMZ" to "inside". But this would also mean that "inside" users could only use the public IP address to connect after this, and if you had any services that were using the local IP address of the DMZ server before this they would most likely fail.
- Jouni
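To make the difference between the posted config and the suggested (DMZ,DMZ) static concrete, here is an added Python model (not from the thread and not Cisco's code) of the two lookups that decide where a packet goes: a static whose mapped interface is the ingress interface turns the packet around to the real interface and untranslates the destination; otherwise the route table picks the egress. It takes the static and route lines from the config above, ignores ACLs and source PAT, and the lookup order is a simplifying assumption rather than Cisco's documented algorithm.

```python
import ipaddress
import re

# Static and route lines copied from the config posted above; HAIRPIN is the
# static suggested in the reply, kept separate so both situations can be compared.
CONFIG = """
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,Outside) 200.87.226.122 172.16.31.2 netmask 255.255.255.255
route Outside 0.0.0.0 0.0.0.0 200.87.226.121 20
route Inside 193.168.1.0 255.255.255.0 192.168.0.249 1
"""
HAIRPIN = "static (DMZ,DMZ) 200.87.226.122 172.16.31.2 netmask 255.255.255.255"

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ROUTE_RE = re.compile(r"route (\w+) (\S+) (\S+) (\S+)")

def parse(config):
    """Return ([(real_if, mapped_if, mapped_net, real_net)], [(iface, net, gw)])."""
    statics, routes = [], []
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real, mapped, mapped_ip, real_ip, mask = m.groups()
            statics.append((real, mapped,
                            ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False),
                            ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)))
            continue
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, gw = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), gw))
    return statics, routes

def forward(config, ingress, dst):
    """Where does a packet arriving on `ingress` for `dst` go, and to which address?"""
    statics, routes = parse(config)
    d = ipaddress.ip_address(dst)
    # 1. NAT divert (assumed model): a static whose mapped side is the ingress
    #    interface and whose mapped network covers dst sends the packet to the
    #    real interface with dst untranslated to the real address.
    for real, mapped, mapped_net, real_net in statics:
        if mapped == ingress and d in mapped_net:
            offset = int(d) - int(mapped_net.network_address)
            return real, str(real_net.network_address + offset)
    # 2. No divert: longest-prefix match in the route table picks the egress.
    matches = [r for r in routes if d in r[1]]
    if not matches:
        return None, dst
    best = max(matches, key=lambda r: r[1].prefixlen)
    return best[0], dst
```

Without HAIRPIN, a DMZ host's packet to 200.87.226.122 follows the default route out Outside; with it, the same packet is turned around on DMZ with the destination untranslated to 172.16.31.2.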
07-11-2014 07:03 AM
Jouni, I wasn't very clear on my entire topology. I have a DNS and AD DC server on the inside network that serves all local network requests. The DNS located on the DMZ is to serve remote hosts' requests for the website and the entire email service (this includes inside hosts). Is that the scenario you are suggesting?