Implementing email, webserver and DNS in a DMZ, cannot ping from DMZ and inside to natted IP and outside interface

Eduardo Guerra
Level 1

I am implementing a DNS, a webserver and an email server in a DMZ. I mounted those services on a Windows 2008 Standard server, but my NS does not recognize the external IP. I assume this is because I cannot ping from the DMZ/inside to the outside interface or the NATted IP. Can someone help? Here's my configuration:

: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 200.87.226.123 255.255.255.248
!
interface Ethernet0/1
 nameif Branch_Office
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network POSLINKSER
 network-object host 192.168.41.101
 network-object host 192.168.41.102
 network-object host 192.168.41.103
 network-object host 192.168.41.104
 network-object host 192.168.41.105
 network-object host 192.168.41.106
 network-object host 192.168.27.101
 network-object host 192.168.27.102
 network-object host 192.168.27.103
 network-object host 192.168.27.104
 network-object host 192.168.27.105
 network-object host 192.168.27.106
 network-object host 192.168.42.101
 network-object host 192.168.42.102
 network-object host 192.168.42.103
 network-object host 192.168.42.104
 network-object host 192.168.42.105
 network-object host 192.168.42.106
 network-object host 192.168.23.101
 network-object host 192.168.23.102
 network-object host 192.168.23.103
 network-object host 192.168.23.104
 network-object host 192.168.23.105
 network-object host 192.168.23.106
 network-object host 192.168.39.101
 network-object host 192.168.39.102
 network-object host 192.168.39.103
 network-object host 192.168.39.104
 network-object host 192.168.39.105
 network-object host 192.168.39.106
 network-object host 192.168.40.101
 network-object host 192.168.40.102
 network-object host 192.168.40.103
 network-object host 192.168.40.104
 network-object host 192.168.40.105
 network-object host 192.168.40.106
 network-object host 192.168.0.62
access-list dmz_in extended permit ip any host 172.16.31.2
access-list dmz_in extended permit tcp any host 172.16.31.2
access-list dmz_in extended permit udp any host 172.16.31.2
access-list dmz_in extended permit tcp any host 172.16.31.2 eq 3000
access-list dmz_in extended permit tcp any host 172.16.31.2 eq https
access-list dmz_in extended permit udp any host 172.16.31.2 eq domain
access-list dmz_in extended permit tcp any host 172.16.31.2 eq pop3
access-list dmz_in extended permit tcp any host 172.16.31.2 eq smtp
access-list dmz_in extended permit tcp any host 172.16.31.2 eq www
access-list dmz_in extended permit tcp any host 172.16.31.2 eq 1000
access-list dmz_in extended permit tcp any host 172.16.31.2 eq echo
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list Inside extended permit tcp any any
access-list 100 extended permit ip any host 200.87.226.122
access-list 100 extended permit tcp any host 200.87.226.122
access-list 100 extended permit udp any host 200.87.226.122
access-list linkser extended permit ip any 193.168.1.0 255.255.255.0
access-list linkser extended permit ip 193.168.1.0 255.255.255.0 any
access-list linkser extended permit tcp 193.168.1.0 255.255.255.0 any
access-list linkser extended permit tcp any 193.168.1.0 255.255.255.0
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any source-quench
access-list ping extended permit icmp any any unreachable
access-list ping extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Branch_Office 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.0.43 Outside
icmp permit any Outside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (DMZ) 101 interface
global (Inside) 102 192.168.0.3
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Branch_Office) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,Branch_Office) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.21.0 192.168.21.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.37.0 192.168.37.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.28.0 192.168.28.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.33.0 192.168.33.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Branch_Office,Inside) 193.168.1.0 193.168.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.25.0 192.168.25.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.34.0 192.168.34.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.23.0 192.168.23.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.39.0 192.168.39.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.29.0 192.168.29.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
static (DMZ,Outside) 200.87.226.122 172.16.31.2 netmask 255.255.255.255
access-group ping in interface Outside
access-group ping in interface DMZ
route Outside 0.0.0.0 0.0.0.0 200.87.226.121 20
route Branch_Office 172.16.1.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.3.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.1.0.0 255.255.192.0 192.168.2.2 1
route Branch_Office 192.168.20.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.21.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.22.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.23.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.25.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.26.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.27.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.28.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.29.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.30.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.32.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.33.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.34.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.35.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.37.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.39.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.43.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.44.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.45.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.100.0 255.255.255.0 192.168.2.2 1
route Inside 193.168.1.0 255.255.255.0 192.168.0.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 Branch_Office
telnet 172.16.31.0 255.255.255.0 DMZ
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username eguerra password dr6zkC4iOPQHLH5f encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:316ae9cbc1ea6482776a8766720c307f
: end
ASAFCHFW#
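In the configuration above only the `ping` ACL is ever applied (`access-group ping in interface Outside` / `DMZ`); the other access-lists are defined but not bound to any interface. The script below is an added example for this thread (not Cisco code and not posted by the OP): it parses ASA 8.2 `access-list` / `access-group` lines, reports which ACL governs each interface, which ACLs are defined but never applied, and whether an applied ACL admits a given ICMP type. The sample input is the subset of the posted configuration that matters for that question.

```python
"""Audit ASA 8.2 access-list usage: which ACLs are applied to interfaces,
which are defined but never applied, and what an applied ACL admits for a
given ICMP type (first-match evaluation with the implicit deny at the end)."""
import re
from collections import defaultdict

# Subset of the posted configuration: the access-list and access-group lines.
SAMPLE_CONFIG = """
access-list dmz_in extended permit ip any host 172.16.31.2
access-list dmz_in extended permit udp any host 172.16.31.2 eq domain
access-list Inside extended permit icmp any any
access-list 100 extended permit ip any host 200.87.226.122
access-list linkser extended permit ip any 193.168.1.0 255.255.255.0
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any source-quench
access-list ping extended permit icmp any any unreachable
access-list ping extended permit icmp any any time-exceeded
access-group ping in interface Outside
access-group ping in interface DMZ
"""

def parse_acls(config):
    """Return ({acl_name: [(action, proto, rest_tokens)]}, {interface: acl_name})."""
    acls, applied = defaultdict(list), {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+)\s*(.*)", line)
        if m:
            acls[m[1]].append((m[2], m[3], m[4].split()))
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            applied[m[2]] = m[1]
    return dict(acls), applied

def unapplied_acls(acls, applied):
    """ACL names that exist in the config but are bound to no interface."""
    return sorted(set(acls) - set(applied.values()))

def icmp_allowed(acls, applied, interface, icmp_type):
    """Does the inbound ACL on `interface` admit ICMP of `icmp_type` from any to any?
    Models only the ACL: an interface with no access-group returns True here,
    although security-level rules still decide whether the flow is permitted."""
    name = applied.get(interface)
    if name is None:
        return True
    for action, proto, rest in acls[name]:
        if proto not in ("ip", "icmp") or rest[:2] != ["any", "any"]:
            continue
        # 'icmp any any' with no type matches every ICMP type; 'ip any any' matches all.
        if proto == "icmp" and len(rest) > 2 and rest[2] != icmp_type:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every applied ACL
```

With the posted config, `icmp_allowed(acls, applied, "DMZ", "echo")` is False while `"echo-reply"` is True: the ACL bound to the DMZ interface admits only the reply-type ICMP messages, and four ACLs (`100`, `Inside`, `dmz_in`, `linkser`) are never applied.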

2 Replies

Jouni Forss
VIP Alumni

Hi,

Sadly I don't have an ASA running older software with me right now to test this out.

What you are wanting to achieve is not really ideal with the ASA. Also you won't be able to ping a remote interface IP address, and I don't think there is any workaround for that. With remote interface I mean for example sending ICMP from a host behind "inside" to the "outside" interface, which would make "outside" the remote interface in this case.

At this point the only thing with regards to the server I can think of is really doing a NAT from "DMZ" to "DMZ".

I assume that this is the current NAT for the server towards "outside":

static (DMZ,Outside) 200.87.226.122 172.16.31.2 netmask 255.255.255.255

That would make the "DMZ" NAT like this:

static (DMZ,DMZ) 200.87.226.122 172.16.31.2 netmask 255.255.255.255

You also seem to have the following Dynamic PAT configuration:

global (DMZ) 101 interface
nat (DMZ) 101 0.0.0.0 0.0.0.0

So I presume when you send an ICMP from the server to its own public IP address the following would happen:

  • ICMP Echo sent from server to the ASA
  • ASA matches the public IP address to the new Static NAT configured
  • ASA does UN-NAT for the destination IP address (public -> local)
  • ASA does NAT for the source address using the Dynamic PAT configuration (server IP -> DMZ interface IP)
  • ICMP Echo arrives at the server that sent the ICMP sourced from the ASA DMZ interface IP address.
  • Server sends an ICMP Echo reply back.

I really cannot give any guarantees that this would even work, as I am not able to test this out right now.

Even if it worked, it's not an ideal solution, as it's playing around with the NAT a bit too much. The best situation would be if you could allocate a small public subnet for the DMZ segment itself, so no NAT configurations would be needed.

With regards to connections from the "inside" network to the "DMZ" using the public IP address, you would naturally require the NAT from "DMZ" to "inside". But this would also mean that "inside" users could only use the public IP address to connect after this, and if you had any services that were using the local IP address of the DMZ server before this, they would most likely fail.

- Jouni

Jouni, I wasn't very clear on my entire topology. I have a DNS and AD DC server on the inside network that serves all local network requests. The DNS located in the DMZ is to serve remote hosts' requests for the website and the entire email service (this includes inside hosts). Is that the scenario you are suggesting?
