internal network cannot access to DMZ web site, public can access to web site

aung.htwe
Level 1

!

interface Ethernet0/0

description Link to Starhub

nameif Outside

security-level 0

ip address 149.128.38.151 255.255.255.240

!

interface Ethernet0/1

description Link to Internal 100.x

nameif Inside

security-level 100

ip address 192.168.100.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

nameif DMZ

security-level 50

ip address 172.16.0.254 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

banner login This is a Sapientia Holding Property.

banner motd Do not attempt unauthorized access.

ftp mode passive

clock timezone MYT 8

dns server-group DefaultDNS

domain-name nscache1.m1net.com.sg

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.158 eq 3389

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq 3389

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq 3478

access-list Outside_in_DMZ extended permit udp any host 149.128.38.152 eq 3478

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq 5349

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.152 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq 5269

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 range 50000 59999

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq 3389

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq 3478

access-list Outside_in_DMZ extended permit udp any host 149.128.38.153 eq 3478

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq 5349

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.153 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq 5269

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 range 50000 59999

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 range sip 5065

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 range sip 5065

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq 3389

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq 3478

access-list Outside_in_DMZ extended permit udp any host 149.128.38.154 eq 3478

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq 5349

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.154 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq 5269

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 range 50000 59999

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 range sip 5065

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq 3389

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq 3478

access-list Outside_in_DMZ extended permit udp any host 149.128.38.155 eq 3478

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq 5349

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.155 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq 5269

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 range 50000 59999

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 range sip 5065

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.157 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.157 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq 3478

access-list Outside_in_DMZ extended permit udp any host 149.128.38.156 eq 3478

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq 5349

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.156 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq 5269

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 range 50000 59999

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 range sip 5065

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.157 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.157 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.157 eq 3389

access-list Outside_in_Internal extended permit tcp any host 192.168.100.2 range 40000 64999

access-list Outside_in_Internal extended permit tcp host 203.117.19.8 host 192.168.100.2 range 40000 64999

access-list Outside_in_Internal extended permit udp host 203.117.19.8 host 192.168.100.2 range 40000 64999

access-list Outside_in_Internal extended permit udp any host 192.168.100.2 range 40000 64999

access-list ACL-DMZ-TO-INSIDE extended permit ip any any

access-list NO-NAT-IN-TO-DMZ extended permit ip 192.168.100.0 255.255.255.0 host 172.16.0.5

pager lines 24

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Inside) 0 access-list NO-NAT-IN-TO-DMZ

nat (Inside) 101 192.168.100.0 255.255.255.0

static (DMZ,Outside) 149.128.38.158 172.16.0.6 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.152 172.16.0.1 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.153 172.16.0.2 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.154 172.16.0.3 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.155 172.16.0.4 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.156 192.168.100.13 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.157 172.16.0.5 netmask 255.255.255.255

access-group Outside_in_DMZ in interface Outside

access-group ACL-DMZ-TO-INSIDE in interface DMZ

route Outside 0.0.0.0 0.0.0.0 49.128.38.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.100.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.100.0 255.255.255.0 Inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.100.100-192.168.100.199 Inside

dhcpd dns 203.211.152.66 210.193.2.66 interface Inside

dhcpd enable Inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

Please help to check, thanks.

internal network cannot access to DMZ web site, public can access to web site.


14 Replies

aung.htwe
Level 1

I want to access the web site from 192.168.100.x. Thanks.

Hello Aung,

In this case you have plenty of port-forwarding rules on port 80, so I am not aware of which one is the one you are looking for... So just in case, let's say it is the 172.16.0.2:

Static (DMZ,Outside) 149.128.38.153 172.16.0.2 netmask 255.255.255.255

Do the following to make it available from the inside interface:

static (dmz,inside) 172.16.0.2 172.16.0.2

Then try to access it and let me know the result

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

static (DMZ,Inside) 172.16.0.5 172.16.0.5

I want to access internet to 172.16.0.5 from 192.168.100.x

Already added

static (DMZ,Inside) 172.16.0.5 172.16.0.5

Still cannot. Thanks.

Hello Aung,

Are you using an internal DNS or external DNS?

Try this:

no static (DMZ,Inside) 172.16.0.5 172.16.0.5

static (DMZ,inside) 149.128.38.157 172.16.0.5

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

I use an internal DNS for internal users (192.168.100.x).

The DMZ server points to an external DNS.

I can access from internet to DMZ web server.

I cannot access from internal to DMZ web server.

I already added above static.

Thanks

Yeahp I forgot something

Add this and man this should work

global (dmz) 101 interface

Remember to rate ALL of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I just added

global (dmz) 101 interface

Still does not work.

no nat (Inside) 0 access-list NO-NAT-IN-TO-DMZ

no access-list NO-NAT-IN-TO-DMZ extended permit ip 192.168.100.0 255.255.255.0 host 172.16.0.5

Then clear xlate

Give it a try and

Let me know

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Not working either, thanks.

No way,

Can you share the updated configuration?

Also the output of the following:

packet-tracer input inside tcp 192.168.100.10 1025 149.128.38.157 80

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

interface Ethernet0/0

description Link to Starhub

nameif Outside

security-level 0

ip address 149.128.38.151 255.255.255.240

!

interface Ethernet0/1

description Link to Internal 100.x

nameif Inside

security-level 100

ip address 192.168.100.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

nameif DMZ

security-level 50

ip address 172.16.0.254 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.158 eq 3389

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq 3389

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq 3478

access-list Outside_in_DMZ extended permit udp any host 149.128.38.152 eq 3478

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq 5349

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.152 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 eq 5269

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 range 50000 59999

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq 3389

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq 3478

access-list Outside_in_DMZ extended permit udp any host 149.128.38.153 eq 3478

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq 5349

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.153 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 eq 5269

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 range 50000 59999

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.152 range sip 5065

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.153 range sip 5065

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq 3389

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq 3478

access-list Outside_in_DMZ extended permit udp any host 149.128.38.154 eq 3478

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq 5349

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.154 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 eq 5269

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 range 50000 59999

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.154 range sip 5065

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq 3389

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq 3478

access-list Outside_in_DMZ extended permit udp any host 149.128.38.155 eq 3478

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq 5349

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.155 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 eq 5269

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 range 50000 59999

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.155 range sip 5065

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.157 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.157 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq 3478

access-list Outside_in_DMZ extended permit udp any host 149.128.38.156 eq 3478

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq 5349

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq domain

access-list Outside_in_DMZ extended permit udp any host 149.128.38.156 eq domain

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 eq 5269

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 range 50000 59999

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.156 range sip 5065

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.157 eq www

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.157 eq https

access-list Outside_in_DMZ extended permit tcp any host 149.128.38.157 eq 3389

access-list Outside_in_Internal extended permit tcp any host 192.168.100.2 range 40000 64999

access-list Outside_in_Internal extended permit tcp host 203.117.19.8 host 192.168.100.2 range 40000 64999

access-list Outside_in_Internal extended permit udp host 203.117.19.8 host 192.168.100.2 range 40000 64999

access-list Outside_in_Internal extended permit udp any host 192.168.100.2 range 40000 64999

pager lines 24

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Inside) 101 192.168.100.0 255.255.255.0

static (DMZ,Outside) 149.128.38.158 172.16.0.6 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.152 172.16.0.1 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.153 172.16.0.2 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.154 172.16.0.3 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.155 172.16.0.4 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.156 192.168.100.13 netmask 255.255.255.255

static (DMZ,Outside) 149.128.38.157 172.16.0.5 netmask 255.255.255.255

static (DMZ,Inside) 172.16.0.5 172.16.0.5 netmask 255.255.255.255

static (Inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.255.0

access-group Outside_in_DMZ in interface Outside

route Outside 0.0.0.0 0.0.0.0 149.128.38.149 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.100.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.100.0 255.255.255.0 Inside

ssh timeout 5

console timeout 0

dhcpd dns 203.211.152.66 210.193.2.66 interface Inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password hU7e/b.Z9naS8n2R encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

Thanks

Thanks, I could resolve it. I just added

global (DMZ) 101 interface

Yeah,

That should do it as I said before,

Please mark the question as answered and rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
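The NAT lookup this thread converges on, as an added illustration (not code from the thread, from Cisco, or from the ASA itself): a small Python model of the pre-8.3 steps, destination untranslate via static, routing, then source NAT that requires a global with the same id on the egress interface. The interface addresses and NAT lines are taken from the posted config; the routing table, the outside client 203.0.113.7 and the simplified lookup order are assumptions of this model.

```python
import ipaddress
import re

# Constructed sample input: the NAT-relevant lines of the posted config, in
# the three stages the thread went through (original, with the static, with
# the global that finally fixed it). Everything else in the config is ignored.
ORIGINAL = """
global (Outside) 101 interface
nat (Inside) 101 192.168.100.0 255.255.255.0
static (DMZ,Outside) 149.128.38.157 172.16.0.5 netmask 255.255.255.255
"""
WITH_STATIC = ORIGINAL + "static (DMZ,Inside) 149.128.38.157 172.16.0.5 netmask 255.255.255.255\n"
WITH_FIX = WITH_STATIC + "global (DMZ) 101 interface\n"

# Interface addresses from the config; the route table is an assumption
# (connected subnets plus the posted default route out of Outside).
IFACE_IP = {"Outside": "149.128.38.151", "Inside": "192.168.100.254", "DMZ": "172.16.0.254"}
ROUTES = [("172.16.0.0/24", "DMZ"), ("192.168.100.0/24", "Inside"), ("0.0.0.0/0", "Outside")]


def parse(config):
    """Collect host statics, nat pools and interface globals (only the forms used here)."""
    statics, nats, globals_ = [], [], set()
    for line in config.strip().splitlines():
        if m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$", line):
            statics.append({"real_if": m[1], "mapped_if": m[2], "mapped": m[3], "real": m[4]})
        elif m := re.match(r"nat \((\w+)\) (\d+) (\S+) (\S+)$", line):
            nats.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        elif m := re.match(r"global \((\w+)\) (\d+) interface$", line):
            globals_.add((m[1], int(m[2])))
    return statics, nats, globals_


def trace(config, ingress, src, dst):
    """Approximate the pre-8.3 lookup order: destination untranslate, route, source NAT."""
    statics, nats, globals_ = parse(config)
    # Step 1: a static whose mapped side faces the ingress interface untranslates
    # the public address and pins the egress interface to the real side.
    for s in statics:
        if s["mapped_if"] == ingress and s["mapped"] == dst:
            real_dst, egress = s["real"], s["real_if"]
            break
    else:
        # No static on this side: the public address is forwarded as-is by routing,
        # which for the original config means out toward the ISP, not into the DMZ.
        real_dst = dst
        egress = next(i for net, i in ROUTES if ipaddress.ip_address(dst) in ipaddress.ip_network(net))
    # Step 2: when a nat (ingress) <id> entry matches the source, a global with the
    # same id must exist on the egress interface; otherwise the ASA drops the packet
    # ("no translation group found"), which is what the missing global (DMZ) caused.
    for nat_if, nat_id, net in nats:
        if nat_if == ingress and ipaddress.ip_address(src) in net:
            if (egress, nat_id) not in globals_:
                return {"action": "drop", "egress": egress,
                        "reason": f"no translation group found (nat id {nat_id}, interface {egress})"}
            return {"action": "allow", "egress": egress, "src": IFACE_IP[egress], "dst": real_dst}
    # No nat entry for this source (e.g. traffic arriving on Outside): pass untranslated.
    return {"action": "allow", "egress": egress, "src": src, "dst": real_dst}


if __name__ == "__main__":
    flow = ("Inside", "192.168.100.10", "149.128.38.157")
    for name, cfg in (("original", ORIGINAL), ("with static", WITH_STATIC), ("with global", WITH_FIX)):
        print(f"{name:12} {trace(cfg, *flow)}")
    print(f"{'from outside':12} {trace(WITH_FIX, 'Outside', '203.0.113.7', '149.128.38.157')}")
```

With the fix in place, inside clients reach the DMZ server PAT'd to 172.16.0.254, so the server's own logs show the firewall's DMZ address rather than the real client address. The model ignores nat-control, NAT exemption and policy NAT, none of which remain in the final config.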

Thanks, that time we will conflict with some natting.

Thanks Jcarvaja  
