NAT Configuration 1

Navaz Wattoo
Level 1

I need the NAT configuration from DMZ to inside.

My IPs are:

DMZ Interface 10.1.1.1/24

Webserver in DMZ 10.1.1.254

Inside interface 192.168.11.249

Thanks

Navaz

Jouni Forss
VIP Alumni

Hi,

You will have to be clearer with the request.

How do you want to NAT from DMZ to inside? Do you want to configure NAT0 so that the addresses won't be NATed at all? Or do you want to NAT some DMZ address to another specific address towards inside?

- Jouni

Thanks a lot for the reply.

Now the ping time is high, and I want the ping time from the DB servers (192.168.11.10 and 192.168.11.18) to the webserver (10.1.1.254) in the DMZ to decrease.

Navaz

Hi,

You still didn't quite answer my question.

What kind of NAT configuration do you want? Do you want to remove any NAT between the "DMZ" and "inside" interfaces?

You could also share the configuration so we can take into account any existing configurations.

- Jouni

ACTIVE# sh running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ACTIVE
domain-name dhalahore.org
names
dns-guard
!
interface Ethernet0/0
description Inside to the Core Switches
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/1
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/2
description public Server - DMZ
duplex full
nameif DMZ
security-level 50
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface Ethernet0/3
description outside to the internet via router
duplex full
nameif Outside
security-level 0
ip address 125.209.70.90 255.255.255.248 standby 125.209.70.91
!
interface Management0/0
description LAN/STATE Failover Interface
!
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250
!
ftp mode passive
clock timezone PST 5
dns domain-lookup DMZ
dns domain-lookup Outside
dns server-group DEFAULT-DNS
name-server 202.142.160.2
name-server 202.141.224.34
dns server-group DefaultDNS
domain-name dhalahore.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DMZ-BLOCKED-LAN-NETWORKS
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list 102 extended permit tcp any any eq www
access-list 102 extended permit tcp any host 125.209.70.90 eq www
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-list ICMP extended permit icmp any any
pager lines 24
logging asdm informational
mtu DMZ 1500
mtu Outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover key *****
failover link FAILOVER Management0/0
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (DMZ) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255
static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255
static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0
access-group DMZ-IN in interface DMZ
access-group 102 in interface Outside
access-group no-nat in interface inside
route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1
route inside 0.0.0.0 0.0.0.0 192.168.11.254 2
route inside 0.0.0.0 0.0.0.0 192.168.10.254 2
route inside 172.16.10.0 255.255.255.0 192.168.11.254 1
route inside 172.16.10.0 255.255.255.0 192.168.10.254 1
route inside 172.16.20.0 255.255.255.0 192.168.11.254 1
route inside 172.16.20.0 255.255.255.0 192.168.10.254 1
route inside 172.16.30.0 255.255.255.0 192.168.11.254 1
route inside 172.16.30.0 255.255.255.0 192.168.10.254 1
route inside 172.16.40.0 255.255.255.0 192.168.11.254 1
route inside 172.16.40.0 255.255.255.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 DMZ
http 192.168.11.249 255.255.255.255 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.11.254 255.255.255.255 inside
telnet 192.168.10.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username cisco123 password ffIRPGpDSOJh9YLq encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map ICMP-CMAP
match access-list ICMP
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
class ICMP-CMAP
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2ae5436abbb0241872fb7fe948e8cb57
: end
ACTIVE#

Navaz

Hi,

You seem to already have NAT0 configuration between "inside" and "DMZ". You also have ICMP Inspection enabled.

I am not quite sure what the problem currently is.

If the "DMZ" server isn't replying to the ICMP Echo, I would suggest confirming that no local firewall on the server is blocking the ICMP. You could also test ICMP directly from the ASA to the "DMZ" server.

You could also confirm routing if you haven't already.

- Jouni
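As an added illustration (not code from the thread or from Cisco), the following Python script reads the `no-nat` ACL exactly as pasted above (wrapped lines rejoined) and reports whether a given inside/DMZ flow is covered by the `nat (inside) 0 access-list no-nat` exemption, which is the NAT0 configuration Jouni refers to. It relies on the ASA behaviour that NAT exemption lets either side initiate the connection, so the reversed ACE is also checked.

```python
import ipaddress

# Constructed sample input: the "no-nat" ACL from the pasted ASA 8.2 config,
# with the lines the forum wrapped rejoined. The config binds it with
# "nat (inside) 0 access-list no-nat" (NAT exemption).
NO_NAT_ACL = """
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

def _net(tokens, i):
    """Parse one ACE address spec ('any', 'host A', or 'A MASK') at index i."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text, name):
    """Return (src_net, dst_net) pairs for the 'permit ip' ACEs of ACL `name`."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"] or t[3:5] != ["permit", "ip"]:
            continue  # remarks, denies and other ACLs are not exemption entries
        src, i = _net(t, 5)
        dst, _ = _net(t, i)
        entries.append((src, dst))
    return entries

def is_nat_exempt(entries, src_ip, dst_ip):
    """True if the flow matches the NAT exemption ACL in either direction:
    ASA "nat 0 access-list" lets both the real and the remote side initiate,
    so a DMZ host reaching an inside host is exempt as well."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any((s in a and d in b) or (s in b and d in a) for a, b in entries)

if __name__ == "__main__":
    acl = parse_acl(NO_NAT_ACL, "no-nat")
    for src, dst in [("192.168.11.18", "10.1.1.254"), ("10.1.1.254", "192.168.11.10")]:
        print(src, "->", dst, "NAT exempt:", is_nat_exempt(acl, src, dst))
```

Both DB-server/web-server pairs from the thread come back exempt, so no address translation is in the path of those pings; a source outside the listed networks would not be.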

Thanks for the reply.

When I ping the DMZ server (10.1.1.254) and the DB server (192.168.11.18), the response time is perfect. But when I ping 10.1.1.254 (web server) from the DB server (192.168.11.254), it gives a delay.

Navaz

Hi,

I would start looking through the path that the DB server 192.168.11.254 uses on the network towards the web server. I would imagine, though, that there are not many places to check because the source hosts are both in the network directly connected to the ASA.

You could check some switch ports.

I can't see why the ASA or any NAT configuration would be related to RTT from 2 different hosts. I mean, if one works just fine and the other doesn't.

Do you have the ICMP output to share with us? You don't mention any values.

- Jouni

I am sending you the diagram of my network and have also mentioned the DB server.

Navaz