05-30-2013 11:59 PM - edited 03-11-2019 06:51 PM
I need the NAT configuration from DMZ to Inside.
My IPs are:
DMZ Interface 10.1.1.1/24
Webserver in DMZ 10.1.1.254
Inside interface 192.168.11.249
Thanks
Solved! Go to Solution.
05-31-2013 12:18 AM
Hi,
Can you specify the device model and software level on that device that you are using?
Naturally, if you can share the current configuration it would also help.
What exactly is your goal? You don't mention what kind of NAT you need to configure between these 2 interfaces.
Do you want to configure NAT so that the networks can access each other with their original IP addresses?
- Jouni
05-31-2013 12:23 AM
ASA Version 8.2(5)
!
hostname ACTIVE
domain-name test
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description Inside to the Core Switches
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/1
duplex full
no nameif
no security-level
no ip address
!
!
interface Ethernet0/2
description public Server - DMZ
duplex full
nameif DMZ
security-level 50
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface Ethernet0/3
description outside to the internet via router
duplex full
nameif Outside
security-level 0
ip address 125.209.70.90 255.255.255.248 standby 125.209.70.91
!
interface Management0/0
description LAN/STATE Failover Interface
management-only
!
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250
!
!
ftp mode passive
clock timezone PST 5
dns domain-lookup DMZ
dns domain-lookup Outside
dns server-group DEFAULT-DNS
name-server 202.142.160.2
name-server 202.141.224.34
dns server-group DefaultDNS
domain-name dhalahore.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list 102 extended permit tcp any any eq www
access-list 102 extended permit tcp any host 125.209.70.90 eq www
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu DMZ 1500
mtu Outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover key *****
failover link FAILOVER Management0/0
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (DMZ) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255
static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255
static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0
access-group 102 out interface DMZ
access-group 102 in interface Outside
access-group no-nat in interface inside
route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1
route inside 0.0.0.0 0.0.0.0 192.168.11.254 2
route inside 172.16.10.0 255.255.255.0 192.168.11.254 1
route inside 172.16.20.0 255.255.255.0 192.168.11.254 1
route inside 172.16.30.0 255.255.255.0 192.168.11.254 1
route inside 172.16.40.0 255.255.255.0 192.168.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.11.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password ZBZ8GNEdrJsjFvsR encrypted
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3b155d3e6de565df85cf05d25db9ea8e
: end
Yes, they can access the original IP.
This is the current configuration, and thanks for replying.
Message was edited by: rab nawaz
05-31-2013 12:32 AM
Hi,
I am kind of wondering why you are using this ACL on the "inside" interface
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group no-nat in interface inside
To me it seems you are NOT allowing any traffic from the "inside" to the Internet
But onto the matter with the "inside" to "DMZ"
You seem to have the NAT0 configured correctly
nat (inside) 0 access-list no-nat
What is exactly the traffic you are testing connections with? Some TCP connection perhaps? What is the source IP address of the connecting host and what is the destination IP address of the host you are trying to connect to?
If the traffic is ICMP then add the following
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
- Jouni
05-31-2013 03:09 AM
I want the web server (IP address 10.1.1.254) that is in the DMZ to communicate with the DB server (IP address 192.168.11.18) that is connected to the Cisco 3550 switch, and the ASA inside (192.168.11.249) is connected to the 3550 switch.
05-31-2013 03:15 AM
Hi,
As I said, you already seem to have NAT0 configured so the connection should basically go through.
I don't, however, see a point for this NAT configuration:
no static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0
You should be able to test your firewall rules with the below command if the connecting host is 192.168.11.18
packet-tracer input inside
You should be able to test your firewall rules with the below command if the connecting host is 10.1.1.254
packet-tracer input DMZ
Just replace the
- Jouni
05-31-2013 03:41 AM
These are the outputs
------------------------------------------------
packet-tracer input inside
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.0 255.255.255.0 DMZ
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group no-nat in interface inside
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 192.168.11.0 255.255.255.0 DMZ 10.1.1.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 0.0.0.0 0.0.0.0
nat-control
match ip inside any DMZ any
no translation group, implicit deny
policy_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 0 0.0.0.0 0.0.0.0
nat-control
match ip inside any DMZ any
no translation group, implicit deny
policy_hits = 0
Additional Information:
Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 102 out interface DMZ
access-list 102 extended permit ip any any
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255
nat-control
match tcp DMZ host 10.1.1.254 eq 80 Outside any
static translation to 125.209.70.90/80
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 523, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
-----------------------------------------------------------
packet-tracer input DMZ
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.11.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
05-31-2013 03:50 AM
Hi,
But can you please clarify which host opens the connection that is not working at the moment?
Does DMZ open connection to inside
Or does inside open connection to DMZ
Your ACLs seem very weird and certainly not how I would configure them.
To allow traffic from DMZ to inside you would need to attach an ACL to the DMZ interface in the direction "in" in the "access-group" command.
- Jouni
05-31-2013 04:46 AM
I need to ping from 10.1.1.254 (web server) to the DB server (192.168.11.18).
05-31-2013 04:47 AM
Can I give you access through TeamViewer?
05-31-2013 05:12 AM
Hi,
I think the problem is that you don't have an "in" direction ACL on the "DMZ" interface.
Since we are talking about a "DMZ", I would imagine that you DON'T want to allow all traffic to the "inside".
Therefore I would suggest the following configuration:
no access-group 102 out interface DMZ
object-group network DMZ-BLOCKED-LAN-NETWORKS
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN permit icmp host 10.1.1.254 host 192.168.11.18 echo
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN permit ip 10.1.1.0 255.255.255.0 any
access-group DMZ-IN in interface DMZ
What the above aims to do is
If you need to allow something else than ICMP then you will have to add it in top of the ACL we just created.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question and rate helpful answers.
Naturally ask more if you need more help
- Jouni
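As an added illustration (not part of the thread and not a Cisco tool), the following Python models the suggested DMZ-IN ACL with the ASA's first-match, implicit-deny evaluation, which is why a new permit has to sit above the deny line to take effect. The object-group contents are copied from the post; the extra TCP ACE (DB_ACE) and the test addresses are constructed, and port / ICMP-type qualifiers are not modelled.

```python
import ipaddress

# Constructed model of the DMZ-IN ACL from the thread; the ASA evaluates ACEs
# top-down, stops at the first match, and denies anything left unmatched.
OBJECT_GROUPS = {
    "DMZ-BLOCKED-LAN-NETWORKS": [
        "172.16.10.0 255.255.255.0", "172.16.20.0 255.255.255.0",
        "172.16.30.0 255.255.255.0", "172.16.40.0 255.255.255.0",
        "192.168.11.0 255.255.255.0",
    ],
}
DMZ_IN_ACL = [
    "access-list DMZ-IN permit icmp host 10.1.1.254 host 192.168.11.18 echo",
    "access-list DMZ-IN deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS",
    "access-list DMZ-IN permit ip 10.1.1.0 255.255.255.0 any",
]
# Hypothetical extra ACE: a TCP connection from the web server to the DB server.
DB_ACE = "access-list DMZ-IN permit tcp host 10.1.1.254 host 192.168.11.18"

def parse_addr(tokens):
    """Consume one ASA address spec (any / host A / object-group G / A MASK)."""
    kind = tokens.pop(0)
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kind == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if kind == "object-group":
        return [ipaddress.ip_network(s.replace(" ", "/"), strict=False)
                for s in OBJECT_GROUPS[tokens.pop(0)]]
    return [ipaddress.ip_network(f"{kind}/{tokens.pop(0)}", strict=False)]

def parse_ace(line):
    """Return (action, protocol, src_nets, dst_nets); trailing qualifiers ignored."""
    tokens = line.split()[2:]                  # drop "access-list DMZ-IN"
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    return action, proto, parse_addr(rest), parse_addr(rest)

def evaluate(acl, proto, src_ip, dst_ip):
    """Action of the first matching ACE, or the implicit 'deny' at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, aproto, srcs, dsts = parse_ace(line)
        if aproto in ("ip", proto) and any(s in n for n in srcs) \
                and any(d in n for n in dsts):
            return action
    return "deny"

if __name__ == "__main__":
    print(evaluate(DMZ_IN_ACL + [DB_ACE], "tcp", "10.1.1.254", "192.168.11.18"))  # deny: shadowed
    print(evaluate([DB_ACE] + DMZ_IN_ACL, "tcp", "10.1.1.254", "192.168.11.18"))  # permit
```

Appending DB_ACE below the deny line leaves the TCP flow blocked because the object-group deny matches first; only placing it above the deny permits the connection, which is the ordering point made in the post.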
05-31-2013 06:03 AM
Thanks a lot.
Done it now.
You are a genius.
If I face any problem then I will tell you.
My email id is nawazwattoo@gmail.com
Please send me your email id.
05-31-2013 06:07 AM
Hi,
You can send me PM (private message) through my profile here on the CSC if you need.
- Jouni
05-31-2013 06:17 AM
How can I send you a private message?
05-31-2013 06:21 AM
Hi,
You should be able to click my profile name in the post which takes you to my profile page.
There on the right hand side of the page should be an option to send a private message.
Though if you have some question its better to post the question here on the forums.
- Jouni