07-15-2009 12:28 AM - edited 03-11-2019 08:55 AM
Hi Guys,
I have a PIX 525 firewall with software version 6.3. On that PIX firewall, I am able to access one of the DMZ servers using both the NATed IP (let's say 10.80.80.2) and the original DMZ IP (let's say 172.80.1.2). Recently I tried to upgrade to an ASA with version 8.0. After the upgrade I can access it only via the NATed IP (10.80.80.2); once NAT is enabled I am not able to access the DMZ IP (172.80.1.2). I didn't upgrade due to this issue, as some of my testers use the original DMZ IP. I set up a test lab to try it out; the following shows the config. The problem is that I cannot access the original DMZ IP on ASA version 7.2 onwards once NAT is enabled, but with the same config I can access both IPs on PIX version 6.3 while NAT is enabled. Is there any new feature blocking it? What is the reason for not being able to access the original DMZ IP while static NAT is enabled for the DMZ server from the inside interface? Please advise. Thanks.
Test Lab Config :
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif dmz
security-level 10
ip address 172.80.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list dmz extended permit ip any any
pager lines 24
mtu outside 1500
mtu dmz 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (dmz,outside) 192.168.1.22 172.80.1.2 netmask 255.255.255.255
static (dmz,inside) 10.80.80.2 172.80.1.2 netmask 255.255.255.255
access-group outside in interface outside
access-group dmz in interface dmz
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
route inside 10.0.0.0 255.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:abc973974aff9ec64fcc2513e330487c
: end
ciscoasa(config)#
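Added example (not part of the original post or of Cisco's code): a small Python model of how the two `static` lines in the lab config above apply to the forward packet of a flow and to the server's reply. The interface names and the 172.80.1.2 / 10.80.80.2 / 192.168.1.22 addresses come from the posted config; the client addresses 10.10.10.5 and 192.168.1.50 are constructed. The "symmetric" check is a simplified model of the reverse-path NAT check an ASA running 7.0 or later performs before building a connection (an assumption about the platform's behaviour, not its actual code); it is enough to show why reaching the server by its real DMZ address from the inside interface behaves differently from reaching it by the mapped address.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple


class Static(NamedTuple):
    real_if: str      # interface where the real (untranslated) host lives
    mapped_if: str    # interface on which the mapped address is visible
    mapped: object    # ip_network of mapped addresses
    real: object      # ip_network of real addresses


# Pre-8.3 syntax: static (real_if,mapped_if) mapped real netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<mapped>[\d.]+)\s+"
    r"(?P<real>[\d.]+)\s+netmask\s+(?P<mask>[\d.]+)"
)

# Constructed copy of the two static lines from the posted lab config.
LAB_CONFIG = """
static (dmz,outside) 192.168.1.22 172.80.1.2 netmask 255.255.255.255
static (dmz,inside) 10.80.80.2 172.80.1.2 netmask 255.255.255.255
"""


def parse_statics(config: str) -> List[Static]:
    """Extract the static translations from a config text."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mask = m.group("mask")
        rules.append(Static(
            m.group("real_if"), m.group("mapped_if"),
            ip_network(f"{m.group('mapped')}/{mask}", strict=False),
            ip_network(f"{m.group('real')}/{mask}", strict=False),
        ))
    return rules


def _shift(addr, frm, to):
    """Map addr from network `frm` to the same offset within network `to`."""
    return to.network_address + (int(addr) - int(frm.network_address))


def translate(rules: List[Static], src_if: str, dst_if: str,
              src: str, dst: str) -> Tuple[str, str]:
    """Apply the statics to one packet and return its post-NAT (src, dst).

    The source is translated real->mapped when the packet leaves the real
    interface towards the mapped interface; the destination is untranslated
    mapped->real when the packet arrives from the mapped interface headed
    for the real interface.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.real_if == src_if and r.mapped_if == dst_if and s in r.real:
            s = _shift(s, r.real, r.mapped)
        if r.mapped_if == src_if and r.real_if == dst_if and d in r.mapped:
            d = _shift(d, r.mapped, r.real)
    return str(s), str(d)


def check_flow(rules: List[Static], src_if: str, dst_if: str,
               src: str, dst: str) -> Dict[str, object]:
    """Evaluate the forward packet and the reply; report whether NAT is symmetric.

    Simplified model (assumption): the flow is accepted only when the reply,
    after translation, comes back from the address the client originally
    sent to and is delivered to the client's original address.
    """
    fwd_src, fwd_dst = translate(rules, src_if, dst_if, src, dst)
    # The reply leaves the server's real address towards the client's post-NAT address.
    rev_src, rev_dst = translate(rules, dst_if, src_if, fwd_dst, fwd_src)
    return {
        "forward": (fwd_src, fwd_dst),
        "reverse": (rev_src, rev_dst),
        "symmetric": rev_src == dst and rev_dst == src,
    }


if __name__ == "__main__":
    rules = parse_statics(LAB_CONFIG)
    # Inside client reaching the server by its real DMZ address: the reply is
    # rewritten to the mapped address, so the two directions do not match.
    print(check_flow(rules, "inside", "dmz", "10.10.10.5", "172.80.1.2"))
    # Same client using the mapped address: both directions line up.
    print(check_flow(rules, "inside", "dmz", "10.10.10.5", "10.80.80.2"))
    # Outside client using the outside mapped address.
    print(check_flow(rules, "outside", "dmz", "192.168.1.50", "192.168.1.22"))
```

Run as-is it prints the three evaluations; the first one shows the forward packet reaching 172.80.1.2 untouched while the reply's source is rewritten to 10.80.80.2, which is the asymmetry the model flags. The intended fix is a matter of NAT design (for instance the bidirectional static approach suggested in the reply below), not of the access-lists, which already permit everything in this lab.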
07-15-2009 05:11 AM
It sounds like you may have had DNS doctoring on the PIX. On the ASA you can set up bidirectional NAT, explained at the following link:
http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html
Hope that helps.