need help DMZ acces from outside IPv6 asa 5510

mrsuhailasad
Level 1

Hi, in IPv4 everything was working fine: I could access the DMZ from outside. After I moved to IPv6, as there is no NAT needed, I applied the ACLs, but I don't know where I'm going wrong. I need access from outside to the DMZ web server. Here's my config, please reply ASAP. I just want only the HTTP service to be enabled, as I only need web server access.

show run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no ip address
 ipv6 address fc04::2/64
 ipv6 enable
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ipv6 address fc06::1/64
 ipv6 enable
!
interface Ethernet0/2
 nameif dmz
 security-level 70
 no ip address
 ipv6 address fc05::1/64
 ipv6 enable
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ipv6 route outside ::/0 fc04::1
ipv6 access-list inside_access_ipv6_in permit ip any any
ipv6 access-list inside_access_ipv6_in permit tcp any fc05::/64 object-group DM_INLINE_TCP_2
ipv6 access-list dmz_access_ipv6_in permit ip any any
ipv6 access-list dmz_access_ipv6_in permit tcp any fc05::/64 object-group DM_INLINE_TCP_1
ipv6 access-list outside_access_ipv6_in permit ip any any
ipv6 access-list outside_access_ipv6_in permit tcp any fc05::/64 object-group DM_INLINE_TCP_3
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
access-group inside_access_ipv6_in in interface inside
access-group dmz_access_ipv6_in in interface dmz
access-group outside_access_ipv6_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end

4 Replies

Julio Carvajal
VIP Alumni

Hello Suhail,

From which IPv6 address are you trying to access the web DMZ server?

I do not see any routes. What is the IPv6 address of the DMZ server?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The DMZ server IP address is fc05::2/64.

I'm trying to access it from a PC which is connected to a router, which in turn is connected to the router of the firewall.

fc01::1 is the IP address of the machine from which I'm trying to connect.

Routing is okay, I guess, because from the PC I'm able to ping the outside interface of the ASA, fc04::2, and from the ASA console I'm able to ping every device and PC. The problem is that from outside of the ASA it is not pinging to the inside of the DMZ, and vice versa, so no transmission is taking place between them.

Hello Suhail,

Yeah, I missed the IPv6 route, now I see it.

Can you create captures to match the traffic and apply it to both interfaces?

Right now it looks like the ASA setup is good, so the captures will tell us where the issue is.

Regards


James Leinweber
Level 4

If you put permit ip any any as the first line in an access-list, then pretty much all packets are going to be allowed through. You can see which lines in your ACLs are matching by doing either:

  show access-list

to get the hit counts, or something like

  packet-tracer input outside tcp fc04::3 50000 fc05::3 80 detail

to see what would happen to a particular flow.  If you take the "permit ip any any" line out, the tcp line will become effective.

Note that in version 9, v4 and v6 access lists were unified, so the syntax will change some when you upgrade.

Since you are using ULA addresses (fc00::/7) rather than global scope addresses (2000::/3), I assume this is in a test lab. Everyone should have IPv6 in their test lab, so congratulations.

-- Jim Leinweber, WI State Lab of Hygiene
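The shadowing Jim describes, as an added example that is not part of the thread and not Cisco code: a small Python model of how the ASA walks an ipv6 access-list top to bottom and acts on the first matching line. It accepts ACE strings in the syntax the posted config uses, so the poster's outside_access_ipv6_in can be checked next to a tightened version. HARDENED_OUTSIDE_ACL is my suggestion for what was asked for (HTTP only, to the web server fc05::2 only), not something posted in the thread; the addresses fc01::1, fc04::3, fc05::2 and fc05::3 are taken from the thread, and the ssh port is added only for a negative test.

```python
"""First-match model of an ASA ipv6 access-list (added example, not Cisco code).

Every flow is checked against the ACEs in order; the first ACE whose
protocol, source, destination and (if present) destination port all match
decides the verdict. A flow that matches nothing hits the implicit deny.
"""
import ipaddress

# Port keywords used by the posted object-groups, plus ssh for a negative test.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}

# DM_INLINE_TCP_1/2/3 in the posted config are identical; one copy is enough.
OBJECT_GROUPS = {"DM_INLINE_TCP_3": {80, 443}}

# outside_access_ipv6_in exactly as posted: line 1 shadows line 2.
ORIGINAL_OUTSIDE_ACL = [
    "permit ip any any",
    "permit tcp any fc05::/64 object-group DM_INLINE_TCP_3",
]

# Suggested replacement (assumption, not from the thread): HTTP only, to the
# web server only. Everything else falls through to the implicit deny.
HARDENED_OUTSIDE_ACL = [
    "permit tcp any host fc05::2 eq www",
]


def _addr(tokens, i):
    """Parse 'any', 'host X' or 'X/len' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("::/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_ace(line):
    """Turn one ACE string into the fields the matcher needs."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    dports = None  # None means any destination port
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        dports = {PORT_NAMES[name] if name in PORT_NAMES else int(name)}
    elif i < len(t) and t[i] == "object-group":
        dports = OBJECT_GROUPS[t[i + 1]]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dports": dports, "text": line}


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, line_number) for the first matching ACE, or
    ('deny', None) for the implicit deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(map(parse_ace, acl), start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dports"] is not None and dport not in ace["dports"]:
            continue
        return ace["action"], n
    return "deny", None


def shadowed_lines(acl):
    """Line numbers that can never be hit because an earlier line is at least
    as broad in protocol, source, destination and ports. This generalises the
    'permit ip any any on line 1' case from the thread."""
    aces = list(map(parse_ace, acl))
    shadowed = []
    for n, later in enumerate(aces):
        for earlier in aces[:n]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and (earlier["dports"] is None
                         or (later["dports"] is not None
                             and later["dports"] <= earlier["dports"]))):
                shadowed.append(n + 1)
                break
    return shadowed


if __name__ == "__main__":
    # The flow from the packet-tracer line above, then an ssh attempt.
    for name, acl in (("original", ORIGINAL_OUTSIDE_ACL), ("hardened", HARDENED_OUTSIDE_ACL)):
        print(name, "shadowed:", shadowed_lines(acl))
        print(" tcp/80 fc04::3 -> fc05::3:", evaluate(acl, "tcp", "fc04::3", "fc05::3", 80))
        print(" tcp/22 fc01::1 -> fc05::2:", evaluate(acl, "tcp", "fc01::1", "fc05::2", 22))
        print(" icmp   fc01::1 -> fc05::2:", evaluate(acl, "icmp", "fc01::1", "fc05::2"))
```

On the ASA the same checks are the `show access-list` hit counts and `packet-tracer` command Jim gives. Two things to keep in mind when applying the tightened ACL: the ASA is stateful, so return traffic of a connection it has already permitted needs no ACE of its own; and because the only ACE is tcp/80, ICMPv6 echo from outside to fc05::2 is now dropped by the implicit deny, so a ping test like the one in the thread will fail even when HTTP works.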
