cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2449
Views
0
Helpful
23
Replies

Network architecture on ASA 5510

beaujoire
Level 1
Level 1

Hi,

Iam working on ASA5510 and I have some problem.I have already posted in the forum but I resum to you my network architecture and what i want to do.

- PC in LAN :

192.168.1.0/24 with a gateway : 192.168.1.254 ( ASA Lan interface)

- 2 public Server in DMZ

194.x.x.66 /29  ( Public IP) 

194.x.x.65 /29 ( Public IP)
Gateway : 194.x.x.70/29 ( public IP router)
These Servers should be joined from the LAN on their Public IP.

- WAN
194.x.x.69 /29 ( public IP used by PC from LAN to navigate on the Internet)
We have a Pool of public ip from 194.x.x.64 to 194.x.x.70.

To be Precised I joined the ASA configuration and a picture of the Network.

The result is :

From the LAN : i can perfectly navigate on the internet with the right Public IP (194.x.x.69) but I can't ping anything (public IP router, ISP DNS, websites..)

From the DMZ : no communication with LAN and WAN.

From the WAN : I can ping the IP public Router

Any ideas? Thank You

23 Replies 23

Jennifer Halim
Cisco Employee
Cisco Employee

To ping, please add the following:

policy-map global_policy
class inspection_default

     inspect icmp

For DMZ to access the Internet:

nat (DMZ) 1 10.0.0.0 255.0.0.0

For DMZ to access LAN:

static (LAN,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.248.0

And depending on what access you would like from DMZ towards LAN subnet, you would need to add the respective ACL on your DMZ_access_in access-list.

Hope that helps.

ok. i will try it and I come to you for result.

Juste some questions to be sure.

nat (DMZ) 1 10.0.0.0 255.0.0.0  : On the Internet, Are the DMZ servers known with the WAN public IP (194.x.x.69)  or their own Public IP because its the second one i want to do.

static (LAN,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.248.0 :  Are you sure about the Netmask, not 255.255.255.248 ? because DMZ servers have a /29 subnet.

Should I removed this line in my current configuration to not overlap subnet: static (LAN,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Thanks.

OK, seems like your description on the post and your current configuration does not match.

You were saying on your post that:

- 2 public Server in DMZ

194.x.x.66 /29  ( Public IP)

194.x.x.65 /29 ( Public IP)

But on your configuration, DMZ interface is actually:

interface Ethernet0/1

nameif DMZ

security-level 50

ip address 10.1.1.1 255.0.0.0

Can you please confirm which is correct? My answer is based on your existing configuration.

Yes, you can remove:

static (LAN,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

And yes, I am sure of the netmask of 255.255.248.0 as it is for your LAN network, not for your DMZ network. Based on your existing configuration, your LAN network consists of: 192.168.1.0/24, 192.168.0.0/24, 192.168.2.0/24 and 192.168.4.0/24 and I just summarise them to netmask of 255.255.248.0 because the third octet is the one that needs to be summarised, not the fourth octet.

Ok for the LAN Network.

Actually we have a sonic wall and we want to replace it by an ASA5510 so i try to find an equivalent in the configuration.

For the WAN interface we use : 194.x.x.69/29
For the DMZ interface ,there are actually 2 public Servers,

194.x.x.66 /29  ( Public IP)

194.x.x.65 /29 ( Public IP)

They used the Public IP router 194.x.x.70 as a gateway.
A switch is connect on the DMZ ASA interface to connect the two servers.


For the configuration of the ASA,I've Created a new pool of Privates Adresses using static NAT because I can't set up two interface with the same Subnet ( WAN et DMZ = network overlapping)

10.1.1.1/8 : ASA DMZ interface
10.1.1.2/8 : 1 DMZ server ( translate in 194.x.x.65 /29 )
10.1.1.3/8 : 1 DMZ server ( translate in 194.x.x.66 /29 )

You can read my previous Post : https://supportforums.cisco.com/thread/2046886?tstart=0
Maybe i'am in a wrong way for for the configuration ?

Here is how you should configure the DMZ servers static NAT:

static (DMZ,outside) 194.x.x.65 10.1.1.2 netmask 255.255.255.255

static (DMZ,outside) 194.x.x.66 10.1.1.3 netmask 255.255.255.255

Then to be able to access the servers from the Internet, you would also need to configure ACL to allow the traffic inbound on the outside interface.

Hello,

I try your different command lines, it's ok for the Ping from Lan to Wan ( icmp inspect command )

But no change for the rest.

DMZ doesn't communicate with Lan and Wan.The Translation from 10.1.1.x to 194.x.x.x  is ok but TCP/UDP connection failed ( syn timeout )

The ACL that i create are good I think because Traffic work on packet tracert . I don't know what I miss.

I joined a log screen.

Thanks

Tom,

Do you know if 10.1.1.2 will talk to 192.168.1.x? Does it have a route to this network via the firewall?

May be these will only talk to their own subnet IP addresses. In that case for one host you can try the following:

nat (inside) 100 192.168.1.111

global (dmz) 100 int

If you have a static line like this

static (inside,dmz) 192.168.1.0 192.168.1.0 net 255.255.255.0

remove that temporarity and see if these syn timeout messages go away when connecting from 192.168.1.111 to 10.1.1.2 mail server.

-KS

Hi,

192.168.1.x have to communicate with public  ip : 194.x.x.x.  not with private ip : 10.1.1.2

Actually It has no route to this network via the firewall.Should I add someting ?

I will try you solution for ( inside,dmz).

And What about (dmz,wan) because i can't access internet despite this rule  : nat (DMZ) 1 10.0.0.0 255.0.0. ?

Thanks again to take time to reply to Me.

Tom,

Not sure what lines you have now. Could we start over?

Pls. post the output of

sh run nat

sh run global

sh run static

Also tell us which source IP (source interface) is unable to go to which destination IP (destination interface).

-KS

Loren Kolnes
Cisco Employee
Cisco Employee

Hi Tom,

I have reviewed this post as well as the previous post. From what I gathered you want to perform the following:

PAT traffic from the LAN to the internet

Access the DMZ servers from the LAN using the 194.x.x.n addresses.

Access the DMZ servers from the internet using the 194.x.x.n addresses.

Since you cannot have the same subnet on the WAN and the DMZ at the same time we will need to using translations to accomplish this.


First we need to create a static translation that will allow hosts on the internet to access the DMZ servers.

The following static statements will translate traffic from the internet to 194.x.x.n to the 10.1.1.n address:

static (DMZ,WAN) 194.x.x.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.66 10.1.1.3 netmask 255.255.255.255

The following static statements will translate from 194.x.x.n to 10.1.1.n when coming from the LAN and when coming from the DMZ to the LAN traffic from 10.1.1.n will be translated to 194.x.x.n:

static (DMZ,LAN) 194.x.x.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.x.x.66 10.1.1.3 netmask 255.255.255.255

This static will translate the LAN source address to itself, in other words it will identiy translate the traffic.

static (LAN,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

After the translations are built then we need to make sure that the filters applied to each interfaces has the correct entries.

access-group LAN_access_in in interface LAN
access-group DMZ_access_in in interface DMZ
access-group WAN_access_in in interface WAN

Currently you have access-lists LAN_access_in, DMZ_access_in and WAN_access_in applied inbound on the LAN, DMZ and WAN interfaces, respectively.

So you would need to make sure that the appropriate traffic from the LAN to the DMZ is permitted in the LAN_access_in access-list, the souce would be the 192.168.x.x address space and the destination would be the mapped address, in this case 194.x.x.n.

Likewise the DMZ_access_in access-list needs to permit appropriate traffic from the 10.1.1.n address space to the appropriate destination.

The WAN_access_in access-list needs to permit the appropriate traffic from the internet to the to the mapped addresses in the following static statements for the appropriate ports and protocols:

static (DMZ,WAN) 194.x.x.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.66 10.1.1.3 netmask 255.255.255.255

You should be able to remove any nat commands that were applied to the DMZ interface, commands such as "nat (DMZ) 10.1.1.0 255.255.255.0" can be removed.

Let me know if this helps.

If you are still having trouble could you provide the output of the the following packet traces:

packet-tracer input LAN icmp 192.168.1.1 8 0 194.x.x.65

packet-tracer input DMZ icmp 10.1.1.2  8 0 92.168.1.1

Thanks,

Loren Kolnes

Here is output of :

Sh run nat

nat (LAN) 1 192.168.1.0 255.255.255.0

nat (DMZ) 1 10.0.0.0  255.0.0.0 --> have to be remove according to Loren in the last post

sh run global

global (WAN) 1 interface

sh run static

static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255

static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255

static (DMZ,WAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255

static (DMZ,WAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255

static (LAN,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.248.0

sh run route

route WAN 0.0.0.0 0.0.0.0 194.206.235.70 1

route LAN 192.168.0.1 255.255.255.255 192.168.1.229 1

route LAN 192.168.2.0 255.255.255.0 192.168.1.230 1

route LAN 192.168.4.0 255.255.255.0 192.168.1.229 1

As you say Loren I want to perform the following :

PAT traffic from the LAN to the internet

Access the DMZ servers from the LAN using the 194.x.x.n addresses.

Access the DMZ servers from the internet using the 194.x.x.n addresses.

And Actually the problem is my DMZ.The two servers don’t communicate with LAN and WAN.

Loren, as you can see on the output command lines,I have already applied the configuration you said but maybe I’am wrong on something , you said :

Likewise the DMZ_access_in access-list needs to permit appropriate traffic from the 10.1.1.n address space to the appropriate destination.

Actually my DMZ access_in Access-list is configured to permit traffic from 194.x.x.x to the appropriate destination. Should I replace 194.x.x.x to 10.1.1.x ?

Thanks.

Hi Thomas,

Yes the DMZ access list should allow traffic from the pre-nat addresses, 10.x.x.x. Can you give that a try and let me know if it helps.

Thanks,

Loren Kolnes

Yes I will try it !

It explain why DMZ couldn't communicate with Lan and Wan.

I think you put me in a right way !

Thanks

Hi Thomas,

I wanted to follow up with you to see if the access-list changes I suggested helped to resolve your issue.Let me know if you are still having trouble getting traffic through the ASA.

If your question has been resolved please consider marking the post as answered.

Best Regards,

Loren Kolnes

Review Cisco Networking for a $25 gift card