Network architecture on ASA 5510

beaujoire
Level 1

Hi,

I am working on an ASA 5510 and I have a problem. I have already posted in the forum, but I will summarize my network architecture and what I want to do for you.

- PC in LAN :

192.168.1.0/24 with a gateway : 192.168.1.254 ( ASA Lan interface)

- 2 public Server in DMZ

194.x.x.66 /29  ( Public IP) 

194.x.x.65 /29 ( Public IP)
Gateway : 194.x.x.70/29 ( public IP router)
These servers should be reachable from the LAN on their public IP.

- WAN
194.x.x.69 /29 (public IP used by PCs from the LAN to browse the Internet)
We have a pool of public IPs from 194.x.x.64 to 194.x.x.70.

To be precise, I have attached the ASA configuration and a picture of the network.

The result is :

From the LAN: I can browse the Internet perfectly with the right public IP (194.x.x.69), but I can't ping anything (public IP of the router, ISP DNS, websites...).

From the DMZ: no communication with the LAN or the WAN.

From the WAN: I can ping the public IP of the router.

Any ideas? Thank you.


Hi,

I will try your solution this week, probably Wednesday. As soon as my problem is resolved I will tell you.

Thanks.

Hi,

I tried your solution today but nothing changed...

I have attached the logs from the packet-tracer input command. Result: ICMP packets are allowed between LAN - DMZ and DMZ - LAN, so I don't understand why it doesn't work.

Still in trouble. No ideas?

Thanks.

You gathered these:

packet-tracer input LAN icmp 192.168.1.116 8 0 194.206.235.65  --(icmp request from 192.x to 194.x)

packet-tracer input DMZ icmp 10.1.1.2  8 0 192.168.1.116 -- (icmp request from 10.x to 192.x) This should have been reply 0 0 instead of 8 0.

packet-tracer input DMZ icmp 10.1.1.2  0 0 192.168.1.116

Anyway, you don't seem to have icmp inspection. Try to add that and see if that gets the reply back automatically.

conf t

policy-map global_policy
class inspection_default
  inspect icmp

Pls. ping from 10.1.1.2 ====> 192.168.1.116 and

from 192.168.1.116 ====> 194.206.235.65

and watch what the logs say after enabling the logs.

conf t

logging on

logging buffered 7

exit

sh logg | i 192.168.1.116

-KS
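The log check KS describes above, as an added example that is not part of this thread: a small Python parser run over constructed `show logging` lines (ASA message IDs 302020/302021 for ICMP connections and 106023 for ACL denies; the addresses, interface names and ACL names are assumed) that reports which ICMP flows involving the LAN host were built and which were denied, and flags a denied echo-reply, which is the symptom you would see if `inspect icmp` were not applied on that path.

```python
import re

# Constructed sample of "sh logg | i 192.168.1.116" output. The message
# layouts follow ASA syslog IDs 302020/302021/106023; the addresses,
# interface names (LAN, DMZ) and ACL names are assumptions for this example.
SAMPLE_LOG = """\
%ASA-6-302020: Built outbound ICMP connection for faddr 194.206.235.65/0 gaddr 194.206.235.69/1 laddr 192.168.1.116/1
%ASA-6-302021: Teardown ICMP connection for faddr 194.206.235.65/0 gaddr 194.206.235.69/1 laddr 192.168.1.116/1
%ASA-4-106023: Deny icmp src DMZ:10.1.1.2 dst LAN:192.168.1.116 (type 0, code 0) by access-group "DMZ_access_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src LAN:192.168.1.116 dst DMZ:10.1.1.2 (type 8, code 0) by access-group "LAN_access_in" [0x0, 0x0]
"""

# ICMP type numbers as they appear in 106023 messages (8 = request, 0 = reply).
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}

BUILT_RE = re.compile(
    r"%ASA-6-302020: Built (inbound|outbound) ICMP connection for "
    r"faddr (\S+)/\d+ gaddr (\S+)/\d+ laddr (\S+)/\d+")
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny icmp src (\w+):(\S+) dst (\w+):(\S+) '
    r'\(type (\d+), code (\d+)\) by access-group "([^"]+)"')

def summarize_icmp(log_text, host):
    """Collect built and denied ICMP flows that involve `host`."""
    result = {"built": [], "denied": []}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            direction, faddr, gaddr, laddr = m.groups()
            if host in (faddr, laddr):
                # (direction, real local addr, mapped addr, foreign addr)
                result["built"].append((direction, laddr, gaddr, faddr))
            continue
        m = DENY_RE.search(line)
        if m:
            src_if, src, dst_if, dst, typ, code, acl = m.groups()
            if host in (src, dst):
                name = ICMP_TYPES.get(int(typ), "type-%s" % typ)
                result["denied"].append((src_if, src, dst_if, dst, name, int(code), acl))
    return result

def reply_blocked(summary):
    """Denied echo-replies: with ICMP inspection active the reply should match
    the existing connection rather than be evaluated by the interface ACL."""
    return [d for d in summary["denied"] if d[4] == "echo-reply"]

if __name__ == "__main__":
    s = summarize_icmp(SAMPLE_LOG, "192.168.1.116")
    print("built:", s["built"])
    print("denied:", s["denied"])
    print("replies blocked by ACL:", reply_blocked(s))
```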

Ok I will try.

I've already enabled icmp inspection.

Thanks

Gather the following if it doesn't work. Make sure the hosts don't have windows firewall or some other firewall enabled. Try to access using tcp as well.

Pls. ping from 10.1.1.2 ====> 192.168.1.116 and

from 192.168.1.116 ====> 194.206.235.65

cap capin int inside match ip ho 192.168.1.116 194.206.235.65

cap capdmz int DMZ match ip ho 192.168.1.116 10.1.1.2

sh cap capin det

sh cap capdmz det

-KS

There are no other firewalls enabled.

To be sure, I am wondering:

My real IP configuration for the DMZ servers is 194.x.x.x (the public IP).

The 10.x.x.x network is just a private pool I've created in the firewall. Are you sure I don't have to change my servers' IP configuration or gateway, or add a route?

Doesn't the fact that these 2 servers are connected to a switch, which itself is connected to the DMZ interface, require allowing something in the firewall?

Thank you.

Thomas,

We need to get these two sorted out.

Private or Real IP - is the IP that would show when you issued ifconfig or ipconfig on the server or PC.

Mapped or Translated IP - is the IP that the server or PC would look like on the Internet or on another interface.

Now, if you could open a TAC case for this issue that would be great.  Since this has been going on for a while, we can quickly solve this issue once we have access to the device.

-KS

OK, I know the difference, but I would just like to know if my DMZ real IP must be configured:

-  with the public IP: 194.x.x.x /29 (currently the case with the SonicWall), or

-  with the private IP I've created in the ASA (10.x.x.x) --> (what I have to do because the ASA doesn't support the same subnet on the 2 interfaces: WAN and DMZ)

In my first post, a Cisco employee told me that I don't have to change my DMZ real IP, 194.x.x.x/29, so I want to be sure.

I don't know if you follow me.

Thank you
