12-15-2010 03:52 PM - edited 03-11-2019 12:23 PM
Hi,
I am working on an ASA 5510 and I have a problem. I have already posted in the forum, but let me summarize my network architecture and what I want to do.
- PC in LAN :
192.168.1.0/24 with a gateway : 192.168.1.254 ( ASA Lan interface)
- 2 public Server in DMZ
194.x.x.66 /29 ( Public IP)
194.x.x.65 /29 ( Public IP)
Gateway : 194.x.x.70/29 ( public IP router)
These servers should be reachable from the LAN on their public IPs.
- WAN
194.x.x.69 /29 ( public IP used by PC from LAN to navigate on the Internet)
We have a pool of public IPs from 194.x.x.64 to 194.x.x.70.
To be precise, I have attached the ASA configuration and a picture of the network.
The result is :
From the LAN: I can browse the Internet perfectly with the right public IP (194.x.x.69), but I can't ping anything (public IP of the router, ISP DNS, websites...).
From the DMZ: no communication with the LAN or the WAN.
From the WAN: I can ping the public IP of the router.
Any ideas? Thank You
01-10-2011 02:36 PM
Hi,
I will try your solution this week, probably Wednesday. As soon as my problem is resolved I will tell you.
Thanks.
01-12-2011 12:09 PM
01-19-2011 03:02 AM
Still in trouble. No ideas?
Thanks.
01-19-2011 05:18 AM
You gathered these:
packet-tracer input LAN icmp 192.168.1.116 8 0 194.206.235.65 --(icmp request from 192.x to 194.x)
packet-tracer input DMZ icmp 10.1.1.2 8 0 192.168.1.116 -- (icmp request from 10.x to 192.x) This should have been an echo reply (0 0) instead of an echo request (8 0), i.e.:
packet-tracer input DMZ icmp 10.1.1.2 0 0 192.168.1.116
Anyway, you don't seem to have ICMP inspection. Try adding it and see if that gets the reply back automatically:
conf t
policy-map global_policy
class inspection_default
inspect icmp
Please ping from 10.1.1.2 ====> 192.168.1.116 and
from 192.168.1.116 ====> 194.206.235.65
and watch what the logs say after enabling logging:
conf t
logging on
logging buffered 7
exit
sh logg | i 192.168.1.116
-KS
01-19-2011 05:43 AM
OK, I will try.
I've already enabled ICMP inspection.
Thanks
01-19-2011 06:26 AM
Gather the following if it doesn't work. Make sure the hosts don't have the Windows firewall or some other firewall enabled. Try to access using TCP as well.
Please ping from 10.1.1.2 ====> 192.168.1.116 and
from 192.168.1.116 ====> 194.206.235.65
cap capin int inside match ip ho 192.168.1.116 194.206.235.65
cap capdmz int DMZ match ip ho 192.168.1.116 10.1.1.2
sh cap capin det
sh cap capdmz det
-KS
01-19-2011 08:30 AM
There are no other firewalls enabled.
To be sure, I am wondering:
My real IP configuration for the DMZ servers is 194.x.x.x (the public IP).
The 10.x.x.x network is just a private pool I've created in the firewall. Are you sure I don't have to change my servers' IP configuration or gateway, or add a route?
The fact that these 2 servers are connected to a switch, itself connected to the DMZ interface, doesn't require allowing something in the firewall?
Thank you.
01-19-2011 11:16 AM
Thomas,
We need to get these two sorted out.
Private or Real IP - is the IP that would show when you issue ifconfig or ipconfig on the server or PC.
Mapped or Translated IP - is the IP that the server or PC would look like from the Internet or from another interface.
Now, if you could open a TAC case for this issue that would be great. Since this has been going on for a while, we can quickly solve this issue once we have access to the device.
-KS
01-20-2011 08:05 AM
OK, I know the difference, but I would just like to know if my DMZ real IP must be configured:
- with the public IP: 194.x.x.x /29 (actually the case with the SonicWall), or
- with the private IP I've created in the ASA (10.x.x.x) --> (what I have to do because the ASA doesn't support the same subnet on the 2 interfaces: WAN and DMZ)
In my first post, a Cisco employee told me that I don't have to change my DMZ real IP (194.x.x.x/29), so I want to be sure.
I don't know if you follow me.
Thank you
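For reference, here is the ASA NAT layout that matches the way KS has been describing the setup (private 10.1.1.x "real" addresses on the DMZ servers, public 194.x addresses as the "mapped" ones). This is an added example, not the poster's configuration or anything from the attachment; it uses pre-8.3 (ASA 8.2) NAT syntax, the interface names inside/DMZ/outside, the public addresses taken from the packet-tracer lines above (194.206.235.65/.66 for the servers, .69 for the outside interface, .70 for the router), and assumes 10.1.1.2 and 10.1.1.3 as the servers' real IPs and 10.1.1.254 as the DMZ interface address. The second pair of static entries (DMZ,inside) is what lets LAN hosts reach the servers on their public IPs without leaving the firewall.

```text
! --- Interfaces (names, security levels and DMZ addressing are assumptions) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 194.206.235.69 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.1.254 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 194.206.235.70 1
! Default on ASA: no translation is required for flows that match no NAT rule
no nat-control
!
! --- LAN browses out as the outside interface address (already working) ---
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! --- DMZ servers: real IP 10.1.1.x, mapped public IP toward the Internet ---
static (DMZ,outside) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,outside) 194.206.235.66 10.1.1.3 netmask 255.255.255.255
! --- Same mapping toward the LAN so 192.168.1.x hosts use the public IPs ---
static (DMZ,inside) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,inside) 194.206.235.66 10.1.1.3 netmask 255.255.255.255
!
! --- Inbound policy on outside: permit only the published services (assumed: HTTP) ---
! In 8.2 the ACL on outside matches the MAPPED (public) address.
access-list OUTSIDE_IN extended permit tcp any host 194.206.235.65 eq www
access-list OUTSIDE_IN extended permit tcp any host 194.206.235.66 eq www
access-group OUTSIDE_IN in interface outside
!
! --- ICMP inspection so echo replies are allowed back through statefully ---
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Verification (expected: "Action: allow" at the end of each trace) ---
packet-tracer input inside icmp 192.168.1.116 8 0 194.206.235.65
packet-tracer input outside tcp 198.51.100.10 12345 194.206.235.65 80
```

Two points worth checking against the real box: with the static (DMZ,inside) entries in place, the servers' own default gateway must be the DMZ interface (10.1.1.254), not the ISP router, otherwise return traffic never reaches the ASA; and if the ASA is running 8.3 or later the static lines become object NAT and the outside ACL must reference the real (10.1.1.x) address instead of the public one.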