12-17-2007 01:20 AM - edited 03-12-2019 05:51 PM
Hi all,
I am running an ASA5510, with interface config
Inside: 192.168.0.254/24
Outside: 123.123.123.241/28
DMZ: 123.123.123.238/28
That means the usable IP range in the DMZ is 123.123.123.225-238,
and the usable IP range on Outside is 123.123.123.241-254.
123.123.123.254 is the gateway IP of the ISP.
The problem is,
the ISP gave us 64 IPs, 123.123.123.192-255, but we currently only use 32. I want to make use of them by changing the config of the existing firewall.
NEW setting as below:
Inside: 192.168.0.254/24
Outside: 123.123.123.241/27
DMZ: 123.123.123.222/27
Gateway is unchanged
That means the usable IP range in the DMZ is now 123.123.123.193-222,
and the usable IP range on Outside is 123.123.123.225-254.
But once I change it, servers behind the inside interface can surf the internet,
but servers behind both DMZ and outside cannot,
and the ASA shows the following error messages:
3|Dec 17 2007 17:04:04|710003: UDP access denied by ACL from 123.123.123.244/1158 to outside:202.66.92.241/53
3|Dec 17 2007 17:04:03|710003: UDP access denied by ACL from 123.123.123.244/1158 to outside:202.66.92.241/53
2|Dec 17 2007 17:03:50|106001: Inbound TCP connection denied from 123.123.123.244/1393 to 203.161.231.35/80 flags SYN on interface outside
2|Dec 17 2007 17:03:44|106001: Inbound TCP connection denied from 123.123.123.244/1393 to 203.161.231.35/80 flags SYN on interface outside
Firstly, I think it may be an ACL problem, but even when I use a very simple config as below, the same problem still occurs:
: Saved
: Written by enable_15 at 08:33:46.644 UTC Fri Dec 14 2007
ASA Version 7.0(2)
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 123.123.123.241 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 80
ip address 123.123.123.222 255.255.255.224
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
enable password RNbjwrefst9AcP.4V encrypted
passwd 2KFQWcdfIdI.2KYOU encrypted
hostname CPHKASA01
domain-name xxxxxxxx.com
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu dmz 1500
monitor-interface management
monitor-interface inside
monitor-interface outside
monitor-interface dmz
asdm image disk0:/asdm502.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
established tcp 80 0
route outside 0.0.0.0 0.0.0.0 123.123.123.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 123.123.123.203 202.76.4.36
Cryptochecksum:xxx
: end
Anyone know what the problem is and how to solve it? Thanks a lot!!!
12-17-2007 02:51 AM
Hi Patrick
Traffic flow from an interface with a higher security level to an interface with a lower one is permitted by default, and your traffic is from DMZ to outside. So this is not an ACL issue.
"ISP gave us 64IP 123.123.123.192-255, but we now only use 32. I wanna make use of it by change the config of existing firewall"
"DMZ: 123.123.123.222/27 "
What I understand from the above lines is that you assign public IPs from the ISP directly to servers in DMZ and outside. If so, the issue is that you most probably forgot to change the subnet mask of the servers from 255.255.255.240 to 255.255.255.224.
If it is not as I understood, and you have private LAN IPs for the DMZ, then you don't have a NAT translation for them, as follows:
nat (DMZ) 1 0 0
Regards
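The arithmetic behind both posts, as an added example that is not part of the thread: it computes the usable host ranges for the old /28 and new /27 interface addressing given above, parses the two syslog formats (710003 and 106001) from the question to see which interface subnet the denied source address falls in, and checks the reply's hypothesis that a server still carrying the old 255.255.255.240 mask no longer sees its gateway as on-link. The host addresses .200 and .230 used in the mask check are constructed samples, not addresses from the thread; only the standard library `ipaddress` and `re` modules are used.

```python
"""Sanity checks for an ASA interface renumbering: usable host ranges,
syslog source classification, and subnet-mask/gateway consistency."""
import ipaddress
import re

# Interface addressing as given in the thread (old /28 plan and new /27 plan).
OLD_PLAN = {"outside": "123.123.123.241/28", "dmz": "123.123.123.238/28"}
NEW_PLAN = {"outside": "123.123.123.241/27", "dmz": "123.123.123.222/27"}
ISP_GATEWAY = "123.123.123.254"

# Constructed copies of the two syslog formats shown in the question.
SAMPLE_LOGS = [
    "3|Dec 17 2007 17:04:04|710003: UDP access denied by ACL from "
    "123.123.123.244/1158 to outside:202.66.92.241/53",
    "2|Dec 17 2007 17:03:50|106001: Inbound TCP connection denied from "
    "123.123.123.244/1393 to 203.161.231.35/80 flags SYN on interface outside",
]

# 710003 names the interface as "to <if>:<ip>", 106001 as "... on interface <if>".
LOG_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*?) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"to (?:(?P<dst_if>\w+):)?(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
    r"(?:.* on interface (?P<src_if>\w+))?"
)


def usable_range(cidr):
    """Return (first_host, last_host) for an interface address written as CIDR."""
    hosts = list(ipaddress.ip_interface(cidr).network.hosts())
    return str(hosts[0]), str(hosts[-1])


def parse_log(line):
    """Extract severity, message id, endpoints and interface; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "severity": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "interface": m.group("dst_if") or m.group("src_if"),
    }


def locate(ip, plan):
    """Name the interface whose subnet contains ip under a plan, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in plan.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def gateway_on_link(host_cidr, gateway):
    """True if a host configured as host_cidr treats gateway as directly reachable."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network


def mask_check(host_ip, gateway, old_prefix=28, new_prefix=27):
    """Compare gateway reachability with the old (/28) and new (/27) host mask."""
    return {
        "old_mask": gateway_on_link(f"{host_ip}/{old_prefix}", gateway),
        "new_mask": gateway_on_link(f"{host_ip}/{new_prefix}", gateway),
    }


if __name__ == "__main__":
    for name, cidr in NEW_PLAN.items():
        print(f"{name:8s} usable hosts: {usable_range(cidr)}")
    for line in SAMPLE_LOGS:
        rec = parse_log(line)
        print(f"{rec['msgid']}: {rec['src']} -> {rec['dst']} seen on {rec['interface']}; "
              f"source lies in new-plan subnet '{locate(rec['src'], NEW_PLAN)}'")
    # Constructed sample hosts (not from the thread) on each public segment.
    print("dmz host .200 -> ASA dmz .222:", mask_check("123.123.123.200", "123.123.123.222"))
    print("outside host .230 -> ISP gw .254:", mask_check("123.123.123.230", ISP_GATEWAY))
```

Running it reproduces the ranges quoted in the question (outside 225-254, DMZ 193-222 under the new plan) and shows that with the old /28 mask both sample hosts consider their gateway off-link, while with /27 both can reach it, which is exactly the mismatch the reply suggests checking first.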