06-29-2014 02:07 PM - edited 03-11-2019 09:24 PM
I see in my history that I had a similar problem a while back; unfortunately I had to nuke the setup, so I am sort of starting from the start again.
I have two servers set up in the DMZ, one FTP and one WWW:
FTP = 192.168.2.101
WWW = 192.168.2.100
Outside IP: Dynamic (currently, goal is to have a static public IP in the future)
When running packet-tracer input outside tcp current.ip.address 80 192.168.2.100 80 I get this message:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (dmz,outside) source static dmz-webserver interface service WWW WWW
My NATs are like this:
1 (dmz) to (outside) source static dmz-webserver interface service WWW WWW
translate_hits = 0, untranslate_hits = 0
2 (dmz) to (outside) source static dmz-ftpserver interface service FTP FTP
translate_hits = 0, untranslate_hits = 4
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-net interface
translate_hits = 16168, untranslate_hits = 1515
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 254, untranslate_hits = 0
Setup for the DMZ is like this:
object network dmz-webserver
 host 192.168.2.100
 description Web Server Host Object
object network dmz-ftpserver
 host 192.168.2.101
 description FTP Server Host Object
object network DMZ.net
 subnet 192.168.2.0 255.255.255.0
object service FTP
 service tcp source eq ftp
object service WWW
 service tcp source eq www
access-list outside_access_in extended permit tcp any host 192.168.2.101 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq www
access-list inside_access_dmz extended permit tcp any object DMZ.net range 1 65535
Hope for some assistance.
Best trond
07-02-2014 02:28 PM
Yes, the virtual servers in the DMZ are connected to eth1 (192.168.2.8), and so that could be the problem.
Right, I have to consider the Plus license, because it seems the eth1 problem is also related to getting outside traffic to hit the servers in the DMZ zone through the eth1 interface on the server.
EDIT:
1) which license do I then need?
... and ...
2) is it possible to just buy the license. I see lots of bundles...
07-03-2014 01:45 AM
1) which license do I then need?
You will need the Security Plus license
2) is it possible to just buy the license. I see lots of bundles...
Yes it is possible to buy just the license...and not the bundle. You will need to contact your local Cisco partner for this, as you can not buy the license directly from Cisco.
--
Please remember to select a correct answer and rate helpful posts
07-03-2014 07:41 AM
Just to test: I have an FTP and a WWW server on the 192.168.1.8 server (which is on the inside). Would it be possible to change the settings on the firewall to check whether I can reach that server instead? Or wouldn't that matter at all?
Just to clarify the matter.
The host server has two NICs, eth0 with 192.168.1.8 and eth1 with 192.168.2.8. I have set up one FTP server with IP 192.168.2.101 and one web server with 192.168.2.100.
I have set up port forwarding and allowed any traffic in iptables on the host machine.
07-03-2014 10:34 AM
Of course you can add rules for the servers off the 192.168.1.8 port, but I do not think you will get a different result. If you have any spare ports on the ASA, you could configure a port in VLAN3, connect a PC to it, give it an IP within the range of the web server and see if you can first ping the web server, and then try to reach the web page from that PC. If you are unable to ping the web server IP and/or unable to reach the web page, I would think there is a problem with the bridging between the virtual server and the host's physical port.
07-03-2014 01:06 PM
Thanks for that suggestion. I'll try that approach tomorrow with a laptop I have hanging around.
Trond
07-04-2014 12:32 AM
So I now have a laptop set up with 192.168.2.102.
The NIC is set up with:
address 192.168.2.102
gateway 192.168.2.1 (which I noticed the DMZ zone was set up with)
and then the rest.
The default route was set to 192.168.2.1.
I can ping the ASA 5505, but the machine cannot connect to the outside network (pinging 8.8.8.8 is impossible).
(The DNS nameservers on the laptop are set to 8.8.8.8 and 8.8.4.4.)
This is the current configuration:
: Saved
:
ASA Version 8.4(2)
!
hostname fw
domain-name inside-sport.no
enable password m6c6UkyG/paoZ2LZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 300
 speed 100
 duplex full
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.x.xxx.xx 255.255.255.252
!
interface Vlan300
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 192.168.1.8
 name-server 193.75.75.75
 name-server 193.75.75.193
 name-server 8.8.8.8
 domain-name inside-sport.no
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network dmz-webserver
 host 192.168.2.100
 description Web Server Host Object
object network dmz-ftpserver
 host 192.168.2.101
 description FTP Server Host Object
object network DMZ.net
 subnet 192.168.2.0 255.255.255.0
object service FTP
 service tcp source eq ftp
object service WWW
 service tcp source eq www
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network VPNUSERS
 subnet 10.10.10.0 255.255.255.248
object-group network obj_10.10.10.0_16
 network-object 10.10.10.0 255.255.255.248
object-group network obj_192.168.1.0_24
 network-object 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq www
access-list outside_access_in extended permit tcp any host 192.168.2.101 eq ftp
access-list split_tunnel_acl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool client_pool 10.10.10.1-10.10.10.10 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (dmz,outside) source static dmz-webserver interface service WWW WWW
nat (dmz,outside) source static dmz-ftpserver interface service FTP FTP
nat (inside,outside) source static obj_192.168.1.0_24 obj_192.168.1.0_24 destination static obj_10.10.10.0_16 obj_10.10.10.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network inside-net
 nat (inside,outside) dynamic interface
object network VPNUSERS
 nat (outside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.x.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  (REMOVED)
  6c2527b9 deb78458 c61f381e a4c4cb66
 quit
crypto ikev1 enable outside
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns 192.168.1.1 193.75.75.75
dhcpd domain inside-sport.no
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.79 inside
dhcpd dns 192.168.1.1 interface inside
dhcpd domain inside-sport.no interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
username admin password xxxxxxxxxxxxxxxx encrypted privilege 15
username trond password xxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group VPN-INSIDE-SPORT type remote-access
tunnel-group VPN-INSIDE-SPORT general-attributes
 address-pool client_pool
 default-group-policy ipsec_ra_policy
tunnel-group VPN-INSIDE-SPORT ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
no asdm history enable
07-04-2014 03:20 PM
You will not be able to reach the internet as you do not have NAT set up for the DMZ.
object network DMZ
 subnet 192.168.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface
What about the connection to the webserver / FTP server?
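An added example, not part of the original thread: the complete DMZ NAT and ACL set as it looks once the dynamic PAT suggested in the reply above is added to the thread's own objects, followed by the packet-tracer checks for each direction and a management-plane fix for a line in the posted configuration. The object names and 192.168.2.x addresses are the thread's; the outside interface address 203.0.113.10, the test source 198.51.100.7 and the management range 198.51.100.0/24 are assumed placeholders.

```cisco
! --- DMZ hosts and subnet (names and addresses as in the thread) ---
object network dmz-webserver
 host 192.168.2.100
object network dmz-ftpserver
 host 192.168.2.101
object network DMZ.net
 subnet 192.168.2.0 255.255.255.0

! --- Service objects for twice NAT ---
! "source" is the real server's own port: for the inbound direction the ASA
! untranslates the destination port of the outside interface address to it.
object service WWW
 service tcp source eq www
object service FTP
 service tcp source eq ftp

! --- Section 1 (manual NAT): inbound port forwarding ---
! Only TCP/80 and TCP/21 of the outside interface address are exposed;
! every other port on the DMZ hosts stays unreachable from outside.
nat (dmz,outside) source static dmz-webserver interface service WWW WWW
nat (dmz,outside) source static dmz-ftpserver interface service FTP FTP

! --- Section 2 (object NAT): outbound dynamic PAT for the whole DMZ ---
! This is the rule the thread was missing: without it DMZ hosts have no
! translation towards outside, which is why the test laptop could ping the
! ASA but not 8.8.8.8.
object network DMZ.net
 nat (dmz,outside) dynamic interface

! --- Inbound ACL on outside ---
! On ASA 8.3+ the ACL is matched against the REAL (untranslated) address,
! so the DMZ host IPs are correct here, not the interface address.
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq www
access-list outside_access_in extended permit tcp any host 192.168.2.101 eq ftp
access-group outside_access_in in interface outside

! --- Verification ---
! From outside, packet-tracer must target the MAPPED address, i.e. the
! outside interface IP (203.0.113.10 assumed). Aiming it at the real
! 192.168.2.100 from outside contradicts the static rule's reverse
! direction and yields exactly the "NAT rpf-check DROP" seen in the thread.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 21
! Outbound from a DMZ host; the NAT phase should now show the dynamic PAT.
packet-tracer input dmz tcp 192.168.2.100 40000 8.8.8.8 443
! Counters should move after real connections, not stay at 0 as in the post.
show nat detail
show xlate

! --- Management plane (caveat) ---
! The posted config contains "ssh 0.0.0.0 0.0.0.0 outside", i.e. SSH to the
! firewall from the entire internet with local-password auth. Restrict it
! to a known management source (198.51.100.0/24 assumed here).
no ssh 0.0.0.0 0.0.0.0 outside
ssh 198.51.100.0 255.255.255.0 outside
```

Because manual NAT (section 1) is evaluated before object NAT (section 2), the two static port-forward rules win for TCP/80 and TCP/21 while everything else from the DMZ falls through to the dynamic PAT, so a single outside interface address serves both inbound publishing and outbound access. If `show nat detail` still shows zero untranslate hits after a real connection attempt, the packet never reached the NAT stage, and the bridging check suggested earlier in the thread (a PC on the DMZ VLAN pinging 192.168.2.100 directly) is the next step.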
07-05-2014 01:21 AM
So I need to change these settings then?
object network dmz-webserver
 host 192.168.2.100
 description Web Server Host Object
object network dmz-ftpserver
 host 192.168.2.101
 description FTP Server Host Object
object network DMZ.net
 subnet 192.168.2.0 255.255.255.0
And I have these NATs defined:
nat (dmz,outside) source static dmz-webserver interface service WWW WWW
nat (dmz,outside) source static dmz-ftpserver interface service FTP FTP
Since my last message I have changed the route on the servers from 192.168.2.8 to 192.168.2.1 (the firewall).
This change made it possible to get access to the WWW server, and maybe to the FTP server (I am getting some connection errors, so I am not sure).
They do not, however, have access to the internet, so I believe I have to change something.
If I change the route to 192.168.2.8 the servers get access to the internet, but then no one from outside gets access to the WWW server.
07-05-2014 01:21 AM
So I need to change these settings then?
Not necessarily. The reason your test PC was unable to reach the internet is that there is no dynamic NAT to translate the DMZ network to a public IP. The static IPs allow users on the public network to access that single server using the configured port, in your case HTTP and FTP. The commands I posted earlier will allow machines on the DMZ network to reach the internet, if that is required.
But were you able to access the WWW server and FTP server from the test PC? Were you able to ping 192.168.2.8 (the host machine)? If you were able to ping the host machine and not the virtual machines, then there is a bridging problem between the virtual machines and the host NIC.
07-05-2014 02:43 PM
I will test what you are saying some day in the future.
I have now added nat (dmz,outside) dynamic interface to the DMZ.net object. Now the FTP server can reach the internet, and I can also reach the FTP server from the outside.
I am marking this thread/task as solved.
I will post the configuration at the beginning of the thread in case someone else has the same setup.