03-22-2009 08:07 PM - edited 03-11-2019 08:08 AM
PIX config:
hostname ASA5520
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 202.101.2.X 255.255.255.248
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 172.10.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_server extended permit tcp any host 202.101.2.Y
access-list outside_access_server extended permit icmp any any
access-list dmz_access_inside extended permit ip any any
access-list dmz_access_inside extended permit icmp any any
access-list dmz_access_inside extended permit ip any any
access-list inside-accesss-dmz extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
icmp permit any inside
global (outside) 1 interface
nat (inside) 1 172.10.1.0 255.255.255.0 tcp 400 300
static (dmz,outside) 202.101.2.Y 192.168.1.10 netmask 255.255.255.255 dns
static (inside,dmz) 172.10.1.0 172.10.1.0 netmask 255.255.255.0
access-group outside_access_server in interface outside
access-group dmz_access_inside in interface dmz
access-group inside-accesss-dmz out interface dmz
route outside 0.0.0.0 0.0.0.0 202.101.X.X
timeout xlate 8:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:00:00 absolute uauth 3:00:00 inactivity
!
!
class-map tcp_allow
match access-list acl_tcp
class-map type regex match-any testhttp
class-map down
match access-list download
class-map inspection_default
match default-inspection-traffic
!
!
policy-map down
class down
police input 2048000 512000
police output 2048000 512000
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
policy-map tcppolicy
class tcp_allow
set connection advanced-options conform_tcp
!
service-policy global_policy global
service-policy tcppolicy interface outside
Problem description:
1. Inside client can traceroute to the Internet.
2. Inside client can traceroute to the DMZ server.
3. DMZ server cannot traceroute to the Internet or to the inside client.
03-23-2009 09:12 AM
1.) DMZ to client communication:
I could only see a translation for the 172.10.1.0 network:
static (inside,dmz) 172.10.1.0 172.10.1.0 netmask 255.255.255.0
You also need to have a translation for the 192.168.1.x network. Then do a clear xlate.
2.) DMZ server to Internet:
Can the DMZ server reach the gateway defined in this line?
route outside 0.0.0.0 0.0.0.0 202.101.X.X
If you enable debugs, what do you see?
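Added example, not from either poster and not Cisco tooling: a small Python checker that reads the NAT, ACL and class-map lines from the posted config and reports the kind of things the reply is looking for by eye: which source networks have a translation toward a given interface (statics whose real interface is the source, plus nat/global pairs sharing an id), duplicate entries in an ACL (the posted dmz_access_inside has "permit ip any any" twice), and ACLs referenced by access-group or match access-list but not defined in the text (acl_tcp and download, which may simply have been trimmed from the post). It is descriptive only: it does not model nat-control, security levels or ACL evaluation, and the masked X/Y octets are kept as posted because only real-side addresses are parsed.

```python
"""Heuristic consistency checks over a PIX/ASA 7.x-style configuration dump.

Constructed for this thread (not Cisco tooling). SAMPLE_CONFIG reproduces the
NAT, ACL and class-map lines from the original post; the masked X/Y octets are
left as posted because only the real-side addresses are parsed as networks.
"""
import ipaddress
from collections import Counter, defaultdict

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
nameif outside
interface GigabitEthernet0/1
nameif dmz
interface GigabitEthernet0/2
nameif inside
access-list outside_access_server extended permit tcp any host 202.101.2.Y
access-list outside_access_server extended permit icmp any any
access-list dmz_access_inside extended permit ip any any
access-list dmz_access_inside extended permit icmp any any
access-list dmz_access_inside extended permit ip any any
access-list inside-accesss-dmz extended permit icmp any any
global (outside) 1 interface
nat (inside) 1 172.10.1.0 255.255.255.0 tcp 400 300
static (dmz,outside) 202.101.2.Y 192.168.1.10 netmask 255.255.255.255 dns
static (inside,dmz) 172.10.1.0 172.10.1.0 netmask 255.255.255.0
access-group outside_access_server in interface outside
access-group dmz_access_inside in interface dmz
access-group inside-accesss-dmz out interface dmz
class-map tcp_allow
match access-list acl_tcp
class-map down
match access-list download
"""


def parse_config(text):
    """Collect interface names, ACL bodies, ACL references and translation rules."""
    cfg = {"interfaces": [], "acls": defaultdict(list), "acl_refs": [],
           "statics": [], "nats": [], "globals": []}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "nameif":
            cfg["interfaces"].append(tok[1])
        elif tok[0] == "access-list":
            cfg["acls"][tok[1]].append(" ".join(tok[2:]))
        elif tok[0] == "access-group":
            cfg["acl_refs"].append(tok[1])
        elif tok[:2] == ["match", "access-list"]:
            cfg["acl_refs"].append(tok[2])
        elif tok[0] == "static":
            # static (real_if,mapped_if) mapped_addr real_addr netmask MASK [...]
            real_if, mapped_if = tok[1].strip("()").split(",")
            mask = tok[tok.index("netmask") + 1]
            real_net = ipaddress.ip_network(f"{tok[3]}/{mask}", strict=False)
            cfg["statics"].append((real_if, mapped_if, real_net, tok[2]))
        elif tok[0] == "nat":
            # nat (if) id real_net real_mask [...]
            real_net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            cfg["nats"].append((tok[1].strip("()"), tok[2], real_net))
        elif tok[0] == "global":
            # global (if) id interface|pool
            cfg["globals"].append((tok[1].strip("()"), tok[2]))
    return cfg


def duplicate_aces(cfg):
    """ACL name -> entries whose exact text appears more than once in that ACL."""
    dups = {}
    for name, entries in cfg["acls"].items():
        repeated = [e for e, n in Counter(entries).items() if n > 1]
        if repeated:
            dups[name] = repeated
    return dups


def undefined_acl_refs(cfg):
    """ACL names bound by access-group or class-map but never defined in the text."""
    return sorted({name for name in cfg["acl_refs"] if name not in cfg["acls"]})


def translations_between(cfg, src_if, dst_if):
    """Source networks on src_if that have a translation toward dst_if.

    Matches statics whose real interface is src_if and mapped interface is
    dst_if, and nat entries on src_if whose id has a global on dst_if.
    Descriptive only; nat-control and ACL effects are not modelled.
    """
    found = [f"static {real_net} -> {mapped}"
             for real_if, mapped_if, real_net, mapped in cfg["statics"]
             if real_if == src_if and mapped_if == dst_if]
    global_ids = {gid for gif, gid in cfg["globals"] if gif == dst_if}
    found += [f"nat/global id {nid} {net}"
              for nif, nid, net in cfg["nats"]
              if nif == src_if and nid in global_ids]
    return found


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("duplicate ACEs:", duplicate_aces(cfg))
    print("undefined ACL references:", undefined_acl_refs(cfg))
    for src in cfg["interfaces"]:
        for dst in cfg["interfaces"]:
            if src != dst:
                print(f"{src} -> {dst}:", translations_between(cfg, src, dst))
```

Run as-is it prints the translation coverage for every interface pair; for the posted lines, dmz -> outside covers only the 192.168.1.10 static and dmz -> inside has no entry, which is the pair the reply asks about.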