08-15-2014 08:13 PM - edited 03-11-2019 09:38 PM
08-18-2014 12:06 AM
What you have to configure on the ASA:
08-18-2014 04:37 PM
Thanks, to ensure that I am following the direction correctly, I did
ciscoasa(config)# show firewall
Firewall mode: Router
ciscoasa(config)# show switch vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 inside up Et0/1, Et0/2, Et0/3, Et0/5, Et0/6, Et0/7 // Security level 100. 0/1 is connected to the other router (dhcpd) which assigns the IP pool
2 ouside down Et0/0 // Security level 0. Currently I do not need to use it
5 dmz up Et0/4 // The application server is connected to this interface
ciscoasa(config)#
ciscoasa(config)# show ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 172.16.1.140 255.255.255.0 CONFIG
Vlan5 dmz 172.16.0.1 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 172.16.1.140 255.255.255.0 CONFIG
Vlan5 dmz 172.16.0.1 255.255.255.0 manual
// Now I am testing ping to dmz
ciscoasa(config)# ping 172.16.0.71 // This is the real IP of the application server connected directly to dmz
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.71, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
// Testing ping to inside
ciscoasa(config)# ping 172.16.1.134 // IP of a host in inside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.134, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
/*
Also, when a host (inside) pings the app server, it does not work.
*/
// As may be noticed, I cannot ping inside or dmz from the asa5505
/*
However, my problem does not end at this point. Furthermore, I want hosts in inside to access the APP server by "http://172.16.0.71:7071" or 7072,
and both directions from/to dmz to inside. So I did the following:
*/
ciscoasa(config)# object network web-server-frominside
ciscoasa(config-network-object)# host 172.16.0.71
ciscoasa(config-network-object)# nat (dmz,inside) static interface service tcp www www
ciscoasa(config-network-object)# access-list dmztoinside extended permit tcp any host 172.16.0.71 eq 7071
ciscoasa(config-network-object)# access-list dmztoinside extended permit tcp any host 172.16.0.71 eq 7072
ciscoasa(config)# access-group dmztoinside in interface inside
ciscoasa(config)# route dmz 0 0 172.16.1.1 // 172.16.1.1 is the router 1900, the default gateway for inside
This is what I tried, and it did not work at all, so any help is really appreciated.
08-18-2014 06:46 AM
Thanks for your reply.
The inside subnet is managed by the router 172.16.1.1 and not by the ASA5505, which has no dhcpd for the inside network but is still in routed mode.
Any client on the inside (100 security level), by default, should be able to ping DMZ (50 security level), which does not work at all for me.
What I want to do is: typing "http://172.16.0.71" on any client in the inside subnet in order to access the web application server in DMZ (in a bidirectional way).
I tried ACL, NAT, and route based on a similar topology; I used object network, but I was unable to let them talk to each other.
I used NAT for (inside,dmz) and an ACL to allow TCP 7071 & 7072 only.
Maybe I made it more complex than it should be, so any help is really appreciated.
08-18-2014 07:08 AM
OK, this time HTTP access:
1) Do you have a route on the ASA to your internal network?
2) For this you don't need a DMZ-ACL, so we skip that point.
3) Is the internal ACL allowing the traffic?
4) Security levels are fine with 100/inside and 50/dmz.
5) The NAT for (inside, outside) should be removed, as it only adds unnecessary complexity.
Please show your config to help with that.
08-18-2014 01:15 PM
All TCP and UDP traffic should be accessible through the firewall without any ACL entry unless an implicit or explicit rule is blocking the traffic.
1) Check that you have reachability to both networks from the firewall. The firewall should have proper routing in place. You can test by pinging the hosts on both the DMZ and the inside network.
2) Both subnets (inside and DMZ) should have a route, either static or default, to reach each other.
3) NAT should not be required in your case.
The best thing you can do is to run packet-tracer and see where the traffic is being blocked. Based on the packet-tracer output you can proceed further and take the required action.
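The following is an added configuration example, not part of the thread or from any of its participants, that puts the last reply's three points (reachability from the firewall, routes on both subnets, no NAT) into ASA 5505 commands for the topology shown above. It assumes inside is Vlan1 172.16.1.140/24 at security level 100, dmz is Vlan5 172.16.0.1/24 at security level 50, the application server 172.16.0.71 listens on TCP 7071/7072 and uses 172.16.0.1 as its default gateway, the inside router 172.16.1.1 is the inside hosts' default gateway, and the ACL names inside_in and dmz_in are arbitrary.

```cisco
! Added example, not the original poster's config. Assumptions: Vlan1 inside
! 172.16.1.140/24 (level 100), Vlan5 dmz 172.16.0.1/24 (level 50), server
! 172.16.0.71 on TCP 7071/7072 with default gateway 172.16.0.1, inside router
! 172.16.1.1 as the inside hosts' gateway. ACL names are made up.
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.140 255.255.255.0
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! Both subnets are directly connected, so the ASA needs no "route" for them and
! no NAT between inside and dmz (point 3). Remove the default route that pointed
! out of dmz at an inside-side address; it breaks the return path to the DMZ.
no route dmz 0.0.0.0 0.0.0.0 172.16.1.1
!
! Inside (100) -> dmz (50) is allowed by the security levels unless an ACL bound
! to inside blocks it. If you keep an inside ACL, it must permit the app ports
! and, for testing, ICMP; remember the implicit deny at the end.
access-list inside_in extended permit tcp 172.16.1.0 255.255.255.0 host 172.16.0.71 eq 7071
access-list inside_in extended permit tcp 172.16.1.0 255.255.255.0 host 172.16.0.71 eq 7072
access-list inside_in extended permit icmp 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-group inside_in in interface inside
!
! Connections *initiated* from dmz (50) toward inside (100) are denied by
! default. "Bidirectional" only needs an ACL on dmz if the server must open
! sessions to inside; permit the minimum (assumed here: ping for testing).
access-list dmz_in extended permit icmp host 172.16.0.71 172.16.1.0 255.255.255.0 echo
access-group dmz_in in interface dmz
!
! Stateful ICMP inspection lets echo-replies from the DMZ return to inside hosts
! without a permit on the dmz ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Point 1: confirm the firewall itself reaches both sides before testing hosts.
ping inside 172.16.1.134
ping dmz 172.16.0.71
!
! Trace a client HTTP request through the ASA; the output names the phase
! (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) that drops it.
packet-tracer input inside tcp 172.16.1.134 50000 172.16.0.71 7071 detailed
!
! Point 2, on the inside router 172.16.1.1 (IOS syntax): inside hosts send
! 172.16.0.x traffic to their gateway, which must forward it to the ASA.
! ip route 172.16.0.0 255.255.255.0 172.16.1.140
```

The packet-tracer line is the quickest check: if it reports a drop in the ACCESS-LIST phase the inside ACL is the culprit, if it fails at ROUTE-LOOKUP the stray default route is still present, and if it passes but hosts still cannot connect, the problem is on the hosts' side (the inside router missing the 172.16.0.0/24 route, or the server's default gateway not being the ASA's dmz address).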