Switching from an old PIX to a new ASA (8.6), issues with DMZ

jgrover1108
Level 1

I'm working on replacing an old PIX-515E with a new ASA 5512.  I'm having an issue figuring out what commands I need to open up traffic between the DMZ and the inside network for various applications.  I'm sure it's just a simple command I'm missing, but I think my head is too gummed up with all the other PIX-to-ASA translation I've been doing for the rest of the config (I'm not familiar with ASA configuration).

To start, everything on the inside network can get online fine via NAT.  Everything in the DMZ network can also get online fine via NAT.  Inbound access lists are working (I've been able to do mappings and open ports to both internal hosts and DMZ hosts).  However, we also have several servers in the DMZ that communicate with inside hosts (SMTP connections, SQL connections, etc.), and I can't get that working in my test environment.

As an example, I've defined my Inside interface on G0/1:

interface GigabitEthernet0/1
 duplex full
 nameif Inside
 security-level 100
 ip address 10.1.250.252 255.255.0.0

My DMZ interface is G0/4:

interface GigabitEthernet0/4
 nameif DMZ1
 security-level 50
 ip address 10.251.250.251 255.255.0.0

I've defined an object for the laptop I'll be putting in the DMZ:

object network DMZ1-LAPTOPTEST
 host 10.251.20.25

I've configured the static mapping for the public IP (example IP used):

object network DMZ1-LAPTOPTEST
 nat (DMZ1,outside) static 172.16.200.200

With this configuration the laptop at 10.251.20.25 can get online, and its public IP shows as 172.16.200.200.

I then created an access list named DMZ1_to_Inside and added a line that would permit this host to access my local machine on the inside network via RDP:

access-list DMZ1_to_Inside extended permit icmp any any
access-list DMZ1_to_Inside extended permit tcp host 10.251.20.25 host 10.1.17.81 eq 3389

I applied the access list to the DMZ1 interface:

access-group DMZ1_to_Inside in interface DMZ1

I went to the laptop and tried to RDP into 10.1.17.81.  It failed to connect.  I did however see the hit in the access list:

access-list DMZ1_to_Inside; 2 elements; name hash: 0x71c8f258
access-list DMZ1_to_Inside line 1 extended permit icmp any any (hitcnt=0) 0xb20dcd3c
access-list DMZ1_to_Inside line 2 extended permit tcp host 10.251.20.25 host 10.1.17.81 eq 3389 (hitcnt=3) 0x84e78f18

I'm not sure what other commands I need to get this to work.  I also confirmed that I cannot ping from my local machine to the host in the DMZ, so that could be a symptom of the issue.

The only troubleshooting step I've found digging around online (that I somewhat understood, anyway) was a user at experts-exchange suggesting making objects for the general DMZ and internal networks, and creating a NAT entry between the two, so using that post I tried the following (with no success):

object network DMZ1-NETWORK
 subnet 10.251.0.0 255.255.0.0
object network INTERNAL-NETWORK
 subnet 10.1.0.0 255.255.0.0

nat (Inside,DMZ1) source static INTERNAL-NETWORK INTERNAL-NETWORK destination static DMZ1-NETWORK DMZ1-NETWORK

I'd appreciate any assistance.  I've attached a sanitized version of my config.  Thanks.

Accepted Solution

Philip D'Ath
VIP Alumni

You don't need this line.

nat (Inside,DMZ1) source static INTERNAL-NETWORK INTERNAL-NETWORK destination static DMZ1-NETWORK DMZ1-NETWORK

3 Replies

Just goes to show you that when you try something that didn't work you should take it out in case it wants to sabotage subsequent attempts.

Removing that line gave me the ability to ping between networks again, but RDP didn't work.  I then discovered that one of my compatriots played around with some network policies and RDP got disabled on my workstation, so that'd explain why *that* didn't work.

Thanks for helping me out.  I've been buried in 15 pages of configs for the last few days, so I was starting to get a bit loopy.

Now however it seems that the machine can't get online.  I can ping 8.8.8.8, but can't resolve DNS (using 8.8.8.8 as my primary DNS).

Working now.  Not sure what the issue was, but I blew away the access lists and recreated them and did a clear xlate and all is well now.
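Pulling the thread's outcome together as an added example (not the poster's sanitized config or Cisco's documentation): the minimal ASA 8.3+ state for the DMZ-to-Inside flow discussed above, with no NAT rule at all between Inside and DMZ1, followed by the exec-mode checks that verify that exact flow. Interface names, object names and addresses are the ones from the post; the packet-tracer source port is an arbitrary value chosen here.

```cisco
! Inside (security-level 100) is more trusted than DMZ1 (50).
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.250.252 255.255.0.0
!
interface GigabitEthernet0/4
 nameif DMZ1
 security-level 50
 ip address 10.251.250.251 255.255.0.0
!
! The DMZ host only needs its NAT rule toward the outside. Traffic between
! Inside and DMZ1 is routed untranslated in the 8.3+ NAT model, so the
! identity twice-NAT rule from the post is deliberately NOT configured.
object network DMZ1-LAPTOPTEST
 host 10.251.20.25
 nat (DMZ1,outside) static 172.16.200.200
!
! Lower-to-higher security traffic needs an explicit permit, applied inbound
! on the DMZ1 interface. Keep the TCP entry host- and port-specific. Without
! icmp inspection ICMP is not stateful, so the icmp line is also what lets
! echo-replies back in for pings started from Inside.
access-list DMZ1_to_Inside extended permit icmp any any
access-list DMZ1_to_Inside extended permit tcp host 10.251.20.25 host 10.1.17.81 eq 3389
access-group DMZ1_to_Inside in interface DMZ1
!
! Verification from exec mode (comments here, not config):
! 1. Simulate the RDP SYN from the laptop; every phase, including ACCESS-LIST
!    and NAT, should report ALLOW and the result should be "allow".
!    packet-tracer input DMZ1 tcp 10.251.20.25 40000 10.1.17.81 3389 detailed
! 2. Confirm no Inside<->DMZ1 rule remains and no stale translations exist.
!    show nat detail
!    clear xlate
! 3. Confirm the permit line is the one being hit.
!    show access-list DMZ1_to_Inside
```

The packet-tracer run is the fastest way to tell whether a failing flow is an ACL problem or, as in this thread, a NAT rule getting in the way.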
