Topology with ACL ASA-5505

Kuladbr · ‎05-23-2023

Hello,

DMZ Web server can open External Web Server (www.externalone.com), but Admin PC can not open DMZ Web Server (www.theccnas.com) also Net Admin can not open DMZ Web Server. I think routing is working maybe it is something with ACLCORP-ASA 5505.

Flavio Miranda · ‎05-23-2023

Hi

Admin PC can resolve the URL www.theccnas.com to IP address 209.165.200.241. But, as you can see below, it can not ping the server. And the ping stops on the CORP router. You need to check is CORP has route to 209.165.200.241.

C:\>nslookup www.theccnas.com

Server: [192.135.250.5]

Address: 192.135.250.5

Non-authoritative answer:

Name: www.theccnas.com

Address: 209.165.200.241

C:\>ping 209.165.200.241

Pinging 209.165.200.241 with 32 bytes of data:

Request timed out.

Ping statistics for 209.165.200.241:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

C:\>tracert 209.165.200.241

Tracing route to 209.165.200.241 over a maximum of 30 hops:

1 0 ms 1 ms 0 ms 198.133.219.62

2 1 ms 0 ms 7 ms 198.133.219.1

3 0 ms 2 ms 1 ms 209.165.200.226

4 * * * Request timed out.

5 * * * Request timed out.

Now, Net Admin can not resolve www.theccnas.com. You need to fix it by adding the entry on the Net Admin PC´s DNS server.

Your devices has credentials. If you inform what is the credentials, I can help you better.

Kuladbr · ‎05-23-2023

Hello, thank you for quick answer the detailed credentials and description I have now provided in pdf,

For CORP router username: CORPADMIN , pass: Ciscoccnas ,

For CORP ASA password Ciscoccnas

Flavio Miranda · ‎05-23-2023

Hi

I fixed the problem and both PCs can now open the web page. But, I had to fix a few things related to routing and firewall.

Take a close look and let me know. You may need to make some ajustment to follow you assigment. But, it is working.

Kuladbr · ‎05-23-2023

Hello @Flavio Miranda ,

thank you so much for your help! I noticed that you replaced the 5505 with 5506 ASA, which makes a lot of sense, but I asked my professor about it earlier and she said we must use 5505. Is there a way to achieve this by using 5505?

Flavio Miranda · ‎05-23-2023

I believe so. I replaced because the firewall was weird but they might be the same.

But I would not use vlan, unless this is a requirement

Kuladbr · ‎05-23-2023

Hi,

Yes it is was a requirement to use vlans.

MHM Cisco World · ‎05-23-2023

Share asa config here as text let me check it.

Kuladbr · ‎05-23-2023

Hi, @MHM Cisco World I have provided ASA config text as zip file in the question.

MHM Cisco World · ‎05-23-2023

NAT reflection,
the INSIDE must NAT to OUTside if the destination is Server in DMZ
https://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/1150-cisco-asa-firewall-nat-reflection-loopback-hairpinning-configuration.html

Flavio Miranda · ‎05-23-2023

Well, with 3 vlans the connectivity toward inside was not happening. Thats way I chnaged the firewall

Let me return the firewall and try again. I will let you know

Flavio Miranda · ‎05-23-2023

I am afraid that the ASA in PacketTracer will not work as your teacher wants.

In order to have 3 interfaces vlan, you need to have the command "no forward interface". If dont use this command, you get the error:

ERROR: Cannot configure this command while using 3 or more interfaces.

Remove interfaces until the count is 2 or below and try again.

So, this means that, using firewall 5505 and Interfaces vlan, you can have communication between only two vlans. Which means, the traffic will work between outside and dmz, or outside and inside or dmz and inside, but not between all the interfaces. That´s the error I got in the first attempt and that´s why I replace the firewall and used interfaces instead interface vlans.

You need to get back to your teacher and explain the situation. Unless you dont need communication between inside and dmz, which does not make sense to me.

If your teach know how to make all the interfaces vlan communication on this firewall, please, share with me.

Kuladbr · ‎05-24-2023

Hi @Flavio Miranda ,

yes I have used that command "no forward interface vlan 1" but still it does not work, something also with NAT and ASA is the problem since i can not reach from Net Admin PC in the Internal network that can access the URL http://www.externalone.com. But I can from DMZ Web Server to reach External Web Server www.externalone.com.

Flavio Miranda · ‎05-24-2023

I think that the problem. You need to use the command "no forward " and with that , you kill one interface. If the original config you made, you can not even ping the Router IP address 192.168.1.2.

So, my conclusion is either they did a wrong assignment or there is something I need to learn about ASA in PacketTracer.

Hopefylly you can get it from your teacher.

Kuladbr · ‎05-24-2023

Thank you very much I will check it, I have uploaded Configurations of all routers and ASA device in the file if you find anything please let me know.