01-17-2013 09:53 AM - edited 03-11-2019 05:48 PM
Hello guys,
I am busting my head to find out what is going wrong with this config and cant figure it out since i am not an advanced cisco technician.
Problem is that i cant access the 94.70.142.127 server that is supposed to be in a DMZ zone.
I know it is a bit chaotic but would really appreciate any help since i am running on a deadline.
I am building the config step by step and although it seems to be working access to the server all of the sudden is denied.
No idea if its a NAT issue a firewall issue or a security audit issue.
There are 3 vlans.
Vlan 1 is the inside network.
Vlan 2 is the DMZ server
Vlan 3 is the Management Network.
thanks in advance
Building configuration...
Current configuration : 11796 bytes
!
! Last configuration change at 11:28:33 PCTime Fri Jan 4 2013 by admin
! NVRAM config last updated at 11:27:51 PCTime Fri Jan 4 2013 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 8
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 $1$oT7y$BwhdEjMJfAaTQI3dzDVwP.
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
!
crypto pki trustpoint TP-self-signed-2567543707
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2567543707
revocation-check none
rsakeypair TP-self-signed-2567543707
!
!
crypto pki certificate chain TP-self-signed-2567543707
certificate self-signed 01
30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353637 35343337 3037301E 170D3133 30313032 30383431
35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35363735
34333730 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100ABA4 B7FFF4F1 9FBE79D8 2CEBCA68 A14BE3AB DBF770C2 EB35A954 B271AE3E
F8485837 F2E8566B 66E5EF6B BCFCDFA3 8F6F91F3 FD8E3015 879A67F5 85DD95F5
C26875C0 2202CA6C CE95888F 545AB4F6 6F708A0E C65E78D1 60967480 5589F5EE
80505E46 8767CE2C 37C994FE AB555AF0 BA4C4679 63FF7641 34FFF6EF 3EC38006
46B90203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603
551D1104 10300E82 0C52312E 646F636E 65742E67 72301F06 03551D23 04183016
8014F0DE 85318FB3 70C36B4A FEB4B0CA 446025F0 329C301D 0603551D 0E041604
14F0DE85 318FB370 C36B4AFE B4B0CA44 6025F032 9C300D06 092A8648 86F70D01
01040500 03818100 5D76D5F4 5FB659C3 1E5B3777 420E1703 CD019889 AE79390D
A2AA4D26 AD9913B4 B3292277 97ACACDD D7093465 78279B4D 5FAC0A21 EFBF3B74
6A25BC5B ACFB648F 08F92678 00BB495C 037DEAF7 C5910944 3D2C0643 EA19E9BD
0AFE5423 AADBB3C2 B2C94296 DABE0D3D 6438F7A8 32B0A92B 3E8E0D26 635070A3
ACF87E49 65A9E468
quit
no ip source-route
!
!
ip cef
no ip bootp server
ip domain name docnet.gr
ip name-server 195.170.0.1
no ipv6 cef
!
!
!
!
username admin privilege 15 view root secret 5 $1$Lny5$et1FhWOpIKOOYRUtN89H10
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map type inspect match-any WebService
match protocol http
match protocol https
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map WebService
match access-group name WebServer
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-1
match access-group name Spoofing
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any tcp-udp
match protocol http
match protocol https
match protocol dns
match protocol icmp
class-map type inspect match-all ccp-cls--3
match access-group name mng-out
match class-map tcp-udp
class-map type inspect match-all ccp-cls--2
match access-group name mng-self
class-map type inspect match-all ccp-cls--4
match access-group name mng-out-drop
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any http-https-DMZ
match protocol http
match protocol https
class-map type inspect match-all sdm-cls--2
match class-map http-https-DMZ
match access-group name web_server
class-map type inspect match-any MySQLService
match protocol mysql
class-map type inspect match-all sdm-cls--1
match class-map MySQLService
match access-group name DMZtoMySQL
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-1
drop
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat-https-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--3
class type inspect ccp-cls--3
inspect
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--2
class type inspect sdm-cls--2
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--5
class class-default
drop
!
zone security out-zone
zone security in-zone
zone security dmz-zone
zone security mng
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security zp-dmz-to-outside source dmz-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security zp-outside-to-dmz source out-zone destination dmz-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-dmz-zone-in-zone source dmz-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-in-zone-dmz-zone source in-zone destination dmz-zone
service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-dmz-zone-self source dmz-zone destination self
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-mng-self source mng destination self
service-policy type inspect ccp-policy-ccp-cls--2
zone-pair security sdm-zp-mng-out-zone source mng destination out-zone
service-policy type inspect ccp-policy-ccp-cls--3
zone-pair security sdm-zp-out-zone-mng source out-zone destination mng
service-policy type inspect ccp-policy-ccp-cls--5
!
!
!
interface Null0
no ip unreachables
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Vlan2
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security dmz-zone
!
interface Vlan3
description $FW_INSIDE$
ip address 10.0.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security mng
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly max-reassemblies 64
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname dikt15@otenet.gr
ppp chap password 7 0918425001505245
ppp pap sent-username dikt15@otenet.gr password 7 13511B4B1359417D
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.10.0 255.255.255.0 Vlan3
no ip http server
ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.0.101 94.70.142.113
ip nat inside source static 192.168.1.102 94.70.142.127
!
ip access-list extended DMZtoMySQL
remark CCP_ACL Category=128
permit ip host 192.168.1.102 host 192.168.0.101
ip access-list extended Spoofing
remark CCP_ACL Category=128
permit ip 10.0.0.0 0.255.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
ip access-list extended VTY_incoming
remark CCP_ACL Category=1
permit ip host 10.0.10.2 any
ip access-list extended WebServer
remark CCP_ACL Category=128
permit ip any host 192.168.1.102
ip access-list extended mng-out
remark CCP_ACL Category=128
permit ip 10.0.10.0 0.0.0.255 any
ip access-list extended mng-out-drop
remark CCP_ACL Category=128
permit ip any any
ip access-list extended mng-self
remark CCP_ACL Category=128
permit ip any any
ip access-list extended web_server
remark CCP_ACL Category=128
permit ip 192.168.0.0 0.0.0.255 host 192.168.1.102
!
logging 10.0.10.2
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 remark VLan 1 Access
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 remark VLan 3 Access
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 1 remark Vlan 2 Access
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.101
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
banner login ^CWARNING!!!This is a highly monitored private system. Access is prohibited!!^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class VTY_incoming in
password 7 12292504011C5C162E
login local
transport input ssh
!
scheduler max-task-time 5000
ntp authentication-key 1 md5 10603D29214711255F106B2677 7
ntp authenticate
ntp trusted-key 1
ntp master 2
end
Solved! Go to Solution.
02-08-2013 09:17 AM
lol,
Okay at least we know we are good
If you do not have any other question, please mark the question as answered
Remember to rate all of the helpful posts , that works as a thanks for the community users
01-17-2013 10:21 AM
Hello karolos,
Here is the thing.
You said you are trying to access 94.70.142.113 and that is a server on the DMZ but based in your configuration that is not true
ip nat inside source static 192.168.0.101 94.70.142.113
So 192.168.0.101 is on Vlan 1 witch is the in-zone
interface Vlan1
description $FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
security in-zone
If you got confused with the security zone that the host is assigned to then just add the following and it should work
ip access-list extended WebServer
permit ip any host 192.168.0.101
Regards
01-17-2013 10:26 AM
My bad. the correct DMZ server ip address is .127 and not .113
I corrected my original post. sorry for the trouble.
01-17-2013 10:30 AM
Okay,
They are using the same policy so add what I said and let me know the result
01-17-2013 10:44 AM
Dont quite follow you..
There is already an entry
ip access-list extended WebServer
remark CCP_ACL Category=128
permit ip any host 192.168.1.102
which is the internal ip of the DMZ server
access to 192.168.0.101 has been removed since it was not not correct.
01-17-2013 11:11 AM
Yeah, you are right..
Got confused because of the wrong topic.
Okay add the following
ip inspect log drop-pkt
Then try to connect to the server and do
show logging | include 192.168.1.102
Regards
02-07-2013 11:51 PM
after a lot of time i discovered that the security audit was causing the problem and specifically the ip unreachables command. No idea why!
02-08-2013 09:17 AM
lol,
Okay at least we know we are good
If you do not have any other question, please mark the question as answered
Remember to rate all of the helpful posts , that works as a thanks for the community users
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide