Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6714
Views
0
Helpful
18
Replies

ASA Routing INSIDE, DMZ, OUTSIDE

Go to solution
woodjl16501
Level 1
Level 1

‎02-12-2017 12:43 PM - edited ‎03-05-2019 08:01 AM

I need some help, I have my web server on my DMZ interface, but that it doesn't have access to the internet. Unable to the get a ping from inside to the DMZ.  Not sure what I am missing, my goal is to have access to the internet from the DMZ and my inside subnet access to the DMZ and Internet.

192.168.10.0/24 > Inside

192.168.12.0/28 > DMZ

IP setting on Web Server

192.168.12.2 > WebServer Connected directly to F0/3 on the ASA

255.255.255.250 > Netmask

192.168.10.1 > Gateway

ASA Version 9.1(6)

Current Config:

ASAHome# show run

: Saved

: Serial Number: JMX1302L1QL

: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz

:

ASA Version 9.1(6) 

!

hostname ASAHome

domain-name twinkie710.ddns.net

enable password 7rhyV6SC2srI9RYo encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool VPNUsers 192.168.11.10-192.168.11.50 mask 255.255.255.192

!

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address dhcp setroute 

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.10.1 255.255.255.0 

!

interface Ethernet0/2

 nameif DMZ

 security-level 0

 ip address 192.168.12.1 255.255.255.240 

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 management-only

 nameif management

 security-level 100

 ip address 192.168.11.1 255.255.255.252 

!

boot system disk1:/asa916-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

 name-server 192.168.10.15

 name-server 8.8.8.8

 name-server 4.2.2.2

 name-server 8.8.4.4

 domain-name twinkie710.ddns.net

same-security-traffic permit intra-interface

object network inside-subnet

 subnet 192.168.10.0 255.255.255.0

object network dmz-subnet

 subnet 192.168.12.0 255.255.255.240

object network webserver-external-ip

 host 192.168.12.10

object network webserver

 host 192.168.12.2

object network dns-server

 host 192.168.10.15

object network LAN

 subnet 192.168.10.0 255.255.255.0

object network DMZ

 subnet 192.168.12.0 255.255.255.240

object network NETWORK_OBJ_192.168.11.0_26

 subnet 192.168.11.0 255.255.255.192

object network VPNPOOL

 subnet 192.168.11.0 255.255.255.192

access-list outside_acl extended permit tcp any object webserver eq www 

access-list dmz_acl extended permit udp any object dns-server eq domain 

access-list dmz_acl extended deny ip any object inside-subnet 

access-list dmz_acl extended permit ip any any 

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-751.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static inside-subnet inside-subnet destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup

!

object network inside-subnet

 nat (inside,outside) dynamic interface

object network dmz-subnet

 nat (DMZ,outside) dynamic interface

object network webserver

 nat (DMZ,outside) static webserver-external-ip service tcp www www 

!

nat (outside,outside) after-auto source dynamic VPNPOOL interface

access-group outside_acl in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL 

http server enable

http 192.168.10.0 255.255.255.0 inside

snmp-server group Admins v3 priv 

snmp-server host inside 192.168.10.11 community *****

snmp-server host inside 192.168.10.12 community *****

snmp-server host inside 192.168.10.2 community *****

snmp-server location Office

snmp-server contact Jonathan

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec ikev2 ipsec-proposal DES

 protocol esp encryption des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

 protocol esp encryption 3des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

 protocol esp encryption aes

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

 protocol esp encryption aes-192

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DMZ_map interface DMZ

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ca trustpool policy

crypto ikev2 policy 1

 encryption aes-256

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 10

 encryption aes-192

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 20

 encryption aes

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 30

 encryption 3des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 40

 encryption des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev1 enable outside

crypto ikev1 enable inside

crypto ikev1 enable DMZ

crypto ikev1 policy 10

 authentication crack

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 20

 authentication rsa-sig

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 30

 authentication pre-share

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 40

 authentication crack

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 50

 authentication rsa-sig

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 60

 authentication pre-share

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 70

 authentication crack

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 80

 authentication rsa-sig

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 90

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 100

 authentication crack

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 110

 authentication rsa-sig

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 120

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 130

 authentication crack

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 140

 authentication rsa-sig

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 150

 authentication pre-share

 encryption des

 hash sha

 group 2

 lifetime 86400

telnet timeout 5

ssh stricthostkeycheck

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access management

dhcpd address 192.168.10.50-192.168.10.200 inside

dhcpd dns 192.168.10.15 interface inside

dhcpd domain twinkie710.ddns.net interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 38.229.71.1 source outside

ntp server 209.208.79.69 source outside

ntp server 108.59.2.24 source outside

ntp server 45.79.111.114 source outside prefer

group-policy VPN_Users internal

group-policy VPN_Users attributes

 dns-server value 192.168.10.15 8.8.8.8

 vpn-tunnel-protocol ikev1 

 split-tunnel-policy tunnelall

 default-domain value twinkie710.ddns.net

 split-tunnel-all-dns enable

username woodjl1650 password IYD1wu7sEjGmHAyj encrypted privilege 15

tunnel-group VPN_Users type remote-access

tunnel-group VPN_Users general-attributes

 address-pool VPNUsers

 default-group-policy VPN_Users

tunnel-group VPN_Users ipsec-attributes

 ikev1 pre-shared-key *****

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

  inspect ip-options 

 class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context 

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:e6125cf0a468ec6ad3f580aa3d861ffa

: end

 

Labels:
0 Helpful
18 Replies 18

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to woodjl16501

‎02-20-2017 03:26 PM

Hi

I'm sorry I don't understand what you want to achieve.

If you're connected through VPN, you can access all your internal servers if you have added them into the split tunnel acl (if doing split tunneling) and create the nat exemption.

the nat exemption should look like:

nat (inside,outside) source static inside-subnet inside-subnet destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup

If this wasn't your concern, please explain it again. Sorry for that.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
woodjl16501
Level 1
Level 1
In response to Francesco Molino

‎02-13-2017 11:34 AM

Instead of outside access, because I want this secure.  My VPN subnet should have access to the DMZ correct?  

When I try to connect via my iPhone with a VPN connection, the page/server fails to load.

Preview file
11 KB
Preview file
4 KB
0 Helpful

Go to solution
woodjl16501
Level 1
Level 1
In response to Francesco Molino

‎02-13-2017 06:10 AM

I had to reboot the DMZ, and now it works.  I am currently SSHing into it.

Finally config question.  I want all my outside in HTTP/HTTPS traffic to go to 192.168.12.2, what do I need to port forward that?

So the DMZ with be accessible both from all inside subnets as well as access from outside.

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to woodjl16501

‎02-13-2017 06:29 AM

If you want that all HTTP and HTTPS traffic going to your public IP is forwarded to your DMZ server, you need to do static nat:

object network webserver-HTTP
host 192.168.12.2
nat (DMZ,outside) static YOUR-PUBLIC-IP service tcp www www
object network webserver-HTTPS
host 192.168.12.2
nat (DMZ,outside) static YOUR-PUBLIC-IP service tcp https https

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card