CISCO ASA 5510 - access to DMZ

smithcolm
Level 1

Hi,

I know there's loads of discussions about giving access to the DMZ from the inside network.

I got this to work, but there were some side effects....

say my inside network is 192.168.2.0

DMZ is 10.10.1.x

It's on an ASA 5510, which is not the default gateway on the network; I put an IP route on my Windows machine to route traffic for the DMZ to my ASA.

I added a rule - see attached screen shot - rule 18.

I could then access the DMZ. I thought yay, great, but that's when everything went wrong.

The VMotion network on my VM setup went down.

I lost access to a web service that was routed over the ASA (rule 17). I don't know if that was a VM issue or a Cisco issue.

I had to take the rule out and everything came back (thankfully all was completed out of hours so no major impact).

does anyone have any idea what happened to cause this cluster f**k?

Thanks

Colm

2 Replies

Kevin P Sheahan
Level 5

Gonna have to dig into this a bit to get you a solid answer. I have some clarifying questions:

- Why did you put the route on your windows box instead of using the L3 network device that is your default gateway?

- Do your DMZ hosts use the ASA as the default gateway?

- The web service that's routed through the ASA.. I see rule 17 showing NAT from inside --> DMZ (assumption). You're wondering if that went down due to V-motion failure or due to Cisco failure?

- The rule that you took out that brought everything back, was that rule 18?

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349

Thanks for the response.

- Why did you put the route on your windows box instead of using the L3 network device that is your default gateway?

I was working remotely and just didn't want to edit the primary gateway. If I got it working without issue I would have added a route for the DMZ network when I got back into the office.

- Do your DMZ hosts use the ASA as the default gateway?

Yes they do, but there's only 2 at the moment and neither are critical servers.

- The web service that's routed through the ASA.. I see rule 17 showing NAT from inside --> DMZ (assumption). You're wondering if that went down due to V-motion failure or due to Cisco failure?

Rule 17 NATs onto a server in the "inside" network. This stopped working, I'm assuming due to VM, as rule 15 (OWA) was still working.

Going through alerts, it looks like connectivity to one of the VM hosts went down. I still do not know why.

- The rule that you took out that brought everything back, was that rule 18?

Yes, took this out and a few minutes later everything came back up.

My initial thought was that the VM config had some IPs in the DMZ network, but I cannot confirm this.

The only thing I can think of is that the network switch setup has "VM network / DMZ / Management" networks shared over the same 2 NICs, and changing the NAT caused the issue.

See other screen shot attached (sorry, I know this is a Cisco forum, but just putting this out there).
