05-13-2013 12:15 PM - edited 03-07-2019 01:20 PM
I thought I had this all working, not sure why my DMZ comptuers cant ping the DHCP server (192.168.10.2 CPLserver)
Also my management vlan cant ping my DHCP.
Can someone help me out?
I need the DMZ to communicate only with the CPLserver
I need management to be able to ping any computer on the inside.
I dont want the inside to ping the management.
I only want the CPLserver to communicate with the DMZ. All other inside computers must not communicate with the DMZ.
Im pretty sure the NAT entries are working correctly.
Can someone help me out?
: Written by enable_15 at 12:39:47.199 UTC Sun May 12 2013
!
ASA Version 8.2(5)
!
hostname ASA5505CPL
domain-name CPL
names
name 10.10.10.0 DMZ description Public Computers
name 192.168.10.0 Inside description CPL Staff Network
name 192.168.0.0 Management description Cisco equipment Access only
name 192.168.1.0 default description Not in use
name 192.168.10.2 CPLserver
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 11-13
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 11
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 13
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
shutdown
nameif default
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan11
description Inside
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan12
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Vlan13
description Management
nameif Management
security-level 100
ip address 192.168.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name CPL
object-group network obj-10.0.1.0
object-group network obj-10.0.2.0
access-list inside_access_in extended permit ip any any
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 extended permit ip Inside 255.255.255.0 DMZ 255.255.255.0
access-list INSIDE-NAT0 extended permit ip Inside 255.255.255.0 Management 255.255.255.0
access-list InsidetoDMZ extended permit ip Inside 255.255.255.0 host DMZ
access-list ManagementtoDMZ extended permit ip Management 255.255.255.0 DMZ 255.255.255.0
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 extended permit ip DMZ 255.255.255.0 Management 255.255.255.0
access-list DMZ-NAT0 extended permit ip DMZ 255.255.255.0 Inside 255.255.255.0
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 extended permit ip Management 255.255.255.0 DMZ 255.255.255.0
access-list MANAGEMENT-NAT0 extended permit ip Management 255.255.255.0 Inside 255.255.255.0
access-list DMZtoInside extended permit ip any host CPLserver
access-list DMZtoInside extended permit ip host DMZ host CPLserver
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging buffered debugging
logging asdm debugging
mtu default 1500
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
icmp permit any Management
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list INSIDE-NAT0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list DMZ-NAT0
nat (dmz) 1 DMZ 255.255.255.0
nat (Management) 0 access-list MANAGEMENT-NAT0
nat (Management) 1 Management 255.255.255.0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Inside 255.255.255.0 inside
http Management 255.255.255.240 Management
http Management 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet Inside 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
05-13-2013 12:39 PM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
and I had to change the security level of the DMZ to 100
I added these to the ACL - My DMZ computers can Ping the file server, but it wont pull a DHCP address.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: