12-20-2011 07:42 PM - edited 03-07-2019 03:59 AM
I have an ASA 5505 configured with internal network, a DMZ, and a VPN on seperate subnets. The implicit rules allow my internal client computers to connect to the web servers on the DMZ IP, but I can not connect to the public NAT address from the internal network. I have a DNS server on my internal network and it does resolve to the public IP correctly. NAT seems to be working correctly because if I go outside the network and connect to the public IP or qualified name then I can get to everything correctly. I do not see any messages in the Cisco logs and the packet trace tool shows the route of http from an internal IP adddress to the external (NATed) address is allowed. Can anyone help me troubleshoot this and figure out why it is not working?
Specifically, I can go to http://192.168.1.121 from the internal (192.168.0/24) network, but I can not go to http://72.22.214.121 (the NAT address) from the internal network. If I am outside my cisco then I can go to http://72.22.214.121 easily.
Here is most of my running config:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(5)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0 (my internal network is 192.168.0/24)
!
interface Vlan2
nameif outside
security-level 0
ip address 72.22.214.120 255.255.255.240 (this is my cisco's IP)
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0 (my DMZ network is 192.168.1/24)
!
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
access-list botnet-exclude extended permit ip any any
access-list outside_access_in extended permit tcp any host 72.22.214.119 object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit tcp any host 72.22.214.121 object-group DM_INLINE_TCP_6
access-list outside_access_in extended permit tcp any host 72.22.214.123 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host 72.22.214.124 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host 72.22.214.125 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host 72.22.214.126 object-group DM_INLINE_TCP_4
access-list XXXXXX_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list XXXXXX_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.192
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool XXXXXXPool 192.168.2.10-192.168.2.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) 72.22.214.119 192.168.1.119 netmask 255.255.255.255 (NAT entries)
static (dmz,outside) 72.22.214.121 192.168.1.121 netmask 255.255.255.255
static (dmz,outside) 72.22.214.124 192.168.1.124 netmask 255.255.255.255
static (dmz,outside) 72.22.214.125 192.168.1.125 netmask 255.255.255.255
static (dmz,outside) 72.22.214.126 192.168.1.126 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 72.22.214.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server XXXXXDomain protocol nt
aaa-server XXXXXDomain (inside) host 192.168.0.120
timeout 5
nt-auth-domain-controller test-pdc
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.20-192.168.0.30 inside
dhcpd dns 192.168.0.120 interface inside
dhcpd wins 192.168.0.120 interface inside
dhcpd domain xxx.xxxxxxxx.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface inside
dynamic-filter enable interface outside classify-list botnet-exclude
dynamic-filter drop blacklist interface inside
dynamic-filter ambiguous-is-black
ntp server 200.50.25.62 prefer
ntp server 128.138.188.172
ntp server 64.147.116.229
webvpn
group-policy XXXXXXXX internal
group-policy XXXXXXXX attributes
dns-server value 192.168.0.120
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
!
class-map inspection_default
match default-inspection-traffic
class-map botnet-DNS
match port udp eq domain
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map botnet-policy
class botnet-DNS
inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy botnet-policy interface outside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:739ee35f8c0d3ff262fbf48e05bce41d
: end
Solved! Go to Solution.
12-20-2011 10:39 PM
Pls try this,
static (dmz,inside) 72.22.214.121 192.168.1.121 netmask 255.255.255.255
---
Posted by WebUser Kyaw Swar
12-20-2011 10:39 PM
Pls try this,
static (dmz,inside) 72.22.214.121 192.168.1.121 netmask 255.255.255.255
---
Posted by WebUser Kyaw Swar
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide