
Another problem yet again ASA 5510 Web server failing

Status
Not open for further replies.

jaroszke (IS-IT--Management), Jul 29, 2010
I have an ASA 5510 set up for a DMZ with a web server on it. I tried playing around with an internal DNS setting yesterday; it didn't work, so I changed it back, but now my web server won't work. The only way I can get it to work is if I click "clear dynamic ARP entries"; then the website is up for a couple of minutes and fails again. Any ideas?
Here is my running config (outside Internet x.x.x.194, web server public IP x.x.x.184, internal web server address 10.0.0.2, public DNS x.x.x.8, internal DNS 195.168.4.101):

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password By8z9vzib.NyHQdS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.194 255.255.255.0
!
interface Ethernet0/1
nameif servers
security-level 100
ip address 195.168.4.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.2
vlan 2
nameif table
security-level 95
ip address 195.168.2.1 255.255.255.0
!
interface Ethernet0/3.3
vlan 3
nameif labs
security-level 100
ip address 195.168.3.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup servers
dns domain-lookup labs
dns server-group DefaultDNS
name-server 195.168.4.101
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list table_access_in extended permit ip any any
access-list labs_access_in extended permit icmp any any echo-reply
access-list labs_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host 10.0.0.2 x.x.x.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp any eq www host 10.0.0.2
access-list dmz_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any eq www host 198.109.31.184
access-list outside_access_in extended permit ip any any
access-list DMZ extended permit icmp any any
access-list server_access_in extended permit ip any any
access-list server_access_in extended permit icmp 10.0.0.0 255.255.255.0 195.168.4.0 255.255.255.0 echo-reply
access-list servers_access_in extended permit ip any any
access-list servers_access_in extended permit icmp any any echo-reply
access-list servers_access_in extended permit object-group TCPUDP 195.168.3.0 255.255.255.0 eq domain host 195.168.4.101
access-list servers_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.0.0.0 255.255.255.0 eq domain host 195.168.4.101
access-list labs_nat0_outbound extended permit ip any 195.168.4.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu servers 1500
mtu dmz 1500
mtu table 1500
mtu labs 1500
mtu management 1500
ip local pool VPNaddress 195.168.4.120-195.168.4.170 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (servers) 1 0.0.0.0 0.0.0.0 dns
nat (dmz) 1 0.0.0.0 0.0.0.0 dns
nat (table) 1 0.0.0.0 0.0.0.0 dns
nat (labs) 0 access-list labs_nat0_outbound
nat (labs) 1 0.0.0.0 0.0.0.0 dns
static (dmz,outside) tcp x.x.x.184 255.255.255.255 dns
static (labs,servers) 195.168.3.0 195.168.3.0 netmask 255.255.255.0
static (servers,labs) 195.168.4.0 195.168.4.0 netmask 255.255.255.0
static (servers,dmz) 195.168.4.0 195.168.4.0 netmask 255.255.255.0
static (dmz,servers) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 dns
access-group outside_access_in in interface outside
access-group servers_access_in in interface servers
access-group dmz_access_in in interface dmz
access-group table_access_in in interface table
access-group labs_access_in in interface labs
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ca server
shutdown
smtp from-address admin@ciscoasa.null
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 195.168.4.101
!
dhcpd address 10.0.0.2-10.0.0.3 dmz
dhcpd dns x.x.x.8 interface dmz
!
dhcpd address 195.168.2.100-195.168.2.120 table
!
dhcpd address 195.168.3.2-195.168.3.254 labs
dhcpd enable labs
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1 regex "Windows CE"
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc ask enable
username admin1 password ZtmwWxwfZJPPSOvr encrypted
username keith1 attributes
vpn-group-policy DfltGrpPolicy
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:09ec96014093871fc2b34bd088f4b6a4
: end
 
Your ACL looks screwy:
Code:
access-list dmz_access_in extended permit tcp host 10.0.0.2 x.x.x.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp any eq www host 10.0.0.2
access-list dmz_access_in extended permit icmp any any echo-reply
Either try removing your dmz_access_in ACL from your dmz interface or change it to be something like this:
Code:
access-list dmz_access_in extended permit tcp host 10.0.0.2 eq www any

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
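As an added illustration (not code from the thread, from Cisco, or from either poster), here is a small Python matcher for ASA extended ACL entries of the shape used above. It parses the three ACEs from the posted dmz_access_in and the one the reply proposes, then evaluates a few constructed flows the way the ASA evaluates an ACL bound with `in` on the dmz interface: against packets entering that interface, which are sourced from the DMZ host. The redacted outside prefix x.x.x.0/24 is stood in by the documentation prefix 203.0.113.0/24, and the client addresses are constructed. One caveat a practitioner should keep in mind: the ASA is stateful, so return packets of a connection already permitted on the outside interface are matched by the connection table, not by the dmz ACL; what this evaluation shows is which newly initiated flows from the web server each ACL variant permits.

```python
"""Evaluate Cisco ASA-style extended ACL entries against sample flows.

Added example for the thread above; not code from the original post, from
Cisco, or from the replier. It covers only the ACE shapes that appear in the
thread: tcp/udp/ip/icmp, 'any' / 'host A' / 'A MASK', optional 'eq port'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port keywords the ASA accepts in place of numbers (the subset used here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    acl: str
    action: str                      # "permit" or "deny"
    proto: str                       # tcp, udp, icmp or ip (ip matches any proto)
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    icmp_type: Optional[str]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    icmp_type: Optional[str] = None


def _parse_addr(t: List[str], i: int):
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # "A.B.C.D M.M.M.M": ip_network accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _parse_port(t: List[str], i: int):
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        port = int(p) if p.isdigit() else PORT_NAMES[p]
        return port, i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    acl, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    icmp_type = t[i] if proto == "icmp" and i < len(t) else None
    return Ace(acl, action, proto, src, sport, dst, dport, icmp_type)


def ace_matches(ace: Ace, f: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    if ipaddress.ip_address(f.src) not in ace.src:
        return False
    if ipaddress.ip_address(f.dst) not in ace.dst:
        return False
    if ace.proto in ("tcp", "udp"):
        if ace.src_port is not None and ace.src_port != f.sport:
            return False
        if ace.dst_port is not None and ace.dst_port != f.dport:
            return False
    if ace.proto == "icmp" and ace.icmp_type not in (None, f.icmp_type):
        return False
    return True


def evaluate(acl: List[Ace], f: Flow) -> str:
    """First matching ACE wins; every ASA ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, f):
            return ace.action
    return "deny"


# The three ACEs from the posted config; the redacted x.x.x.0/24 outside
# network is stood in by the documentation prefix 203.0.113.0/24 (constructed).
POSTED_ACL = [parse_ace(l) for l in [
    "access-list dmz_access_in extended permit tcp host 10.0.0.2 203.0.113.0 255.255.255.0 eq www",
    "access-list dmz_access_in extended permit tcp any eq www host 10.0.0.2",
    "access-list dmz_access_in extended permit icmp any any echo-reply",
]]

# The single ACE the reply proposes instead.
SUGGESTED_ACL = [parse_ace(
    "access-list dmz_access_in extended permit tcp host 10.0.0.2 eq www any")]

# Constructed flows as they enter the dmz interface (source = the web server).
WEB_REPLY = Flow("tcp", "10.0.0.2", 80, "198.51.100.7", 51515)      # answering a client
OUTBOUND_HTTP = Flow("tcp", "10.0.0.2", 50000, "203.0.113.9", 80)    # fetching from outside
DNS_LOOKUP = Flow("udp", "10.0.0.2", 49152, "195.168.4.101", 53)    # querying internal DNS
PING_REPLY = Flow("icmp", "10.0.0.2", 0, "195.168.4.50", 0, icmp_type="echo-reply")

SAMPLE_FLOWS = {"web reply": WEB_REPLY, "outbound http": OUTBOUND_HTTP,
                "dns lookup": DNS_LOOKUP, "ping reply": PING_REPLY}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {label: (verdict under posted ACL, verdict under suggested ACL)}."""
    return {label: (evaluate(POSTED_ACL, f), evaluate(SUGGESTED_ACL, f))
            for label, f in flows.items()}


if __name__ == "__main__":
    for label, (posted, suggested) in compare().items():
        print(f"{label:14s} posted={posted:7s} suggested={suggested}")
```

Running it shows the posted ACL permits the web server to open HTTP connections to the outside /24 and to send echo-replies, while the second posted line (source port 80 towards 10.0.0.2) can never match a packet entering the dmz interface because such packets are sourced from 10.0.0.2; the suggested ACE permits only flows sourced from port 80 on the web server. Neither variant permits the server's own UDP DNS lookups, which is the kind of detail worth checking with `show access-list` hit counts when a DMZ host half-works.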