asa 5510 inside to dmz not working


melak77 (IS-IT--Management, HU), Apr 20, 2009, 5 posts
Hello guys,
I have a huge problem, and cannot resolve it for 2 days now.
I have a Cisco ASA 5510 (ASA 7.2.4, ASDM 5.2.4), configured for my network. I have some services (http/https) configured for outside access, working perfectly. But I cannot get it to work for inside users. I need to access the services on the outside addresses but from the inside network.

I really need your help.

Here is my config. DMZ is called Production. The services are http and https, for 4 addresses (195.228.55.236, 195.228.55.237, 195.228.55.238, 195.228.55.239) redirected to 10.0.4.125 in the DMZ, to different web server ports.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname asatlhu
domain-name dom.t-logic.hu
enable password xxxxxx encrypted
passwd xxxxxx encrypted
names
name 10.0.4.2 Production-Interface
name 10.0.4.125 linuxportal
name 10.0.0.56 VPN_Admins_Pool
name 10.0.0.64 VPN_Users_Pool
name 10.0.0.2 Inside-interface
name 195.228.55.239 Outside-Interface
name 195.228.55.238 name 195.228.55.236 name 195.228.55.237 name 10.0.4.7 cvs
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address Outside-Interface 255.255.255.224
ospf cost 10
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address Inside-interface 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif Production
security-level 100
ip address 10.0.4.1 255.255.255.0
!
interface Ethernet0/3
nameif Storage
security-level 100
ip address 192.168.254.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dom.t-logic.hu
same-security-traffic permit inter-interface
object-group service TLOGIC_CVS tcp
port-object eq 2222
object-group service HTTP-HTTPS tcp
port-object eq www
port-object eq https
object-group service internal-http-https tcp
group-object HTTP-HTTPS
port-object eq 444
port-object eq 445
port-object eq 446
port-object eq 83
port-object eq 84
port-object eq 85
object-group network DM_INLINE_NETWORK_1
network-object host network-object host network-object host network-object host Outside-Interface
object-group network DM_INLINE_NETWORK_4
network-object 10.0.0.0 255.255.255.0
network-object 10.0.4.0 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object 10.0.0.0 255.255.255.0
network-object 10.0.4.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 10.0.0.0 255.255.255.0
network-object 10.0.4.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 10.0.0.0 255.255.255.0
network-object 10.0.4.0 255.255.255.0
object-group service DM_INLINE_TCP_3 tcp
group-object TLOGIC_CVS
access-list Inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any object-group internal-http-https
access-list Inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_3
access-list Inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq ssh
access-list Inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq domain
access-list Outside_access_out extended permit tcp any any object-group internal-http-https
access-list Outside_access_out extended permit tcp any any object-group TLOGIC_CVS
access-list Outside_access_out extended permit tcp host Outside-Interface any eq ssh
access-list Outside_access_out extended permit udp host Outside-Interface any eq domain
access-list Outside_access_out extended permit ip object-group DM_INLINE_NETWORK_4 10.0.0.0 255.255.255.0
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group internal-http-https
access-list Outside_access_in extended permit tcp any host Outside-Interface eq smtp
access-list Outside_access_in extended permit tcp any host Outside-Interface object-group TLOGIC_CVS
access-list Inside_access_out extended permit tcp any any object-group internal-http-https
access-list Inside_access_out extended permit tcp any host brightmail eq smtp
access-list Inside_access_out extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Production_access_in extended permit tcp 10.0.4.0 255.255.255.0 any object-group HTTP-HTTPS
access-list Production_access_in extended permit tcp 10.0.4.0 255.255.255.0 host brightmail eq smtp
access-list Production_access_in extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Production_access_out extended permit tcp any host linuxportal object-group internal-http-https
access-list Production_access_out extended permit tcp any host cvs eq ssh
access-list Production_access_out extended permit tcp 10.0.0.0 255.255.255.0 any eq smtp
access-list Production_nat0_outbound extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Production_nat0_outbound extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.128
access-list Production_nat0_outbound extended permit ip 10.0.4.0 255.255.255.0 VPN_Users_Pool 255.255.255.224
access-list Production_nat0_outbound extended permit ip 10.0.4.0 255.255.255.0 VPN_Admins_Pool 255.255.255.248
pager lines 24
logging enable
logging asdm debugging
mtu Outside 1500
mtu Inside 1500
mtu Production 1500
mtu Storage 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (Production) 103 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 10.0.0.0 255.255.255.0
nat (Production) 0 access-list Production_nat0_outbound
nat (Production) 101 10.0.4.0 255.255.255.0
nat (Storage) 0 access-list Storage_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
static (Production,Outside) tcp interface 255.255.255.255
static (Production,Outside) tcp interface https linuxportal https netmask 255.255.255.255
static (Production,Outside) tcp 83 netmask 255.255.255.255
static (Production,Outside) tcp https linuxportal 444 netmask 255.255.255.255
static (Production,Outside) tcp 84 netmask 255.255.255.255
static (Production,Outside) tcp https linuxportal 445 netmask 255.255.255.255
static (Production,Outside) tcp 85 netmask 255.255.255.255
static (Production,Outside) tcp https linuxportal 446 netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp brightmail smtp netmask 255.255.255.255
static (Inside,Inside) tcp interface 69 bswks2 69 netmask 255.255.255.255
static (Production,Inside) tcp 83 netmask 255.255.255.255
static (Production,Inside) tcp https linuxportal 444 netmask 255.255.255.255
static (Production,Inside) tcp Outside-Interface 2222 cvs ssh netmask 255.255.255.255
static (Production,Outside) tcp interface 2222 cvs ssh netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
access-group Production_access_in in interface Production
access-group Production_access_out out interface Production
access-group Storage_access_in in interface Storage
access-group Storage_access_out out interface Storage
route Outside 0.0.0.0 0.0.0.0 195.228.55.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 195.228.55.233 255.255.255.255 Outside
http 195.228.55.224 255.255.255.224 Outside
http 85.159.50.18 255.255.255.255 Outside
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map Outside_dyn_map 40 set pfs group1
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto isakmp enable Outside
telnet timeout 5
ssh 195.228.55.233 255.255.255.255 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:125b373ce8b620f0103c97d9219bd1ae
: end
 
try this:
alias (Inside) 10.0.4.125 255.255.255.255
alias (Inside) 10.0.4.125 255.255.255.255
alias (Inside) 10.0.4.125 255.255.255.255
alias (Inside) Outside-Interface 10.0.4.125 255.255.255.255

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi unclerico,
thanks for the idea, but still not working. I could do something similar on the DNS server, but in this way I always get a certificate warning (on https).

I think the main problem (if I understand correctly) is that the NAT is built to the outside interface. When I disable the ACL which permits port 80, I get this in the log:

305011 bswks2 Outside-Interface Built dynamic TCP translation from Inside:bswks2/3786 to Outside:Outside-Interface/11200
302013 Built outbound TCP connection 51794 for Outside: ( to Inside:bswks2/3786 (Outside-Interface/11200)

It seems to me that the translation is done, but for the wrong interface. I tried to do as described in the guide, but no luck.

Thanks
 
where is the Inside_nat0_outbound ACL defined?? I don't see it in your config.

 
here it is

access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.128

thanks
 
It doesn't look right. If you have the alias command implemented along with NAT exemption, you should not see a translation occurring. The config that you posted, is it the full config? Because the NAT exemption is not listed in there. I'm assuming that you can access the website via internal IP address directly??

 
Hi unclerico

the alias command that you sent is not recognized by the ASA, maybe because of the version.
The website can be accessed via internal IP.

This line is the NAT exemption:
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0

Without this (and with a network-to-interface NAT) I cannot see the real (internal) IP that accessed the machines in the DMZ.

I played around with this NAT rule (and deleted the exemption):
static (Inside,Production) 10.0.0.215 10.0.0.215 netmask 255.255.255.255 tcp 0 0 udp 0
but still not working

I don't know what I am missing.

Thanks
 
Hi unclerico,

I found the problem, it was an exemption in my DMZ:
access-list Production_nat0_outbound extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0

After deleting it, it is working now.

Thanks
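The resolution above matches the documented ASA 7.x NAT evaluation order: a `nat 0 access-list` exemption is checked before any `static`, so the Production-side exemption for 10.0.4.0/24 to 10.0.0.0/24 claimed the DMZ server's traffic toward inside hosts and the `static (Production,Inside)` mapping never got a chance. The following is an added illustration, not code from the thread or from Cisco: a small Python model of that precedence. The mapped address of the `static (Production,Inside)` rule is elided in the posted config, so `PUBLIC_ADDR` below is a placeholder for one of the poster's outside addresses, and the egress interface is assumed from the routing (10.0.0.0/24 is Inside).

```python
"""Simplified model of ASA 7.x NAT rule precedence (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    kind: str                   # "nat0" (exemption), "static", or "dynamic"
    ingress: str                # interface the packet arrives on
    egress: str                 # interface the packet leaves on
    src: str                    # real source network (CIDR)
    dst: str = "0.0.0.0/0"      # destination network (nat 0 ACL entries)
    mapped: Optional[str] = None  # mapped source address for static/dynamic


# Documented ASA 7.x order: nat 0 access-list first, then static, then regular
# nat/global. Within one kind the first matching rule wins.
PRECEDENCE = {"nat0": 0, "static": 1, "dynamic": 2}


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def translate(rules: List[Rule], ingress: str, egress: str,
              src: str, dst: str) -> Tuple[str, str]:
    """Return (rule kind that matched, translated source) for one packet."""
    hits = [r for r in rules
            if r.ingress == ingress and r.egress == egress
            and _in(src, r.src) and _in(dst, r.dst)]
    # stable sort: precedence first, then original order (first match wins)
    hits.sort(key=lambda r: PRECEDENCE[r.kind])
    if not hits:
        return ("none", src)
    best = hits[0]
    # an exemption leaves the source untouched; others rewrite it
    return (best.kind, src if best.kind == "nat0" else best.mapped)


PUBLIC_ADDR = "195.228.55.236"  # placeholder: mapped address elided in the post
PROD_STATIC = Rule("static", "Production", "Inside", "10.0.4.125/32", mapped=PUBLIC_ADDR)
PROD_EXEMPT = Rule("nat0", "Production", "Inside", "10.0.4.0/24", "10.0.0.0/24")


def before_fix() -> Tuple[str, str]:
    """DMZ server replying to the inside client while the exemption exists."""
    return translate([PROD_EXEMPT, PROD_STATIC], "Production", "Inside",
                     "10.0.4.125", "10.0.0.215")


def after_fix() -> Tuple[str, str]:
    """Same packet once the Production_nat0_outbound exemption is removed."""
    return translate([PROD_STATIC], "Production", "Inside",
                     "10.0.4.125", "10.0.0.215")
```

With the exemption present the server's source stays 10.0.4.125, which is not the address the inside client connected to; without it the static wins and the source is rewritten to the public address.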
 