
dmz static to outside - inside clients cant access outside 1


F1lby (MIS), Oct 1, 2001, GB
Hi,

I've got my ASA set up with STATICs that allow hosts on the DMZ to be translated to addresses on the outside, so DMZ hosts are now accessible from the internet - ACL set allowing access from ANY - works fine. No problem here.

So now what I have is a web server for example on the outside that is accessable to the world.

Inside hosts on the LAN, however, can't access anything on the OUTSIDE interface even though the outside is configured for ANY.

Just to clarify, what is happening is that a host on the INSIDE is trying to access a DMZ host that has a translation on to the OUTSIDE interface - the INSIDE host is attempting to access via an OUTSIDE address on the OUTSIDE interface - which doesn't work - can't even PING the OUTSIDE host address.

However, from another device on the internet (i.e. the source is from the OUTSIDE/INTERNET), access to the hosts is all fine and works well - the only clients who can't access our outside hosts are us!!

Clients on the inside can access anything they like on the internet - I've allowed access for all with no ACLs blocking anything traffic leaving the INSIDE.

Hellllppppp!!!

Thanks in advance

Phil B
 
alias (inside) xxx.xxx.xxx.xxx iii.iii.iii.iii 255.255.255.255



xxx.xxx.xxx.xxx = outside address

iii.iii.iii.iii = DMZ real address


This will DNAT for your internal users, allowing them to access the DMZ server by its external address.

Without it the Pix will have issues routing the traffic back in the interface it left.
 
Thanks but still no luck.
No clients on the inside are able to talk to hosts that physically exist on the dmz, but have STATICS mapping them to the OUTSIDE.
But can talk to the hosts from a different public ip address.

I'm really pulling my hair out here!!!!!!
 
p.s. as far as I can see, the alias command is for DNS mapping. My requirement is not to have DNS names altered.

So for example, a web server of IP address 10.1.0.50 on the DMZ would be mapped to 62.3.243.50 on the OUTSIDE

Then a client on the INSIDE should be able to successfully......

But alas, this doesn't work. There has to be a way of getting this to work as my cheap £100 plastic Vigor 2600 router does this fine!! I've got a nice expensive ASA 5520.
And I can't find any documentation from Cisco to help here either.....

Cheers

Phil B
 
The alias command is for dns doctoring and also dnatting. Depending on how you implement it.

Post your config. Also after putting the alias command in do a

clear xlate

Still post your config. I have done this scenario many times.
 
Hi NetworkGhost, I appreciate your assistance!!
Here's the running config below ... - this config is as simple as I can make it.
INSIDE is 10.0.0.0/16
OUTSIDE is 62.3.243.0/24
DMZ is 10.1.0.0/24

Web server lives at 10.1.0.50 mapped to 62.3.243.50
I've run the alias command as suggested but no luck.
62.3.243.50 is accessible fine from any host outside, but from nowhere on INSIDE 10.0.0.0/16 - Inside can connect to the web fine (I'm on a machine on INSIDE right now).

Cheers

Phil B
____________________________________

: Saved
:
ASA Version 7.0(4)
!
hostname ywfirewall
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 62.3.243.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.2 255.255.0.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd xxxxxxxxxxxxxxxx encrypted
boot system disk0:/asa704-k8.bin
ftp mode passive
access-list 101 extended permit tcp any host 62.3.243.50 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 62.3.243.3 netmask 255.255.255.255
nat (inside) 1 10.0.0.0 255.255.0.0
alias (inside) 62.3.243.50 10.1.0.50 255.255.255.255
static (dmz,outside) 62.3.243.50 10.1.0.50 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 62.3.243.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:aa1e9443f9507bd16faddd3456eaf0cb
: end
 
Try this:

static (inside,dmz) 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0

clear xlate


Then try connecting.
 
Well finally got it working.

I owe you big time for your help.

Here's the solution to my problem.

static (dmz,outside) 62.3.243.50 10.1.0.50 netmask 255.255.255.255
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

The first STATIC sticks the web server on the OUTSIDE

The second STATIC maps the inside to the DMZ so I can access the DMZ from the inside - this also clears up the issue of not being able to access the web server on the OUTSIDE.

If I'd have set up access to the DMZ from the INSIDE this problem wouldn't have arisen in the first place - I'm learning quickly - 2 weeks ago I'd never touched a PIX/ASA!!

Still many miles to go but going in the right direction!

Cheers

Phil B
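The pieces discussed in this thread (NetworkGhost's alias for DNAT, the identity static for inside-to-dmz, and Phil's final two statics) assembled into one annotated ASA 7.x NAT section. This is an added example, not configuration posted by anyone in the thread; it assumes the thread's addressing (inside 10.0.0.0/16, dmz 10.1.0.0/24, outside 62.3.243.0/24, web server 10.1.0.50 published as 62.3.243.50) and the comments explain why each line is there.

```cisco
! Added example (not from the thread). Assumed addressing taken from Phil's config:
! inside 10.0.0.0/16, dmz 10.1.0.0/24, outside 62.3.243.0/24, web server 10.1.0.50.

! 1. Dynamic PAT for inside hosts going to the internet (as in the posted config).
global (outside) 1 62.3.243.3 netmask 255.255.255.255
nat (inside) 1 10.0.0.0 255.255.0.0

! 2. Publish the DMZ web server on the outside and open only TCP/80 to it.
static (dmz,outside) 62.3.243.50 10.1.0.50 netmask 255.255.255.255
access-list 101 extended permit tcp any host 62.3.243.50 eq www
access-group 101 in interface outside

! 3. Identity NAT for inside -> dmz. 10.0.0.0/16 matches "nat (inside) 1", but there
!    is no "global (dmz) 1", so inside-to-dmz packets have no translation to use and
!    are dropped (syslog %ASA-3-305005 "No translation group found"). This static
!    carries inside addresses into the dmz unchanged. Inside (100) is higher
!    security than dmz (50), so no ACL is needed for inside-initiated traffic.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

! 4. Optional: let inside clients use the published address 62.3.243.50. The alias
!    rewrites that destination to 10.1.0.50 for traffic entering on inside (and
!    rewrites DNS A-record replies that pass through "inspect dns").
alias (inside) 62.3.243.50 10.1.0.50 255.255.255.255

! Existing connections keep their old xlates; clear them, then check what was built.
clear xlate
show xlate
show nat
```

Two things to check after applying it: `show xlate` should show a static entry for 10.0.0.0/16 between inside and dmz, and a client on inside should now connect to both 10.1.0.50 and 62.3.243.50. The caveat is that the identity static makes every inside address visible to the DMZ; the default security levels stop the DMZ from initiating connections to inside, but if an `access-group ... in interface dmz` is added later it should not permit dmz to 10.0.0.0/16 broadly, or a compromised DMZ web server gets a path into the LAN.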
 
Glad I could help. Keep posting on this forum if you have any other issues. Lots of good Pix people here.
 
Please help! I have the same problem but my web and FTP servers are behind both Cisco router and PIX firewall. Basically my server configuration is:

PIX Firewall:
INSIDE 192.168.5.xxx
OUTSIDE 10.10.10.xxx
DMZ 192.168.3.xxx

Router:
INSIDE 10.10.10.xxx
OUTSIDE 66.208.150.xxx

My webserver is NAT'ed twice: 192.168.3.3 --> 10.10.10.4 --> 66.208.150.yyy

My FTP server is NAT'ed twice: 192.168.3.4 --> 10.10.10.5 --> 66.208.150.zzz

My web and FTP servers are accessible from anywhere except the machines in INSIDE with IPs 192.168.5.xxx.

Thanks
 