
Help with DMZ can't ping from internal NOR access from internet


cal060307

Technical User
Jun 20, 2007
42
AU
Hi Brent and all

At the moment I am trying to get the DMZ up and running. After adding some static commands for NAT, I am not able to ping from the internal network nor access the web server from the outside world (internet).
Any help/reply would be greatly appreciated.
Summary our network:
IP range for internal: 192.168.0.0/24
IP range for DMZ: 10.30.30.0/24
IP for INSIDE interface : 192.168.0.154
IP for OUTSIDE interface : PPPoE
IP for DMZ interface: 10.30.30.1
IP for WEB server : 10.30.30.30
Only one public ip address which I put as "public IP" below

And three STATIC for DMZ:

static (dmz,outside) tcp "public IP" 255.255.255.255
static (dmz,inside) 10.30.30.30 "public IP" netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0


Here is my "show run" minus all credential info.

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name cisco.com
enable password ZpQMNxr.M7BvPJ8p encrypted
names
name 192.168.0.3 DBS01 description SQL Server
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.154 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoe
ip address pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.30.30.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 2KFQnbNIdI encrypted
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name cisco.com
access-list inside_nat0_outbound extended permit ip host 172.17.A.B 146.178.C.D 255.255.255.0
access-list outside_cryptomap_20 extended permit ip host 172.17.A.B 146.178.C.D 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any 192.168.0.192 255.255.255.224
access-list SQL_splitTunnelAcl remark Inside Network IP
access-list SQL_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list VBS_splitTunnelAcl remark Inside Network
access-list VBS_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in remark Providng Public HTTP access to the DMZ web report
access-list outside_access_in extended permit tcp any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1492
mtu outside 1492
mtu dmz 1500
ip local pool pool4 192.168.0.201-192.168.0.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 6 172.17.A.B
global (dmz) 200 10.30.30.20-10.30.30.60 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 6 192.168.0.136 255.255.255.252
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp "public IP" 255.255.255.255
static (dmz,inside) 10.30.30.30 "public IP" netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 "Public IP" 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
group-policy VBS internal
group-policy VBS attributes
dns-server value 192.168.0.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SQL_splitTunnelAcl
default-domain value mydomain.com
group-policy SQL internal
group-policy SQL attributes
dns-server value 192.168.0.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SQL_splitTunnelAcl
default-domain value mydomain.com
username p password m1HK1nIETQR encrypted privilege 0
username p attributes
vpn-group-policy VBS
username dl password xccSJuVpu0. encrypted privilege 0
username d attributes
vpn-group-policy VBS
username y password rhRsfgJD/R. encrypted privilege 0
username y attributes
vpn-group-policy VBS
username h password swvwd7QdcaG encrypted privilege 0
username h attributes
vpn-group-policy SQL
username d password hvkjKk5blF encrypted privilege 15
username d attributes
vpn-group-policy VBS
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 202.44.Y.Z
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 40
tunnel-group 202.44.Y.Z type ipsec-l2l
tunnel-group 202.44.Y.Z ipsec-attributes
pre-shared-key *
tunnel-group SQL type ipsec-ra
tunnel-group SQL general-attributes
address-pool pool4
default-group-policy SQL
tunnel-group SQL ipsec-attributes
pre-shared-key *
tunnel-group VBS type ipsec-ra
tunnel-group VBS general-attributes
address-pool pool4
default-group-policy VBS
tunnel-group VBS ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname username@isp.com
vpdn group pppoe ppp authentication chap
vpdn username username@isp.com password *******

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ba3b9e311f945422e07a048609e6e877
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

Once again thank you for your help
 
Remove this

static (dmz,inside) 10.30.30.30 "public IP" netmask 255.255.255.255

Add this

access-list dmz-in permit icmp any any echo-reply

access-list dmz-in in interface dmz
 
Hi

Thanks for your help and I did that, but it does not work either way, internal -> DMZ host nor Internet -> DMZ host.
I changed the second line command access-list to access-group, I know what you meant.

Please help me. Thanks a lot
 
What version of the 5505 do you have? The base versions only allow the DMZ to communicate to the outside.
 
Hi

It is a base version. I think with a base version we can do internal > DMZ and DMZ > Internet NOT concurrently. Please correct me if I am wrong.

Thanks for your help.

Cheers
 
Yes, with the base model the dmz can initiate traffic to the outside, but can not initiate traffic to the inside. However, it will reply to traffic initiated from the inside.
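Added example, not code from the thread or from Cisco: a small Python audit that parses the interface blocks of an ASA 5505 show run and reports which interface pairs may initiate connections, applying the default security-level rule plus the "no forward interface Vlan1" line that the base licence places on the third VLAN (exactly the line on Vlan3 in the config pasted above). SAMPLE_CONFIG is a constructed excerpt modelled on that config; ACLs that open lower-to-higher traffic are deliberately ignored.

```python
import re

# Constructed sample modelled on the thread's show run (not the original paste).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
!
"""

def parse_interfaces(config):
    """Map each VLAN to its nameif, security-level and no-forward set."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Vlan\d+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1),
                                    {"nameif": None, "level": None, "noforward": set()})
        elif line == "!" or cur is None:
            cur = None                      # block ended / not inside a block
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("no forward interface "):
            cur["noforward"].add(line.split()[-1])
    return ifaces

def can_initiate(ifaces, src_vlan, dst_vlan):
    """True if hosts on src_vlan may open new connections toward dst_vlan."""
    src, dst = ifaces[src_vlan], ifaces[dst_vlan]
    if dst_vlan in src["noforward"]:
        return False                        # base-licence restricted VLAN
    return src["level"] > dst["level"]      # default security-level rule

def reachability(config):
    """{(src_nameif, dst_nameif): bool} for every ordered interface pair."""
    ifaces = parse_interfaces(config)
    return {(ifaces[s]["nameif"], ifaces[d]["nameif"]): can_initiate(ifaces, s, d)
            for s in ifaces for d in ifaces if s != d}
```

Run against the real show run, the dmz->inside pair comes out False while inside->dmz is True, which matches the reply above: inside can initiate to the DMZ and get replies, but the DMZ host cannot start connections inward.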
 

Hi

Thanks for your confirmation. I will email Cisco to see if it is worth updating our license.
Once again much appreciated
 