Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

internal access to DMZ outside IP's

Status
Not open for further replies.
Daniel2040

Daniel2040

IS-IT--Management
Mar 28, 2008
24
0
0
GB
Hi,

I have a 515e and 2x web servers on DMZ on 30.30.30.1 & .2
I have a LAN with NAT on 192.168.0.xxx

I have mapped 2x external WAN address's 213.xxx.xxx.35 & 36 to the 2x Web servers.

When i go to 213.xxx.xxx.35 or 36 from the LAN i cannot see the web servers. Can anyone advise.

Kind regards,

Daniel.
 
Sort by date Sort by votes
What does you r access list read?

Post the config, should be easy to sort.
 
Upvote 0 Downvote
PIX Version 8.0(3)
!
interface Ethernet0
nameif outside
security-level 0
ip address 213.xxx.xxx.25 255.255.255.248
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.200 255.255.255.0
ospf cost 10
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 30.30.30.100 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any host 213.xxx.xxx.26 eq www
access-list outside_access_in extended permit tcp any host 213.xxx.xxx.27 eq www
access-list inside_access_in extended permit tcp any host 213.xxx.xxx.26 eq www
access-list inside_access_in extended permit tcp any host 213.xxx.xxx.27 eq www
access-list inside_access_in extended permit object-group TCPUDP any any eq www
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.128
access-list inside_access_out extended permit tcp any any eq smtp
access-list inside_access_out extended permit tcp any any eq pop3
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
asdm image flash:/asdm-603.bin
arp timeout 14400
global (outside) 101 213.xxx.xxx.28-213.xxx.xxx.29 netmask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (DMZ,outside) 213.xxx.xxx.26 30.30.30.201 netmask 255.255.255.255
static (DMZ,outside) 213.xxx.xxx.27 30.30.30.202 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 213.xxx.xxx.30 1
 
Upvote 0 Downvote
Try this:-

object-group network all-subnets
network-object 0.0.0.0 0.0.0.0

object-group network dmz-www
network-object host 30.30.30.1
network-object host 30.30.30.2

object-group service service-object eq www


access-list dmz permit tcp object-group all-subnets object-group dmz- www


access-group dmz in interface dmz

Let me know if it works, should do.

I always use object groups, makes it much easier.

When you put the rule in you can see exactly what it is doing.

do a sh access-list dmz and you will see what I mean.
 
Upvote 0 Downvote
thanks for your help

when i use the command network-object i get :

Result of the command: "network-object 0.0.0.0 0.0.0.0"

network-object 0.0.0.0 0.0.0.0
^
ERROR: % Invalid input detected at '^' marker.
 
Upvote 0 Downvote
Does it take the object-network all-subnets?
 
Upvote 0 Downvote
This command needs to be under the

object-group network all-subnets
network-object 0.0.0.0 0.0.0.0

Copy and paste the above.
 
Upvote 0 Downvote
Thanks, it works fine up until:

Result of the command: "object-group service
The command has been sent to the device


Result of the command: "service-object eq www"

service-object eq www
^
ERROR: % Invalid input detected at '^' marker.
 
Upvote 0 Downvote
By the way, I do not use the ASDM so may make it a bit harder for you if you are.
 
Upvote 0 Downvote
thank you for all your help.
It has accepted all the commands but from a LAN client on the network 'Inside' i still cannot see the DMZ :(



Kind regards,

Daniel.
 
Upvote 0 Downvote
Ah I think I see what you want to do.

Your inside address is on 192.168.xxx.xxx address, all you inside statements are pointing to the outside.

Do you want inside users to only be able to access the DMZ?

Are you bothered if they are natted?

If you are not worried about that the you can do a no-nat from the inside to the DMZ.

Would that help?
 
Upvote 0 Downvote
i only need the 'inside' interface to access the 2 web servers on the 'DMZ' interface.

Would the no-nat be more secure for the inside interface?
 
Upvote 0 Downvote
You have this:-


access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.128

What is the last bit doing by the way, 192.168.0.0 255.255.255.128? is this your VPN clients?
 
Upvote 0 Downvote
You have this:-


access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.128

try changing it to this, do not remove it yet because you can put it back any time.



object-group network dmz-www
network-object host 30.30.30.1
network-object host 30.30.30.2

object-group service port-object eq www


object-group network no-nat
network-object 192.168.0.0 255.255.255.0


object-group network local-lan
network-object 192.168.0.0 255.255.255.0

object-group network vpn-client
network-object 192.168.0.0 255.255.255.128


access-list dmz permit tcp object-group local-lan object-group dmz- www
access-group dmz in interface dmz

access-list nonat permit ip object-group local-lan object-group dmz-www
access-list nonat permit ip object-group local-lan object-group vpn-client
no nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list nonat





If the above does not work, which it should, just copy and paste what is below:-

no nat (inside) 0 access-list nonat
nat (inside) 0 access-list inside_nat0_outbound
 
Upvote 0 Downvote
sorry to be a pain.
I have tried both of the above and still nothing :(
 
Upvote 0 Downvote
got to be carefull of the access-list order.

Would be easier if we convert all the access-list to use object-groups.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
140
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
139
Johnkite
Johnkite
Garbear
  • Locked
  • Question
TZ190 VPN Connection works but can't ping some IP's on either side
Replies
0
Views
40
Garbear
Garbear
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
169
Shmid
Shmid
sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
54
kythri
kythri

Part and Inventory Search

Sponsor

Back
Top