
internal access to DMZ outside IP's


Daniel2040

Mar 28, 2008
Hi,

I have a 515e and 2x web servers on the DMZ on 30.30.30.1 & .2.
I have a LAN with NAT on 192.168.0.xxx.

I have mapped 2x external WAN addresses, 213.xxx.xxx.35 & 36, to the 2x web servers.

When I go to 213.xxx.xxx.35 or 36 from the LAN I cannot see the web servers. Can anyone advise?

Kind regards,

Daniel.
 
Try this before you do anything:

nat (dmz) 1 0.0.0.0 0.0.0.0
 
Er, I just think I may have seen what the problem is: you do not have a route to the DMZ.

route dmz 30.30.30.0 255.255.255.0 30.30.30.100

 
Still no joy; the config reads as follows:


:
PIX Version 8.0(3)
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.25 255.255.255.248
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.200 255.255.255.0
ospf cost 10
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 30.30.30.100 255.255.255.0
!
dns server-group DefaultDNS

object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network all-subnets
network-object 0.0.0.0 0.0.0.0
object-group network dmz-www
network-object host 30.30.30.201
network-object host 30.30.30.202
network-object host xxx.xxx.xxx.26
network-object host xxx.xxx.xxx.27
object-group service port-object eq www
object-group network no-nat
network-object 192.168.0.0 255.255.255.0
object-group network local-lan
network-object 192.168.0.0 255.255.255.0
object-group network vpn-client
network-object 192.168.0.0 255.255.255.128
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.27 eq www
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.26 eq www
access-list inside_access_in extended permit object-group TCPUDP any any eq www
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp object-group local-lan object-group dmz-www

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip any object-group dmz-www

access-list inside_access_out extended permit tcp any any eq smtp
access-list inside_access_out extended permit tcp any any eq pop3
access-list dmz extended permit tcp object-group all-subnets object-group dmz-www
access-list dmz extended permit tcp object-group local-lan object-group dmz-www
access-list nonat extended permit ip object-group local-lan object-group dmz-www
access-list nonat extended permit ip object-group local-lan object-group vpn-client
access-list inside_nat0_outbound_1 extended permit ip any object-group dmz-www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPNPool1 192.168.0.61-192.168.0.66 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 xxx.xxx.xxx.28-xxx.xxx.xxx.29 netmask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) xxx.xxx.xxx.26 30.30.30.201 netmask 255.255.255.255
static (DMZ,outside) xxx.xxx.xxx.27 30.30.30.202 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.30 1
http server enable
http 192.168.0.0 255.255.255.0 inside
 
Result of the command: "route dmz 30.30.30.0 255.255.255.0 30.30.30.100"

ERROR: Cannot add route, connected route exists


When I was editing the config for here I cut that line out, I think.

 
no nat (inside) 0 access-list inside_nat0_outbound
no nat (inside) 0 access-list inside_nat0_outbound_1 outside

nat (inside) 0 access-list nonat
 
We need to re-write; if you look at the access-list statements above, they are almost the same as the ones I am writing.

I will look at this in the morning, re-write and get it back to you.

We will definitely get this working by tomorrow :)
 
Once again thank you for all your help on this.
The config now reads as follows but still no access:

: Saved
:
PIX Version 8.0(3)
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.25 255.255.255.248
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.200 255.255.255.0
ospf cost 10
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 30.30.30.100 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS

object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network all-subnets
network-object 0.0.0.0 0.0.0.0
object-group network dmz-www
network-object host 30.30.30.201
network-object host 30.30.30.202
network-object host xxx.xxx.xxx.26
network-object host xxx.xxx.xxx.27
object-group service port-object eq www
object-group network no-nat
network-object 192.168.0.0 255.255.255.0
object-group network local-lan
network-object 192.168.0.0 255.255.255.0
object-group network vpn-client
network-object 192.168.0.0 255.255.255.128
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.27 eq www
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.26 eq www
access-list inside_access_in extended permit object-group TCPUDP any any eq www
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp object-group local-lan object-group dmz-www

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip any object-group dmz-www

access-list inside_access_out extended permit tcp any any eq smtp
access-list inside_access_out extended permit tcp any any eq pop3
access-list dmz extended permit tcp object-group all-subnets object-group dmz-www
access-list dmz extended permit tcp object-group local-lan object-group dmz-www
access-list nonat extended permit ip object-group local-lan object-group dmz-www
access-list nonat extended permit ip object-group local-lan object-group vpn-client
access-list inside_nat0_outbound_1 extended permit ip any object-group dmz-www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPNPool1 192.168.0.61-192.168.0.66 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 xxx.xxx.xxx.28-xxx.xxx.xxx.29 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) xxx.xxx.xxx.26 30.30.30.201 netmask 255.255.255.255
static (DMZ,outside) xxx.xxx.xxx.27 30.30.30.202 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.30 1
 
A quick question, are you using a proxy server internally?
 
I have completely re-written the access lists, all of them.

Back up your config and remove ALL access lists and start with the following.

If you do have an internal ISA server, make sure that any traffic going through it to the DMZ is not NATed, otherwise it will not work; I have seen this before.

object-group icmp-type ping
icmp-object echo-reply
icmp-object time-exceeded
icmp-object source-quench
icmp-object unreachable

object-group service smtp tcp
port-object eq smtp

object-group service pop3 tcp
port-object eq pop3

object-group service www tcp
port-object eq www


object-group network smtp-server-outside
description smtp outside static to internal
network-object host 62.49.103.146

object-group network smtp-server-inside
description smtp from inside server to outside
network-object host 192.168.xxx.xxx


object-group network outside-interface
network-object host xxx.xxx.xxx.25

object-group network all-subnets
network-object 0.0.0.0 0.0.0.0


object-group service domain tcp-udp
port-object eq domain

object-group network dmz-www
description from inside
network-object host 30.30.30.201
network-object host 30.30.30.202


object-group network description to outside statics
network-object host xxx.xxx.xxx.26
network-object host xxx.xxx.xxx.27


object-group network local-lan
network-object 192.168.0.0 255.255.255.0

object-group network vpn-client
network-object 192.168.0.0 255.255.255.128

object-group network no-nat
description all target networks we do not nat to
group-object vpn-client
group-object dmz-www


access-list inside permit tcp object-group local-lan object-group all-subnets object-group domain
access-list inside permit udp object-group local-lan object-group all-subnets object-group domain
access-list inside remark the above allows domain lookup from anything inside to anything outside
access-list inside permit tcp object-group local-lan object-group all-subnets object-group www
access-list inside permit tcp object-group local-lan object-group dmz-www
access-list inside permit tcp object-group smtp-server-inside object-group all-subnets object-group smtp
access-list inside remark the above permits outgoing smtp to all addresses externally
access-list inside permit tcp object-group local-lan object-group all-subnets object-group pop3
access-list inside remark the above permits outgoing pop3 to all addresses externally


access-list outside permit icmp object-group all-subnets object-group outside-interface object-group ping
access-list outside permit tcp object-group all-subnets object-group object-group www
access-list outside remark allows all outside to the dmz servers
access-list outside remark the above permits packets from everything outside to IPs
access-list outside permit tcp object-group all-subnets object-group smtp-server-outside object-group smtp
access-list outside remark the above permits incoming smtp to the outside static to mail server



access-list dmz extended permit tcp object-group dmz-www object-group all-subnets
access-list dmz remark allow anything from the dmz servers to anything outside



access-list split-list permit ip object-group local-lan object-group vpn-client

access-list nonat permit ip object-group local-lan object-group no-nat
access-list nonat remark do not nat any traffic from the local lan to anything in the no-nat object-group




nat (inside) 0 access-list nonat


access-group inside in interface inside
access-group outside in interface outside
access-group dmz in interface dmz


Let me know how it goes, I am away tonight, back on line late tomorrow.
 
Use the packet tracer option in the ASDM or the Command line and that should give you a hint to where the problem is.
 
Thanks,

When I use the packet tracer it all comes back OK.


Daniel.
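The symptom in this thread (outside clients reach the DMZ servers by their public addresses, inside clients cannot) is what you get when the only static is between DMZ and outside: a packet entering the inside interface for xxx.xxx.xxx.26 matches no translation bound to inside, so the PIX simply routes it out the default route and it never reaches the DMZ. Below is an added example, not code from the thread, that parses the static lines of a constructed config modelled on the one posted and reports which public addresses lack a matching static toward the inside interface; the static (DMZ,inside) form it suggests is PIX 7.x/8.0 syntax, and the 203.0.113.x addresses stand in for the masked xxx octets.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's config (not the poster's actual file);
# the masked xxx octets are replaced with the documentation prefix 203.0.113.0/29.
PIX_CONFIG = """
static (DMZ,outside) 203.0.113.26 30.30.30.201 netmask 255.255.255.255
static (DMZ,outside) 203.0.113.27 30.30.30.202 netmask 255.255.255.255
"""

# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")

def parse_statics(config):
    """Return [(real_if, mapped_if, mapped_net, real_net)] for every static line."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
            statics.append((real_if, mapped_if,
                            ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False),
                            ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)))
    return statics

def translation_for(statics, ingress_if, dest_ip):
    """Real (interface, host) a packet entering ingress_if for dest_ip is delivered
    to, or None when no static is bound to that interface (then the PIX just routes
    the packet toward the public address instead of into the DMZ)."""
    dest = ipaddress.ip_address(dest_ip)
    for real_if, mapped_if, mapped_net, real_net in statics:
        if mapped_if.lower() == ingress_if.lower() and dest in mapped_net:
            offset = int(dest) - int(mapped_net.network_address)
            return real_if, str(real_net.network_address + offset)
    return None

def hairpin_gaps(statics, client_if="inside"):
    """Public addresses with a static toward 'outside' but none toward client_if
    (the thread's symptom), each with the static line that would close the gap."""
    gaps = []
    for real_if, mapped_if, mapped_net, real_net in statics:
        public = str(mapped_net.network_address)
        if mapped_if.lower() == "outside" and translation_for(statics, client_if, public) is None:
            gaps.append(f"static ({real_if},{client_if}) {public} "
                        f"{real_net.network_address} netmask {mapped_net.netmask}")
    return gaps
```

Running hairpin_gaps over the parsed config lists the two missing static (DMZ,inside) lines; feeding them back in clears the report, which is the check to run before adding access-list rules for the same traffic.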
 