August 29, 2008 09:22pm pdt

DMZ access to inside

I am swapping my PIX 515 for a new ASA 5510 and am having a DMZ issue. The DMZ on my PIX was not a real DMZ, as it had more holes punched in it than Swiss cheese. I want the new ASA to be a real DMZ, so I locked it down when I did the config, only allowing websites that need to communicate back to the LAN through on the necessary ports. The problem is that none of those websites were passing traffic back to the inside to collect info.

Inside network - 192.168.200.0/21
DMZ network - 192.168.2.0/24

Currently I can ping from the inside network and get a response from the webserver in the DMZ, but I can't ping from the DMZ webserver and get a response from the LAN server. I think it may have something to do with NAT, but I'm not sure. I'm not sure what I need to do here and would appreciate some help.
ASA Version 8.0(3)
!
terminal width 131
hostname DAYASA
domain-name npsdomain.local
enable password 9zmSKcQfBpIIJG2D encrypted
names
dns-guard
!
interface Ethernet0/0
 description External to border router
 nameif Outside
 security-level 0
 ip address 65.1.1.1 255.255.255.128
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.200.211 255.255.248.0
!
interface Ethernet0/2
 nameif xxx
 security-level 50
 no ip address 
!
interface Ethernet0/3
 nameif DMZ2
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 9zmSKcQfBpIIJG2D encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name npsdomain.local
access-list DAYVPN_splitTunnelAcl standard permit any
access-list Inside_nat0_outbound extended permit ip any 192.168.205.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.200.0 255.255.248.0 192.168.205.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.205.0 255.255.255.0
access-list outside extended permit tcp any host 65.118.6.147 eq www
access-list outside extended permit tcp any host 65.118.6.147 eq https
access-list outside extended permit tcp any host 65.118.6.149 eq https
access-list outside extended permit tcp any host 65.118.6.149 eq www
access-list outside extended permit tcp any host 65.118.6.148 eq 8132
access-list outside extended permit tcp any host 65.118.6.148 eq 8133
access-list outside extended permit tcp any host 65.118.6.135 eq ftp
access-list outside extended permit tcp any host 65.118.6.135 eq www
access-list outside extended permit tcp any host 65.118.6.143 eq www
access-list outside extended permit tcp any host 65.118.6.140 eq https
access-list outside extended permit tcp any host 65.118.6.140 eq www
access-list outside extended permit tcp any host 65.118.6.137 eq https
access-list outside extended permit tcp any host 65.118.6.137 eq www
access-list outside extended permit tcp any host 65.118.6.133 eq www
access-list outside extended permit tcp any host 65.118.6.145 eq www
access-list outside extended permit tcp any host 65.118.6.138 eq 3389
access-list outside extended permit tcp any host 65.118.6.138 eq 5900
access-list outside extended permit tcp any host 65.118.6.142 eq 5900
access-list outside extended permit tcp any host 65.118.6.144 eq www
access-list outside extended permit tcp any host 65.118.6.144 eq smtp
access-list outside extended permit tcp any host 65.118.6.144 eq pop3
access-list outside extended permit tcp any host 65.118.6.134 eq ftp
access-list outside extended permit tcp any host 65.118.6.136 eq 3389
access-list outside extended permit tcp any host 65.118.6.132 eq ftp
access-list outside extended permit tcp any host 65.118.6.132 eq www
access-list outside extended permit tcp any host 65.118.6.141 eq ftp
access-list outside extended permit tcp any host 65.118.6.146 eq www
access-list outside extended permit tcp any host 65.118.6.139 eq www
access-list outside extended permit tcp any host 65.118.6.139 eq ftp
access-list outside extended permit tcp any host 65.118.6.150 eq 3389
access-list outside extended permit icmp any any echo-reply
access-list IPS-LIST extended permit ip any any
access-list DAYVPN_splitTunnelAcl_2 standard permit 192.168.200.0 255.255.248.0
access-list dmz2 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz2 extended permit udp 192.168.2.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz2 extended permit icmp any any echo-reply
access-list dmz2 extended deny ip 192.168.2.0 255.255.255.0 192.168.16.0 255.255.248.0
access-list dmz2 extended deny ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list dmz2 extended deny ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz2 extended deny ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz2 extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging device-id hostname
logging host Inside 192.168.200.69 17/1514
mtu Outside 1500
mtu Inside 1500
mtu DMZ1 1500
mtu management 1500
mtu DMZ2 1500
ip local pool DAYPOOL 192.168.205.1-192.168.205.254 mask 255.255.248.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ1,Outside) 65.118.6.133 192.168.0.45 netmask 255.255.255.255
static (DMZ1,Outside) 65.118.6.134 192.168.0.57 netmask 255.255.255.255
static (DMZ1,Outside) 65.118.6.135 192.168.0.69 netmask 255.255.255.255
static (DMZ1,Outside) 65.118.6.137 192.168.0.63 netmask 255.255.255.255
static (DMZ1,Outside) 65.118.6.139 192.168.0.49 netmask 255.255.255.255
static (DMZ1,Outside) 65.118.6.140 192.168.0.64 netmask 255.255.255.255
static (DMZ1,Outside) 65.118.6.143 192.168.0.68 netmask 255.255.255.255
static (DMZ1,Outside) 65.118.6.145 192.168.0.70 netmask 255.255.255.255
static (DMZ1,Outside) 65.118.6.146 192.168.0.53 netmask 255.255.255.255
static (DMZ1,Outside) 65.118.6.147 192.168.0.55 netmask 255.255.255.255
static (DMZ1,Outside) 65.118.6.149 192.168.0.67 netmask 255.255.255.255
static (Inside,Outside) 65.118.6.132 192.168.200.94 netmask 255.255.255.255
static (Inside,Outside) 65.118.6.136 192.168.200.36 netmask 255.255.255.255
static (Inside,Outside) 65.118.6.138 192.168.200.3 netmask 255.255.255.255
static (Inside,Outside) 65.118.6.141 192.168.200.66 netmask 255.255.255.255
static (Inside,Outside) 65.118.6.142 192.168.200.90 netmask 255.255.255.255
static (Inside,Outside) 65.118.6.144 192.168.200.28 netmask 255.255.255.255
static (Inside,Outside) 65.118.6.148 192.168.200.53 netmask 255.255.255.255
static (Inside,DMZ2) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (Inside,DMZ2) 192.168.16.0 192.168.16.0 netmask 255.255.248.0
static (Inside,DMZ2) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Inside,DMZ2) 192.168.200.0 192.168.200.0 netmask 255.255.248.0
access-group outside in interface Outside
access-group dmz2 in interface DMZ2
route Outside 0.0.0.0 0.0.0.0 65.118.6.129 1
route Inside 10.10.0.0 255.255.0.0 192.168.200.5 1
route Inside 192.168.16.0 255.255.248.0 192.168.200.4 1
route Inside 192.168.100.0 255.255.255.0 192.168.200.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.200.0 255.255.248.0 Inside
http 192.168.100.0 255.255.255.0 Inside
snmp-server host Inside 192.168.200.53 community public
snmp-server location Dayton
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.100.0 255.255.255.0 Inside
telnet 192.168.200.0 255.255.248.0 Inside
telnet timeout 15
ssh 192.168.200.0 255.255.248.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
vpn load-balancing
 interface lbpublic DMZ1
 interface lbprivate DMZ1
threat-detection basic-threat
threat-detection statistics access-list
group-policy DAYVPN internal
group-policy DAYVPN attributes
 dns-server value 192.168.200.21
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DAYVPN_splitTunnelAcl_2
 default-domain value npsdomain.local
username conexiots password 1RF2VUwj3scfBG6q encrypted privilege 15
username conexiots attributes
 vpn-group-policy DAYVPN
tunnel-group DAYVPN type remote-access
tunnel-group DAYVPN general-attributes
 address-pool DAYPOOL
 default-group-policy DAYVPN
tunnel-group DAYVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
class-map IDS-CLASS
 match access-list IPS-LIST
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map IDS-POLICY
 class IDS-CLASS
  ips inline fail-close
!
service-policy global_policy global
service-policy IDS-POLICY interface Outside
prompt hostname context
Cryptochecksum:96fbd3cae7326cab66a2165006cfb435
: end
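The dmz2 ACL above is applied inbound on DMZ2 and is evaluated first match wins, so any DMZ-to-inside flow that is not DNS to 192.168.200.7 hits the "deny ip ... 192.168.200.0 255.255.248.0" entry before the final permit. The following Python evaluator is an added illustration (not code from the question or from any of the answers) that replays the posted ACL against sample flows; the DMZ webserver 192.168.2.10 and inside SQL server 192.168.200.50 are constructed addresses, and the TCP/1433 flow follows the asker's later remark that SQL was the blocked service.

```python
import ipaddress

# The dmz2 ACL exactly as posted in the question (applied inbound on interface DMZ2).
DMZ2_ACL = [
    "access-list dmz2 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.200.7 eq domain",
    "access-list dmz2 extended permit udp 192.168.2.0 255.255.255.0 host 192.168.200.7 eq domain",
    "access-list dmz2 extended permit icmp any any echo-reply",
    "access-list dmz2 extended deny ip 192.168.2.0 255.255.255.0 192.168.16.0 255.255.248.0",
    "access-list dmz2 extended deny ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.248.0",
    "access-list dmz2 extended deny ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0",
    "access-list dmz2 extended deny ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.0.0",
    "access-list dmz2 extended permit ip any any",
]
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}  # service names used in ASA ACLs

def _addr(tok, i):
    """Parse an ASA address spec (any | host A | A MASK) at tok[i]; return (net, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_ace(line):
    """Return (action, proto, src_net, dst_net, qualifier: dst port | icmp type | None)."""
    tok = line.split()
    i = tok.index("extended") + 1
    action, proto = tok[i], tok[i + 1]
    src, i = _addr(tok, i + 2)
    dst, i = _addr(tok, i)
    qualifier = None
    if proto in ("tcp", "udp") and i < len(tok) and tok[i] == "eq":
        qualifier = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    elif proto == "icmp" and i < len(tok):
        qualifier = tok[i]
    return action, proto, src, dst, qualifier

def evaluate(acl, proto, src, dst, qualifier=None):
    """First-match evaluation as the ASA does it. Returns (action, matching line
    number), or ("deny", None) for the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        action, aproto, asrc, adst, aq = parse_ace(ace)
        if aproto in ("ip", proto) and s in asrc and d in adst and aq in (None, qualifier):
            return action, n
    return "deny", None

# Fix (constructed hosts): the SQL permit must sit ABOVE the deny; an ACE appended at the end would never fire.
FIXED_ACL = ["access-list dmz2 extended permit tcp host 192.168.2.10 host 192.168.200.50 eq 1433"
             ] + DMZ2_ACL
```

With the posted ACL, an ICMP echo request or a TCP/1433 connection from 192.168.2.10 to 192.168.200.50 is dropped by line 5, while DNS to 192.168.200.7 is permitted by line 2; with the permit placed first, the SQL flow passes on line 1.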
Question Stats
Zone: Security
Question Asked By: qbakies
Solution Provided By: prueconsulting
Participating Experts: 4
Solution Grade: A
Views: 0
Expert Comment by grblades
Rank: Wizard

All comments and solutions are available to Premium Service Members only.

Author Comment by qbakies

Expert Comment by grblades
Rank: Wizard

Expert Comment by prueconsulting
Rank: Master

Author Comment by qbakies

Expert Comment by prueconsulting
Rank: Master

Author Comment by qbakies

Accepted Solution by prueconsulting
Rank: Master

Expert Comment by grblades
Rank: Wizard

Expert Comment by Voltz-dk
Rank: Guru

Expert Comment by patrickgirigorie

Open Discussion

Comment by qbakies
The problem with accessing the SQL DB was that I wasn't using port 1433. Unfortunately, there is still a problem, but it has to do with IIS application pools not running with local credentials, so I need to get my devs to help fix it.