gurnox
asked on
Cisco Pix 515e - Problems With Outside Access
Have a strange problem with my PIX 515E.
There are three interfaces - inside, outside and DMZ. I'm using static NAT to assign real IP addresses on the outside interface to hosts on the DMZ interface.
Am also running a VPN from the device. Two Lan-Lan ones and a dial in.
I tried to change the configuration on the device so that hosts in the DMZ would be visible to dial-in VPN users. I managed to do this without any problem. Since doing so, no hosts on the outside can talk to anything on the DMZ. It's got me a bit stumped to be honest.
The hosts on the DMZ can talk to hosts on the inside interface and outgoing to the Internet just fine. The logs are showing that outside connections in are being denied by the access list Outside_access_in.
Here's some of the conf:
access-list DMZ_nat0_inbound remark No NAT from DMZ - Internal. Use real IP
access-list DMZ_nat0_inbound extended permit ip any Loc1 255.255.255.0
access-list DMZ_nat0_inbound extended permit ip any Loc2 255.255.255.0
access-list Outside_access_in remark Block on South African spammer/virus spreader.
access-list Outside_access_in extended deny ip host 196.34.228.226 any
access-list Outside_access_in extended permit tcp any host host eq smtp
access-list Outside_access_in extended permit tcp any host host eq www
access-list Outside_access_in extended permit tcp any host host eq https
access-list Outside_access_in extended permit tcp any host host2 object-group services
access-list Outside_access_in extended permit tcp any host host3 eq domain
access-list Outside_access_in extended permit tcp any webhost eq www
access-list Outside_access_in extended permit tcp any host webhost eq https
access-list Outside_access_in extended permit tcp any host webmail eq www
access-list Outside_access_in extended permit tcp any host webmail eq https
access-list Outside_access_in extended permit udp any host nshost eq domain
global (Outside) 10 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (inside) 0 access-list to_DMZ
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 0 access-list DMZ_nat0_inbound outside
static (DMZ,Outside) ip1 host2 netmask 255.255.255.255
static (DMZ,Outside) ip2 nshost netmask 255.255.255.255
static (DMZ,Outside) ip3 webmail netmask 255.255.255.255
static (DMZ,Outside) ip4 webhost netmask 255.255.255.255
static (DMZ,Outside) ip5 192.168.2.14 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
Any help much appreciated!
If it means turning off DMZ access to the dialup VPN, so be it. Outside has priority :)
I don't see a static entry for "host" as addressed in the acl, but I do see one for "host2"
>access-list Outside_access_in extended permit tcp any host host2 object-group services
>static (DMZ,Outside) ip1 host2 netmask 255.255.255.255
>access-list Outside_access_in extended permit tcp any host host eq smtp
>>> no static to match 'host'
This could account for no inbound traffic to that server.
Sorry folks, I just realised the post I inserted above was meant for another question:
https://www.experts-exchange.com/questions/21840556/wireless-lan.html
ASKER
The lack of a static entry for that server is more likely me being clumsy when replacing the real hostnames. I don't think it is a problem with the individual static maps, as none of the statically mapped servers can be reached from the outside.
The problem only occurred when I tried to make the DMZ accessible over a dial-up VPN link (I realise now that split DNS would have been the way to do this. D'oh!). So I'm sure this is something simple that I've broken when doing this. I'm just banging my head against the wall trying to see what it is.
If you can post your complete config, I might be able to assist. If you miss anything in an effort to sanitize, I can edit it out for you.
>access-group DMZ_access_in in interface DMZ
It could be a problem with this acl?
ASKER
Here it is (External IPs and domains invented):
PIX Version 7.0(1)
names
name 192.168.4.0 Borehamwood
name 192.168.2.10 aco-ftp-1
name 192.168.2.2 Switch
name 192.168.2.11 ns0.somedomain.com
name 192.168.4.12 Aunt
name 192.168.3.13 Brother
name 192.168.3.0 London
name 192.168.4.19 ns1.somedomain.com
name 192.168.2.12 relay1.somedomain.com
name 192.168.3.14 son.somedomain.co.uk
name 192.168.5.0 WoolmerHouse
name 192.168.1.0 HongKong
name 192.168.2.13 dad.somedomain.com
name 192.168.3.12 mum.somedomain.co.uk
name 192.168.3.22 aco-backup-1.somedomain.co.uk
!
interface Ethernet0
description External Interface
nameif Outside
security-level 0
ip address 100.100.100.219 255.255.255.240
!
interface Ethernet1
description Trusted Interface for internal LANS
nameif inside
security-level 100
ip address 192.168.3.4 255.255.255.0
!
interface Ethernet2
description DMZ
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
enable password XFCW5lRGhPoeHq0Q encrypted
passwd XFCW5lRGhPoeHq0Q encrypted
hostname aco-firewall-1
domain-name somedomain.co.uk
banner login You are now connected to the SomeCompany PLC network.
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns retries 2
dns timeout 2
dns domain-lookup Outside
dns domain-lookup inside
dns domain-lookup DMZ
dns name-server Brother
dns name-server Aunt
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service aco-ftp-1 tcp
description TCP services for aco-ftp-1
port-object eq ssh
port-object eq ftp-data
port-object eq ftp
object-group service outside-aco-ftp-1 tcp
description External FTP access
port-object eq ftp-data
port-object eq ftp
object-group network Internal_DNS
description Active directory servers Aunt and Brother
network-object Brother 255.255.255.255
network-object Aunt 255.255.255.255
access-list inside_nat0_outbound remark No NAT for internal network to DMZ. Use real IP.
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list SomeCompany_splitTunnelAcl standard permit London 255.255.255.0
access-list SomeCompany_splitTunnelAcl standard permit Borehamwood 255.255.255.0
access-list SomeCompany_splitTunnelAcl standard permit WoolmerHouse 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.3.96 255.255.255.240
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp host son.somedomain.co.uk eq www host relay1.somedomain.com eq www
access-list inside_access_in extended permit tcp host son.somedomain.co.uk eq https host relay1.somedomain.com eq https
access-list inside_access_in remark Outgoing mail relay hole
access-list inside_access_in extended permit tcp host son.somedomain.co.uk host relay1.somedomain.com eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp host aco-backup-1.somedomain.co.uk host dad.somedomain.com eq 10000
access-list inside_access_in extended permit tcp host aco-backup-1.somedomain.co.uk host dad.somedomain.com range 12000 12100
access-list DMZ_nat0_inbound remark No NAT from DMZ - Internal. Use real IP
access-list DMZ_nat0_inbound extended permit ip any London 255.255.255.0
access-list DMZ_nat0_inbound extended permit ip any Borehamwood 255.255.255.0
access-list Outside_access_in remark Block on South African spammer/virus spreader.
access-list Outside_access_in extended deny ip host 196.34.228.226 any
access-list Outside_access_in extended permit tcp any host relay1.somedomain.com eq smtp
access-list Outside_access_in extended permit tcp any host relay1.somedomain.com eq www
access-list Outside_access_in extended permit tcp any host relay1.somedomain.com eq https
access-list Outside_access_in extended permit tcp any host aco-ftp-1 object-group outside-aco-ftp-1
access-list Outside_access_in extended permit tcp any host ns0.somedomain.com eq domain
access-list Outside_access_in extended permit tcp any host dad.somedomain.com eq www
access-list Outside_access_in extended permit tcp any host dad.somedomain.com eq https
access-list Outside_access_in extended permit tcp any host 192.168.2.14 eq www
access-list Outside_access_in extended permit tcp any host 192.168.2.14 eq https
access-list Outside_access_in extended permit udp any host ns0.somedomain.com eq domain
access-list DMZ_access_in remark Name resolution - Temporary until DNS moved into DMZ
access-list DMZ_access_in extended permit tcp host aco-ftp-1 object-group Internal_DNS eq domain
access-list DMZ_access_in remark Name resolution
access-list DMZ_access_in extended permit udp host aco-ftp-1 object-group Internal_DNS eq domain
access-list DMZ_access_in remark Allow FTP traffic and SSH to Internal Network
access-list DMZ_access_in extended permit tcp host aco-ftp-1 object-group aco-ftp-1 any
access-list DMZ_access_in remark Internal DNS forwarding (TCP)
access-list DMZ_access_in extended permit tcp host ns0.somedomain.com object-group Internal_DNS eq domain
access-list DMZ_access_in remark Internal DNS Forwarding (UDP)
access-list DMZ_access_in extended permit udp host ns0.somedomain.com object-group Internal_DNS eq domain
access-list DMZ_access_in remark SSH access for internal network
access-list DMZ_access_in extended permit tcp host ns0.somedomain.com eq ssh any
access-list DMZ_access_in remark ICMP from Aunt and Brother
access-list DMZ_access_in extended permit icmp host ns0.somedomain.com object-group Internal_DNS
access-list DMZ_access_in remark Allow DNS replies to outside world (TCP)
access-list DMZ_access_in extended permit tcp host ns0.somedomain.com eq domain any eq domain
access-list DMZ_access_in remark Allow DNS replies to outside world (UDP)
access-list DMZ_access_in extended permit udp host ns0.somedomain.com eq domain any eq domain
access-list DMZ_access_in remark TCP access to ns1 for notifies and zone transfers
access-list DMZ_access_in extended permit tcp host ns0.somedomain.com eq domain host ns1.somedomain.com eq domain
access-list DMZ_access_in remark UDP access to ns1 for zone notifies and transfers
access-list DMZ_access_in extended permit udp host ns0.somedomain.com eq domain host ns1.somedomain.com eq domain
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com eq www any
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com eq https any
access-list DMZ_access_in remark OWA relay from relay1 to Son
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com host son.somedomain.co.uk eq www
access-list DMZ_access_in remark OWA proxying
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com host son.somedomain.co.uk eq https
access-list DMZ_access_in remark Outgoing mail relay
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com any eq smtp
access-list DMZ_access_in remark SMTP incoming mail relay hole
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com host son.somedomain.co.uk eq smtp
access-list DMZ_access_in remark Holes to Allow communication between Mum and Dad
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host mum.somedomain.co.uk eq 9899
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host mum.somedomain.co.uk eq sunrpc
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host mum.somedomain.co.uk eq 2049
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host mum.somedomain.co.uk eq 32771
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host mum.somedomain.co.uk eq 32772
access-list DMZ_access_in extended permit tcp host dad.somedomain.com object-group Internal_DNS eq domain
access-list DMZ_access_in extended permit udp host dad.somedomain.com object-group Internal_DNS eq domain
access-list DMZ_access_in extended permit tcp host dad.somedomain.com any eq www
access-list DMZ_access_in extended permit tcp host dad.somedomain.com any eq https
access-list DMZ_access_in extended permit icmp host dad.somedomain.com any
access-list DMZ_access_in extended permit udp host dad.somedomain.com host 192.168.4.102 eq syslog
access-list DMZ_access_in remark backup exec
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host aco-backup-1.somedomain.co.uk range 12000 12100
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host aco-backup-1.somedomain.co.uk eq 6101
access-list DMZ_access_in remark NTP time syncronisation services
access-list DMZ_access_in extended permit udp host relay1.somedomain.com any eq ntp
access-list DMZ_access_in remark Hole to allow http access for AV updates.
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com any eq www
access-list 222 extended permit ip Borehamwood 255.255.255.0 HongKong 255.255.255.0
access-list 222 extended permit ip Borehamwood 255.255.255.0 192.168.3.96 255.255.255.240
access-list 222 extended permit ip London 255.255.255.0 192.168.3.96 255.255.255.240
access-list 222 extended permit ip London 255.255.255.0 WoolmerHouse 255.255.255.0
access-list 222 extended permit ip London 255.255.255.0 HongKong 255.255.255.0
access-list 222 extended permit ip any 192.168.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20_1 extended permit ip any 192.168.3.96 255.255.255.240
access-list 222_V1 remark David Wyndhams home network
access-list 222_V1 extended permit ip London 255.255.255.0 WoolmerHouse 255.255.255.0
access-list 222_V1 extended permit ip London 255.255.255.0 192.168.3.96 255.255.255.240
access-list Outside_cryptomap_242_1 extended permit ip Borehamwood 255.255.255.0 HongKong 255.255.255.0
access-list Outside_cryptomap_242_1 extended permit ip London 255.255.255.0 HongKong 255.255.255.0
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 900 999 host aco-backup-1.somedomain.co.uk range 800 899
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 900 999 host aco-backup-1.somedomain.co.uk range 4800 4899
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 900 999 host aco-backup-1.somedomain.co.uk range 13720 13721
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 4900 4999 host aco-backup-1.somedomain.co.uk range 800 899
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 4900 4999 host aco-backup-1.somedomain.co.uk range 4800 4899
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 4900 4999 host aco-backup-1.somedomain.co.uk range 13720 13721
access-list to_DMZ extended permit ip London 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_DMZ extended permit ip London 255.255.255.0 WoolmerHouse 255.255.255.0
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 WoolmerHouse 255.255.255.0
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 HongKong 255.255.255.0
access-list to_DMZ extended permit ip London 255.255.255.0 HongKong 255.255.255.0
access-list to_DMZ extended permit ip London 255.255.255.0 192.168.3.96 255.255.255.240
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 192.168.3.96 255.255.255.240
access-list to_DMZ extended permit ip WoolmerHouse 255.255.255.0 192.168.3.96 255.255.255.240
access-list Outside_nat0_outbound extended permit ip WoolmerHouse 255.255.255.0 192.168.3.96 255.255.255.240
no pager
logging enable
logging trap notifications
logging asdm informational
logging from-address firewall@somedomain.co.uk
logging recipient-address me@somedomain.com level errors
logging host inside 192.168.4.61
logging host inside 192.168.4.102
logging flash-bufferwrap
logging ftp-bufferwrap
logging ftp-server aco-ftp-1 / firewall ****
logging permit-hostdown
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface Outside
ip verify reverse-path interface DMZ
ip local pool DialUpIPs 192.168.3.100-192.168.3.110 mask 255.255.255.255
ip local pool TestPool 192.168.3.240-192.168.3.254 mask 255.255.255.0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no failover
monitor-interface Outside
monitor-interface inside
monitor-interface DMZ
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (inside) 0 access-list to_DMZ
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_inbound outside
static (DMZ,Outside) 100.100.100.215 aco-ftp-1 netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.217 ns0.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.213 relay1.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.212 dad.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.216 192.168.2.14 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 100.100.100.209 1
route inside Borehamwood 255.255.255.0 192.168.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner value You are connected to SomeCompany PLC.
banner value
banner value Unauthorised access is prohibited and may result in prosecution. Unless you have
banner value express permission to use this facility, please disconnect immediately.
wins-server value Brother Aunt
dns-server value Brother Aunt
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SomeCompany_splitTunnelAcl
default-domain value somedomain.co.uk
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy SomeCompany internal
group-policy SomeCompany attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SomeCompany_splitTunnelAcl
default-domain value somedomain.co.uk
username someone password ** encrypted privilege 0
username someoneelse password ** encrypted privilege 0
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http London 255.255.255.0 inside
http Borehamwood 255.255.255.0 inside
snmp-server host inside 192.168.4.56 poll community this_snmp_ch65w
snmp-server location Madeup Court
snmp-server contact Someone
snmp-server community this_snmp_ch65w
snmp-server enable traps snmp
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set Tunnel-ESPDES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map_1 20 match address Outside_cryptomap_dyn_20_1
crypto dynamic-map Outside_dyn_map_1 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map ForInternet 222 match address 222_V1
crypto map ForInternet 222 set peer 99.99.99.167
crypto map ForInternet 222 set transform-set Tunnel-ESPDES-MD5
crypto map ForInternet 222 set nat-t-disable
crypto map ForInternet 242 match address Outside_cryptomap_242_1
crypto map ForInternet 242 set pfs
crypto map ForInternet 242 set peer 123.123.123.123
crypto map ForInternet 242 set transform-set ESP-3DES-SHA
crypto map ForInternet 242 set nat-t-disable
crypto map ForInternet 65535 ipsec-isakmp dynamic Outside_dyn_map_1
crypto map ForInternet interface Outside
isakmp identity auto
isakmp enable Outside
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption 3des
isakmp policy 22 hash md5
isakmp policy 22 group 1
isakmp policy 22 lifetime 28800
isakmp policy 42 authentication pre-share
isakmp policy 42 encryption 3des
isakmp policy 42 hash sha
isakmp policy 42 group 2
isakmp policy 42 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
telnet London 255.255.255.0 inside
telnet Borehamwood 255.255.255.0 inside
telnet timeout 5
ssh Borehamwood 255.255.255.0 inside
ssh London 255.255.255.0 inside
ssh timeout 25
console timeout 0
dhcpd dns Brother Aunt
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain somedomain.co.uk
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group SomeCompany type ipsec-ra
tunnel-group SomeCompany general-attributes
address-pool DialUpIPs
default-group-policy SomeCompany
tunnel-group SomeCompany ipsec-attributes
pre-shared-key *
tunnel-group 99.99.99.167 type ipsec-l2l
tunnel-group 99.99.99.167 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect dns
inspect http
inspect icmp
!
service-policy global_policy global
ntp server relay1.somedomain.com source DMZ prefer
ntp server Brother source inside
smtp-server 192.168.3.14
management-access inside
Cryptochecksum:8fb9539f55dc4a8f715fe96e63438cdd
: end
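The reply earlier in the thread matched each Outside_access_in destination against the static (DMZ,Outside) entries by hand. The script below automates that check over a config in the shape posted above; it is an editor's added example, not code from the thread or from Cisco. It also applies the PIX 7.x (pre-8.3 NAT) rule that an ACL applied inbound on the Outside interface is evaluated against the packet as it arrives there, so a permit for a statically translated DMZ server must name the mapped (public) address from the static, not the real 192.168.2.x address that the `name` entries resolve to; in the posted config every Outside_access_in destination resolves to a real DMZ address, which is the first thing to check against the logged denies. The config lines embedded in the script are a constructed sample shaped like the posted config (same syntax, illustrative addresses), not the device's own lines, and the function and finding names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the PIX 7.0(1) config posted in this thread.
# Addresses and host names are illustrative, not the real device's values.
SAMPLE_CONFIG = """\
name 192.168.2.10 aco-ftp-1
name 192.168.2.11 ns0.somedomain.com
name 192.168.2.12 relay1.somedomain.com
object-group service outside-aco-ftp-1 tcp
 port-object eq ftp-data
 port-object eq ftp
access-list Outside_access_in extended deny ip host 196.34.228.226 any
access-list Outside_access_in extended permit tcp any host relay1.somedomain.com eq smtp
access-list Outside_access_in extended permit tcp any host 100.100.100.215 object-group outside-aco-ftp-1
access-list Outside_access_in extended permit tcp any host ns0.somedomain.com eq domain
access-list Outside_access_in extended permit tcp any host 192.168.2.14 eq www
access-list Outside_access_in extended permit udp any host 192.168.2.99 eq syslog
access-list inside_access_in extended permit ip any any
static (DMZ,Outside) 100.100.100.215 aco-ftp-1 netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.217 ns0.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.213 relay1.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.216 192.168.2.14 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
SVC_GROUP_RE = re.compile(r"^object-group\s+service\s+(\S+)")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}   # operator -> operand count


def parse_config(text):
    """Collect name->IP, statics, extended ACEs per ACL, access-groups and service groups."""
    names, statics, aces, groups, svc_groups = {}, [], defaultdict(list), {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)                  # symbolic name -> IP
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, _mask = m.groups()
            statics.append((real_if, mapped_if, mapped, real))
        elif m := ACL_RE.match(line):
            aces[m.group(1)].append((line, m.group(2), m.group(3), m.group(4).split()))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)                 # interface -> ACL applied inbound
        elif m := SVC_GROUP_RE.match(line):
            svc_groups.add(m.group(1))                      # names that act as port specs
    return names, statics, aces, groups, svc_groups


def _addr(tok, i):
    """Consume one address spec at tok[i]; return ((kind, value), next index)."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] in ("host", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", f"{tok[i]} {tok[i + 1]}"), i + 2         # address mask


def _skip_ports(tok, i, svc_groups):
    """Skip an optional port qualifier: eq/neq/gt/lt/range or a service object-group."""
    while i < len(tok):
        if tok[i] in PORT_OPS:
            i += 1 + PORT_OPS[tok[i]]
        elif tok[i] == "object-group" and i + 1 < len(tok) and tok[i + 1] in svc_groups:
            i += 2
        else:
            break
    return i


def parse_ace(fields, svc_groups):
    """Split the tokens after the protocol into (source, destination) address specs."""
    src, i = _addr(fields, 0)
    i = _skip_ports(fields, i, svc_groups)
    if i >= len(fields):
        return src, None
    dst, _ = _addr(fields, i)
    return src, dst


def check_outside_acl(text, outside_if="Outside"):
    """Flag permits on the Outside ACL whose single-host destination can never match
    there on PIX 7.x: a real (DMZ) address behind a static, or a host with no static."""
    names, statics, aces, groups, svc_groups = parse_config(text)
    ip = lambda a: names.get(a, a)
    mapped = {ip(m) for _rif, mif, m, _r in statics if mif == outside_if}
    real_to_mapped = {ip(r): ip(m) for _rif, mif, m, r in statics if mif == outside_if}
    findings = []
    for line, action, _proto, fields in aces.get(groups.get(outside_if, ""), []):
        if action != "permit":
            continue
        _src, dst = parse_ace(fields, svc_groups)
        if not dst or dst[0] != "host":
            continue                          # only single-host destinations are checked
        addr = ip(dst[1])
        if addr in mapped:
            continue                          # names the global address: correct pre-8.3
        if addr in real_to_mapped:
            findings.append(("REAL_ADDRESS", dst[1], addr, real_to_mapped[addr], line))
        else:
            findings.append(("NO_STATIC", dst[1], addr, None, line))
    return findings


if __name__ == "__main__":
    for kind, name, addr, mapped_addr, line in check_outside_acl(SAMPLE_CONFIG):
        hint = f"; permit the mapped address {mapped_addr} instead" if mapped_addr else ""
        print(f"{kind}: {name} ({addr}){hint}\n    {line}")
```

Feed it the output of `show running-config` and fix every REAL_ADDRESS finding by rewriting the ACE to the mapped address printed with it; a NO_STATIC finding is either a sanitising slip, as the asker suggests, or a server that genuinely has no translation and so can never be reached from Outside.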
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host aco-backup-1.somedomain.co
access-list DMZ_access_in remark NTP time synchronisation services
access-list DMZ_access_in extended permit udp host relay1.somedomain.com any eq ntp
access-list DMZ_access_in remark Hole to allow http access for AV updates.
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com any eq www
access-list 222 extended permit ip Borehamwood 255.255.255.0 HongKong 255.255.255.0
access-list 222 extended permit ip Borehamwood 255.255.255.0 192.168.3.96 255.255.255.240
access-list 222 extended permit ip London 255.255.255.0 192.168.3.96 255.255.255.240
access-list 222 extended permit ip London 255.255.255.0 WoolmerHouse 255.255.255.0
access-list 222 extended permit ip London 255.255.255.0 HongKong 255.255.255.0
access-list 222 extended permit ip any 192.168.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20_1
access-list 222_V1 remark David Wyndhams home network
access-list 222_V1 extended permit ip London 255.255.255.0 WoolmerHouse 255.255.255.0
access-list 222_V1 extended permit ip London 255.255.255.0 192.168.3.96 255.255.255.240
access-list Outside_cryptomap_242_1 extended permit ip Borehamwood 255.255.255.0 HongKong 255.255.255.0
access-list Outside_cryptomap_242_1 extended permit ip London 255.255.255.0 HongKong 255.255.255.0
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 900 999 host aco-backup-1.somedomain.co
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 900 999 host aco-backup-1.somedomain.co
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 900 999 host aco-backup-1.somedomain.co
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 4900 4999 host aco-backup-1.somedomain.co
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 4900 4999 host aco-backup-1.somedomain.co
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 4900 4999 host aco-backup-1.somedomain.co
access-list to_DMZ extended permit ip London 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_DMZ extended permit ip London 255.255.255.0 WoolmerHouse 255.255.255.0
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 WoolmerHouse 255.255.255.0
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 HongKong 255.255.255.0
access-list to_DMZ extended permit ip London 255.255.255.0 HongKong 255.255.255.0
access-list to_DMZ extended permit ip London 255.255.255.0 192.168.3.96 255.255.255.240
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 192.168.3.96 255.255.255.240
access-list to_DMZ extended permit ip WoolmerHouse 255.255.255.0 192.168.3.96 255.255.255.240
access-list Outside_nat0_outbound extended permit ip WoolmerHouse 255.255.255.0 192.168.3.96 255.255.255.240
no pager
logging enable
logging trap notifications
logging asdm informational
logging from-address firewall@somedomain.co.uk
logging recipient-address me@somedomain.com level errors
logging host inside 192.168.4.61
logging host inside 192.168.4.102
logging flash-bufferwrap
logging ftp-bufferwrap
logging ftp-server aco-ftp-1 / firewall ****
logging permit-hostdown
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface Outside
ip verify reverse-path interface DMZ
ip local pool DialUpIPs 192.168.3.100-192.168.3.11
ip local pool TestPool 192.168.3.240-192.168.3.25
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no failover
monitor-interface Outside
monitor-interface inside
monitor-interface DMZ
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (inside) 0 access-list to_DMZ
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_inbound outside
static (DMZ,Outside) 100.100.100.215 aco-ftp-1 netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.217 ns0.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.213 relay1.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.212 dad.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.216 192.168.2.14 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 100.100.100.209 1
route inside Borehamwood 255.255.255.0 192.168.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner value You are connected to SomeCompany PLC.
banner value
banner value Unauthorised access is prohibited and may result in prosecution. Unless you have
banner value express permission to use this facility, please disconnect immediately.
wins-server value Brother Aunt
dns-server value Brother Aunt
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SomeCompany_splitTunnelAcl
default-domain value somedomain.co.uk
split-dns none
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy SomeCompany internal
group-policy SomeCompany attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SomeCompany_splitTunnelAcl
default-domain value somedomain.co.uk
username someone password ** encrypted privilege 0
username someoneelse password ** encrypted privilege 0
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http London 255.255.255.0 inside
http Borehamwood 255.255.255.0 inside
snmp-server host inside 192.168.4.56 poll community this_snmp_ch65w
snmp-server location Madeup Court
snmp-server contact Someone
snmp-server community this_snmp_ch65w
snmp-server enable traps snmp
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set Tunnel-ESPDES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map_1 20 match address Outside_cryptomap_dyn_20_1
crypto dynamic-map Outside_dyn_map_1 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map ForInternet 222 match address 222_V1
crypto map ForInternet 222 set peer 99.99.99.167
crypto map ForInternet 222 set transform-set Tunnel-ESPDES-MD5
crypto map ForInternet 222 set nat-t-disable
crypto map ForInternet 242 match address Outside_cryptomap_242_1
crypto map ForInternet 242 set pfs
crypto map ForInternet 242 set peer 123.123.123.123
crypto map ForInternet 242 set transform-set ESP-3DES-SHA
crypto map ForInternet 242 set nat-t-disable
crypto map ForInternet 65535 ipsec-isakmp dynamic Outside_dyn_map_1
crypto map ForInternet interface Outside
isakmp identity auto
isakmp enable Outside
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption 3des
isakmp policy 22 hash md5
isakmp policy 22 group 1
isakmp policy 22 lifetime 28800
isakmp policy 42 authentication pre-share
isakmp policy 42 encryption 3des
isakmp policy 42 hash sha
isakmp policy 42 group 2
isakmp policy 42 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
telnet London 255.255.255.0 inside
telnet Borehamwood 255.255.255.0 inside
telnet timeout 5
ssh Borehamwood 255.255.255.0 inside
ssh London 255.255.255.0 inside
ssh timeout 25
console timeout 0
dhcpd dns Brother Aunt
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain somedomain.co.uk
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group SomeCompany type ipsec-ra
tunnel-group SomeCompany general-attributes
address-pool DialUpIPs
default-group-policy SomeCompany
tunnel-group SomeCompany ipsec-attributes
pre-shared-key *
tunnel-group 99.99.99.167 type ipsec-l2l
tunnel-group 99.99.99.167 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect dns
inspect http
inspect icmp
!
service-policy global_policy global
ntp server relay1.somedomain.com source DMZ prefer
ntp server Brother source inside
smtp-server 192.168.3.14
management-access inside
Cryptochecksum:8fb9539f55d
: end
Wow. Lots of issues here...
>nat (Outside) 0 access-list Outside_nat0_outbound
You must first remove that entry.
no nat (Outside) 0 access-list Outside_nat0_outbound
clear xlate
>nat (inside) 0 access-list to_DMZ
Remove that line, too, and replace it with a static
no nat (inside) 0 access-list to_DMZ
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
access-list DMZ_access-in permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list DMZ_access-in permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
Given the following information:
>interface Ethernet1
> nameif inside
> ip address 192.168.3.4 255.255.255.0
>ip local pool DialUpIPs 192.168.3.100-192.168.3.110 mask 255.255.255.255
>ip local pool TestPool 192.168.3.240-192.168.3.254 mask 255.255.255.0
You need to use a separate IP subnet for the client pool(s). Then the access-lists actually make sense and you can separate your internal lan subnet from the client subnet.
For example:
ip local pool VPNPOOL 192.168.122.1-192.168.122.127 mask 255.255.255.128
access-list inside_nat0 permit 192.168.3.0 255.255.255.0 192.168.122.0 255.255.255.128
access-list dmz_nat0 permit 192.168.2.0 255.255.255.0 192.168.122.0 255.255.255.128
nat (inside) 0 access-list inside_nat0
nat (dmz) 0 access-list dmz_nat0
tunnel-group SomeCompany general-attributes
address-pool VPNPOOL
ASKER
Thanks for the help.
At the moment, I am connecting to the device via one of the dial up IP addresses, so I'm loath to make changes to the IP pools at the moment. Your way does make a LOT more sense, I just can't risk losing a connection to the device.
I have applied:
no nat (Outside) 0 access-list Outside_nat0_outbound
clear xlate
And still cannot access the DMZ based hosts from the outside (If I achieve this and nothing else, I will be happy :) ).
Won't the commands:
no nat (inside) 0 access-list to_DMZ
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
access-list DMZ_access-in permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list DMZ_access-in permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
Grant IP access to the entire inside network via the DMZ interface? I don't really want to allow this. Sorry if I'm missing something here.
>Grant IP access to the entire inside network via the DMZ interface? I don't really want to allow this.
Yes, it will grant full ip access, but you can adjust the acl's if you want.
However, this line is already doing that same thing. All traffic from DMZ to London is already allowed, you're just fudging the nat with a different acl which only complicates matters.
>access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
>access-list to_DMZ extended permit ip London 255.255.255.0 192.168.2.0 255.255.255.0
You need a nat (inside) 0 acl for the VPN to work. This is what nat0 was designed to do.
>I am connecting to the device via one of the dial up IP addresses
Try using SSH or HTTPS to the PDM ?
ASKER
OK, I have a connection without the VPN.
I've applied all of the changes and this is what has happened:
Still no access to DMZ from Outside (Internet)
Dial Up VPN no longer working
Lan to Lan VPNs no longer working
:)
ASKER
D'oh! Forgot to change the access list to let the new VPN pool connect. Can now get VPN dialup connection.
Suspect I just need to re-add the address exceptions for the .1 and .5 subnets to get lan-lan back too.
>Suspect I just need to re-add the address exceptions for the .1 and .5 subnets to get lan-lan back too.
Add these subnets to the nat0 acl:
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
ASKER
Thanks again for spending so much time helping me with this.
OK. Lan-Lan access is back.
I'd already started adding them before I read your last post. So I've added the .1 and .5 subnets to the inside_nat0 acl that is already there. I don't really need to give access to the DMZ to either of these subnets, so is it OK to leave out the commands from your last post?
Incidentally, I still have the acl:
access-list inside_nat0_outbound permit ip any 192.168.2.0 255.255.255.0
In the config. OK to delete this now?
Still no access from outside (Internet) to the DMZ. Everything else now seems OK.
ASKER
Stupid me. Of course I need them to have access. Am adding those lines now. OK to delete the line I gave in the last post.
ASKER
OK. All internal/VPN config is now working.
Any idea on why hosts on the Internet cannot access the hosts on the DMZ interface?
ASKER
The logs are saying that access is being denied by the acl 'Outside_access_in'.
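A way to see which entry of an interface ACL a given flow hits, as an added example that is not part of this thread: a small first-match evaluator for the `access-list NAME extended ...` syntax used in the configuration above. The config lines, the outside addresses and the name table (standing in for the PIX `name` commands the page does not show) are constructed for this example, modelled on `Outside_access_in` and `DMZ_access_in`. Lists are keyed by their exact name, so entries under `DMZ_access-in` (hyphen) are not consulted for `DMZ_access_in` (underscore), the list actually bound with `access-group`; a flow that matches no entry falls through to the implicit deny, which is how a "denied by access-list" log line arises with no explicit deny.

```python
import ipaddress

# Constructed name table standing in for the "name" commands the page
# does not show; the addresses are made up for this example.
NAMES = {
    "ns0.somedomain.com": "192.168.2.17",
    "relay1.somedomain.com": "192.168.2.13",
}
# Service keywords as the PIX prints them in the configuration above.
PORTS = {"smtp": 25, "www": 80, "https": 443, "domain": 53, "ssh": 22,
         "ntp": 123, "syslog": 514, "sunrpc": 111}

# Constructed sample modelled on the thread's ACLs (not the page's own lines).
SAMPLE = """\
access-list Outside_access_in remark Block a constructed noisy outside host
access-list Outside_access_in extended deny ip host 203.0.113.66 any
access-list Outside_access_in extended permit tcp any host relay1.somedomain.com eq smtp
access-list Outside_access_in extended permit udp any host ns0.somedomain.com eq domain
access-list DMZ_access_in extended permit udp host ns0.somedomain.com eq domain any eq domain
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com any eq smtp
access-list DMZ_access-in extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
"""


def _port(tok):
    return PORTS.get(tok) or int(tok)


def _addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'NET MASK' (names resolved)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        name = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(name, name))
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{NAMES.get(tok, tok)}/{mask}")


def _ports(tokens):
    """Consume an optional 'eq P' or 'range A B'; return an inclusive (low, high)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = _port(tokens.pop(0))
        return (p, p)
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return (_port(tokens.pop(0)), _port(tokens.pop(0)))
    return (0, 65535)


def parse_acls(config):
    """Group extended entries by ACL name in configuration order.
    Remarks are dropped; object-group entries are not modelled and are skipped."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "extended" or "object-group" in t:
            continue
        name, action, proto, rest = t[1], t[3], t[4], t[5:]
        src, sp = _addr(rest), _ports(rest)
        dst, dp = _addr(rest), _ports(rest)
        acls.setdefault(name, []).append((action, proto, src, sp, dst, dp))
    return acls


def evaluate(acls, name, proto, src, sport, dst, dport):
    """First matching entry wins; (\"deny\", None) is the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, p, snet, sp, dnet, dp) in enumerate(acls.get(name, [])):
        if p != "ip" and p != proto:
            continue
        if s in snet and d in dnet and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]:
            return action, idx
    return "deny", None


if __name__ == "__main__":
    acls = parse_acls(SAMPLE)
    print(evaluate(acls, "Outside_access_in", "udp", "203.0.113.9", 40000, "192.168.2.17", 53))
    print(evaluate(acls, "DMZ_access_in", "tcp", "192.168.2.17", 40000, "192.168.3.10", 80))
```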
ASKER CERTIFIED SOLUTION
ASKER
All working perfectly. THANK YOU!
As you can tell, I'm a bit of a Cisco newbie. My initial configuration was all done via the web/java interface and it worked perfectly. Or so I thought...
Anyone reading this should learn from the living hell I've endured this weekend. Learn the command line for these devices first. The web interface will only take you so far.......
Thanks again!
Glad you got it going.
Yes, the GUI is a bit of a departure for Cisco and is a "work in progress". The ASDM is leaps and bounds better than the first PDM, but you still really need to know the command line to troubleshoot.
Here's a tip - use the Options setting to Preview commands before applying them. This will let you review what commands will be applied. They don't always make sense, but it can help you learn.