
Cisco PIX 515E - Problems With Outside Access

Have a strange problem with my PIX 515E.

There are three interfaces - inside, outside and DMZ. I'm using static NAT to assign real IP addresses on the outside interface to hosts on the DMZ interface.

Am also running a VPN from the device. Two Lan-Lan ones and a dial in.

I tried to change the configuration on the device so that hosts in the DMZ would be visible to dial-in VPN users. I managed to do this without any problem. Since doing so, no hosts on the outside can talk to anything on the DMZ. It's got me a bit stumped to be honest.

The hosts on the DMZ can talk to hosts on the inside interface and outgoing to the Internet just fine. The logs are showing that outside connections in are being denied by the access list Outside_access_in.

Here's some of the conf:

access-list DMZ_nat0_inbound remark No NAT from DMZ - Internal. Use real IP
access-list DMZ_nat0_inbound extended permit ip any Loc1 255.255.255.0
access-list DMZ_nat0_inbound extended permit ip any Loc2 255.255.255.0
access-list Outside_access_in remark Block on South African spammer/virus spreader.
access-list Outside_access_in extended deny ip host 196.34.228.226 any
access-list Outside_access_in extended permit tcp any host host eq smtp
access-list Outside_access_in extended permit tcp any host host eq www
access-list Outside_access_in extended permit tcp any host host eq https
access-list Outside_access_in extended permit tcp any host host2 object-group services
access-list Outside_access_in extended permit tcp any host host3 eq domain
access-list Outside_access_in extended permit tcp any webhost eq www
access-list Outside_access_in extended permit tcp any host webhost eq https
access-list Outside_access_in extended permit tcp any host webmail eq www
access-list Outside_access_in extended permit tcp any host webmail eq https
access-list Outside_access_in extended permit udp any host nshost eq domain

global (Outside) 10 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (inside) 0 access-list to_DMZ
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 0 access-list DMZ_nat0_inbound outside
static (DMZ,Outside) ip1 host2 netmask 255.255.255.255
static (DMZ,Outside) ip2 nshost netmask 255.255.255.255
static (DMZ,Outside) ip3 webmail netmask 255.255.255.255
static (DMZ,Outside) ip4 webhost netmask 255.255.255.255
static (DMZ,Outside) ip5 192.168.2.14 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ

Any help much appreciated!

If it means turning off DMZ access to the dialup VPN, so be it. Outside has priority :)
Asked by gurnox
Rob Williams commented:

lrmoore commented:
I don't see a static entry for "host" as addressed in the acl, but I do see one for "host2"

>access-list Outside_access_in extended permit tcp any host host2 object-group services
>static (DMZ,Outside) ip1 host2 netmask 255.255.255.255

>access-list Outside_access_in extended permit tcp any host host eq smtp
>>> no static to match 'host'

This could account for no inbound traffic to that server.

Rob Williams commented:
Sorry folks just realized post I inserted above was meant for another question:
http://www.experts-exchange.com/Networking/Q_21840556.html
gurnox (author) commented:
The lack of a static entry for that server is more likely me being clumsy when replacing the real hostnames. I don't think it is a problem with the individual static maps as none of the statically mapped servers can be reached from the outside.

The problem only occurred when I tried to make the DMZ accessible over a dialup VPN link (I realise now that split DNS would have been the way to do this. D'oh!). So I'm sure this is something simple that I've broken when doing this. I'm just banging my head against the wall trying to see what it is.

lrmoore commented:
If you can post your complete config, I might be able to assist. If you miss anything in an effort to sanitize, I can edit it out for you.

>access-group DMZ_access_in in interface DMZ
It could be a problem with this acl?

gurnox (author) commented:
Here it is (External IPs and domains invented):

PIX Version 7.0(1)
names
name 192.168.4.0 Borehamwood
name 192.168.2.10 aco-ftp-1
name 192.168.2.2 Switch
name 192.168.2.11 ns0.somedomain.com
name 192.168.4.12 Aunt
name 192.168.3.13 Brother
name 192.168.3.0 London
name 192.168.4.19 ns1.somedomain.com
name 192.168.2.12 relay1.somedomain.com
name 192.168.3.14 son.somedomain.co.uk
name 192.168.5.0 WoolmerHouse
name 192.168.1.0 HongKong
name 192.168.2.13 dad.somedomain.com
name 192.168.3.12 mum.somedomain.co.uk
name 192.168.3.22 aco-backup-1.somedomain.co.uk
!
interface Ethernet0
 description External Interface
 nameif Outside
 security-level 0
 ip address 100.100.100.219 255.255.255.240
!
interface Ethernet1
 description Trusted Interface for internal LANS
 nameif inside
 security-level 100
 ip address 192.168.3.4 255.255.255.0
!
interface Ethernet2
 description DMZ
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password XFCW5lRGhPoeHq0Q encrypted
passwd XFCW5lRGhPoeHq0Q encrypted
hostname aco-firewall-1
domain-name somedomain.co.uk
banner login You are now connected to the SomeCompany PLC network.
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns retries 2
dns timeout 2
dns domain-lookup Outside
dns domain-lookup inside
dns domain-lookup DMZ
dns name-server Brother
dns name-server Aunt
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service aco-ftp-1 tcp
 description TCP services for aco-ftp-1
 port-object eq ssh
 port-object eq ftp-data
 port-object eq ftp
object-group service outside-aco-ftp-1 tcp
 description External FTP access
 port-object eq ftp-data
 port-object eq ftp
object-group network Internal_DNS
 description Active directory servers Aunt and Brother
 network-object Brother 255.255.255.255
 network-object Aunt 255.255.255.255
access-list inside_nat0_outbound remark No NAT for internal network to DMZ. Use real IP.
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list SomeCompany_splitTunnelAcl standard permit London 255.255.255.0
access-list SomeCompany_splitTunnelAcl standard permit Borehamwood 255.255.255.0
access-list SomeCompany_splitTunnelAcl standard permit WoolmerHouse 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.3.96 255.255.255.240
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp host son.somedomain.co.uk eq www host relay1.somedomain.com eq www
access-list inside_access_in extended permit tcp host son.somedomain.co.uk eq https host relay1.somedomain.com eq https
access-list inside_access_in remark Outgoing mail relay hole
access-list inside_access_in extended permit tcp host son.somedomain.co.uk host relay1.somedomain.com eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp host aco-backup-1.somedomain.co.uk host dad.somedomain.com eq 10000
access-list inside_access_in extended permit tcp host aco-backup-1.somedomain.co.uk host dad.somedomain.com range 12000 12100
access-list DMZ_nat0_inbound remark No NAT from DMZ - Internal. Use real IP
access-list DMZ_nat0_inbound extended permit ip any London 255.255.255.0
access-list DMZ_nat0_inbound extended permit ip any Borehamwood 255.255.255.0
access-list Outside_access_in remark Block on South African spammer/virus spreader.
access-list Outside_access_in extended deny ip host 196.34.228.226 any
access-list Outside_access_in extended permit tcp any host relay1.somedomain.com eq smtp
access-list Outside_access_in extended permit tcp any host relay1.somedomain.com eq www
access-list Outside_access_in extended permit tcp any host relay1.somedomain.com eq https
access-list Outside_access_in extended permit tcp any host aco-ftp-1 object-group outside-aco-ftp-1
access-list Outside_access_in extended permit tcp any host ns0.somedomain.com eq domain
access-list Outside_access_in extended permit tcp any host dad.somedomain.com eq www
access-list Outside_access_in extended permit tcp any host dad.somedomain.com eq https
access-list Outside_access_in extended permit tcp any host 192.168.2.14 eq www
access-list Outside_access_in extended permit tcp any host 192.168.2.14 eq https
access-list Outside_access_in extended permit udp any host ns0.somedomain.com eq domain
access-list DMZ_access_in remark Name resolution - Temporary until DNS moved into DMZ
access-list DMZ_access_in extended permit tcp host aco-ftp-1 object-group Internal_DNS eq domain
access-list DMZ_access_in remark Name resolution
access-list DMZ_access_in extended permit udp host aco-ftp-1 object-group Internal_DNS eq domain
access-list DMZ_access_in remark Allow FTP traffic and SSH to Internal Network
access-list DMZ_access_in extended permit tcp host aco-ftp-1 object-group aco-ftp-1 any
access-list DMZ_access_in remark Internal DNS forwarding (TCP)
access-list DMZ_access_in extended permit tcp host ns0.somedomain.com object-group Internal_DNS eq domain
access-list DMZ_access_in remark Internal DNS Forwarding (UDP)
access-list DMZ_access_in extended permit udp host ns0.somedomain.com object-group Internal_DNS eq domain
access-list DMZ_access_in remark SSH access for internal network
access-list DMZ_access_in extended permit tcp host ns0.somedomain.com eq ssh any
access-list DMZ_access_in remark ICMP from Aunt and Brother
access-list DMZ_access_in extended permit icmp host ns0.somedomain.com object-group Internal_DNS
access-list DMZ_access_in remark Allow DNS replies to outside world (TCP)
access-list DMZ_access_in extended permit tcp host ns0.somedomain.com eq domain any eq domain
access-list DMZ_access_in remark Allow DNS replies to outside world (UDP)
access-list DMZ_access_in extended permit udp host ns0.somedomain.com eq domain any eq domain
access-list DMZ_access_in remark TCP access to ns1 for notifies and zone transfers
access-list DMZ_access_in extended permit tcp host ns0.somedomain.com eq domain host ns1.somedomain.com eq domain
access-list DMZ_access_in remark UDP access to ns1 for zone notifies and transfers
access-list DMZ_access_in extended permit udp host ns0.somedomain.com eq domain host ns1.somedomain.com eq domain
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com eq www any
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com eq https any
access-list DMZ_access_in remark OWA relay from relay1 to Son
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com host son.somedomain.co.uk eq www
access-list DMZ_access_in remark OWA proxying
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com host son.somedomain.co.uk eq https
access-list DMZ_access_in remark Outgoing mail relay
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com any eq smtp
access-list DMZ_access_in remark SMTP incoming mail relay hole
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com host son.somedomain.co.uk eq smtp
access-list DMZ_access_in remark Holes to Allow communication between Mum and Dad
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host mum.somedomain.co.uk eq 9899
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host mum.somedomain.co.uk eq sunrpc
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host mum.somedomain.co.uk eq 2049
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host mum.somedomain.co.uk eq 32771
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host mum.somedomain.co.uk eq 32772
access-list DMZ_access_in extended permit tcp host dad.somedomain.com object-group Internal_DNS eq domain
access-list DMZ_access_in extended permit udp host dad.somedomain.com object-group Internal_DNS eq domain
access-list DMZ_access_in extended permit tcp host dad.somedomain.com any eq www
access-list DMZ_access_in extended permit tcp host dad.somedomain.com any eq https
access-list DMZ_access_in extended permit icmp host dad.somedomain.com any
access-list DMZ_access_in extended permit udp host dad.somedomain.com host 192.168.4.102 eq syslog
access-list DMZ_access_in remark backup exec
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host aco-backup-1.somedomain.co.uk range 12000 12100
access-list DMZ_access_in extended permit tcp host dad.somedomain.com host aco-backup-1.somedomain.co.uk eq 6101
access-list DMZ_access_in remark NTP time syncronisation services
access-list DMZ_access_in extended permit udp host relay1.somedomain.com any eq ntp
access-list DMZ_access_in remark Hole to allow http access for AV updates.
access-list DMZ_access_in extended permit tcp host relay1.somedomain.com any eq www
access-list 222 extended permit ip Borehamwood 255.255.255.0 HongKong 255.255.255.0
access-list 222 extended permit ip Borehamwood 255.255.255.0 192.168.3.96 255.255.255.240
access-list 222 extended permit ip London 255.255.255.0 192.168.3.96 255.255.255.240
access-list 222 extended permit ip London 255.255.255.0 WoolmerHouse 255.255.255.0
access-list 222 extended permit ip London 255.255.255.0 HongKong 255.255.255.0
access-list 222 extended permit ip any 192.168.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20_1 extended permit ip any 192.168.3.96 255.255.255.240
access-list 222_V1 remark David Wyndhams home network
access-list 222_V1 extended permit ip London 255.255.255.0 WoolmerHouse 255.255.255.0
access-list 222_V1 extended permit ip London 255.255.255.0 192.168.3.96 255.255.255.240
access-list Outside_cryptomap_242_1 extended permit ip Borehamwood 255.255.255.0 HongKong 255.255.255.0
access-list Outside_cryptomap_242_1 extended permit ip London 255.255.255.0 HongKong 255.255.255.0
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 900 999 host aco-backup-1.somedomain.co.uk range 800 899
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 900 999 host aco-backup-1.somedomain.co.uk range 4800 4899
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 900 999 host aco-backup-1.somedomain.co.uk range 13720 13721
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 4900 4999 host aco-backup-1.somedomain.co.uk range 800 899
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 4900 4999 host aco-backup-1.somedomain.co.uk range 4800 4899
access-list DMZ_access-in extended permit tcp host dad.somedomain.com range 4900 4999 host aco-backup-1.somedomain.co.uk range 13720 13721
access-list to_DMZ extended permit ip London 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_DMZ extended permit ip London 255.255.255.0 WoolmerHouse 255.255.255.0
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 WoolmerHouse 255.255.255.0
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 HongKong 255.255.255.0
access-list to_DMZ extended permit ip London 255.255.255.0 HongKong 255.255.255.0
access-list to_DMZ extended permit ip London 255.255.255.0 192.168.3.96 255.255.255.240
access-list to_DMZ extended permit ip Borehamwood 255.255.255.0 192.168.3.96 255.255.255.240
access-list to_DMZ extended permit ip WoolmerHouse 255.255.255.0 192.168.3.96 255.255.255.240
access-list Outside_nat0_outbound extended permit ip WoolmerHouse 255.255.255.0 192.168.3.96 255.255.255.240
no pager
logging enable
logging trap notifications
logging asdm informational
logging from-address firewall@somedomain.co.uk
logging recipient-address me@somedomain.com level errors
logging host inside 192.168.4.61
logging host inside 192.168.4.102
logging flash-bufferwrap
logging ftp-bufferwrap
logging ftp-server aco-ftp-1 / firewall ****
logging permit-hostdown
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface Outside
ip verify reverse-path interface DMZ
ip local pool DialUpIPs 192.168.3.100-192.168.3.110 mask 255.255.255.255
ip local pool TestPool 192.168.3.240-192.168.3.254 mask 255.255.255.0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no failover
monitor-interface Outside
monitor-interface inside
monitor-interface DMZ
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (inside) 0 access-list to_DMZ
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_inbound outside
static (DMZ,Outside) 100.100.100.215 aco-ftp-1 netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.217 ns0.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.213 relay1.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.212 dad.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.216 192.168.2.14 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 100.100.100.209 1
route inside Borehamwood 255.255.255.0 192.168.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner value You are connected to SomeCompany PLC.
 banner value
 banner value Unauthorised access is prohibited and may result in prosecution. Unless you have
 banner value express permission to use this facility, please disconnect immediately.
 wins-server value Brother Aunt
 dns-server value Brother Aunt
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SomeCompany_splitTunnelAcl
 default-domain value somedomain.co.uk
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy SomeCompany internal
group-policy SomeCompany attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SomeCompany_splitTunnelAcl
 default-domain value somedomain.co.uk
username someone password ** encrypted privilege 0
username someoneelse password ** encrypted privilege 0
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http London 255.255.255.0 inside
http Borehamwood 255.255.255.0 inside
snmp-server host inside 192.168.4.56 poll community this_snmp_ch65w
snmp-server location Madeup Court
snmp-server contact Someone
snmp-server community this_snmp_ch65w
snmp-server enable traps snmp
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set Tunnel-ESPDES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map_1 20 match address Outside_cryptomap_dyn_20_1
crypto dynamic-map Outside_dyn_map_1 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map ForInternet 222 match address 222_V1
crypto map ForInternet 222 set peer 99.99.99.167
crypto map ForInternet 222 set transform-set Tunnel-ESPDES-MD5
crypto map ForInternet 222 set nat-t-disable
crypto map ForInternet 242 match address Outside_cryptomap_242_1
crypto map ForInternet 242 set pfs
crypto map ForInternet 242 set peer 123.123.123.123
crypto map ForInternet 242 set transform-set ESP-3DES-SHA
crypto map ForInternet 242 set nat-t-disable
crypto map ForInternet 65535 ipsec-isakmp dynamic Outside_dyn_map_1
crypto map ForInternet interface Outside
isakmp identity auto
isakmp enable Outside
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption 3des
isakmp policy 22 hash md5
isakmp policy 22 group 1
isakmp policy 22 lifetime 28800
isakmp policy 42 authentication pre-share
isakmp policy 42 encryption 3des
isakmp policy 42 hash sha
isakmp policy 42 group 2
isakmp policy 42 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
telnet London 255.255.255.0 inside
telnet Borehamwood 255.255.255.0 inside
telnet timeout 5
ssh Borehamwood 255.255.255.0 inside
ssh London 255.255.255.0 inside
ssh timeout 25
console timeout 0
dhcpd dns Brother Aunt
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain somedomain.co.uk
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group SomeCompany type ipsec-ra
tunnel-group SomeCompany general-attributes
 address-pool DialUpIPs
 default-group-policy SomeCompany
tunnel-group SomeCompany ipsec-attributes
 pre-shared-key *
tunnel-group 99.99.99.167 type ipsec-l2l
tunnel-group 99.99.99.167 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns
  inspect http
  inspect icmp
!
service-policy global_policy global
ntp server relay1.somedomain.com source DMZ prefer
ntp server Brother source inside
smtp-server 192.168.3.14
management-access inside
Cryptochecksum:8fb9539f55dc4a8f715fe96e63438cdd
: end

lrmoore commented:
Wow. Lots of issues here...

>nat (Outside) 0 access-list Outside_nat0_outbound
You must first remove that entry.

  no nat (Outside) 0 access-list Outside_nat0_outbound
  clear xlate

>nat (inside) 0 access-list to_DMZ
Remove that line, too, and replace it with a static
  no nat (inside) 0 access-list to_DMZ
  static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
  static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

  access-list DMZ_access-in permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
  access-list DMZ_access-in permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0

Given the following information:

>interface Ethernet1
> nameif inside
>> ip address 192.168.3.4 255.255.255.0

>ip local pool DialUpIPs 192.168.3.100-192.168.3.110 mask 255.255.255.255
>ip local pool TestPool 192.168.3.240-192.168.3.254 mask 255.255.255.0

You need to use a separate IP subnet for the client pool(s). Then the access-lists actually make sense and you can separate your internal lan subnet from the client subnet.

For example:
 ip local pool VPNPOOL 192.168.122.1-192.168.122.127 mask 255.255.255.128
  access-list inside_nat0 permit ip 192.168.3.0 255.255.255.0 192.168.122.0 255.255.255.128
  access-list dmz_nat0 permit ip 192.168.2.0 255.255.255.0 192.168.122.0 255.255.255.128
  nat (inside) 0 access-list inside_nat0
  nat (dmz) 0 access-list dmz_nat0
 tunnel-group SomeCompany general-attributes
 address-pool VPNPOOL


 

gurnox (author) commented:
Thanks for the help.

At the moment, I am connecting to the device via one of the dial up IP addresses, so I'm loath to make changes to the IP pools at the moment. Your way does make a LOT more sense, I just can't risk losing a connection to the device.

I have applied:

no nat (Outside) 0 access-list Outside_nat0_outbound
clear xlate

And still cannot access the DMZ based hosts from the outside (If I achieve this and nothing else, I will be happy :) ).

Won't the commands:

no nat (inside) 0 access-list to_DMZ
  static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
  static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
  access-list DMZ_access-in permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
  access-list DMZ_access-in permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0

Grant IP access to the entire inside network via the DMZ interface? I don't really want to allow this. Sorry if I'm missing something here.

lrmoore commented:
>Grant IP access to the entire inside network via the DMZ interface? I don't really want to allow this.
Yes, it will grant full ip access, but you can adjust the acl's if you want.
However, this line is already doing that same thing. All traffic from DMZ to London is already allowed, you're just fudging the nat with a different acl which only complicates matters.

>access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
>access-list to_DMZ extended permit ip London 255.255.255.0 192.168.2.0 255.255.255.0

 You need a nat (inside) 0 acl for the VPN to work. This is what nat0 was designed to do.

>I am connecting to the device via one of the dial up IP addresses
Try using SSH or HTTPS to the PDM ?

gurnox (author) commented:
OK, I have a connection without the VPN.

I've applied all of the changes and this is what has happened:

Still no access to DMZ from Outside (Internet)
Dial Up VPN no longer working
Lan to Lan VPNs no longer working

:)

gurnox (author) commented:
D'oh! Forgot to change the access list to let the new VPN pool connect. Can now get VPN dialup connection.

Suspect I just need to re-add the address exceptions for the .1 and .5 subnets to get lan-lan back too.

lrmoore commented:
>Suspect I just need to re-add the address exceptions for the .1 and .5 subnets to get lan-lan back too.
Add these subnets to the nat0 acl:

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound



gurnox (author) commented:
Thanks again for spending so much time helping me with this.

OK. Lan-Lan access is back.

I'd already started adding them before I read your last post. So I've added the .1 and .5 subnets to the inside_nat0 acl that is already there. I don't really need to give access to the DMZ to either of these subnets, so is it OK to leave out the commands from your last post?

Incidentally, I still have the acl:

access-list inside_nat0_outbound permit ip any 192.168.2.0 255.255.255.0

In the config. OK to delete this now?

Still no access from outside (Internet) to the DMZ. Everything else now seems OK.

gurnox (author) commented:
Stupid me. Of course I need them to have access. Am adding those lines now. OK to delete the line I gave in the last post.  

gurnox (author) commented:
OK. All internal/VPN config is now working.

Any idea on why hosts on the Internet cannot access the hosts on the DMZ interface?

gurnox (author) commented:
The logs are saying that access is being denied by the acl 'Outside_access_in'.

lrmoore commented:
I've never seen name entries and hosts used like this. I don't know if the pix likes the "." dots

>access-list Outside_access_in extended permit tcp any host relay1.somedomain.com eq smtp
>name 192.168.2.12 relay1.somedomain.com

Your access-list has to address the public IP, not the private IP of the server.
Given:
>static (DMZ,Outside) 100.100.100.213 relay1.somedomain.com netmask 255.255.255.255

Acl should read:
 access-list Outside_access_in extended permit tcp any host 100.100.100.213 eq smtp
 
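Added example, not part of the original thread and not anything the poster or lrmoore wrote: a small Python linter for the three configuration mistakes this thread turns on. On PIX 7.x, and on ASA releases before 8.3, an access-list bound to an interface matches addresses as they appear on that interface, so an inbound rule for a statically translated DMZ host must name the public (mapped) address, which is the fix lrmoore gives just above; from ASA 8.3 onward ACLs use real addresses and that check no longer applies. The script also flags VPN address pools that overlap a directly connected subnet (the DialUpIPs pool carved out of 192.168.3.0/24, which lrmoore's earlier comment addresses) and access-lists that are defined but never bound anywhere, which is what happens to the `DMZ_access-in` lines in the posted config since the ACL actually applied to the interface is `DMZ_access_in`. The SAMPLE_CFG below is constructed from the thread's sanitised lines with the same invented addresses; the function names and the finding categories are my own, not a Cisco tool or API.

```python
"""Lint a PIX 7.x / pre-8.3 ASA running-config for three mistakes from this
thread. Added example, not code from the original post; it only reads text.
"""
import ipaddress
import re
import sys

# Constructed sample: a cut-down version of the sanitised config posted above,
# with the same invented addresses and all three faults present.
SAMPLE_CFG = """\
name 192.168.2.12 relay1.somedomain.com
name 192.168.2.10 aco-ftp-1
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 100.100.100.219 255.255.255.240
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.3.4 255.255.255.0
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
interface Ethernet3
 shutdown
 no nameif
 no ip address
access-list Outside_access_in extended permit tcp any host relay1.somedomain.com eq smtp
access-list Outside_access_in extended permit tcp any host 100.100.100.215 eq ftp
access-list Outside_access_in extended permit tcp any host 192.168.2.14 eq www
access-list DMZ_access_in extended permit udp host aco-ftp-1 any eq domain
access-list DMZ_access-in extended permit tcp host aco-ftp-1 any range 800 899
ip local pool DialUpIPs 192.168.3.100-192.168.3.110 mask 255.255.255.255
ip local pool VPNPOOL 192.168.122.1-192.168.122.127 mask 255.255.255.128
static (DMZ,Outside) 100.100.100.215 aco-ftp-1 netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.213 relay1.somedomain.com netmask 255.255.255.255
static (DMZ,Outside) 100.100.100.216 192.168.2.14 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
"""


def parse_names(cfg):
    """'name <ip> <alias>' lines, returned as alias -> ip."""
    return {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}


def parse_interfaces(cfg):
    """nameif -> (security-level, connected IPv4 subnet) for each addressed interface."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = {}
        elif cur is not None and line.startswith(" nameif "):
            cur["name"] = line.split()[1]
        elif cur is not None and line.startswith(" security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line.startswith(" ip address "):
            _, _, ip, mask = line.split()
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            ifaces[cur.get("name", "?")] = (cur.get("level", 100), net)
    return ifaces


def check_outside_acl(cfg, names, ifaces):
    """Pre-8.3 rule: an ACL bound to an interface sees addresses as they appear on
    that interface, so the outside ACL must name the mapped (public) side of a
    static translation. Returns (offending line, corrected line) pairs."""
    mapped = {}  # real (private) ip -> mapped (public) ip
    for pub, real in re.findall(r"^static \(\S+,\S+\) (\S+) (\S+) netmask", cfg, re.M):
        mapped[names.get(real, real)] = names.get(pub, pub)
    outside = min(ifaces, key=lambda n: ifaces[n][0])  # lowest security-level
    bound = re.search(rf"^access-group (\S+) in interface {re.escape(outside)}$", cfg, re.M)
    if not bound:
        return []
    findings = []
    for line in re.findall(rf"^access-list {re.escape(bound.group(1))} extended .*$", cfg, re.M):
        for tok in line.split():
            real = names.get(tok, tok)
            if real in mapped:
                findings.append((line, line.replace(tok, mapped[real])))
    return findings


def check_vpn_pools(cfg, ifaces):
    """A VPN address pool overlapping a connected subnet (the DialUpIPs pool taken
    from the inside LAN) makes nat 0 and ACL entries ambiguous. Returns
    (pool name, overlapping nameif) pairs."""
    findings = []
    for pool, first, last in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        for nameif, (_, net) in ifaces.items():
            if not (hi < net[0] or lo > net[-1]):
                findings.append((pool, nameif))
    return findings


def check_unbound_acls(cfg):
    """ACLs defined but never referenced by access-group, nat, a crypto map or a
    split-tunnel list. A typo in the name leaves the rules silently unused."""
    defined = set(re.findall(r"^access-list (\S+) ", cfg, re.M))
    used = set(re.findall(
        r"^(?:access-group|nat .*access-list|crypto .*match address|"
        r" split-tunnel-network-list value) (\S+)", cfg, re.M))
    return sorted(defined - used)


def lint(cfg):
    names, ifaces = parse_names(cfg), parse_interfaces(cfg)
    return {
        "acl_names_private_side": check_outside_acl(cfg, names, ifaces),
        "pool_overlaps_interface": check_vpn_pools(cfg, ifaces),
        "unbound_acls": check_unbound_acls(cfg),
    }


if __name__ == "__main__":
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for kind, items in lint(cfg).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run it with no argument to see the three findings on the built-in sample, or pass a file containing saved `show running-config` output. The public-address check keys off the `static` lines and the `name` table, so a host that is reachable through a `nat`/`global` pair rather than a static is not checked; that matches the thread, where every DMZ host the outside needs to reach has a one-to-one static.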
gurnox (author) commented:
All working perfectly. THANK YOU!

As you can tell, I'm a bit of a Cisco newbie. My initial configuration was all done via the web/java interface and it worked perfectly. Or so I thought...

Anyone reading this should learn from the living hell I've endured this weekend. Learn the command line for these devices first. The web interface will only take you so far.......

Thanks again!


lrmoore commented:
Glad you got it going.
Yes, the GUI is a bit of a departure for Cisco and is a "work in progress". The ASDM is leaps and bounds better than the first PDM, but you still really need to know the command line to troubleshoot.
Here's a tip - use the Options setting to Preview commands before applying them. This will let you review what commands will be applied. They don't always make sense, but it can help you learn.