cjrcomputers asked:
Setting up DMZ on ASA 5505
I have an ASA 5505 with the Security Plus package and would like to set up a DMZ for an ISA server and a web server. Right now I have been able to set up a VLAN for the DMZ, was able to set up an external IP address for one of the DMZ servers, and am able to get out to the internet on both DMZ servers. The problem I'm having is pinging either DMZ server from the inside network and pinging the inside from the DMZ network. Of course I am also not able to connect to any of the websites on the web server from the inside. Your help would be greatly appreciated.
ASKER
x = outside IP address. Thanks.
ASA Version 7.2(3)
!
hostname brookpix
domain-name cjrcomputers.domain
enable password xxxxxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxxxxxxx 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.200.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
passwd xxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name cjrcomputers.domain
object-group network CJR_BROOKHILL_LAN
description network at 9B Brook HIll Lane
network-object 192.168.1.0 255.255.255.0
object-group network CJR_BROOKHILL_DMZ
description dmz network at brookhill
network-object 10.10.200.0 255.255.255.0
object-group network CJR_LEHIGH_LAN
description network at 1700 lehigh
network-object 192.168.2.0 255.255.255.0
object-group network LYNN_LAN
description network at lynns apartment
network-object 192.168.5.0 255.255.255.0
object-group network CJR_DMZ_ISA
network-object host 10.10.200.3
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 26
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq citrix-ica
access-list outside_access_in extended permit udp any interface outside eq 1494
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq domain
access-list outside_access_in extended permit udp any interface outside eq domain
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface inside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list inside_access_in extended permit ip any any
access-list acl_mdc_outside_access extended permit tcp any host xxxxx eq smtp
access-list acl_mdc_outside_access extended permit esp any any
access-list acl_mdc_outside_access extended permit udp any any eq 4500
access-list acl_mdc_outside_access extended permit udp any any eq isakmp
access-list inside_nat0_outbound extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list outside_cryptomap_1 extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list inside_outbound_nat0_acl extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list inside_outbound_nat0_acl extended permit ip any 192.168.1.180 255.255.255.252
access-list CJR_VPN_NEW_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list acl_mdc_inside_nat0 extended permit ip any 192.168.1.180 255.255.255.252
access-list acl_mdc_DMZ_access extended permit esp any any
access-list acl_mdc_DMZ_access extended permit udp any any eq 4500
access-list acl_mdc_DMZ_access extended permit udp any any eq isakmp
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq https
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1645
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1646
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1812
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1813
access-list acl_mdc_DMZ_access extended permit ip any any
access-list acl_mdc_DMZ_access extended permit icmp any any
access-list outside_cryptomap_65535.20 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.180 255.255.255.252
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.180 255.255.255.252
access-list splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote 192.168.1.180-192.168.1.182
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-523.bin
asdm location 192.168.1.22 255.255.255.255 inside
asdm group CJR_BROOKHILL_LAN inside
asdm group CJR_LEHIGH_LAN outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.250 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 26 192.168.1.250 26 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.244 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.201 8080 netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.250 domain netmask 255.255.255.255
static (inside,outside) udp interface domain 192.168.1.250 domain netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 192.168.1.201 citrix-ica netmask 255.255.255.255
static (inside,outside) udp interface 1494 192.168.1.201 1494 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.250 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.21 ftp netmask 255.255.255.255
static (inside,outside) xxxxxxxxx 192.168.1.22 netmask 255.255.255.255
static (inside,dmz) 10.10.200.0 10.10.200.0 netmask 255.255.255.0
static (dmz,inside) 10.10.200.3 xxxxxxxx netmask 255.255.255.255
static (dmz,outside) xxxxxxxxx 10.10.200.3 netmask 255.255.255.255
static (dmz,inside) xxxxxxxxxx 10.10.200.3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group acl_mdc_DMZ_access in interface dmz
route outside 0.0.0.0 0.0.0.0 208.125.131.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.244
timeout 5
key cjr123
aaa-server SERVER protocol radius
aaa-server SERVER host 192.168.1.244
timeout 5
key cjr123
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cryptod_mdc_outside 30 set pfs
crypto dynamic-map cryptod_mdc_outside 30 set transform-set ESP-3DES-SHA
crypto dynamic-map cryptod_mdc_outside 30 set security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer xxxxxxxxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map crypto_mdc_outside 65535 ipsec-isakmp dynamic cryptod_mdc_outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 21
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.45-192.168.1.47 inside
dhcpd dns 192.168.1.244 interface inside
dhcpd domain cjrcomputers.domain interface inside
dhcpd enable inside
!
!
!
group-policy CJR_VPN_NEW internal
group-policy CJR_VPN_NEW attributes
dns-server value 192.168.1.244
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CJR_VPN_NEW_splitTunnelAcl
default-domain value cjrcomputers.domain
group-policy cjrvpn internal
group-policy cjrvpn attributes
vpn-tunnel-protocol IPSec
default-domain value cjrcomputers.domain
username crice password P78ljucnWDQdEvgV encrypted privilege 15
username crice attributes
vpn-group-policy CJR_VPN_NEW
group-lock value CJR_VPN_NEW
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 5
tunnel-group xxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxx ipsec-attributes
pre-shared-key 7402501
isakmp keepalive threshold 10 retry 5
tunnel-group CJR_VPN_NEW type ipsec-ra
tunnel-group CJR_VPN_NEW general-attributes
address-pool remote
default-group-policy CJR_VPN_NEW
tunnel-group CJR_VPN_NEW ipsec-attributes
pre-shared-key cjr123
tunnel-group cjrvpn type ipsec-ra
tunnel-group cjrvpn general-attributes
address-pool remote
default-group-policy cjrvpn
tunnel-group cjrvpn ipsec-attributes
pre-shared-key cjr1234
prompt hostname context
Cryptochecksum:aac8ea7b4cfbc201189a1fa00c9606b0
: end
ASKER CERTIFIED SOLUTION
ASKER
Didn't work...
Please specify what exactly didn't work and what the source and destination IPs are in your connectivity test. Also, post your current running configuration...
ASKER
I just found out that I now am able to ping the inside from the dmz but cannot ping the dmz from the inside. Here is the current configuration:
: Saved
: Written by enable_15 at 19:57:16.989 UTC Sat Feb 9 2008
!
ASA Version 7.2(3)
!
hostname brookpix
domain-name cjrcomputers.domain
enable password 3jrnPxArBAohuBx9 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxx 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.200.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 3jrnPxArBAohuBx9 encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name cjrcomputers.domain
object-group network CJR_BROOKHILL_LAN
description network at 9B Brook HIll Lane
network-object 192.168.1.0 255.255.255.0
object-group network CJR_BROOKHILL_DMZ
description dmz network at brookhill
network-object 10.10.200.0 255.255.255.0
object-group network CJR_LEHIGH_LAN
description network at 1700 lehigh
network-object 192.168.2.0 255.255.255.0
object-group network LYNN_LAN
description network at lynns apartment
network-object 192.168.5.0 255.255.255.0
object-group network CJR_DMZ_ISA
network-object host 10.10.200.3
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 26
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq citrix-ica
access-list outside_access_in extended permit udp any interface outside eq 1494
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq domain
access-list outside_access_in extended permit udp any interface outside eq domain
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface inside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list inside_access_in extended permit ip any any
access-list acl_mdc_outside_access extended permit tcp any host xxxx eq smtp
access-list acl_mdc_outside_access extended permit esp any any
access-list acl_mdc_outside_access extended permit udp any any eq 4500
access-list acl_mdc_outside_access extended permit udp any any eq isakmp
access-list inside_nat0_outbound extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list outside_cryptomap_1 extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list inside_outbound_nat0_acl extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list inside_outbound_nat0_acl extended permit ip any 192.168.1.180 255.255.255.252
access-list CJR_VPN_NEW_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list acl_mdc_inside_nat0 extended permit ip any 192.168.1.180 255.255.255.252
access-list acl_mdc_DMZ_access extended permit esp any any
access-list acl_mdc_DMZ_access extended permit udp any any eq 4500
access-list acl_mdc_DMZ_access extended permit udp any any eq isakmp
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq https
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1645
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1646
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1812
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1813
access-list acl_mdc_DMZ_access extended permit ip any any
access-list acl_mdc_DMZ_access extended permit icmp any any
access-list acl_mdc_DMZ_access extended permit icmp any any echo-reply
access-list outside_cryptomap_65535.20 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.180 255.255.255.252
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.180 255.255.255.252
access-list splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote 192.168.1.180-192.168.1.182
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-523.bin
asdm location 192.168.1.22 255.255.255.255 inside
asdm group CJR_BROOKHILL_LAN inside
asdm group CJR_LEHIGH_LAN outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.250 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 26 192.168.1.250 26 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.244 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.201 8080 netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.250 domain netmask 255.255.255.255
static (inside,outside) udp interface domain 192.168.1.250 domain netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 192.168.1.201 citrix-ica netmask 255.255.255.255
static (inside,outside) udp interface 1494 192.168.1.201 1494 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.250 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.21 ftp netmask 255.255.255.255
static (inside,outside) xxx 192.168.1.22 netmask 255.255.255.255
static (dmz,outside) xxx 10.10.200.3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group acl_mdc_DMZ_access in interface dmz
route outside 0.0.0.0 0.0.0.0 208.125.131.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.244
timeout 5
key cjr123
aaa-server SERVER protocol radius
aaa-server SERVER host 192.168.1.244
timeout 5
key cjr123
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cryptod_mdc_outside 30 set pfs
crypto dynamic-map cryptod_mdc_outside 30 set transform-set ESP-3DES-SHA
crypto dynamic-map cryptod_mdc_outside 30 set security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map crypto_mdc_outside 65535 ipsec-isakmp dynamic cryptod_mdc_outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 21
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.45-192.168.1.47 inside
dhcpd dns 192.168.1.244 interface inside
dhcpd domain cjrcomputers.domain interface inside
dhcpd enable inside
!
!
!
group-policy CJR_VPN_NEW internal
group-policy CJR_VPN_NEW attributes
dns-server value 192.168.1.244
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CJR_VPN_NEW_splitTunnelAcl
default-domain value cjrcomputers.domain
group-policy cjrvpn internal
group-policy cjrvpn attributes
vpn-tunnel-protocol IPSec
default-domain value cjrcomputers.domain
username crice password P78ljucnWDQdEvgV encrypted privilege 15
username crice attributes
vpn-group-policy CJR_VPN_NEW
group-lock value CJR_VPN_NEW
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 5
tunnel-group xx type ipsec-l2l
tunnel-group xxx ipsec-attributes
pre-shared-key 7402501
isakmp keepalive threshold 10 retry 5
tunnel-group CJR_VPN_NEW type ipsec-ra
tunnel-group CJR_VPN_NEW general-attributes
address-pool remote
default-group-policy CJR_VPN_NEW
tunnel-group CJR_VPN_NEW ipsec-attributes
pre-shared-key cjr123
tunnel-group cjrvpn type ipsec-ra
tunnel-group cjrvpn general-attributes
address-pool remote
default-group-policy cjrvpn
tunnel-group cjrvpn ipsec-attributes
pre-shared-key cjr1234
prompt hostname context
Cryptochecksum:29df6e3eb0925492d37cdfbd7ed28d83
: end
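The two NAT sections posted in this thread differ in the static (inside,dmz) line (10.10.200.0 in the first config, 192.168.1.0 in the second), and the thread reports that dmz-to-inside pings started working after that change. As an added illustration, not code from the thread or from Cisco, the Python model below of the pre-8.3 ASA NAT lookup reproduces that: it assumes static NAT is consulted before the nat/global pair and that a source matching a nat id with no global on the egress interface is dropped (the "No translation group found" case); nat 0 exemption, policy NAT, port statics and interface ACLs are deliberately left out, and the dmz ACL in the thread ends in permit ip any any in any case.

```python
"""Minimal model of the pre-8.3 ASA NAT lookup (assumed simplification,
added here, not taken from the thread or from Cisco documentation):
a static NAT entry is consulted first in either direction; otherwise a
source matching "nat (ingress) N" needs a "global (egress) N", and without
one the ASA drops the flow (syslog 305005, no translation group found)."""
import ipaddress
import re

# Only the three statement forms the model needs. Port statics such as
# "static (inside,outside) tcp interface smtp ..." do not match STATIC_RE
# and "nat (x) 0 access-list ..." is skipped by the ValueError below.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")


def _net(addr, mask):
    """Build a network from an address and a dotted netmask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_nat(config):
    """Collect the static, nat and global statements of a running-config."""
    cfg = {"static": [], "nat": [], "global": []}
    for line in config.splitlines():
        line = line.strip()
        s, n, g = STATIC_RE.match(line), NAT_RE.match(line), GLOBAL_RE.match(line)
        try:
            if s:
                real_if, mapped_if, mapped, real, mask = s.groups()
                cfg["static"].append({"real_if": real_if, "mapped_if": mapped_if,
                                      "real": _net(real, mask), "mapped": _net(mapped, mask)})
            elif n:
                iface, nat_id, net, mask = n.groups()
                cfg["nat"].append({"if": iface, "id": nat_id, "net": _net(net, mask)})
            elif g:
                iface, nat_id, pool = g.groups()
                cfg["global"].append({"if": iface, "id": nat_id, "pool": pool})
        except ValueError:
            pass  # "nat (inside) 0 access-list ..." or a masked "xxx" address: not modelled
    return cfg


def translation(cfg, ingress, egress, src, dst):
    """Describe the rule carrying src -> dst from ingress to egress, or return
    None where the ASA would drop the flow for lack of a translation."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Static NAT first: source on the real side, or destination on the mapped side.
    for s in cfg["static"]:
        if (s["real_if"], s["mapped_if"]) == (ingress, egress) and src in s["real"]:
            return f"static ({ingress},{egress}): {src} leaves as its mapped address"
        if (s["mapped_if"], s["real_if"]) == (ingress, egress) and dst in s["mapped"]:
            return f"static ({egress},{ingress}): {dst} is untranslated to the real host"
    # 2. Dynamic NAT/PAT: a nat id on ingress must be paired with a global on egress.
    for n in cfg["nat"]:
        if n["if"] == ingress and src in n["net"]:
            for g in cfg["global"]:
                if g["if"] == egress and g["id"] == n["id"]:
                    return f"nat ({ingress}) {n['id']} + global ({egress}) {g['id']} {g['pool']}"
            return None  # matched a nat statement but no global on egress: dropped
    # 3. Nothing matched: with nat-control off the packet is forwarded untranslated.
    return "no nat statement matches: forwarded untranslated"


# Constructed excerpts of the NAT sections posted in the thread.
FIRST_CONFIG = """
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
static (inside,dmz) 10.10.200.0 10.10.200.0 netmask 255.255.255.0
"""
SECOND_CONFIG = FIRST_CONFIG.replace(
    "static (inside,dmz) 10.10.200.0 10.10.200.0 netmask 255.255.255.0",
    "static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0")

if __name__ == "__main__":
    for label, text in (("first config", FIRST_CONFIG), ("second config", SECOND_CONFIG)):
        cfg = parse_nat(text)
        print(label)
        print("  inside -> dmz :", translation(cfg, "inside", "dmz", "192.168.1.22", "10.10.200.3"))
        print("  dmz -> inside :", translation(cfg, "dmz", "inside", "10.10.200.3", "192.168.1.22"))
```

With the first config the dmz-to-inside flow returns None (nat (dmz) 1 matches but there is no global (inside) 1), while the second config carries it through the static; the inside-to-dmz flow has a translation in both configs, so whatever still blocks that ping is outside this NAT model.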
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote 192.168.1.180-192.168.1.18
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-523.bin
asdm location 192.168.1.22 255.255.255.255 inside
asdm group CJR_BROOKHILL_LAN inside
asdm group CJR_LEHIGH_LAN outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.250 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 26 192.168.1.250 26 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.244 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.201 8080 netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.250 domain netmask 255.255.255.255
static (inside,outside) udp interface domain 192.168.1.250 domain netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 192.168.1.201 citrix-ica netmask 255.255.255.255
static (inside,outside) udp interface 1494 192.168.1.201 1494 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.250 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.21 ftp netmask 255.255.255.255
static (inside,outside) xxx 192.168.1.22 netmask 255.255.255.255
static (dmz,outside) xxx 10.10.200.3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group acl_mdc_DMZ_access in interface dmz
route outside 0.0.0.0 0.0.0.0 208.125.131.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.244
timeout 5
key cjr123
aaa-server SERVER protocol radius
aaa-server SERVER host 192.168.1.244
timeout 5
key cjr123
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cryptod_mdc_outside 30 set pfs
crypto dynamic-map cryptod_mdc_outside 30 set transform-set ESP-3DES-SHA
crypto dynamic-map cryptod_mdc_outside 30 set security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map crypto_mdc_outside 65535 ipsec-isakmp dynamic cryptod_mdc_outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 21
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.45-192.168.1.47 inside
dhcpd dns 192.168.1.244 interface inside
dhcpd domain cjrcomputers.domain interface inside
dhcpd enable inside
!
!
!
group-policy CJR_VPN_NEW internal
group-policy CJR_VPN_NEW attributes
dns-server value 192.168.1.244
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CJR_VPN_NEW_splitTunnelAcl
default-domain value cjrcomputers.domain
group-policy cjrvpn internal
group-policy cjrvpn attributes
vpn-tunnel-protocol IPSec
default-domain value cjrcomputers.domain
username crice password P78ljucnWDQdEvgV encrypted privilege 15
username crice attributes
vpn-group-policy CJR_VPN_NEW
group-lock value CJR_VPN_NEW
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 5
tunnel-group xx type ipsec-l2l
tunnel-group xxx ipsec-attributes
pre-shared-key 7402501
isakmp keepalive threshold 10 retry 5
tunnel-group CJR_VPN_NEW type ipsec-ra
tunnel-group CJR_VPN_NEW general-attributes
address-pool remote
default-group-policy CJR_VPN_NEW
tunnel-group CJR_VPN_NEW ipsec-attributes
pre-shared-key cjr123
tunnel-group cjrvpn type ipsec-ra
tunnel-group cjrvpn general-attributes
address-pool remote
default-group-policy cjrvpn
tunnel-group cjrvpn ipsec-attributes
pre-shared-key cjr1234
prompt hostname context
Cryptochecksum:29df6e3eb09
: end
For the dmz host you can't ping from the inside, can you ping that same dmz host from the firewall CLI? What are the source and destination IP addresses that you are using for this ping test?
ASKER
I was pinging from 10.10.200.3(Soon to be an ISA server) to one of the servers at 192.168.1.250.
I am not able to ping 10.10.200.3 from 192.168.1.250.
I am not able to ping 10.10.200.3 from the firewall CLI.
If you can't ping 10.10.200.3 from the firewall, you surely won't be able to ping it from any inside hosts.
If you can't ping 10.10.200.3 from 10.10.200.1 (the firewall's dmz interface), then I would be looking at that dmz host to see if it will respond to pings from other dmz hosts. Can you get it to respond to pings from another host on the 10.10.200.0/24 network segment (the dmz)?
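An added example, not from the thread or from Cisco: a small first-match evaluator for the dmz ACL in the posted config, which shows why the ASA side already allows the inside-to-dmz ping (without inspect icmp, which the posted config does not show, ASA 7.2 handles ICMP statelessly, so the echo-reply coming back in on the dmz interface must be permitted by acl_mdc_DMZ_access, and the permit icmp any any echo-reply line does that) and why the permit ip any any line above it also lets any dmz host open any connection into the inside LAN. TIGHTENED is a constructed alternative ACL, not something proposed in the thread, and OBJECT_GROUPS is resolved by hand from the posted object-group lines.

```python
import ipaddress
# Constructed excerpt of the posted ASA 7.2 config: the dmz ACL (first match wins).
POSTED = """
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq https
access-list acl_mdc_DMZ_access extended permit ip any any
access-list acl_mdc_DMZ_access extended permit icmp any any echo-reply
"""
# Constructed alternative, not from the thread: ISA permits and echo replies still
# pass, but the dmz can no longer open connections into the inside LAN.
TIGHTENED = """
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq https
access-list acl_mdc_DMZ_access extended permit icmp any any echo-reply
access-list acl_mdc_DMZ_access extended deny ip any object-group CJR_BROOKHILL_LAN
access-list acl_mdc_DMZ_access extended permit ip any any
"""
OBJECT_GROUPS = {  # resolved by hand from the posted object-group definitions
    "CJR_DMZ_ISA": [ipaddress.ip_network("10.10.200.3/32")],
    "CJR_BROOKHILL_LAN": [ipaddress.ip_network("192.168.1.0/24")],
}

def _addr(tokens):
    """Consume one ASA address spec: any | A MASK | object-group NAME."""
    t = tokens.pop(0)
    if t == "any":
        return lambda ip: True
    if t == "object-group":
        return lambda ip, nets=OBJECT_GROUPS.get(tokens.pop(0), []): any(ip in n for n in nets)
    return lambda ip, net=ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False): ip in net

def parse_acl(config, name):
    """ACEs of `name` in config order: (action, proto, src, dst, port, icmp_type)."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", name, "extended"]:
            continue
        action, proto, rest = tok[3], tok[4], tok[5:]
        src, dst = _addr(rest), _addr(rest)
        port = rest[1] if rest[:1] == ["eq"] else None
        icmp_type = rest[0] if proto == "icmp" and rest else None
        aces.append((action, proto, src, dst, port, icmp_type))
    return aces

def acl_action(aces, proto, src, dst, port=None, icmp_type=None):
    """First matching ACE wins; no match at all is the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sm, dm, aport, atype in aces:
        if (p in (proto, "ip") and sm(s) and dm(d)
                and aport in (None, port) and atype in (None, icmp_type)):
            return action
    return "deny"
```

Run acl_action over POSTED with proto "tcp" from 10.10.200.99 to 192.168.1.250 port 3389 and it returns "permit", which is the part of the posted ACL worth revisiting once the hosts are reachable.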
ASKER
Geeze I figured out the problem. The windows firewall was turned on at 10.10.200.3. I am now able to ping between two dmz hosts and able to ping from the inside as well. Thank you very much for your help.
Glad to help!
If you post your config, I can give exact commands to make it work (sanitized, please)