ptcis
asked on
Need help with setting up DMZ
I am trying to get a DMZ with a web server up and running. I've gone through the instructions on ASDM from the Cisco web site, but I still am unable to communicate with the web server. Can you please let me know what I'm doing wrong? Thanks.
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name parmatube.com
enable password uwdQIX4kuXiD6gGn encrypted
names
name 192.168.5.0 PTCKZ description PTCKZ
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.178 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.6.3 255.255.255.0
!
interface Ethernet0/2
nameif guest
security-level 10
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/3
nameif DMZ
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.254.1 255.255.255.0
management-only
!
passwd uwdQIX4kuXiD6gGn encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name parmatube.com
access-list outside_in extended permit icmp any any echo-reply
access-list ptcremotevpn standard permit 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.4
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit gre any host x.x.x.179
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit tcp any host x.x.x.180 eq https
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit 80 any host x.x.x.180
access-list outside_access_in extended permit tcp any host x.x.x.180 eq www
access-list outside_access_in extended permit tcp any eq www host x.x.x.178 eq www
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list DMZ_access_in extended permit tcp host 10.10.10.3 any eq www
access-list DMZ_access_in extended permit udp host 10.10.10.3 any eq domain
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list inside_dmz extended permit ip 192.168.6.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_dmz extended permit tcp any host 205.217.85.178 eq www
access-list inside_dmz extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu management 1500
mtu DMZ 1500
ip local pool VPNPool 192.168.8.1-192.168.8.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location x.x.x.179 255.255.255.255 inside
asdm location PTCKZ 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 200 10.10.10.50-10.10.10.60 netmask 255.0.0.0
global (DMZ) 200 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp interface www 10.10.10.3 www netmask 255.255.255.255
static (inside,outside) x.x.x.179 192.168.1.119 netmask 255.255.255.255
static (inside,outside) x.x.x.180 192.168.1.4 netmask 255.255.255.255
static (DMZ,inside) 10.10.10.3 205.217.85.178 netmask 255.255.255.255
static (inside,DMZ) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
route inside 192.168.1.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ptc1208k protocol kerberos
aaa-server ptc1208 protocol kerberos
aaa-server ptc1208 host 192.168.1.10
kerberos-realm PARMATUBE
aaa-server ptc1208n protocol nt
aaa-server ptc1208n host 192.168.1.10
nt-auth-domain-controller PTC1208
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.150.45.171
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 97.92.47.199
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn ciscoasa
subject-name CN=ciscoasa
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.100.2-192.168.100.25 guest
dhcpd dns x.x.x.10 x.x.1x.15 interface guest
dhcpd update dns override interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics access-list
webvpn
enable outside
group-policy ptcremotevpn internal
group-policy ptcremotevpn attributes
dns-server value 192.168.1.10
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelall
default-domain value parmatube.com
webvpn
url-list value PTC_Workstations
port-forward enable Parmatube_LAN
username vpnuser password tAtXXvCxpjX0dUEC encrypted privilege 15
username vpnuser attributes
vpn-group-policy ptcremotevpn
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group ptc1208n
default-group-policy ptcremotevpn
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization PTCWebVPN
tunnel-group ptcremotevpn type remote-access
tunnel-group ptcremotevpn general-attributes
address-pool VPNPool
authentication-server-group ptc1208n
authentication-server-group (inside) ptc1208n
default-group-policy ptcremotevpn
tunnel-group ptcremotevpn ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.171 type ipsec-l2l
tunnel-group x.x.x.171 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.199 type ipsec-l2l
tunnel-group x.x.x.199 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:084be7d49cf59c613a5e5c3524d1b147
ASKER
I cannot communicate with the web server at all. It's like all channels of communication are being blocked, but I cannot figure out why.
ASKER
Okay, now I think I'm getting closer, but I keep receiving this in my logs when I try to access the web server from outside.
4 Jul 01 2008 07:40:08 106023 12.150.45.171 205.217.85.178 Deny tcp src outside:xx.xx.45.171/3269 dst guest:xx.xx.85.178/80 by access-group "outside_access_in" [0x0, 0x0]
And this is when I try to access from the inside.
3 Jul 01 2008 07:41:30 710003 192.168.1.69 205.217.85.178 TCP access denied by ACL from 192.168.1.69/4762 to inside:x.x.85.178/80
Here is my config:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name parmatube.com
enable password uwdQIX4kuXiD6gGn encrypted
names
name 192.168.5.0 PTCKZ description PTCKZ
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.85.178 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.6.3 255.255.255.0
!
interface Ethernet0/2
nameif guest
security-level 50
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.254.1 255.255.255.0
management-only
!
passwd uwdQIX4kuXiD6gGn encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name parmatube.com
access-list outside_in extended permit icmp any any echo-reply
access-list ptcremotevpn standard permit 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.4
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit gre any host x.x.85.179
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit tcp any host x.x.85.180 eq https
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit 80 any host x.x.85.180
access-list outside_access_in extended permit tcp any host x.x.85.180 eq www
access-list outside_access_in extended permit tcp any eq www host x.x.85.178 eq www
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu management 1500
ip local pool VPNPool 192.168.8.1-192.168.8.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location x.x.85.179 255.255.255.255 inside
asdm location PTCKZ 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
static (guest,outside) tcp interface www 192.168.100.10 www netmask 255.255.255.255
static (inside,outside) x.x.85.179 192.168.1.119 netmask 255.255.255.255
static (inside,outside) x.x.85.180 192.168.1.4 netmask 255.255.255.255
static (inside,guest) 192.168.100.0 192.168.1.0 netmask 255.255.255.0
static (guest,inside) 192.168.100.10 x.x.85.178 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.85.177 1
route inside 192.168.1.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ptc1208k protocol kerberos
aaa-server ptc1208 protocol kerberos
aaa-server ptc1208 host 192.168.1.10
kerberos-realm PARMATUBE
aaa-server ptc1208n protocol nt
aaa-server ptc1208n host 192.168.1.10
nt-auth-domain-controller PTC1208
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.45.171
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer x.x.47.199
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn ciscoasa
subject-name CN=ciscoasa
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
x
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.100.2-192.168.100.25 guest
dhcpd dns x.x.x.10 x.x.x.15 interface guest
dhcpd update dns override interface guest
dhcpd enable guest
!
Let me know if you can see anything I'm missing! Thanks!
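An added example, not from the original post or from Cisco: a small Python checker that parses an ASA 8.0-style extended access-list (the outside_access_in list from the configs above) and a 106023 deny message like the one above, then reports which ACE should have permitted the denied flow and which ACEs fail only on a source-port qualifier. The public addresses are constructed RFC 5737 stand-ins for the redacted x.x.85.x and xx.xx.45.171 values.

```python
"""Check the flow denied in an ASA %ASA-4-106023 message against an ASA 8.0-style
extended access-list and report which ACE (if any) should have permitted it."""
import ipaddress
import re
from collections import namedtuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}  # names the ACL uses

# Constructed ACL: the page's outside_access_in with the redacted x.x.85.x public
# addresses replaced by RFC 5737 documentation addresses (203.0.113.x).
SAMPLE_ACL = """
access-list outside_access_in extended permit gre any host 203.0.113.179
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit tcp any host 203.0.113.180 eq https
access-list outside_access_in extended permit 80 any host 203.0.113.180
access-list outside_access_in extended permit tcp any host 203.0.113.180 eq www
access-list outside_access_in extended permit tcp any eq www host 203.0.113.178 eq www
"""
# Constructed syslog line in the shape of the page's 106023 deny message.
SAMPLE_LOG = ('4 Jul 01 2008 07:40:08 106023 198.51.100.171 203.0.113.178 Deny tcp '
              'src outside:198.51.100.171/3269 dst guest:203.0.113.178/80 '
              'by access-group "outside_access_in" [0x0, 0x0]')
LOG_RE = re.compile(
    r'106023 .*?Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

# proto is tcp/udp/ip/gre/... or an IP protocol NUMBER: "permit 80 ..." means IP
# protocol 80, not TCP port 80. src_port/dst_port are None without an "eq PORT".
Ace = namedtuple("Ace", "name action proto src src_port dst dst_port text")
Flow = namedtuple("Flow", "proto sip sport dip dport acl")

def _addr(t, i):
    """Consume one address spec (any | host A | NET MASK); return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):
    """Consume an optional 'eq PORT' qualifier; return (port or None, next i)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]' lines;
    remark lines and standard ACLs are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _addr(t, 5)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append(Ace(t[1], t[3], t[4], src, sport, dst, dport, line.strip()))
    return aces

def parse_106023(line):
    """Extract the denied 5-tuple and the ACL name from a 106023 message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ASA 106023 ACL-deny message")
    return Flow(m["proto"].lower(), ipaddress.ip_address(m["sip"]), int(m["sport"]),
                ipaddress.ip_address(m["dip"]), int(m["dport"]), m["acl"])

def _matches(a, f, ignore_src_port=False):
    return (a.name == f.acl and a.proto in ("ip", f.proto)
            and f.sip in a.src and f.dip in a.dst
            and (ignore_src_port or a.src_port in (None, f.sport))
            and a.dst_port in (None, f.dport))

def first_match(aces, flow):
    """First ACE matching the flow, in order; None means the implicit deny fired."""
    return next((a for a in aces if _matches(a, flow)), None)

def near_misses(aces, flow):
    """ACEs that match everything except a source-port qualifier ('any eq www'
    restricts the CLIENT's ephemeral port, which is almost never what was meant)."""
    return [a for a in aces if not _matches(a, flow) and _matches(a, flow, True)]
```

Run it on a real `show access-list` dump and a 106023 line from `show logging` to see whether the drop was the implicit deny or a mis-placed port qualifier.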
ASKER
Okay, I got the first part working. But I am still having problems when accessing the site from inside. Anyone please help. Thanks.
What is happening that is different from what you expect?
Cheers.