Solved

How do I create a route from the Inside Network to the DMZ Network?

Posted on 2008-06-25
Medium Priority
212 Views
Last Modified: 2010-04-17
Hello.
I am trying to gain access from the Inside Network (10.17.0.0) to the DMZ Network (192.168.2.0) so we can see our Web Server from the Inside.  The code snippet shows our current configuration with some slight mods for privacy.  Everything is currently working: the VPN connections are going to the VPN Server, the POP3 and IMAP4 connections are going to the Mail Server, and even Web Requests for X.X.X.2 are being directed to the Web Server in the DMZ.  But I just cannot seem to get the setup correct to gain access from the Inside Network to the DMZ Network.  I am sure I am making it way harder than it should be.  Can someone point me in the right direction?
: Saved
: Written by enable_15 at 11:33:14.721 CST Tue Jun 24 2008
!
ASA Version 7.0(7) 
!
hostname COMPANY
domain-name company.local
enable password XXXXXXXXXXXXXXXX encrypted
names
name 10.17.1.2 VPNServer
name 10.17.1.25 MailServer
name 192.168.2.2 WebServer
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.1 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.17.1.254 255.255.0.0 
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd XXXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
access-list inbound extended permit tcp any interface outside eq pop3 
access-list inbound extended permit udp any interface outside eq isakmp 
access-list inbound extended permit tcp any interface outside eq imap4 
access-list inbound extended permit tcp any interface outside eq pptp 
access-list inbound extended permit tcp any host X.X.X.2 eq www 
access-list outbound extended permit tcp host MailServer any eq smtp 
access-list outbound extended deny tcp any any eq smtp 
access-list outbound extended permit ip any any 
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside 10.17.1.50
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.17.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (inside,outside) tcp interface pptp VPNServer pptp netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 MailServer pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 MailServer imap4 netmask 255.255.255.255 
static (inside,outside) udp interface isakmp VPNServer isakmp netmask 255.255.255.255 
static (dmz,outside) X.X.X.2 WebServer netmask 255.255.255.255 
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 24.155.188.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect pptp 
  inspect http 
!
service-policy global_policy global
tftp-server inside 10.17.1.50 /pix_config
Cryptochecksum:eaf24a639eab77ae0c64666a16388cfa
: end

Question by:RHebbe
3 Comments
 
LVL 7

Expert Comment

by:naughton
ID: 21870131
you should eb able to get from inside to a lower security level by default.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21870181
0
 

Accepted Solution

by:
RHebbe earned 0 total points
ID: 21926183
Ok.  I had missed 2 things.  First, we are part of a WAN and our WAN router was grabbing the 192.168.X.X network and shooting it out to our WAN.  Once I fixed that, I was missing following line  

static (inside,dmz) 10.17.0.0 10.17.0.0 netmask 255.255.0.0

Once those 2 things were done, all is working correctly now.
0
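Added editor's example, not part of the original thread and not Cisco's own text: an ASA 7.0 configuration fragment, built from the addresses in the posted config, that explains why the inside-to-dmz flow was dropped and shows the accepted fix next to the common alternative, with the checks to run afterwards. The syslog message and the show commands are standard ASA behaviour; the one assumption is that the inside hosts' default gateway (the WAN router mentioned in the accepted answer) now routes 192.168.2.0/24 to the ASA inside address 10.17.1.254.

```cisco
! Why inside -> dmz was dropped. With "nat-control" every flow through the
! ASA must match a nat/static rule on the pair of interfaces it crosses.
! The only rule covering inside hosts is
!   nat (inside) 1 10.17.1.0 255.255.255.0
! and pool 1 exists only on the outside interface (global (outside) 1 interface).
! There is no "global (dmz) 1", so a packet from 10.17.1.x to 192.168.2.2 has
! no translation on the dmz side and is discarded, logged as
!   %ASA-3-305005: No translation group found for tcp src inside:10.17.1.x/port dst dmz:192.168.2.2/80
! (the inside ACL is not the cause: inside (100) -> dmz (50) is allowed by
! default and the applied "outbound" ACL ends in "permit ip any any").
!
! Fix from the accepted answer: an identity static between inside and dmz.
! Inside addresses appear unchanged on the DMZ and every inside -> dmz flow
! now has an xlate, so nat-control is satisfied.
static (inside,dmz) 10.17.0.0 10.17.0.0 netmask 255.255.0.0
!
! Alternative: PAT inside hosts to the dmz interface address instead.
! The web server would then log 192.168.2.1 for every internal client,
! which is why the identity static above is normally preferred.
! global (dmz) 1 interface
!
! Caveats worth knowing before relying on this:
! - The reverse direction, dmz (50) -> inside (100), stays denied by default,
!   so the identity static does not let the web server open connections
!   inward unless an access-list is applied to the dmz interface. Keep it
!   that way; a compromised DMZ host should not see 10.17.0.0/16 as a target.
! - nat (inside) 1 covers only 10.17.1.0/24 although the inside interface is
!   10.17.0.0/16. Any inside host outside 10.17.1.x has no outside PAT and,
!   under nat-control, is dropped the same way when it goes to the Internet.
!
! Verify after a client on 10.17.1.x opens http://192.168.2.2/ :
! show xlate                      (an entry for 10.17.0.0 on the dmz side)
! show conn | include 192.168.2.2 (a TCP conn inside:10.17.1.x <-> dmz:192.168.2.2)
! show logging | include 305005   (no new entries for inside -> dmz)
```

The order the ASA evaluates these rules in 7.0 is nat 0 access-list (exemption), then static, then nat/global; because static is checked before the nat 1 / global 1 pair, the identity static wins for the inside-to-dmz direction while Internet-bound traffic still uses the outside PAT.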
