Solved

How do I create a route from the Inside Network to the DMZ Network?

Posted on 2008-06-25
Last Modified: 2010-04-17
Hello.
I am trying to gain access from the Inside Network (10.17.0.0) to the DMZ Network (192.168.2.0) so we can see our Web Server from the Inside.  The code snippet shows our current configuration with some slight mods for privacy.  Everything is currently working: the VPN connections are going to the VPN Server, the POP3 and IMAP4 connections are going to the Mail Server, and even Web Requests for X.X.X.2 are being directed to the Web Server in the DMZ.  But I just cannot seem to get the setup correct to gain access from the Inside Network to the DMZ Network.  I am sure I am making it way harder than it should be.  Can someone point me in the right direction?
: Saved
: Written by enable_15 at 11:33:14.721 CST Tue Jun 24 2008
!
ASA Version 7.0(7) 
!
hostname COMPANY
domain-name company.local
enable password XXXXXXXXXXXXXXXX encrypted
names
name 10.17.1.2 VPNServer
name 10.17.1.25 MailServer
name 192.168.2.2 WebServer
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.1 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.17.1.254 255.255.0.0 
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd XXXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
access-list inbound extended permit tcp any interface outside eq pop3 
access-list inbound extended permit udp any interface outside eq isakmp 
access-list inbound extended permit tcp any interface outside eq imap4 
access-list inbound extended permit tcp any interface outside eq pptp 
access-list inbound extended permit tcp any host X.X.X.2 eq www 
access-list outbound extended permit tcp host MailServer any eq smtp 
access-list outbound extended deny tcp any any eq smtp 
access-list outbound extended permit ip any any 
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside 10.17.1.50
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.17.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (inside,outside) tcp interface pptp VPNServer pptp netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 MailServer pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 MailServer imap4 netmask 255.255.255.255 
static (inside,outside) udp interface isakmp VPNServer isakmp netmask 255.255.255.255 
static (dmz,outside) X.X.X.2 WebServer netmask 255.255.255.255 
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 24.155.188.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect pptp 
  inspect http 
!
service-policy global_policy global
tftp-server inside 10.17.1.50 /pix_config
Cryptochecksum:eaf24a639eab77ae0c64666a16388cfa
: end

Question by:RHebbe
3 Comments
 
LVL 7

Expert Comment

by:naughton
ID: 21870131
You should be able to get from inside to a lower security level by default.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21870181
0
 

Accepted Solution

by:
RHebbe earned 0 total points
ID: 21926183
OK.  I had missed 2 things.  First, we are part of a WAN and our WAN router was grabbing the 192.168.X.X network and shooting it out to our WAN.  Once I fixed that, I was missing the following line:

static (inside,dmz) 10.17.0.0 10.17.0.0 netmask 255.255.0.0

Once those 2 things were done, all is working correctly now.
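Why that single `static` line matters, shown as an added example (not code from the post or from Cisco): a small Python model of the pre-8.3 ASA `nat-control` lookup, run over the NAT lines of the posted config with and without the fix. It assumes the usual rule order (statics before nat/global pairs) and ignores the port-based `static ... tcp/udp` lines, which only cover one port each.

```python
# Added example (not from the original post): a model of how an ASA 7.x with
# "nat-control" decides whether a flow may cross between two interfaces.
# Under nat-control, every flow from a higher to a lower security interface
# needs a translation rule for the EGRESS interface; without one the packet
# is dropped even though security levels (100 -> 50) would allow it.
import ipaddress

# "name" entries from the posted config.
NAMES = {"VPNServer": "10.17.1.2", "MailServer": "10.17.1.25",
         "WebServer": "192.168.2.2"}

# NAT-related lines of the posted config, before the fix (constructed subset).
ORIGINAL_NAT = """
global (outside) 1 interface
nat (inside) 1 10.17.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (dmz,outside) X.X.X.2 WebServer netmask 255.255.255.255
"""
# The identity static from the accepted answer (inside -> dmz, no rewrite).
FIX_LINE = "static (inside,dmz) 10.17.0.0 10.17.0.0 netmask 255.255.0.0"

def parse_nat(config):
    """Collect nat / global / static rules; port-based statics are skipped."""
    nats, globs, statics = [], {}, []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nat":                      # nat (ifc) id net mask
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            nats.append((tok[1].strip("()"), int(tok[2]), net))
        elif tok[0] == "global":                 # global (ifc) id interface|pool
            globs.setdefault(int(tok[2]), set()).add(tok[1].strip("()"))
        elif tok[0] == "static" and tok[2] not in ("tcp", "udp"):
            real_ifc, mapped_ifc = tok[1].strip("()").split(",")
            real = NAMES.get(tok[3], tok[3])     # tok[3] is the real (local) address
            net = ipaddress.ip_network(f"{real}/{tok[-1]}", strict=False)
            statics.append((real_ifc, mapped_ifc, net))
    return nats, globs, statics

def translation_for(config, src_ifc, dst_ifc, src_ip):
    """Return the rule that translates src_ip from src_ifc to dst_ifc, or None."""
    nats, globs, statics = parse_nat(config)
    ip = ipaddress.ip_address(src_ip)
    for real_ifc, mapped_ifc, net in statics:    # statics are matched first
        if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and ip in net:
            return "static"
    for ifc, nid, net in nats:                   # then nat id + global on egress
        if ifc == src_ifc and ip in net and dst_ifc in globs.get(nid, ()):
            return f"nat id {nid}"
    return None                                  # nat-control: flow is dropped
```

With the original lines, inside to outside resolves to `nat id 1` but inside to dmz finds nothing because there is no `global (dmz) 1`; adding the identity static makes every 10.17.0.0/16 host match. Note that `nat (inside) 1` only covers 10.17.1.0/24, so inside hosts outside that /24 still have no translation towards the outside interface.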
