[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

The server is not accessable through the cisco ASA Firewall?

Posted on 2008-11-10
4
Medium Priority
?
859 Views
Last Modified: 2012-05-05
Hello!

I have 2 ASA firewall that is deployed in active standby design and I have configured 3 iterfaces one inside one out side and one for DMZ and I connected my server to DMZ port and I published a rule in the firewall opening my desied port to be accessable from out side, also I have made a NAT rule to map the public IP address to my server DMZ IP address... Bt not I am trying to access my servers from outside from the specifed ports that I have opened but I cant!? I can also ping my service public IP address, and when I try to access internet from the server it is showing me the correct public IP address, but when I run the packt-tracer the diagram shows that there is something wrong in the NAT lookup

Please help me out the issue is very important to be solved.. I have attached images of the diagram and fire wall
ciscoasa/CTX# sh run
: Saved
:
ASA Version 7.2(1) <context>
!
hostname WatanASA
domain-name Daralwatan.local
enable password xzkTqfsB.LL86smU encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 62.215.163.2 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Dmz
 security-level 50
 ip address 172.17.1.1 255.255.255.0 standby 172.17.1.2
!
passwd 2KFQnbNIdI.2KYOU encrypted
dns server-group DefaultDNS
 domain-name Daralwatan.local
object-group service mail tcp
 port-object eq smtp
 port-object eq https
 port-object eq domain
 port-object eq www
object-group network internal
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object host 192.168.20.222
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.22.0 255.255.255.0
 network-object 192.168.23.0 255.255.255.0
 network-object 192.168.24.0 255.255.255.0
 network-object 192.168.25.0 255.255.255.0
 network-object 192.168.26.0 255.255.255.0
 network-object 192.168.27.0 255.255.255.0
 network-object 192.168.28.0 255.255.255.0
 network-object 192.168.29.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
 network-object 192.168.50.0 255.255.255.0
 network-object 172.100.10.0 255.255.255.0
 network-object 172.19.0.0 255.255.0.0
object-group icmp-type ICMP1
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
object-group network IT
 network-object 192.168.20.0 255.255.255.0
object-group service EmailSeries tcp
 description collection of protocols for mail server
 port-object eq pop3
 port-object eq login
 port-object eq kerberos
 group-object mail
 port-object eq imap4
object-group service FtpSeries tcp
 port-object eq ftp-data
 port-object eq ftp
object-group service Baracuda tcp
 port-object eq ssh
 port-object eq smtp
 port-object eq pop2
 port-object eq pop3
 port-object eq imap4
object-group service LiveStream tcp
 port-object range 7007 7007
 port-object range 9007 9007
object-group service VPNSeries udp
 port-object range 1701 1702
 port-object range 4500 4500
 port-object eq isakmp
access-list Inside_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any host 192.168.10.36 eq 310
 
access-list Outside_access_in extended permit icmp any any object-group ICMP1
access-list Outside_access_in extended deny icmp any any
access-list Outside_access_in extended permit tcp any host 192.168.10.35 object
group EmailSeries
access-list Outside_access_in extended permit tcp any any eq domain
access-list Outside_access_in extended permit udp any any eq domain
access-list Outside_access_in extended permit tcp any host 192.168.10.29 eq 338
 
access-list Outside_access_in extended permit tcp any host 192.168.10.32 object
group Baracuda
access-list Outside_access_in extended permit tcp any host 172.17.1.20 object-g
oup LiveStream
access-list Outside_access_in extended permit tcp any host 192.168.10.66 eq ppt
 
access-list Outside_access_in extended permit udp any host 192.168.10.66 object
group VPNSeries
access-list Outside_access_in extended permit ip host 168.187.168.110 host 192.
68.10.38
access-list Outside_access_in extended permit ip host 168.187.168.110 host 192.
68.10.39
access-list Outside_access_in extended permit ip host 62.215.231.77 host 192.16
.10.39
access-list Dmz_access_in extended permit icmp 172.17.1.0 255.255.255.0 any
access-list Dmz_access_in extended permit ip 172.17.1.0 255.255.255.0 any
pager lines 24
logging enable
logging standby
logging console critical
logging monitor alerts
logging buffered debugging
logging asdm informational
logging permit-hostdown
logging class ip buffered debugging console critical monitor alerts
logging class snmp history warnings
mtu Outside 1500
mtu Inside 1500
mtu Dmz 1500
icmp permit any Outside
icmp permit host 172.17.1.1 echo Inside
icmp permit host 62.215.163.2 echo Inside
icmp permit any Inside
no asdm history enable
arp timeout 14400
global (Outside) 2 62.215.163.28 netmask 255.255.255.224
global (Outside) 2 62.215.163.27 netmask 255.255.255.224
global (Outside) 2 62.215.163.29 netmask 255.255.255.224
global (Outside) 2 62.215.163.26 netmask 255.255.255.224
global (Outside) 1 62.215.163.22 netmask 255.255.255.224
global (Outside) 1 62.215.163.23 netmask 255.255.255.224
global (Outside) 1 62.215.163.24 netmask 255.255.255.224
global (Outside) 1 62.215.163.25 netmask 255.255.255.224
global (Dmz) 1 172.17.1.100-172.17.1.250 netmask 255.255.255.0
nat (Inside) 1 172.100.10.0 255.255.255.0
nat (Inside) 1 192.168.10.0 255.255.255.0
nat (Inside) 1 192.168.20.0 255.255.255.0
nat (Inside) 1 192.168.21.0 255.255.255.0
nat (Inside) 1 192.168.22.0 255.255.255.0
nat (Inside) 1 192.168.23.0 255.255.255.0
nat (Inside) 1 192.168.24.0 255.255.255.0
nat (Inside) 1 192.168.25.0 255.255.255.0
nat (Inside) 1 192.168.26.0 255.255.255.0
nat (Inside) 1 192.168.27.0 255.255.255.0
nat (Inside) 1 192.168.28.0 255.255.255.0
nat (Inside) 1 192.168.29.0 255.255.255.0
nat (Inside) 1 192.168.30.0 255.255.255.0
nat (Inside) 1 192.168.50.0 255.255.255.0
nat (Inside) 1 192.168.100.0 255.255.255.0
nat (Inside) 1 172.19.0.0 255.255.0.0
static (Inside,Outside) 62.215.163.3 192.168.10.50 netmask 255.255.255.255
static (Inside,Outside) 62.215.163.4 192.168.10.54 netmask 255.255.255.255
static (Inside,Outside) 62.215.163.5 192.168.10.56 netmask 255.255.255.255
static (Inside,Outside) 62.215.163.6 192.168.10.29 netmask 255.255.255.255
static (Inside,Outside) 62.215.163.7 192.168.10.38 netmask 255.255.255.255
static (Inside,Outside) 62.215.163.8 192.168.10.39 netmask 255.255.255.255
static (Inside,Outside) 62.215.163.9 192.168.10.48 netmask 255.255.255.255
static (Inside,Outside) 62.215.163.13 192.168.10.66 netmask 255.255.255.255
static (Inside,Outside) 62.215.163.10 192.168.10.35 netmask 255.255.255.255
static (Inside,Outside) 62.215.163.11 192.168.10.32 netmask 255.255.255.255
static (Inside,Outside) 62.215.163.14 192.168.10.36 netmask 255.255.255.255
static (Dmz,Outside) 62.215.163.17 172.17.1.20 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Dmz_access_in in interface Dmz
route Outside 0.0.0.0 0.0.0.0 62.215.163.1 1
route Inside 172.100.10.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.20.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.21.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.22.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.23.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.24.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.25.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.26.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.27.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.28.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.29.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.30.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.50.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.100.0 255.255.255.0 192.168.2.1 1
route Inside 192.168.10.0 255.255.255.0 192.168.2.1 1
route Inside 172.19.0.0 255.255.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.20.0 255.255.255.0 Inside
http 192.168.10.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
telnet 192.168.20.0 255.255.255.0 Inside
telnet 192.168.10.0 255.255.255.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im jeel
 parameters
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2ef082857b3ce088d3187ba1436ca2aa
: end
ciscoasa/CTX#

Open in new window

firewall1.JPG
firewall2.JPG
firewall3.JPG
0
Comment
Question by:wrefai
  • 2
  • 2
4 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22923013
The problem is the outside_access_in access-list is specifying the "real" IP address of the server (172.17.1.20) instead of the public IP address (62.215.163.17).  Change the access-list rule to include the public (62.215.163.17) IP address instead of the private/real.
0
 

Author Comment

by:wrefai
ID: 22923412
Thanks JFrederick29 !   Now it is working perfect. i configured it based on my knowledge about ASA 5510 series so now i found out that ASA 5520 is quite different !
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 22923581
Glad to hear.  5510 and 5520 should be the same as far as NAT and access-lists are concerned (as long as they are running the same code anyway).
0
 

Author Closing Comment

by:wrefai
ID: 31515091
This is exactly what I wanted Thanks man!
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Course of the Month17 days, 14 hours left to enroll

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question