Cisco DMZ to inside access on ASA 5510

My DMZ hosts 192.168.23.10 through 192.168.23.15 need to access the inside network
for testing, without restrictions right now.
I want to add rules later.

I think it's something with my NAT configuration or

Can anyone help?

Thanks in advance.



ASA Version 7.0(8)
!
hostname VUURMUUR
names
name 192.168.23.10 Wii description Wii
name 192.168.23.12 dispositie description dispositie
dns-guard
!
interface Ethernet0/0
 description interface facing the inside network
 nameif inside
 security-level 100
 ip address 192.168.22.100 255.255.255.0
!
interface Ethernet0/1
 description interface connected to kpn router
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/2
 description interface for terminal and webservers
 nameif dmz
 security-level 50
 ip address 192.168.23.1 255.255.255.0
!
interface Ethernet0/3
 description unused interface
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
banner login Authorised personal only
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service Userlogin tcp-udp
 description User login and authentication
 port-object eq 88
 port-object eq 389
 port-object eq 445
 port-object eq domain
access-list outside_access_in remark mail to inside
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list outside_access_in remark RDP (terminal server) to inside
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list outside_access_in remark webserver inside
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list outside_access_in remark dispositie website to inside
access-list outside_access_in extended permit tcp any eq www host xxx.xxx.xxx.xxx eq www
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN-REMOTE-POOL 192.168.4.1-192.168.4.254 mask 255.255.255.255
ip verify reverse-path interface outside
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.22.2 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.xxx Wii netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.xxx dispositie netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 145.4.80.0 255.255.255.0 192.168.22.2 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPNCLIENTS internal
group-policy VPNCLIENTS attributes
 dns-server value 145.4.80.212 145.4.80.205
 default-domain value amvest.nl
 webvpn
username VPNCLIENTS password 1gcmnHjmXHJN0mz4 encrypted privilege 0
username VPNCLIENTS attributes
 vpn-group-policy VPNCLIENTS
 webvpn
http server enable
http 192.168.22.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group VPNCLIENTS type ipsec-ra
tunnel-group VPNCLIENTS general-attributes
 address-pool VPN-REMOTE-POOL
 default-group-policy VPNCLIENTS
tunnel-group VPNCLIENTS ipsec-attributes
 pre-shared-key *
telnet 145.4.80.179 255.255.255.255 inside
telnet 192.168.22.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.22.2
Cryptochecksum:4fb99b4afd2cc58d8fafef0e24bf5e3e
: end
stephandavidse asked:
JFrederick29 commented:
Give this a shot:

conf t
static (inside,dmz) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
access-list dmz_access_in extended permit ip any 192.168.22.0 255.255.255.0
access-group dmz_access_in in interface dmz
0
stephandavidse (author) commented:
JFrederick29,
Making some progress.
My DNS requests are getting through to my inside network, but when I'm trying to set up the trust to the inside it fails.

The ASA log shows the following error:

3|Nov 21 2008 16:01:56|305005: No translation group found for udp src dmz:192.168.23.13/1591 dst inside:145.4.80.72/389
0
JFrederick29 commented:
This host (145.4.80.72) is reachable via the inside, I assume. Do you have a subnet or just this one host?

0
stephandavidse (author) commented:
The network looks like this:

145.4.80.0  |  MS ISA 2006  |  192.168.22.0  |  Cisco ASA
                                                    |
                                            DMZ 192.168.23.0

145.4.80.72 is reachable in that subnet and is one of the DCs I'm trying to reach, but the traffic doesn't reach the ISA server.
0
stephandavidse (author) commented:
It has something to do with the ASA not knowing 145.4.80.72.
If I try to ping 145.4.80.72 from 192.168.23.13, this is the result:

No translation group found for icmp src dmz:192.168.23.13 dst inside:145.4.80.72
0
JFrederick29 commented:
Okay, you need to add a static for that subnet as well.

static (inside,dmz) 145.4.80.0 145.4.80.0 netmask 255.255.255.0
0
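The two answers above, combined into one configuration, as an added example that is not part of the thread. The interface names, subnets, the route to 145.4.80.0/24 via 192.168.22.2 and the `Userlogin` service object group are taken from the posted config; the object-group names `DMZ-TEST-HOSTS` and `INSIDE-NETS` are my own. The reason the statics are needed: `nat (inside) 1 0.0.0.0 0.0.0.0` with a `global` only on outside tells the ASA that every inside host has a dynamic translation, but there is no pool on the dmz interface, so a DMZ host reaching an inside host hits `%ASA-3-305005 No translation group found`. Identity statics (real address mapped to itself) satisfy that lookup without changing any address. The first ACL form is the "no restrictions for testing" version the question asks for, limited to the six test hosts rather than `any`; the second replaces it with the AD/DNS ports already defined in `Userlogin` once testing is done.

```cisco
conf t
! --- Translations: identity statics for both inside-side networks ---
! 192.168.22.0/24 is directly connected on inside; 145.4.80.0/24 sits behind
! the ISA server at 192.168.22.2 and is already routed there
! ("route inside 145.4.80.0 255.255.255.0 192.168.22.2 1").
static (inside,dmz) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
static (inside,dmz) 145.4.80.0 145.4.80.0 netmask 255.255.255.0

! --- Who may talk to what (names are my own, not from the thread) ---
object-group network DMZ-TEST-HOSTS
 description DMZ hosts allowed into the inside network during testing
 network-object host 192.168.23.10
 network-object host 192.168.23.11
 network-object host 192.168.23.12
 network-object host 192.168.23.13
 network-object host 192.168.23.14
 network-object host 192.168.23.15
object-group network INSIDE-NETS
 network-object 192.168.22.0 255.255.255.0
 network-object 145.4.80.0 255.255.255.0

! --- Phase 1: unrestricted for the six test hosts only ---
access-list dmz_access_in remark test phase: DMZ test hosts to inside, any protocol
access-list dmz_access_in extended permit ip object-group DMZ-TEST-HOSTS object-group INSIDE-NETS
! Binding an ACL inbound on dmz replaces the implicit "permit to lower
! security level" behaviour: DMZ hosts lose Internet access unless it is
! permitted explicitly. Deny the inside networks first so the catch-all
! below cannot become a path from the rest of the DMZ to the inside.
access-list dmz_access_in extended deny ip any object-group INSIDE-NETS
access-list dmz_access_in extended permit ip 192.168.23.0 255.255.255.0 any
access-group dmz_access_in in interface dmz

! --- Phase 2: after testing, swap the "permit ip" line for the AD ports ---
! Userlogin already exists in the config (tcp-udp 88, 389, 445, domain).
! Anything else the trust turns out to need is added here, not as "permit ip".
no access-list dmz_access_in extended permit ip object-group DMZ-TEST-HOSTS object-group INSIDE-NETS
access-list dmz_access_in line 1 extended permit tcp object-group DMZ-TEST-HOSTS object-group INSIDE-NETS object-group Userlogin
access-list dmz_access_in line 2 extended permit udp object-group DMZ-TEST-HOSTS object-group INSIDE-NETS object-group Userlogin
access-list dmz_access_in line 3 extended permit icmp object-group DMZ-TEST-HOSTS object-group INSIDE-NETS echo
end

! --- Checks ---
show xlate                        ! the two identity statics should be listed
show access-list dmz_access_in    ! hit counts tell you which line a flow matched
show logging | include 305005     ! should stop appearing for dmz -> inside
```

The `line 1`/`line 2`/`line 3` keywords put the restricted permits above the `deny ip any INSIDE-NETS` entry; check the order with `show access-list dmz_access_in` before relying on it, since an entry appended after the deny would never match.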
stephandavidse (author) commented:
Thanks.
0