stephandavidse
asked on
Cisco DMZ to inside access on ASA 5510
My DMZ hosts 192.168.23.10 through 192.168.23.15 need to access the inside network
for testing without restrictions right now.
I want to add rules later.
I think it's something with my NAT configuration.
Can anyone help?
Thanks in advance.
ASA Version 7.0(8)
!
hostname VUURMUUR
names
name 192.168.23.10 Wii description Wii
name 192.168.23.12 dispositie description dispositie
dns-guard
!
interface Ethernet0/0
description interface facing the inside network
nameif inside
security-level 100
ip address 192.168.22.100 255.255.255.0
!
interface Ethernet0/1
description interface connected to kpn router
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/2
description interface for terminal and webservers
nameif dmz
security-level 50
ip address 192.168.23.1 255.255.255.0
!
interface Ethernet0/3
description unused interface
shutdown
no nameif
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner login Authorised personal only
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service Userlogin tcp-udp
description User login and authentication
port-object eq 88
port-object eq 389
port-object eq 445
port-object eq domain
access-list outside_access_in remark mail naar binnen
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list outside_access_in remark RDP ( terminalserver ) naar binnen
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list outside_access_in remark webserver binnen
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list outside_access_in remark dispositie website naar binnen
access-list outside_access_in extended permit tcp any eq www host xxx.xxx.xxx.xxx eq www
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN-REMOTE-POOL 192.168.4.1-192.168.4.254 mask 255.255.255.255
ip verify reverse-path interface outside
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.22.2 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.xxx Wii netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.xxx dispositie netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 145.4.80.0 255.255.255.0 192.168.22.2 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPNCLIENTS internal
group-policy VPNCLIENTS attributes
dns-server value 145.4.80.212 145.4.80.205
default-domain value amvest.nl
webvpn
username VPNCLIENTS password 1gcmnHjmXHJN0mz4 encrypted privilege 0
username VPNCLIENTS attributes
vpn-group-policy VPNCLIENTS
webvpn
http server enable
http 192.168.22.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group VPNCLIENTS type ipsec-ra
tunnel-group VPNCLIENTS general-attributes
address-pool VPN-REMOTE-POOL
default-group-policy VPNCLIENTS
tunnel-group VPNCLIENTS ipsec-attributes
pre-shared-key *
telnet 145.4.80.179 255.255.255.255 inside
telnet 192.168.22.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 192.168.22.2
Cryptochecksum:4fb99b4afd2 cc58d8fafe f0e24bf5e3 e
: end
ASKER
JFrederick29
Making some progress
My DNS requests are getting through to the inside, but when I'm trying to set up the trust to the inside it fails.
The ASA log shows the following error:
3|Nov 21 2008 16:01:56|305005: No translation group found for udp src dmz:192.168.23.13/1591 dst inside:145.4.80.72/389
This host (145.4.80.72) is reachable via the inside I assume. Do you have a subnet or just this one host?
ASKER
the network looks like this
145.4.80.0 | MS ISA 2006 | 192.168.22.0 | CISCO ASA
|
DMZ 192.168.23.0
145.4.80.72 is reachable in the subnet and is one of the DCs I'm trying to reach, but the traffic doesn't reach the ISA server.
ASKER
It has something to do with the ASA not knowing 145.4.80.72.
If I try to ping 145.4.80.72 from 192.168.23.13, this is the result:
No translation group found for icmp src dmz:192.168.23.13 dst inside:145.4.80.72
ASKER CERTIFIED SOLUTION
ASKER
thanks
conf t
static (inside,dmz) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
access-list dmz_access_in extended permit ip any 192.168.22.0 255.255.255.0
access-group dmz_access_in in interface dmz
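As an added example (not from the thread, the asker, or Cisco), a small Python checker that parses pre-8.3 ASA static NAT lines and the 305005 "No translation group found" messages quoted above, and reports whether a static already presents the logged destination on the interface the source sits on. Run over the static from the final post and the LDAP log line it reports that 145.4.80.72 falls outside 192.168.22.0/24, so that destination would still need its own identity translation; the regexes, helper names and sample inputs are my own.

```python
import ipaddress
import re

# Pre-8.3 static line: static (real_if,mapped_if) mapped real netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)"
)
# Body of an ASA-3-305005 message as it appears in the log.
LOG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)?"
)

def parse_statics(config_lines):
    """Return (real_if, mapped_if, mapped_network) for every static line."""
    statics = []
    for line in config_lines:
        m = STATIC_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
            statics.append((m["real_if"], m["mapped_if"], net))
    return statics

def parse_305005(log_line):
    """Extract interfaces and addresses from a 305005 line, or None."""
    m = LOG_RE.search(log_line)
    return m.groupdict() if m else None

def covering_static(statics, event):
    """Static that presents event['dst'] (an address behind dst_if) on src_if, or None.
    The logged dst is the address the source used, i.e. the mapped side of the static."""
    dst = ipaddress.ip_address(event["dst"])
    for real_if, mapped_if, net in statics:
        if real_if == event["dst_if"] and mapped_if == event["src_if"] and dst in net:
            return (real_if, mapped_if, net)
    return None

def suggest_identity_static(event):
    """Host-level identity static for the destination the log complains about."""
    return (f"static ({event['dst_if']},{event['src_if']}) {event['dst']} {event['dst']} "
            f"netmask 255.255.255.255")

# Constructed inputs: the static from the final post and the LDAP log line from the thread.
FINAL_CONFIG = ["static (inside,dmz) 192.168.22.0 192.168.22.0 netmask 255.255.255.0"]
LOG_LDAP = ("3|Nov 21 2008 16:01:56|305005: No translation group found for udp "
            "src dmz:192.168.23.13/1591 dst inside:145.4.80.72/389")

if __name__ == "__main__":
    ev = parse_305005(LOG_LDAP)
    print(covering_static(parse_statics(FINAL_CONFIG), ev) or suggest_identity_static(ev))
```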