Cisco DMZ to inside access on ASA 5510

My DMZ hosts 192.168.23.10 through 192.168.23.15 need to access the inside network
for testing without restrictions right now.
I want to add rules later.

I think it's something with my NAT configuration or

Can anyone help?

Thanks in advance.



ASA Version 7.0(8)
!
hostname VUURMUUR
names
name 192.168.23.10 Wii description Wii
name 192.168.23.12 dispositie description dispositie
dns-guard
!
interface Ethernet0/0
 description interface facing the inside network
 nameif inside
 security-level 100
 ip address 192.168.22.100 255.255.255.0
!
interface Ethernet0/1
 description interface connected to kpn router
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/2
 description interface for terminal and webservers
 nameif dmz
 security-level 50
 ip address 192.168.23.1 255.255.255.0
!
interface Ethernet0/3
 description unused interface
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
banner login Authorised personal only
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service Userlogin tcp-udp
 description User login and authentication
 port-object eq 88
 port-object eq 389
 port-object eq 445
 port-object eq domain
access-list outside_access_in remark mail naar binnen
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list outside_access_in remark RDP ( terminalserver ) naar binnen
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list outside_access_in remark webserver binnen
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list outside_access_in remark dispositie website naar binnen
access-list outside_access_in extended permit tcp any eq www host xxx.xxx.xxx.xxx eq www
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN-REMOTE-POOL 192.168.4.1-192.168.4.254 mask 255.255.255.255
ip verify reverse-path interface outside
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.22.2 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.xxx Wii netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.xxx dispositie netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 145.4.80.0 255.255.255.0 192.168.22.2 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPNCLIENTS internal
group-policy VPNCLIENTS attributes
 dns-server value 145.4.80.212 145.4.80.205
 default-domain value amvest.nl
 webvpn
username VPNCLIENTS password 1gcmnHjmXHJN0mz4 encrypted privilege 0
username VPNCLIENTS attributes
 vpn-group-policy VPNCLIENTS
 webvpn
http server enable
http 192.168.22.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group VPNCLIENTS type ipsec-ra
tunnel-group VPNCLIENTS general-attributes
 address-pool VPN-REMOTE-POOL
 default-group-policy VPNCLIENTS
tunnel-group VPNCLIENTS ipsec-attributes
 pre-shared-key *
telnet 145.4.80.179 255.255.255.255 inside
telnet 192.168.22.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.22.2
Cryptochecksum:4fb99b4afd2cc58d8fafef0e24bf5e3e
: end
Asked: stephandavidse
JFrederick29Commented:
Give this a shot:

conf t
static (inside,dmz) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
access-list dmz_access_in extended permit ip any 192.168.22.0 255.255.255.0
access-group dmz_access_in in interface dmz
stephandavidseAuthor Commented:
JFrederick29
Making some progress.
My DNS requests are communicating to my inside, but when I'm trying to set up the trust to the inside it fails.

The ASA log shows the following error:

3|Nov 21 2008 16:01:56|305005: No translation group found for udp src dmz:192.168.23.13/1591 dst inside:145.4.80.72/389
JFrederick29Commented:
This host (145.4.80.72) is reachable via the inside I assume.  Do you have a subnet or just this one host?

stephandavidseAuthor Commented:
The network looks like this:

145.4.80.0  |  MS ISA 2006  |  192.168.22.0  |  CISCO ASA
                                                   |
                                            DMZ 192.168.23.0

145.4.80.72 is reachable in the subnet and is one of the DCs I'm trying to reach, but the traffic doesn't reach the ISA server.
stephandavidseAuthor Commented:
It has something to do with the ASA not knowing 145.4.80.72.
If I try to ping 145.4.80.72 from 192.168.23.13, this is the result:

No translation group found for icmp src dmz:192.168.23.13 dst inside:145.4.80.72
JFrederick29Commented:
Okay, you need to add a static for that subnet as well.

static (inside,dmz) 145.4.80.0 145.4.80.0 netmask 255.255.255.0
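To show why the 305005 "No translation group found" message appears for the dmz-to-inside flow and why the two identity statics above clear it, here is an added Python example (not code from the thread and not Cisco's logic) that parses pre-8.3 `static` lines from a constructed excerpt of the thread's config and runs a simplified model of the xlate lookup; the ASA behaviour it encodes is a simplification of the real NAT engine.

```python
import ipaddress

# Constructed excerpt of the thread's ASA 7.0(8) config (pre-8.3 NAT syntax);
# the public addresses stay as the thread's xxx.xxx.xxx.xxx placeholders.
CONFIG_BEFORE = """
name 192.168.23.10 Wii description Wii
static (inside,outside) xxx.xxx.xxx.xxx 192.168.22.2 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.xxx Wii netmask 255.255.255.255
"""
# Same config plus the two identity statics given as the solution.
CONFIG_AFTER = CONFIG_BEFORE + """
static (inside,dmz) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
static (inside,dmz) 145.4.80.0 145.4.80.0 netmask 255.255.255.0
"""


def parse_statics(config):
    """Return (real_if, mapped_if, real_network) for every 'static' line.
    'name' entries are resolved first, so a static written with an object
    name (like the thread's Wii line) still parses."""
    lines = [ln.split() for ln in config.splitlines()]
    names = {p[2]: p[1] for p in lines if len(p) >= 3 and p[0] == "name"}
    rules = []
    for p in lines:
        if len(p) < 6 or p[0] != "static" or "netmask" not in p:
            continue
        real_if, mapped_if = p[1].strip("()").split(",")
        real = names.get(p[3], p[3])          # p[2] is the mapped address
        mask = p[p.index("netmask") + 1]
        rules.append((real_if, mapped_if,
                      ipaddress.ip_network(f"{real}/{mask}", strict=False)))
    return rules


def find_translation(config, src_if, dst_if, dst_ip):
    """Simplified model of the xlate lookup behind syslog 305005.
    A flow entering on the lower-security src_if (dmz) towards a host behind
    the higher-security dst_if (inside), whose hosts already fall under a
    nat (inside) rule as in the thread, needs a static or identity translation
    of that destination on (dst_if,src_if); without one the ASA drops the
    packet and logs 'No translation group found'. Returns the matching
    static as text, or None when the lookup fails."""
    dst = ipaddress.ip_address(dst_ip)
    for real_if, mapped_if, real_net in parse_statics(config):
        if real_if == dst_if and mapped_if == src_if and dst in real_net:
            return f"static ({real_if},{mapped_if}) {real_net}"
    return None
```

Running `find_translation(cfg, "dmz", "inside", "145.4.80.72")` returns None for the original config and the 145.4.80.0/24 identity static once it is added, mirroring the ping result in the thread.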
stephandavidseAuthor Commented:
Thanks.