outside to DMZ
Asked by memo12345678
Dear all,
I have a server in the DMZ zone; its IP is 10.10.10.11.
I want everyone from outside to see this IP via the public IP 40.40.40.11 and also be able to access it.
Please write to me what I need to configure, with the access rules, if I want it on the outside interface.
ASKER
Dear,
It still doesn't work; this is the config:
access-list 101 extended permit icmp 40.40.40.128 255.255.255.128 any echo
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 time-exceeded
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 echo
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 echo-reply
access-list 101 extended permit icmp 40.40.40.128 255.255.255.128 any echo-reply
access-list 101 extended permit ip any host 40.40.40.11
access-group 101 in interface outside
static (dmz,outside) 40.40.40.11 10.10.10.11 netmask 255.255.255.255
interface GigabitEthernet3/0
nameif outside
security-level 0
ip address 40.40.40.1 255.255.255.248 standby 40.40.40.2
!
interface GigabitEthernet3/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/1.10
vlan 10
nameif dmz
security-level 50
ip address 10.10.10.2 255.255.255.0 standby 10.200.200.3
!
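As an added example (my own, not code from the thread or from Cisco), the checks below read the ASA fragment posted above with the Python standard library and flag what a reviewer would otherwise check by hand: a standby address that is not on the primary's subnet, a static global that does not sit in the outside interface subnet, ACL entries whose destination is neither the outside subnet nor a published global (so they can never match), and a `permit ip ... host` entry that exposes every port of the published server instead of the one service it runs. The finding codes and function names are my own; the embedded config is the asker's, trimmed to the lines the checks read.

```python
"""Lint a pre-8.3 style ASA static NAT / ACL fragment (added example, not from the thread)."""
import ipaddress
import re

# Constructed input: the asker's ASA fragment from this thread, trimmed to the lines the checks read.
ASA_CONFIG = """\
access-list 101 extended permit icmp 40.40.40.128 255.255.255.128 any echo
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 time-exceeded
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 echo
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 echo-reply
access-list 101 extended permit icmp 40.40.40.128 255.255.255.128 any echo-reply
access-list 101 extended permit ip any host 40.40.40.11
access-group 101 in interface outside
static (dmz,outside) 40.40.40.11 10.10.10.11 netmask 255.255.255.255
interface GigabitEthernet3/0
 nameif outside
 ip address 40.40.40.1 255.255.255.248 standby 40.40.40.2
interface GigabitEthernet3/1.10
 nameif dmz
 ip address 10.10.10.2 255.255.255.0 standby 10.200.200.3
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
# Handles both 'static (r,m) G L netmask M' and the per-port 'static (r,m) tcp G gp L lp netmask M'.
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (?:(?:tcp|udp) )?(\S+) (?:\d+ )?(\S+) (?:\d+ )?netmask")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+)(?: standby (\S+))?")


def _take_addr(tokens):
    """Consume one ACE address spec: 'any' -> None, 'host X' or 'X MASK' -> ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse(config):
    """Return (interfaces by nameif, ACEs by ACL name, inbound ACL name by nameif, statics)."""
    interfaces, acls, groups, statics, cur = {}, {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {}
        elif line.startswith("nameif ") and cur is not None:
            interfaces[line.split()[1]] = cur
        elif (m := IPADDR_RE.match(line)) and cur is not None:
            itf = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            cur["network"] = itf.network
            cur["standby"] = ipaddress.ip_address(m[3]) if m[3] else None
        elif m := ACE_RE.match(line):
            tokens = m[4].split()
            src = _take_addr(tokens)
            if tokens and tokens[0] in ("eq", "gt", "lt", "neq", "range"):  # source-port qualifier
                del tokens[:3 if tokens[0] == "range" else 2]
            dst = _take_addr(tokens)
            acls.setdefault(m[1], []).append(
                {"action": m[2], "proto": m[3], "src": src, "dst": dst, "text": line})
        elif (m := GROUP_RE.match(line)) and m[2] == "in":
            groups[m[3]] = m[1]
        elif m := STATIC_RE.match(line):
            statics.append({"mapped_if": m[2], "global": ipaddress.ip_address(m[3]), "local": m[4]})
    return interfaces, acls, groups, statics


def lint(config):
    """Return a list of (code, message) findings for the config text."""
    interfaces, acls, groups, statics = parse(config)
    findings = []
    for name, itf in interfaces.items():  # the failover peer must share the primary's subnet
        if itf.get("standby") is not None and itf["standby"] not in itf["network"]:
            findings.append(("STANDBY_OFF_SUBNET", f"{name}: standby {itf['standby']} is not in {itf['network']}"))
    for st in statics:  # a global address must live on the segment of the interface it is mapped to
        net = interfaces.get(st["mapped_if"], {}).get("network")
        if net is not None and st["global"] not in net:
            findings.append(("GLOBAL_OFF_SUBNET", f"static global {st['global']} is not in {st['mapped_if']} subnet {net}"))
    for nameif, acl in groups.items():  # inbound ACL: dead entries and over-broad permits
        net = interfaces.get(nameif, {}).get("network")
        published = {st["global"] for st in statics if st["mapped_if"] == nameif}
        for ace in acls.get(acl, []):
            dst = ace["dst"]
            hits_global = dst is None or any(g in dst for g in published)
            if dst is not None and net is not None and not dst.overlaps(net) and not hits_global:
                findings.append(("ACE_UNREACHABLE_DST", f"{ace['text']}: {dst} is neither the {nameif} subnet nor a static global"))
            if ace["action"] == "permit" and ace["proto"] == "ip" and hits_global:
                findings.append(("ACE_ALL_PORTS", f"{ace['text']}: exposes every port; permit only the services actually served"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(ASA_CONFIG):
        print(f"{code}: {msg}")
```

Run as-is it reports six findings on the posted fragment. With the outside mask changed to 255.255.255.192, as the asker does later in the thread, the GLOBAL_OFF_SUBNET finding disappears, while the icmp entries for 40.40.40.128/25 stay dead because that range lies outside both the /29 and the /26. Replacing `permit ip any host 40.40.40.11` with `permit tcp any host 40.40.40.11 eq 80` (the single-port publish suggested later in the thread) is what the ACE_ALL_PORTS finding asks for.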
Hi,
What about your DMZ? Do you have some NAT (global, nat (dmz), etc.) and some access-list?
Can your DMZ reach the Internet?
If your DMZ has no access-list/access-group, it will not work.
No need for an access-list/access-group; you are going from a higher to a lower security interface.
ASKER
Dear erniebeek,
I changed to:
interface GigabitEthernet3/0
nameif outside
security-level 0
ip address 40.40.40.1 255.255.255.192 standby 40.40.40.2
but still I cannot ping from outside to this IP 40.40.40.11, while from my router (40.40.40.3) that connects to the ASA outside interface I can ping 40.40.40.11!!!!
Ok, it looks like we have to have a look at the router as well. Could you post a (sanitized) config?
@erniebeek: you're right :)
@memo: you talk about your router; does it redirect the traffic to the ASA (bridging?)?
For your ASA, I think you must follow erniebeek's config, which redirects just one port, e.g. 80:
static (dmz,outside) tcp 40.40.40.11 80 10.10.10.11 80 netmask 255.255.255.255
ASKER
Dear erniebeek,
Router config:
interface GigabitEthernet0/1
description lin to internet
ip address 40.40.40.230 255.255.255.192
duplex auto
speed auto
standby 11 ip 40.40.40.231
standby 11 timers 3 9
standby 11 priority 120
standby 11 preempt
standby 11 track 1 decrement 25
!
interface GigabitEthernet0/2
description Link ASA firewall
ip address 40.40.40.4 255.255.255.192
duplex auto
speed auto
standby 10 ip 40.40.40.6
standby 10 timers 3 9
standby 10 priority 120
standby 10 preempt
standby 10 track 1 decrement 25
!
ip route 0.0.0.0 0.0.0.0 40.40.40.200
ip route 40.40.40.0 255.255.255.192 40.40.40.1
There is no problem in the router, so why from outside can I still not ping 40.40.40.11, while they can ping 40.40.40.1 (the ASA outside interface)!!!!
Please check if something needs to be added.
static (dmz,outside) 40.40.40.11 10.10.10.11 netmask 255.255.255.255 (meaning all ports open)!!
Help me.
ASKER
This is the traceroute from outside to IP 40.40.40.11:
C:\Users\tracert -d 40.40.40.11
1 * * * Request timed out.
2 109 ms 128 ms 128 ms 10.64.0.17
3 101 ms 88 ms 123 ms 10.20.20.1
4 112 ms 208 ms 118 ms X.X.X.97
5 101 ms 123 ms 138 ms Y.Y.Y.146
6 106 ms * 190 ms 10.10.0.1
7 94 ms 187 ms 129 ms 172.29.0.2
8 82 ms 133 ms 133 ms 10.193.193.6
9 110 ms 168 ms 158 ms 172.17.1.1
10 111 ms 152 ms 203 ms 10.254.3.29
11 106 ms 128 ms 123 ms 40.40.40.230
12 * * * Request timed out.
!!! Why can it not ping the ASA?
But when I tracert to 40.40.40.1:
C:\Users\tracert -d 40.40.40.11
1 * * * Request timed out.
2 109 ms 128 ms 128 ms 10.64.0.17
3 101 ms 88 ms 123 ms 10.20.20.1
4 112 ms 208 ms 118 ms X.X.X.97
5 101 ms 123 ms 138 ms Y.Y.Y.146
6 106 ms * 190 ms 10.10.0.1
7 94 ms 187 ms 129 ms 172.29.0.2
8 82 ms 133 ms 133 ms 10.193.193.6
9 110 ms 168 ms 158 ms 172.17.1.1
10 111 ms 152 ms 203 ms 10.254.3.29
11 106 ms 128 ms 123 ms 40.40.40.230
12 101 ms 133 ms 128 ms 40.40.40.1
ASKER
Sorry:
C:\Users\tracert -d 40.40.40.1
1 * * * Request timed out.
2 109 ms 128 ms 128 ms 10.64.0.17
3 101 ms 88 ms 123 ms 10.20.20.1
4 112 ms 208 ms 118 ms X.X.X.97
5 101 ms 123 ms 138 ms Y.Y.Y.146
6 106 ms * 190 ms 10.10.0.1
7 94 ms 187 ms 129 ms 172.29.0.2
8 82 ms 133 ms 133 ms 10.193.193.6
9 110 ms 168 ms 158 ms 172.17.1.1
10 111 ms 152 ms 203 ms 10.254.3.29
11 106 ms 128 ms 123 ms 40.40.40.230
12 101 ms 133 ms 128 ms 40.40.40.1
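Added example (mine, not the asker's or an answerer's code): the script reads the two tracert outputs posted above, walks them hop by hop and reports where the failing path stops relative to the working one. The traces are embedded as posted (hops 4 and 5 were already redacted in the thread); the function names and the verdict wording are my own.

```python
"""Compare a working and a failing Windows tracert to locate the break (added example, not from the thread)."""
import re

# Constructed input: the two tracert outputs the asker posted, one to the ASA outside
# address (answers at hop 12) and one to the NAT global for the DMZ server (silent at hop 12).
TRACE_TO_ASA = r"""C:\Users>tracert -d 40.40.40.1
  1     *        *        *     Request timed out.
  2   109 ms   128 ms   128 ms  10.64.0.17
  3   101 ms    88 ms   123 ms  10.20.20.1
  4   112 ms   208 ms   118 ms  X.X.X.97
  5   101 ms   123 ms   138 ms  Y.Y.Y.146
  6   106 ms     *      190 ms  10.10.0.1
  7    94 ms   187 ms   129 ms  172.29.0.2
  8    82 ms   133 ms   133 ms  10.193.193.6
  9   110 ms   168 ms   158 ms  172.17.1.1
 10   111 ms   152 ms   203 ms  10.254.3.29
 11   106 ms   128 ms   123 ms  40.40.40.230
 12   101 ms   133 ms   128 ms  40.40.40.1
"""
TRACE_TO_NAT = r"""C:\Users>tracert -d 40.40.40.11
  1     *        *        *     Request timed out.
  2   109 ms   128 ms   128 ms  10.64.0.17
  3   101 ms    88 ms   123 ms  10.20.20.1
  4   112 ms   208 ms   118 ms  X.X.X.97
  5   101 ms   123 ms   138 ms  Y.Y.Y.146
  6   106 ms     *      190 ms  10.10.0.1
  7    94 ms   187 ms   129 ms  172.29.0.2
  8    82 ms   133 ms   133 ms  10.193.193.6
  9   110 ms   168 ms   158 ms  172.17.1.1
 10   111 ms   152 ms   203 ms  10.254.3.29
 11   106 ms   128 ms   123 ms  40.40.40.230
 12     *        *        *     Request timed out.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")


def parse_tracert(text):
    """Return [(hop, host)] in order; host is None when the hop never answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            host = None if m[2].endswith("Request timed out.") else m[2].split()[-1]
            hops.append((int(m[1]), host))
    return hops


def locate_break(working, failing):
    """Walk both traces hop by hop and report where the failing one stops matching."""
    w = [h for _, h in working]
    f = [h for _, h in failing]
    common = 0
    while common < min(len(w), len(f)) and w[common] == f[common]:
        common += 1
    return {
        "diverge_at_hop": common + 1,
        "last_common": next((h for h in reversed(w[:common]) if h), None),
        "expected_next": w[common] if common < len(w) else None,
        # hosts the failing trace still hears from past the divergence (a different route, not a black hole)
        "failing_answers_after": [h for h in f[common:] if h is not None],
    }


def verdict(result):
    """Turn the comparison into the next thing to look at."""
    if result["last_common"] is None:
        return "nothing answered on either path; start with local connectivity"
    if result["expected_next"] is None:
        return "paths identical to the end; the failure is the target itself"
    if result["failing_answers_after"]:
        return (f"paths diverge after {result['last_common']}: the failing trace is routed elsewhere "
                f"({result['failing_answers_after'][0]} instead of {result['expected_next']})")
    return (f"both paths match through {result['last_common']}; the failing trace goes silent where the "
            f"working one reaches {result['expected_next']}, so look at that device and beyond it "
            "(NAT/ACL on the firewall and the return path from the server)")


if __name__ == "__main__":
    print(verdict(locate_break(parse_tracert(TRACE_TO_ASA), parse_tracert(TRACE_TO_NAT))))
```

For the posted traces both paths agree through 40.40.40.230 (the router), and the trace to the NAT address goes silent exactly where the trace to 40.40.40.1 reaches the ASA, so the Internet path and the router are cleared and the remaining suspects are the ASA's translation/ACL and the return path from the server. The asker's eventual fix, the server's default gateway, is the return-path case: with a wrong gateway the server's replies never come back through the ASA, so the probe times out even if the request was delivered.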
I think you need some NAT on your router to redirect traffic from the router to your ASA.
For example:
ip nat inside source static <local ip> <global ip>
ip nat inside source static 10.10.10.11 40.40.40.11
You'll need an ACL on your router like:
access-list 110 permit ip any host 40.40.40.11
And finally configure your interfaces with NAT:
interface GigabitEthernet0/1
ip nat outside
interface GigabitEthernet0/2
ip nat inside
Hope I made no error; I think erniebeek will see :)
ASKER
Sorry, solved: there was a mistake in the server's IP gateway.
ASKER
Thanks
Ok, glad you solved it :)
Thx for the points.
ASKER
I have another problem.
Dear, I have this network diagram:
From the PC (10.10.10.2) I can ping 10.10.10.1 (DMZ firewall), and PC 192.168.1.2 can ping 10.10.10.1.
But PC 10.10.10.2 cannot ping IP 192.168.1.1 or 192.168.1.2.
I think I need to add an access rule or NAT to permit it; please send me this config.
Note:
From the firewall I can ping both IPs, 10.10.10.2 and 192.168.1.2.
test.jpg
ASKER
If you want, answer me in the new question;
please see this link and answer me there:
https://www.experts-exchange.com/questions/27392404/ip-route-doesn't-work-in-ASA.html
Regards
I'll see you there then ;)
Assuming here that the interfaces are named dmz and outside, and there is no outside access-list (yet). Otherwise rename the access-list and access-group to the name that you use.