Solved

outside to DMZ

Posted on 2011-10-10
461 Views
Last Modified: 2012-05-12
Dear,

I have a server in the DMZ zone; its IP is 10.10.10.11.

I want everyone from outside to see this IP as the public IP 40.40.40.11 and also be able to access it.

Please write to me what I need, with the access, if I want it on the outside interface.
Question by:memo12345678
20 Comments
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 2000 total points
ID: 36942325
Depends on what ports you want to open.

For example http:
static (dmz,outside) tcp 40.40.40.11 80 10.10.10.11 80 netmask 255.255.255.255
access-list outside permit tcp any host 40.40.40.11 eq 80
access-group outside in interface outside
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36942336
Oh,
I'm assuming here that the interfaces are named dmz and outside, and that there is no outside access list (yet). Otherwise rename the access-list and access-group to the name that you use.
0
 

Author Comment

by:memo12345678
ID: 36942419
Dear,
it still doesn't work. This is the config:


access-list 101 extended permit icmp 40.40.40.128 255.255.255.128 any echo
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 time-exceeded
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 echo
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 echo-reply
access-list 101 extended permit icmp 40.40.40.128 255.255.255.128 any echo-reply
access-list 101 extended permit ip any host 40.40.40.11

access-group 101 in interface outside


static (dmz,outside) 40.40.40.11 10.10.10.11 netmask 255.255.255.255  


interface GigabitEthernet3/0
 nameif outside
 security-level 0
 ip address 40.40.40.1 255.255.255.248 standby 40.40.40.2
!
interface GigabitEthernet3/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3/1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 10.10.10.2 255.255.255.0 standby 10.200.200.3
!
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 2000 total points
ID: 36942447
Is that netmask correct?
 ip address 40.40.40.1 255.255.255.248 standby 40.40.40.2
Because then you can only use 40.40.40.1-40.40.40.7.
0
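The two checks raised so far (Ernie Beek's port-specific static plus ACL at the top of the thread, and his question about the /29 mask on the outside interface) can be run mechanically against the posted lines. The script below is an added example, not something from the thread or from Cisco; it parses pre-8.3 ASA `static`, `access-list` and outside `ip address` lines and reports (1) statics whose mapped IP is not inside the outside interface's subnet and (2) rules that expose every port of the host rather than one service. The sample config is constructed from lines quoted in the thread; the function names and the finding strings are my own.

```python
"""Audit ASA (pre-8.3 NAT syntax) static/ACL lines for two common mistakes.

Added example, not code from the thread. Checks:
  1. the mapped (public) IP of each `static` lies inside the outside
     interface's subnet (with the original /29 mask, 40.40.40.11 does not,
     so the ASA will not proxy-ARP for it and the upstream router needs a
     route to it via the ASA);
  2. which rules expose every port (one-to-one static + `permit ip any`)
     versus a single service (tcp/80 static + `permit tcp ... eq 80`).
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample built from lines quoted in the thread.
SAMPLE_CONFIG = """
interface GigabitEthernet3/0
 nameif outside
 security-level 0
 ip address 40.40.40.1 255.255.255.248 standby 40.40.40.2
interface GigabitEthernet3/1.10
 nameif dmz
 security-level 50
 ip address 10.10.10.2 255.255.255.0
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 echo
access-list 101 extended permit ip any host 40.40.40.11
access-list outside permit tcp any host 40.40.40.11 eq 80
static (dmz,outside) 40.40.40.11 10.10.10.11 netmask 255.255.255.255
static (dmz,outside) tcp 40.40.40.11 80 10.10.10.11 80 netmask 255.255.255.255
"""

# static (real_if,mapped_if) [tcp|udp] MAPPED_IP [PORT] REAL_IP [PORT] netmask MASK
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)"
    r"(?: (?P<proto>tcp|udp))?"
    r" (?P<mapped_ip>\d[\d.]*)(?: (?P<mapped_port>\w+))?"
    r" (?P<real_ip>\d[\d.]*)(?: (?P<real_port>\w+))?"
    r" netmask (?P<mask>[\d.]+)$"
)


def parse_static(line: str) -> Optional[Dict[str, Optional[str]]]:
    m = STATIC_RE.match(line.strip())
    return m.groupdict() if m else None


def _take_addr(tokens: List[str], i: int):
    """Consume one ASA address spec (any | host X | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(line: str) -> Optional[Dict[str, Optional[str]]]:
    """access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT | icmp-type]"""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        return None
    i = 2 if t[2] != "extended" else 3
    action, proto = t[i], t[i + 1]
    src, i = _take_addr(t, i + 2)
    dst, i = _take_addr(t, i)
    port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
    return {"name": t[1], "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def audit(config: str) -> List[str]:
    findings: List[str] = []
    outside_net = None
    nameif = None
    statics, acls = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif == "outside":
            _, _, ip, mask = line.split()[:4]
            outside_net = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif line.startswith("static "):
            s = parse_static(line)
            if s:
                statics.append(s)
        elif line.startswith("access-list "):
            a = parse_acl(line)
            if a:
                acls.append(a)
    for s in statics:
        mapped = ipaddress.ip_address(s["mapped_ip"])
        if outside_net is not None and mapped not in outside_net:
            findings.append(f"static {s['mapped_ip']}: not inside outside subnet "
                            f"{outside_net}; the upstream router needs a route to it via the ASA")
        if s["proto"] is None:
            findings.append(f"static {s['mapped_ip']} -> {s['real_ip']}: one-to-one NAT, "
                            "every port is reachable that the ACL allows")
    for a in acls:
        if a["action"] == "permit" and a["proto"] == "ip" and a["src"] == "any":
            findings.append(f"ACL {a['name']}: permit ip any -> {a['dst']} exposes all ports; "
                            "restrict to the service (e.g. tcp ... eq 80)")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Re-running `audit` on the same text with the mask changed to 255.255.255.192 (as the asker later did) makes the subnet findings disappear, leaving only the two all-ports findings; those are the least-privilege point of the first answer.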
 

Expert Comment

by:fwed29
ID: 36942932
Hi,

What about your DMZ? Do you have some NAT (global, nat (dmz), etc.) and some access-lists?

Can your DMZ go to the Internet?

If your DMZ hasn't got an access-list/access-group, it will not work.


0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36942956
No need for an access list/group; you're going from a higher to a lower security interface.
0
 

Author Comment

by:memo12345678
ID: 36947403
Dear erniebeek

I changed to
interface GigabitEthernet3/0
 nameif outside
 security-level 0
 ip address 40.40.40.1 255.255.255.192 standby 40.40.40.2

but still I cannot ping from outside to this IP 40.40.40.11, but from my router (40.40.40.3) that connects to the ASA's outside interface I can ping 40.40.40.11!!!!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36947636
Ok, that looks like we have to have a look at the router as well. Could you post a (sanitized) config?
0
 

Expert Comment

by:fwed29
ID: 36947743
@erniebeek : you're right :)

@memo: you talk about your router; does it redirect the traffic to the ASA (bridging?)?

For your ASA, I think you must follow erniebeek's config, which redirects just one port, e.g. 80:

static (dmz,outside) tcp 40.40.40.11 80 10.10.10.11 80 netmask 255.255.255.255
0
 

Author Comment

by:memo12345678
ID: 36950469

Dear erniebeek,

router config:

interface GigabitEthernet0/1
 description link to internet
 ip address 40.40.40.230 255.255.255.192
 duplex auto
 speed auto
 standby 11 ip 40.40.40.231
 standby 11 timers 3 9
 standby 11 priority 120
 standby 11 preempt
 standby 11 track 1 decrement 25
!
interface GigabitEthernet0/2
 description Link ASA firewall
 ip address 40.40.40.4 255.255.255.192
 duplex auto
 speed auto
 standby 10 ip 40.40.40.6
 standby 10 timers 3 9
 standby 10 priority 120
 standby 10 preempt
 standby 10 track 1 decrement 25


!
ip route 0.0.0.0 0.0.0.0 40.40.40.200
ip route 40.40.40.0 255.255.255.192 40.40.40.1


There is no problem in the router, so why can I still not ping 40.40.40.11 from outside, but they can ping 40.40.40.1 (the ASA outside interface)!!!!
Please check if something needs to be added.
static (dmz,outside) 40.40.40.11 10.10.10.11 netmask 255.255.255.255   (meaning all ports open)!!
help me
0
 

Author Comment

by:memo12345678
ID: 36950527
This is the traceroute from outside to IP 40.40.40.11:

C:\Users\tracert -d 40.40.40.11


  1     *        *        *     Request timed out.
  2   109 ms   128 ms   128 ms  10.64.0.17
  3   101 ms    88 ms   123 ms  10.20.20.1
  4   112 ms   208 ms   118 ms  X.X.X.97
  5   101 ms   123 ms   138 ms  Y.Y.Y.146
  6   106 ms     *      190 ms  10.10.0.1
  7    94 ms   187 ms   129 ms  172.29.0.2
  8    82 ms   133 ms   133 ms  10.193.193.6
  9   110 ms   168 ms   158 ms  172.17.1.1
 10   111 ms   152 ms   203 ms  10.254.3.29
 11   106 ms   128 ms   123 ms  40.40.40.230
 12     *        *        *     Request timed out.


!!! Why can it not ping the ASA?
But when I tracert to 40.40.40.1:
C:\Users\tracert -d 40.40.40.11


  1     *        *        *     Request timed out.
  2   109 ms   128 ms   128 ms  10.64.0.17
  3   101 ms    88 ms   123 ms  10.20.20.1
  4   112 ms   208 ms   118 ms  X.X.X.97
  5   101 ms   123 ms   138 ms  Y.Y.Y.146
  6   106 ms     *      190 ms  10.10.0.1
  7    94 ms   187 ms   129 ms  172.29.0.2
  8    82 ms   133 ms   133 ms  10.193.193.6
  9   110 ms   168 ms   158 ms  172.17.1.1
 10   111 ms   152 ms   203 ms  10.254.3.29
 11   106 ms   128 ms   123 ms  40.40.40.230
 12   101 ms   133 ms   128 ms   40.40.40.1
0
 

Author Comment

by:memo12345678
ID: 36950556
Sorry, the command above was wrong; here is the trace to 40.40.40.1:

C:\Users\tracert -d 40.40.40.1


  1     *        *        *     Request timed out.
  2   109 ms   128 ms   128 ms  10.64.0.17
  3   101 ms    88 ms   123 ms  10.20.20.1
  4   112 ms   208 ms   118 ms  X.X.X.97
  5   101 ms   123 ms   138 ms  Y.Y.Y.146
  6   106 ms     *      190 ms  10.10.0.1
  7    94 ms   187 ms   129 ms  172.29.0.2
  8    82 ms   133 ms   133 ms  10.193.193.6
  9   110 ms   168 ms   158 ms  172.17.1.1
 10   111 ms   152 ms   203 ms  10.254.3.29
 11   106 ms   128 ms   123 ms  40.40.40.230
 12   101 ms   133 ms   128 ms   40.40.40.1
0
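The two traces above are identical up to hop 11 (the router at 40.40.40.230) and differ only at hop 12, where 40.40.40.1 answers and 40.40.40.11 does not. The script below is an added example (not from the thread) that makes that comparison mechanically: it parses Windows `tracert -d` output, finds the last hop both paths have in common, and reports what each trace saw after it. The sample traces are constructed from the thread's output with the X.X.X / Y.Y.Y hops kept as posted; the function names and the wording of the verdict are my own.

```python
"""Compare two `tracert -d` outputs hop by hop.

Added example, not code from the thread. Given a trace to the NAT'd address
and a reference trace to the firewall's own outside interface, find the last
hop on which both paths got the same reply and say what happened next. When
the reference answers past that hop but the NAT'd address is silent, the
break is beyond the upstream router: the firewall's static/ACL or the
server's return path (its default gateway, which is what this thread ended
on).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the thread's output (X.X.X / Y.Y.Y hops kept as posted).
TRACE_TO_NAT = """
C:\\Users\\>tracert -d 40.40.40.11
  1     *        *        *     Request timed out.
  2   109 ms   128 ms   128 ms  10.64.0.17
  3   101 ms    88 ms   123 ms  10.20.20.1
  4   112 ms   208 ms   118 ms  X.X.X.97
  5   101 ms   123 ms   138 ms  Y.Y.Y.146
  6   106 ms     *      190 ms  10.10.0.1
  7    94 ms   187 ms   129 ms  172.29.0.2
  8    82 ms   133 ms   133 ms  10.193.193.6
  9   110 ms   168 ms   158 ms  172.17.1.1
 10   111 ms   152 ms   203 ms  10.254.3.29
 11   106 ms   128 ms   123 ms  40.40.40.230
 12     *        *        *     Request timed out.
"""

TRACE_TO_ASA = TRACE_TO_NAT.replace("tracert -d 40.40.40.11", "tracert -d 40.40.40.1").replace(
    " 12     *        *        *     Request timed out.",
    " 12   101 ms   133 ms   128 ms  40.40.40.1")

HOP_LINE = re.compile(r"^\s*\d+\s")


def parse_tracert(text: str) -> List[Optional[str]]:
    """Responding address per hop, None where the hop timed out entirely."""
    hops: List[Optional[str]] = []
    for line in text.splitlines():
        if not HOP_LINE.match(line):
            continue  # prompt, header or blank line
        hops.append(None if "Request timed out" in line else line.split()[-1])
    return hops


def last_common_hop(a: List[Optional[str]], b: List[Optional[str]]) -> Optional[Tuple[int, str]]:
    """(1-based hop number, address) of the last hop where both traces agree."""
    common = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x is not None and x == y:
            common = (i + 1, x)
        elif x != y:
            break  # paths diverge here
    return common


def diagnose(trace_target: str, trace_ref: str) -> Dict[str, object]:
    t, r = parse_tracert(trace_target), parse_tracert(trace_ref)
    common = last_common_hop(t, r)
    if common is None:
        return {"last_common": None, "target_next": None, "ref_next": None,
                "verdict": "no responding hop in common; compare routing before the edge"}
    idx = common[0]  # next hop sits at list index idx (hop numbers are 1-based)
    target_next = t[idx] if idx < len(t) else None
    ref_next = r[idx] if idx < len(r) else None
    if target_next is None and ref_next is not None:
        verdict = (f"both traces reach {common[1]} at hop {idx}; the reference answers next "
                   f"from {ref_next} but the NAT'd address is silent, so the break is past that "
                   "router: check the firewall static/ACL and the server's default gateway")
    elif target_next == ref_next:
        verdict = "both traces behave the same past the last common hop"
    else:
        verdict = f"paths diverge after {common[1]}: target saw {target_next}, reference saw {ref_next}"
    return {"last_common": common, "target_next": target_next,
            "ref_next": ref_next, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(TRACE_TO_NAT, TRACE_TO_ASA)["verdict"])
```

A mid-line `*` (hop 6 above) is a single lost probe and still yields the hop's address; only a fully timed-out hop becomes `None`, so the comparison does not misreport ordinary packet loss as a divergence.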
 

Expert Comment

by:fwed29
ID: 36950907
I think you need some NAT on your router to redirect traffic from the router to your ASA.

For example :

ip nat inside source static <local ip> <global ip>
ip nat inside source static 10.10.10.11 40.40.40.11



You'll need an ACL on your router like
access-list 10 permit ip any 40.40.40.11



And finally configure your interfaces with NAT :

interface GigabitEthernet0/1
ip nat outside

interface GigabitEthernet0/2
ip nat inside



Hope I made no error; I think erniebeek will see :)
0
 

Accepted Solution

by:
memo12345678 earned 0 total points
ID: 36951001
Dear,

I have this network. I just want anyone from the Internet to be able to access the server 10.10.10.11 (all ports) by using this public IP 40.40.40.11!

How can it be done? Please send me the ASA config for it.


ASA.jpg
0
 

Author Comment

by:memo12345678
ID: 36954409
Sorry, solved: there was a mistake in the server's gateway IP.
0
 

Author Closing Comment

by:memo12345678
ID: 36978164
thx
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36954462
Ok, glad you solved it :)
Thx for the points.
0
 

Author Comment

by:memo12345678
ID: 36954473
I have another problem.
Dear, I have this network diagram:

From the PC (10.10.10.2) I can ping 10.10.10.1 (DMZ firewall), and the PC 192.168.1.2 can ping 10.10.10.1.

But the PC 10.10.10.2 cannot ping IP 192.168.1.1 or 192.168.1.2.

I think I need to add an access-list or NAT to permit it; please send me this config.


Note:

From the firewall I can ping both IPs, 10.10.10.2 and 192.168.1.2.
test.jpg
0
 

Author Comment

by:memo12345678
ID: 36954477
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36954974
I'll see you there then ;)
0
