Implementing email, webserver and DNS in a DMZ, cannot ping from DMZ and inside to natted IP and outside interface

Posted on 2014-07-10
Last Modified: 2014-08-20
I am implementing a DNS server, a web server and an email server in a DMZ. I mounted those services on a Windows 2008 Standard box, but my NS does not recognize the external IP. I assume that is because I cannot ping from the DMZ/inside to the outside interface or the NATted IP. Can someone help? Here's my configuration:


: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 200.87.226.123 255.255.255.248
!
interface Ethernet0/1
 nameif Branch_Office
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network POSLINKSER
 network-object host 192.168.41.101
 network-object host 192.168.41.102
 network-object host 192.168.41.103
 network-object host 192.168.41.104
 network-object host 192.168.41.105
 network-object host 192.168.41.106
 network-object host 192.168.27.101
 network-object host 192.168.27.102
 network-object host 192.168.27.103
 network-object host 192.168.27.104
 network-object host 192.168.27.105
 network-object host 192.168.27.106
 network-object host 192.168.42.101
 network-object host 192.168.42.102
 network-object host 192.168.42.103
 network-object host 192.168.42.104
 network-object host 192.168.42.105
 network-object host 192.168.42.106
 network-object host 192.168.23.101
 network-object host 192.168.23.102
 network-object host 192.168.23.103
 network-object host 192.168.23.104
 network-object host 192.168.23.105
 network-object host 192.168.23.106
 network-object host 192.168.39.101
 network-object host 192.168.39.102
 network-object host 192.168.39.103
 network-object host 192.168.39.104
 network-object host 192.168.39.105
 network-object host 192.168.39.106
 network-object host 192.168.40.101
 network-object host 192.168.40.102
 network-object host 192.168.40.103
 network-object host 192.168.40.104
 network-object host 192.168.40.105
 network-object host 192.168.40.106
 network-object host 192.168.0.62
access-list dmz_in extended permit ip any host 172.16.31.2
access-list dmz_in extended permit tcp any host 172.16.31.2
access-list dmz_in extended permit udp any host 172.16.31.2
access-list dmz_in extended permit tcp any host 172.16.31.2 eq 3000
access-list dmz_in extended permit tcp any host 172.16.31.2 eq https
access-list dmz_in extended permit udp any host 172.16.31.2 eq domain
access-list dmz_in extended permit tcp any host 172.16.31.2 eq pop3
access-list dmz_in extended permit tcp any host 172.16.31.2 eq smtp
access-list dmz_in extended permit tcp any host 172.16.31.2 eq www
access-list dmz_in extended permit tcp any host 172.16.31.2 eq 1000
access-list dmz_in extended permit tcp any host 172.16.31.2 eq echo
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list Inside extended permit tcp any any
access-list 100 extended permit ip any host 200.87.226.122
access-list 100 extended permit tcp any host 200.87.226.122
access-list 100 extended permit udp any host 200.87.226.122
access-list linkser extended permit ip any 193.168.1.0 255.255.255.0
access-list linkser extended permit ip 193.168.1.0 255.255.255.0 any
access-list linkser extended permit tcp 193.168.1.0 255.255.255.0 any
access-list linkser extended permit tcp any 193.168.1.0 255.255.255.0
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any source-quench
access-list ping extended permit icmp any any unreachable
access-list ping extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Branch_Office 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.0.43 Outside
icmp permit any Outside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (DMZ) 101 interface
global (Inside) 102 192.168.0.3
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Branch_Office) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,Branch_Office) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.21.0 192.168.21.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.37.0 192.168.37.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.28.0 192.168.28.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.33.0 192.168.33.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Branch_Office,Inside) 193.168.1.0 193.168.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.25.0 192.168.25.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.34.0 192.168.34.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.23.0 192.168.23.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.39.0 192.168.39.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.29.0 192.168.29.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
static (DMZ,Outside) 200.87.226.122 172.16.31.2 netmask 255.255.255.255
access-group ping in interface Outside
access-group ping in interface DMZ
route Outside 0.0.0.0 0.0.0.0 200.87.226.121 20
route Branch_Office 172.16.1.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.3.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.1.0.0 255.255.192.0 192.168.2.2 1
route Branch_Office 192.168.20.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.21.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.22.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.23.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.25.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.26.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.27.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.28.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.29.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.30.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.32.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.33.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.34.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.35.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.37.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.39.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.43.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.44.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.45.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.100.0 255.255.255.0 192.168.2.2 1
route Inside 193.168.1.0 255.255.255.0 192.168.0.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 Branch_Office
telnet 172.16.31.0 255.255.255.0 DMZ
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username eguerra password dr6zkC4iOPQHLH5f encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:316ae9cbc1ea6482776a8766720c307f
: end
ASAFCHFW#
Question by:edumatico
1 Comment
 
LVL 14

Accepted Solution

by: anoopkmr (ID: 40192707)
Add the commands below and see.

! Inbound ACL on the DMZ interface (replaces the ICMP-only "ping" ACL currently bound there)
access-list ACL_dmz_in extended permit tcp host 172.16.31.2 eq 443 any
access-list ACL_dmz_in extended permit tcp host 172.16.31.2 eq 80 any
access-list ACL_dmz_in extended permit tcp host 172.16.31.2 eq 25 any
access-list ACL_dmz_in extended permit tcp host 172.16.31.2 eq 110 any
access-list ACL_dmz_in extended permit udp host 172.16.31.2 eq 53 any
access-list ACL_dmz_in extended permit udp host 172.16.31.2 any eq 53
access-group ACL_dmz_in in interface DMZ

! Inbound ACL on the Outside interface; on ASA 8.2 it matches the mapped (public) address of the static
access-list ACL_out_in extended permit tcp any host 200.87.226.122 eq 443
access-list ACL_out_in extended permit tcp any host 200.87.226.122 eq 25
access-list ACL_out_in extended permit tcp any host 200.87.226.122 eq 110
access-list ACL_out_in extended permit tcp any host 200.87.226.122 eq 80
access-list ACL_out_in extended permit udp any host 200.87.226.122 eq 53
access-group ACL_out_in in interface Outside
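An added check, not part of the question or of anoopkmr's answer, that parses the three statement types the answer touches (access-list, access-group and static) and reports the two gaps in the posted config: ACLs that are written but never bound to an interface, and a static translation whose mapped address is permitted by nothing on the inbound ACL of the Outside interface (ASA 8.2 evaluates that ACL against the mapped address). The sample config is constructed from lines in the post; the function names are my own.

```python
import re
# Constructed sample: the posted config lines that matter. The DMZ server 172.16.31.2 is
# mapped to 200.87.226.122, but only the ICMP-only "ping" ACL is bound; dmz_in and 100 are not.
SAMPLE_CONFIG = """\
access-list dmz_in extended permit tcp any host 172.16.31.2 eq smtp
access-list 100 extended permit tcp any host 200.87.226.122
access-list ping extended permit icmp any any echo-reply
static (DMZ,Outside) 200.87.226.122 172.16.31.2 netmask 255.255.255.255
access-group ping in interface Outside
access-group ping in interface DMZ
"""
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")

def parse(config):
    """Return (ACL name -> [(action, proto, src/dst text)], interface -> bound ACL, statics)."""
    acls, bound, statics = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]
        elif m := STATIC_RE.match(line):
            statics.append((m[1], m[2], m[3], m[4]))  # real_if, mapped_if, mapped IP, real IP
    return acls, bound, statics

def unbound_acls(acls, bound):
    """ACLs that exist but are never applied with access-group, so they filter nothing."""
    return sorted(set(acls) - set(bound.values()))

def permits_host(entries, ip):
    """True if a non-ICMP permit entry names ip (or 'any') as its destination."""
    for action, proto, spec in entries:
        toks = spec.split()
        src_len = 2 if toks[0] == "host" or toks[0][0].isdigit() else 1  # host X | net mask | any
        dst = toks[src_len:]
        if action == "permit" and proto != "icmp" and (dst[0] == "any" or dst[:2] == ["host", ip]):
            return True
    return False

def unreachable_statics(acls, bound, statics):
    """Statics whose mapped IP has no TCP/UDP permit on the mapped-side inbound ACL, or no ACL at all."""
    findings = []
    for _, mapped_if, mapped, real in statics:
        acl = bound.get(mapped_if)
        if acl is None or not permits_host(acls.get(acl, []), mapped):
            findings.append((mapped_if, mapped, real, acl))
    return findings
```

Running the functions over the full posted config flags dmz_in, Inside, 100 and linkser as unbound and the 200.87.226.122 static as unreachable through the "ping" ACL, which is exactly the condition the accepted answer's access-group commands correct.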
