
ASA 5505 - connections from inside to dmz not working


  • ASA 5505 - connections from inside to dmz not working

    Hello,

    I have the following configuration on our company firewall (ASA 5505). VPN users can login and use resources in 192.168.0.0/24 network, but can't access DMZ (10.1.1.0/24). Connection from inside network to DMZ network doesn't work either.

    I think this somehow refers to nat configuration, but I can't figure it out. Please, help!

    ASA Version 7.2(4)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    names
    name 192.168.2.96 VPN-network
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.254 255.255.255.0
    ospf cost 10
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address <PUBLICIP> 255.255.255.248
    ospf cost 10
    !
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address 10.1.1.1 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    switchport access vlan 3
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    switchport access vlan 3
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group service TCP_2222 tcp
    port-object eq 2222
    object-group service rdp tcp
    port-object eq 3389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list VPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN-network 255.255.255.240
    access-list dmz_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 VPN-network 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool company_vpn_users 192.168.2.100-192.168.2.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (dmz,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 <PUBLICIP> 1
    .
    .
    .

    Best regards,
    Markku

  • #2
    Re: ASA 5505 - connections from inside to dmz not working

    Have you checked your logs or packet tracer to see why the flow is getting dropped?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: ASA 5505 - connections from inside to dmz not working

      Hello,

      today I checked my server's network configuration in the dmz area and noticed that there was a typo in the gateway configuration. The packet went through but it never came back.

      So, config works, but I lost at least 1 day while figuring it out.

      Thanks auglan, your comment helped me in the right direction.

      Best regards,
      Markku
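The two things this thread turns on are the identity statics between inside and dmz in the posted config and a DMZ host whose default gateway was mistyped, so the ASA forwarded the packet but the reply never came back. The script below is an added example (not from the thread or from Cisco) that parses a constructed excerpt of the posted config and runs both checks: it flags an identity `static` with no counterpart for the reverse interface pair, and it reports a host gateway that is off-subnet or is not the ASA's address on that interface. The DMZ host address and the mistyped gateway in the usage are constructed values.

```python
import ipaddress
import re
# Constructed excerpt of the ASA 7.2 config posted in this thread (interfaces and statics only).
ASA_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan3
 nameif dmz
 ip address 10.1.1.1 255.255.255.0
!
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
"""

def parse_interfaces(config):
    """Map nameif -> IPv4Interface from the 'nameif' and 'ip address' lines."""
    ifaces, name = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()
            ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces

def parse_statics(config):
    """Collect (real_if, mapped_if, mapped, real, mask) tuples from 'static' lines."""
    pat = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
    return [m.groups() for m in pat.finditer(config)]

def unpaired_identity_statics(statics):
    """Identity statics (mapped == real) whose reverse interface pair has no identity static."""
    ident = {(r, m) for r, m, mapped, real, _ in statics if mapped == real}
    return sorted((r, m) for r, m in ident if (m, r) not in ident)

def gateway_problems(ifaces, ifname, host_ip, host_mask, host_gw):
    """Explain why a host's default gateway would stop return traffic (the thread's root cause)."""
    host = ipaddress.IPv4Interface(f"{host_ip}/{host_mask}")
    gw = ipaddress.IPv4Address(host_gw)
    problems = []
    if gw not in host.network:
        problems.append(f"gateway {gw} is outside the host subnet {host.network}")
    asa = ifaces.get(ifname)
    if asa is None:
        problems.append(f"ASA has no interface named {ifname}")
    elif gw != asa.ip:
        problems.append(f"gateway {gw} is not the ASA {ifname} address {asa.ip}")
    return problems
```

Calling `gateway_problems(parse_interfaces(ASA_CONFIG), "dmz", "10.1.1.20", "255.255.255.0", "10.1.1.11")` on a constructed DMZ host with a one-digit gateway typo reports that the gateway is not the ASA dmz address 10.1.1.1, which is the kind of mismatch that shows up as a one-way flow in the logs or packet tracer.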
