Need help with DMZ access lists asa 5510

  • Need help with DMZ access lists asa 5510

    Hi, I have set up an ASA 5510 and used IPv6. I want to access the DMZ server from outside. I have applied access lists but don't know where I'm going wrong. Please help.


    show run
    : Saved
    :
    ASA Version 8.0(4)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    no ip address
    ipv6 address fc04::2/64
    ipv6 enable
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    ipv6 address fc06::1/64
    ipv6 enable
    !
    interface Ethernet0/2
    nameif dmz
    security-level 70
    no ip address
    ipv6 address fc05::1/64
    ipv6 enable
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_3 tcp
    port-object eq www
    port-object eq https
    pager lines 24
    mtu inside 1500
    mtu dmz 1500
    mtu outside 1500
    ipv6 route outside ::/0 fc04::1
    ipv6 access-list inside_access_ipv6_in permit ip any any
    ipv6 access-list inside_access_ipv6_in permit tcp any fc05::/64 object-group DM_INLINE_TCP_2
    ipv6 access-list dmz_access_ipv6_in permit ip any any
    ipv6 access-list dmz_access_ipv6_in permit tcp any fc05::/64 object-group DM_INLINE_TCP_1
    ipv6 access-list outside_access_ipv6_in permit ip any any
    ipv6 access-list outside_access_ipv6_in permit tcp any fc05::/64 object-group DM_INLINE_TCP_3
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    access-group inside_access_ipv6_in in interface inside
    access-group dmz_access_ipv6_in in interface dmz
    access-group outside_access_ipv6_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    !
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000
    : end
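    An added example (not part of the original post and not Cisco code) that reads the object-group and ipv6 access-list lines from the configuration above and checks them the way an ASA does: first matching entry wins, and anything unmatched hits the implicit deny at the end of the list. The sample config embedded in the script is copied from the post with the terminal-wrapped group names rejoined; the host addresses fc04::99 and fc05::10 used for the test flows are constructed. The parser also accepts `host`, `eq` and `deny` forms that the posted config does not use. Running it shows that every one of the three lists starts with `permit ip any any`, so the more specific `tcp ... fc05::/64` entries can never match (they are shadowed), the outside list permits any port to the DMZ rather than only www/https, and, because the ACL already permits the HTTPS flow, the ACL is not what is blocking the DMZ server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample: the object-group and ipv6 access-list lines from the
# "show run" posted above, with the terminal-wrapped group names rejoined.
SAMPLE_CONFIG = """\
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
ipv6 access-list inside_access_ipv6_in permit ip any any
ipv6 access-list inside_access_ipv6_in permit tcp any fc05::/64 object-group DM_INLINE_TCP_2
ipv6 access-list dmz_access_ipv6_in permit ip any any
ipv6 access-list dmz_access_ipv6_in permit tcp any fc05::/64 object-group DM_INLINE_TCP_1
ipv6 access-list outside_access_ipv6_in permit ip any any
ipv6 access-list outside_access_ipv6_in permit tcp any fc05::/64 object-group DM_INLINE_TCP_3
"""

ANY6 = ipaddress.IPv6Network("::/0")
# Small subset of the ASA port keywords; numeric ports are accepted as well.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any IPv6 protocol), "tcp", "udp", ...
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    ports: Optional[Set[int]]   # None means any destination port
    text: str                   # original config line, for reporting

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _take_net(tokens: list) -> ipaddress.IPv6Network:
    """Consume one address term: 'any', 'host <addr>' or '<prefix>/<len>'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY6
    if tok == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(tok, strict=False)

def parse_config(text: str) -> dict:
    """Return {acl_name: [Ace, ...]} in configured order, with service groups resolved."""
    groups, acls, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        tok = line.split()
        if tok[:2] == ["object-group", "service"]:
            current = tok[2]
            groups[current] = set()
        elif tok[:2] == ["port-object", "eq"] and current:
            groups[current].add(_port(tok[2]))
        elif tok[:2] == ["ipv6", "access-list"]:
            current = None
            name, action, proto, rest = tok[2], tok[3], tok[4], tok[5:]
            src, dst = _take_net(rest), _take_net(rest)
            ports = None
            if rest[:1] == ["object-group"]:
                ports = set(groups[rest[1]])
            elif rest[:1] == ["eq"]:
                ports = {_port(rest[1])}
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, ports, line))
    return acls

def _matches(ace: Ace, proto: str, src, dst, dport: int) -> bool:
    return ((ace.proto == "ip" or ace.proto == proto)
            and src in ace.src and dst in ace.dst
            and (ace.ports is None or dport in ace.ports))

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> tuple:
    """ASA semantics: first matching entry decides; no match means implicit deny."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for ace in acl:
        if _matches(ace, proto, s, d, dport):
            return ace.action, ace.text
    return "deny", "implicit deny"

def is_wide_open(ace: Ace) -> bool:
    return ace.action == "permit" and ace.proto == "ip" and ace.src == ANY6 and ace.dst == ANY6

def shadowed(acl: list) -> list:
    """Entries that can never match because an earlier entry already covers them."""
    out = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", ace.proto)
                    and ace.src.subnet_of(earlier.src) and ace.dst.subnet_of(earlier.dst)
                    and (earlier.ports is None
                         or (ace.ports is not None and ace.ports <= earlier.ports))):
                out.append(ace.text)
                break
    return out

def audit(text: str = SAMPLE_CONFIG) -> dict:
    """Per ACL: wide-open and shadowed entries, plus the verdict for an HTTPS and an
    RDP flow to a DMZ host, as configured and with the wide-open entries removed."""
    report = {}
    for name, acl in parse_config(text).items():
        tight = [a for a in acl if not is_wide_open(a)]
        report[name] = {
            "wide_open": [a.text for a in acl if is_wide_open(a)],
            "shadowed": shadowed(acl),
            "https_as_is": evaluate(acl, "tcp", "fc04::99", "fc05::10", 443)[0],
            "rdp_as_is": evaluate(acl, "tcp", "fc04::99", "fc05::10", 3389)[0],
            "https_tightened": evaluate(tight, "tcp", "fc04::99", "fc05::10", 443)[0],
            "rdp_tightened": evaluate(tight, "tcp", "fc04::99", "fc05::10", 3389)[0],
        }
    return report

if __name__ == "__main__":
    for name, result in audit().items():
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

    The "tightened" columns show what the lists would do if the `permit ip any any` entries were dropped: the www/https entries then become the effective rule for the DMZ prefix and everything else falls to the implicit deny, which is the behaviour the object groups were evidently written to achieve. Since the HTTPS flow is permitted either way, the next things to check are the ones the reply below raises: the IPv6 route and next hop on the outside interface, the logs, and packet-tracer output.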

  • #2
    Re: Need help with DMZ access lists asa 5510

    Is this in a lab environment or going through your ISP? Does your ISP route IPv6? If not, you may have to use a tunnel broker. Can you reach it via IPv4? Have you checked the logs or run packet tracer to see why it's failing?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
