DMZ inside
This question is about PIX Version 6.3(3) on a 515E with three interfaces. My apologies if this topic is covered well elsewhere; I was unable to find it.
I have configured the three interfaces in a basic outside/inside/DMZ arrangement with routable IP addresses and no need or desire to use NAT. No matter how I approach the problem, if I try to configure rules to allow DMZ hosts access to specific services on the inside segment, the implicit rule permitting outbound traffic from the DMZ gets clobbered and all other outbound traffic from the DMZ fails. If I try to get around that with a permit ip any any ACL on the DMZ, it allows all traffic from the DMZ to the inside, which rather defeats the purpose of separating the segments.
I have tried coming at the PIX from different angles, but no matter how I go about it, I can't seem to create rules to allow certain DMZ->inside traffic without breaking DMZ->outside communication.
Am I missing something fundamental here? Any help will be much appreciated.
Graham
Hello Graham,
I understand the problem. You want to allow some host on the DMZ to access servers on the inside, and at the same time you want anything on the DMZ to be able to reach the outside, but not the inside, except for that specific host. It is possible. Let me give you an example configuration that you can modify according to your IP addressing.
Let's take an example where the inside network is 192.168.1.0, the DMZ is 172.16.1.0 and the outside is 63.97.45.0.
We have a server on the inside with IP address 192.168.1.10 which the DMZ host 172.16.1.5 should be able to access.
Here is the access-list you need to apply on the DMZ interface so that the DMZ host 172.16.1.5 can access the inside server 192.168.1.10, 172.16.1.0 is permitted to reach the Internet, and no one other than 172.16.1.5 can reach the inside subnet.
Please try the following commands:
access-list dmz_in permit tcp host 172.16.1.5 host 192.168.1.10 eq www
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
The first access-list entry allows the DMZ host to reach the inside server. The second entry denies the rest of the DMZ access to the inside network (except the host permitted above), since an access-list is read from top to bottom and the first match is applied. The third entry allows the remaining DMZ traffic to go outside.
If you have any questions, feel free to contact me.
Thank you and best regards,
Harish Tandon
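As an added illustration (not from the original thread and not Cisco code), the following Python models the top-down, first-match evaluation with the implicit deny at the bottom that this answer relies on, and that a later reply on this page describes as the "invisible" deny that kills DMZ-to-outside traffic as soon as an access-group is applied. The addressing and the list name dmz_in are the constructed sample values from the answer above; the helper names (ace, evaluate, to_cli) are my own, and the two extra lists reproduce the asker's two failed attempts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Ace:
    """One access-control entry, in the order it appears in the list."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (matches every protocol), "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # destination port; None means any port


def ace(action, proto, src, dst, dport=None):
    """Build an Ace from dotted/CIDR strings (hypothetical helper, not PIX syntax)."""
    return Ace(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Top-down, first-match evaluation as the answer describes.
    Returns (action, index of the matching entry); a packet that matches no
    entry falls through to the implicit deny, reported as ("deny", None)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for index, entry in enumerate(acl):
        if entry.proto != "ip" and entry.proto != proto:
            continue
        if src not in entry.src or dst not in entry.dst:
            continue
        if entry.dport is not None and entry.dport != dport:
            continue
        return entry.action, index
    return "deny", None


def to_cli(name, acl):
    """Render the list in PIX 6.x access-list syntax, to compare with a running config."""
    def addr(net):
        if net.prefixlen == 0:
            return "any"
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"

    lines = []
    for entry in acl:
        port = f" eq {entry.dport}" if entry.dport is not None else ""
        lines.append(f"access-list {name} {entry.action} {entry.proto} "
                     f"{addr(entry.src)} {addr(entry.dst)}{port}")
    return lines


# Constructed sample addressing, matching the answer above: inside 192.168.1.0/24
# with the server at .10, DMZ 172.16.1.0/24 with the one permitted host at .5,
# outside 63.97.45.0/24.
DMZ_IN = [
    ace("permit", "tcp", "172.16.1.5/32", "192.168.1.10/32", 80),
    ace("deny", "ip", ANY, "192.168.1.0/24"),
    ace("permit", "ip", ANY, ANY),
]
# The asker's first attempt: only the specific permit, so every other DMZ flow,
# including DMZ -> outside, falls through to the implicit deny.
ONLY_PERMIT = DMZ_IN[:1]
# The asker's second attempt: a blanket permit, which also opens the whole inside network.
PERMIT_ALL = [ace("permit", "ip", ANY, ANY)]

if __name__ == "__main__":
    for line in to_cli("dmz_in", DMZ_IN):
        print(line)
    print(evaluate(DMZ_IN, "tcp", "172.16.1.5", "192.168.1.10", 80))       # ('permit', 0)
    print(evaluate(DMZ_IN, "tcp", "172.16.1.6", "192.168.1.10", 80))       # ('deny', 1)
    print(evaluate(DMZ_IN, "tcp", "172.16.1.6", "63.97.45.10", 443))       # ('permit', 2)
    print(evaluate(ONLY_PERMIT, "tcp", "172.16.1.6", "63.97.45.10", 443))  # ('deny', None)
    print(evaluate(PERMIT_ALL, "tcp", "172.16.1.6", "192.168.1.10", 22))   # ('permit', 0)
```

The three lists side by side show why the order matters: the specific permit must precede the deny of the inside network, and the trailing permit ip any any is what keeps DMZ-to-outside working once an access-group is applied.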
Tags: Cisco Security
Similar Questions
-
VPN tunnels on ASA 5520 (DMZ + INSIDE) to OUTSIDE
I can't find any reference to this anywhere else.
We have an ASA 5520 at our HQ site (INSIDE network) with several regional subnets on the DMZ interface.
We need site-to-site VPN connectivity between the INSIDE and a remote OUTSIDE site, as well as between the DMZ subnets and that same OUTSIDE site. The OUTSIDE interface of the ASA must be the local VPN endpoint for all tunnels.
I created an S2S VPN between the INSIDE and the OUTSIDE site and it works great.
When I create an S2S VPN tunnel between a DMZ subnet and that same OUTSIDE site (using the same local and remote settings, but with a different crypto map entry because the local subnet (DMZ) is different from the INSIDE subnet), the traffic gets mapped (show crypto isakmp sa) to the same crypto map entry that was created for the INSIDE-to-OUTSIDE tunnel instead of the new one, so the remote endpoint drops it, and the traffic also causes incorrect-SPI errors at the remote endpoint, which makes the original INSIDE-to-OUTSIDE VPN tunnel drop from time to time.
Is this a bug?
I also tested a configuration with a single S2S VPN tunnel whose local networks are both the INSIDE and the DMZ. The ASA S2S VPN wizard only creates a NAT exempt rule for the subnet on the INSIDE interface. Can I manually create another NAT exempt rule on the DMZ side and use this one S2S tunnel to connect the INSIDE and DMZ sites to the remote OUTSIDE site in a single connection profile?
Am I building a Rube Goldberg machine?
Thank you
George
Hi George,
It looks like you have an overlap situation. Are you sure the inside subnets do not overlap with the DMZ networks? Packet Tracer could clarify what the ASA is actually sending.
In addition, you can merge the two interfaces onto the same crypto map entry if you wish; just make sure the NAT is configured correctly. For example: nat (any,outside) source static...
It may be useful.
-Randy-
-
DMZ out OK; inside problems
I have a Web server on a DMZ from which I want to access the inside network.
Currently, I can access the Internet from the DMZ Web server, the Web server from the Internet, and the Web server from the inside.
What I can't do is access a machine on the inside while ssh'd into the Web server.
This Web server will pull an FTP mirror from the inside, so I need this access.
I've searched the forums and found several relevant examples, but the solutions have not worked for me.
The example I found was:
+++
"For the mail server (or any host on the DMZ) to access the inside, do the following:
static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0
access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0
access-group fromDMZ in interface dmz
and for the DMZ to access the outside, do:
nat (dmz) 1 192.168.0.0 255.255.255.0"
+++
If I activate the access-group on the DMZ interface, I lose outside connectivity...?
I currently have no access-group applied on the DMZ.
Here are my relevant configuration lines:
access-list 100 permit tcp any host 206.xxx.xxx.xxx eq www
access-list 100 permit tcp any host 206.xxx.xxx.xxx eq ssh
access-list 100 permit tcp any host 206.xxx.xxx.xxx eq ftp
When I try to access a machine on the inside from the DMZ, I get the following error in the server logs:
Inbound TCP connection denied from 10.xxx.xxx.xxx/1152 to 192.168.xxx.xxx/22 flags SYN on interface DMZ
static (dmz,outside) 206.xxx.xxx.xxx piggy netmask 255.255.255.255 0 0
static (inside,dmz) piggy Notes netmask 255.255.255.255 0 0
static (inside,dmz) FDPNATICK-2 FDPNATICK-2 netmask 255.255.0.0 0 0
206.~ is the outside range.
192.168.~ is the inside.
10.~ is the DMZ.
"piggy" is the DMZ server.
"Notes" is the FTP server I want to connect to.
TIA
I think the solution you found on the net was the right one. You lost connectivity to the outside because the access-group you applied has an invisible, implicit deny-everything at the bottom. As soon as you applied it, it allowed your DMZ host to the inside because you put that in the ACL, but you did not add anything allowing your DMZ out to the outside, which is now needed because an access-list is applied to your DMZ interface. Your statics and NAT look good; just change your DMZ ACL to allow both the inside connection and the connection to the outside. Note that the source for your ACL on the DMZ will be your DMZ hosts and the destination will be on the outside.
-
Hi all,
I need a few confirmations on PIX IP forwarding.
The "static (inside,dmz)" type of command allows two-way communication between interfaces, controlled by ACL.
During testing I did, if I entered "nat + global" commands instead of the "static" command, communication seems to be one-sided...
I would like to know if it is possible to enter command lines like the ones below, just to establish a connection from a less secure to a more secure interface:
static (dmz,inside) or static (less secure,more secure)
nat (dmz) / global (inside) or nat (less secure) / global (more secure)
Regards,
Alberto Brivio
(a) ONLY static allows two-way communication between different security levels, as long as the ACLs allow it.
(b) The nat/global combination allows only connections from the high security level to the low. A host on the outside cannot initiate connections to internal hosts.
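The two rules above (and the same point made elsewhere on this page: traffic from a lower-security interface to a higher one needs a static plus an ACL permit) can be written out as a small decision model. This is an added example, not from the original posts and not Cisco code; it assumes classic PIX 6.x / nat-control behaviour (a translation must exist before any connection is built), uses constructed interface names and security levels, takes the ACL verdict as an input rather than evaluating the ACL itself, and does not model same-security-traffic. The names Translation, Firewall, has_translation and can_initiate are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Translation:
    kind: str        # "static", "nat_global" (a nat/global pair) or "nat0_acl" (nat 0 access-list)
    real_ifc: str    # interface where the real (untranslated) hosts live
    mapped_ifc: str  # interface on which the mapped address is presented


@dataclass
class Firewall:
    levels: Dict[str, int]                               # interface name -> security level
    translations: List[Translation]
    inbound_acl: Set[str] = field(default_factory=set)   # interfaces with an access-group applied


def has_translation(fw: Firewall, src_ifc: str, dst_ifc: str) -> bool:
    """Is there a translation usable for a connection opened from src_ifc toward dst_ifc?"""
    for t in fw.translations:
        if t.kind == "nat_global":
            # Point (b): nat/global is one-way; only hosts on the real side may open connections.
            if t.real_ifc == src_ifc and t.mapped_ifc == dst_ifc:
                return True
        else:
            # Point (a): a static (or nat 0 access-list) is usable from either side.
            if {t.real_ifc, t.mapped_ifc} == {src_ifc, dst_ifc}:
                return True
    return False


def can_initiate(fw: Firewall, src_ifc: str, dst_ifc: str, acl_permits: bool = False) -> Tuple[bool, str]:
    """Decide whether a NEW connection from a host on src_ifc to a host on dst_ifc is
    accepted. acl_permits is the verdict of the ACL applied inbound on src_ifc (if any),
    i.e. the result of a top-down, implicit-deny evaluation done elsewhere."""
    if not has_translation(fw, src_ifc, dst_ifc):
        return False, "no translation group found (syslog 305005)"
    if src_ifc in fw.inbound_acl:
        # Once an access-group is applied, its verdict governs regardless of direction.
        if acl_permits:
            return True, "permitted by access-list"
        return False, f"denied by access-list on {src_ifc}"
    if fw.levels[src_ifc] > fw.levels[dst_ifc]:
        return True, "higher to lower security, no access-list applied"
    return False, "lower to higher security needs an access-list permit"


# Constructed three-legged firewall matching the threads on this page: outside 0, dmz 50,
# inside 100; nat/global for inside->outside, inside->dmz and dmz->outside; one static
# publishing a DMZ host to the outside; an access-group applied on outside only.
BASE = Firewall(
    levels={"outside": 0, "dmz": 50, "inside": 100},
    translations=[
        Translation("nat_global", "inside", "outside"),
        Translation("nat_global", "inside", "dmz"),
        Translation("nat_global", "dmz", "outside"),
        Translation("static", "dmz", "outside"),
    ],
    inbound_acl={"outside"},
)


def with_static_and_acl(fw: Firewall) -> Firewall:
    """Apply the fix the thread recommends: static (inside,dmz) plus an access-group on dmz."""
    return Firewall(
        levels=dict(fw.levels),
        translations=fw.translations + [Translation("static", "inside", "dmz")],
        inbound_acl=fw.inbound_acl | {"dmz"},
    )


if __name__ == "__main__":
    print(can_initiate(BASE, "inside", "dmz"))                     # (True, ...)
    print(can_initiate(BASE, "dmz", "inside"))                     # (False, 'no translation ...')
    fixed = with_static_and_acl(BASE)
    print(can_initiate(fixed, "dmz", "inside", acl_permits=True))  # (True, ...)
    print(can_initiate(fixed, "dmz", "outside", acl_permits=False))  # (False, ...) the implicit deny
```

The last call is the situation from the first thread on this page: once the DMZ has an access-group, DMZ-to-outside is governed by that list too, so the list needs its own permit for outbound traffic.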
-
I set up a DMZ on an ASA 5500. I can access the web server from the Internet, but it cannot be accessed from the inside network.
The DMZ uses a 10.x network and a static NAT to a registered IP address. The inside network uses a different 10.x network. I can't access the web server with the 10.x address or the registered address. Shouldn't inside users simply be able to enter the address of the web site and get to the server?
I am doing the config using the ASDM program.
Any suggestions?
Thanx, Seth
I understand...
You will not be able to hit http://www.xxxxxx.com if it resolves to an external IP address from the inside of the firewall. You should use DNS doctoring (if your inside users use an external DNS server) or use destination NAT. The destination NAT statement I wrote will allow internal users to use the public IP from the inside of the firewall, and the firewall will translate it to the private address of the DMZ server.
If www.xxxxx.com resolves to 1.2.3.4 and the IP address of the server in the DMZ is 10.2.1.1, then you must use:
static (dmz,inside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255
-
Accessing inside servers from the DMZ
People:
I have a PIX 515E and I need to access, from the DMZ, a SQL Server that is on the inside network... I don't know if I should activate NAT on the DMZ to be able to "see" the inside servers...
I tried a
> static (dmz,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
to let servers on the DMZ access the inside network without translation... but I can't create a static from a low security to a high security interface...
I wonder if anyone has the same configuration problem?
Should I try to activate NAT on the DMZ as well?
This is my current setup!
Thank you very much!
Luis
-------------------------------------------
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
access-list 100 permit tcp any host 200.200.200.37 eq smtp
access-list 100 permit tcp any host 200.200.200.37 eq pop3
access-list 100 permit tcp any host 200.200.200.37 eq domain
access-list 100 permit udp any host 200.200.200.37 eq domain
access-list 100 permit tcp any host 200.200.200.35 eq www
access-list 100 permit tcp any host 200.200.200.35 eq 443
access-list 100 permit tcp any host 200.200.200.36 eq www
access-list 100 permit tcp any host 200.200.200.36 eq 443
access-list 100 permit icmp any any
access-list 100 permit tcp any host 200.200.200.35 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq 3389
access-list 100 permit tcp any host 200.200.200.35 eq 3389
access-list 100 permit tcp any host 200.200.200.36 eq domain
access-list 100 permit udp any host 200.200.200.36 eq domain
access-list 100 permit tcp any host 200.200.200.38 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 443
access-list 100 permit tcp any host 200.200.200.38 eq 3389
access-list 100 permit tcp any host 200.200.200.37 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 1547
access-list 100 permit tcp any host 200.200.200.39 eq 3389
access-list 100 permit tcp any host 200.200.200.39 eq ftp
access-list 100 permit tcp any host 200.200.200.39 eq 1433
ip address outside 200.200.200.34 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
global (outside) 1 200.200.200.45-200.200.200.61 netmask 255.255.255.224
global (outside) 1 200.200.200.62 netmask 255.255.255.224
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
alias (inside) 192.168.1.2 200.200.200.38 255.255.255.255
alias (inside) 200.200.200.36 192.168.2.11 255.255.255.255
alias (inside) 200.200.200.35 192.168.2.10 255.255.255.255
alias (inside) 200.200.200.37 192.168.2.12 255.255.255.255
static (dmz,outside) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0
static (dmz,outside) 200.200.200.35 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.38 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.39 192.168.1.186 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 200.200.200.37 192.168.2.12 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.33 1
Did you apply an access-list to allow traffic from the DMZ to the inside interface?
Also, try to be specific about the server you are trying to provide access to:
static (inside,dmz) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 (where both xx.xx.xx.xx represent your SQL server address)
Then add the following access-list:
access-list 101 permit tcp any host xx.xx.xx.xx eq 1433 (again, xx.xx.xx.xx is the SQL server)
access-group 101 in interface dmz
(For initial testing you can make the access-list permit all traffic instead of just SQL, then tighten it up once you are sure the static command works.)
Hope that helps. Allowing traffic from a lower-security interface to a higher-security interface is done with static commands and ACLs (or conduits), so you seem to be on the right track.
~ rls
-
ASA 5510 DMZ configuration
I currently have an ASA 5510 on which I am configuring an HTTP/FTP host on a DMZ. Currently the DMZ host is accessible from outside, but hosts on the internal network cannot access it. I have a dedicated IP address for the DMZ host (1.1.1.228) and another IP for the PAT interface for internal clients (1.1.1.238). I know I'm missing a piece, either a nat() or a static() statement; please advise.
interface Ethernet0/0
description Outside Interface
nameif outside
security-level 0
ip address 1.1.1.238 255.255.255.240
!
interface Ethernet0/1
description Inside Interface
nameif inside
security-level 100
ip address 10.0.0.1 255.255.0.0
!
interface Ethernet0/2
description DMZ Interface
nameif dmz
security-level 50
ip address 192.168.0.1 255.255.255.0
- partial outside inbound ACL -
access-list outside_access_in extended permit tcp any host 1.1.1.228 eq www
access-list outside_access_in extended permit tcp any host 1.1.1.228 eq https
- DMZ ACL -
access-list DMZ extended permit icmp any any
access-list DMZ extended permit tcp host 192.168.0.11 eq www any
access-list DMZ extended permit tcp host 192.168.0.11 eq https any
access-list DMZ extended permit tcp host 192.168.0.11 eq ftp-data any
access-list DMZ extended permit tcp host 192.168.0.11 eq ftp any
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.231 10.0.0.85 netmask 255.255.255.255
static (dmz,outside) 1.1.1.228 192.168.0.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZ in interface dmz
Add:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
The statement above will allow inside hosts to access DMZ hosts using the DMZ devices' own IPs, and vice versa.
And, if necessary, use the ACLs to restrict access from inside to DMZ, or DMZ to inside.
See you soon!
AK
-
Hello,
If anyone can offer advice, please do; it would be appreciated.
We have 2 ASA 5520s with SSM modules in them. Behind the ASA is a CSS load balancer. This load balancer has an SSL module and an SSL certificate installed. Communication from the Internet to the load balancer VIP is SSL, so what the SSM module can be configured to inspect is limited because everything is encrypted.
Communication between the LB and the server farm is not encrypted, but there is no IPS in between. Can you say whether someone has used the design below?
int 1 (public) - ASA1 - LB 1 interface (dmz) - inside (inside) ASA1 interface where all the web servers reside
Thus, the traffic comes in on port 443 to the virtual IP address. A static on ASA 1 forwards the traffic to its dmz interface where LB 1 sits; then the cleartext traffic from LB 1 goes to the inside interface where the whole web server farm resides. By doing so, we can configure the SSM module to monitor the traffic from the LB to the web server farm, since it passes between 2 interfaces of the ASA, and we can also have an access-list on the ASA to allow traffic only between the LB and the web servers.
Will this be a concern for the performance of the ASA?
What is a recommended design?
Thank you
It is a valid design and it should work.
The ASA will see the traffic twice, and the interface that is in front of the LB will see the traffic entering the LB twice, so I'm not sure it is efficient. Please check the amount of traffic the interfaces will see, to judge whether the ASAs can handle it.
Since the LB will be the one actually pulling pages and talking to your servers, why not have it bypass the ASA, while external users still go through it when talking to the LB?
If you are worried about attacks against the LB and you do not have another firewall to use, then I assume it is valid.
I hope it helps.
PK
-
Dear all,
I deployed an ASA 5510 in my network.
I configured 3 interfaces: DMZ, inside and outside.
From the ASA, I can reach the inside, DMZ and outside (Internet).
Inside users can communicate with the servers in the DMZ.
Inside users go to the Internet via the outside interface.
DMZ servers can go to the Internet via the outside interface.
The DMZ servers cannot ping the inside network.
I've been using IPsec VPN on my router;
clients connect to the router using the Cisco VPN Client software.
NOW, when I introduced the ASA into the network, VPN clients are unable to communicate with the servers in the DMZ.
Security level 0 for outside,
50 for the DMZ,
100 for the inside.
NAT is disabled with "no nat-control".
Do I need to turn NAT on, and must some ACL be put in place...?
Please advise me what ACL I should implement, on which interface and in which direction.
Which NAT statement should I include?
I want to access my network via VPN...
Help, please
Kind regards
Junaid
ICMP pings are not stateful. The firewall needs special treatment to dynamically allow the ping replies back; this is done through "ICMP inspection". ICMP inspection is disabled by default. You can activate the inspection or use an ACL to allow the ICMP traffic. Here is a useful link:
Please rate if useful.
Regards
Farrukh
-
Replacing the ALIAS statements
I am updating an inherited configuration to 6.3 and PDM for ease of maintenance. The configuration is a 3-interface 515 with outward-facing servers on the DMZ.
The inherited configuration uses ALIASes to allow internal users to access the servers in the DMZ using their global IPs rather than their local IP addresses. The ALIASes are also applied to the DMZ itself, allowing one DMZ server to talk to another using the latter's global IP. Typical alias statements for a given server would be:
alias (inside) 192.168.2.1 x.x.x.x 255.255.255.255
alias (dmz) 192.168.2.1 x.x.x.x 255.255.255.255
192.168.2.1 is the IP address of a server on the DMZ and x.x.x.x is its global address.
PDM does not support alias commands, so I replaced the old statement with destination NAT:
static (dmz,inside) x.x.x.x 192.168.2.1 netmask 255.255.255.255
This method works fine to allow internal users to access the DMZ servers with their global IP addresses.
However, I can't see how to apply this approach to servers on the DMZ.
Can anyone help please?
Looks like you have a very good understanding of how the alias command works. It is not an easy thing for most people...
But I would point out an error in your post. My guess is that the alias command is doing what we call "DNS Doctoring" rather than destination NAT. Which means that when a server on the DMZ does a DNS reverse lookup for another server on the DMZ, the DNS server responds with x.x.x.x. The PIX intercepts this answer and replaces the address in the DNS answer with 192.168.2.1, so that servers on the DMZ can access other servers through their local address, not the global address.
Make sense? Your first static is therefore perfect for destination NAT for internal users trying to hit the DMZ servers via their global addresses. To make this work for "DNS Doctoring", all you have to do is add "dns" to the static(s) on the PIX for the servers you need to access from other servers on the DMZ. Using your address examples, something like this:
static (dmz,outside) x.x.x.x 192.168.2.1 dns netmask 255.255.255.255
Take a look at the command reference here:
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/s.htm#wp1026694
I hope this helps.
Scott
-
Hello,
My scenario is:
Inside (LAN) (172.16.x.x) - DMZ (172.29.1.x)
I would like to provide the internal network access to the DMZ. In addition to the ACL configuration, I can do this using either of the following two methods. What are the advantages/disadvantages of each?
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
OR
access-list sheep permit ip 172.16.0.0 255.255.0.0 172.29.1.0 255.255.255.0
nat (inside) 0 access-list sheep
What is the difference between these two?
Hello,
The function of the static and of nat (inside) 0 access-list is the same, that is, traffic from the inside to the DMZ and the reverse would be allowed. The real difference is that when configuring nat (inside) 0 access-list, you really turn off the NAT engine for this traffic altogether. Using the static, you do not disable the NAT engine on the PIX; the PIX still performs a translation of sorts, the real address being translated to itself. Note: nat (inside) 0 0 0 is different from nat (inside) 0 access-list. With the ACL option you can connect the two sides; with only nat (inside) 0 0 it is only from the inside to the DMZ, not DMZ to inside. In a moderately loaded network environment, you won't see much difference in terms of performance. It just depends on the situation whether you prefer one over the other.
I hope that's clear! Thank you
Renault
-
Replacing the alias command
I would like to use PDM to manage my PIX. My config currently uses the alias command. Can I replace the alias with static commands?
Thank you
alias (inside) exodus 192.195.176.17 174.18.2.20 255.255.255.255
In fact, the "dns" keyword on the second static shouldn't be there. You need the "dns" on the first static so that hosts on the DMZ get the real IP and not the NATed one in DNS answers. Make sure you "clear xlate" after these changes, clear DNS caches (ipconfig /flushdns on Win2k/XP), and that there are no hosts-file entries on the affected machines. For your configuration, you should have this:
static (dmz,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [the dns keyword tells the PIX to do DNS doctoring for this translation, because DNS resolves to the public IP address]
static (dmz,inside) 123.123.123.123 192.168.1.1 netmask 255.255.255.255 [allows the internal hosts to connect to the public IP found in DNS; it is translated to the private IP on the way to the DMZ]
-
I have a web server on my DMZ. From the DMZ, the computers cannot be accessed by name. The problem is that DNS returns the outside (real) IP. I need the DMZ to translate it into a local IP address. I use PDM, so I'm not using aliases. Any help would be appreciated.
You can do this with the [static] commands and the "dns" option:
static (dmz,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [the dns keyword tells the PIX to do DNS doctoring for this translation, because DNS resolves to the public IP address]
static (dmz,inside) 123.123.123.123 192.168.1.1 netmask 255.255.255.255 [allows the internal hosts to connect to the public IP found in DNS; it is translated to the private IP on the way to the DMZ]
Make sure you do a [clear xlate] after the changes.
If you are running a version below 6.2, you will have to use [alias] on the PIX.
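To make the effect of the "dns" keyword concrete, here is an added Python example (not from the original posts, and not how the PIX implements it) serving both the ALIAS-replacement thread above and the two answers that follow it. It builds a constructed DNS A-record reply, then rewrites any answer whose address is a mapped (global) address in a static to the real address, which is what DNS doctoring does to replies delivered toward the interface where the real host sits. The mapping 123.123.123.123 -> 192.168.1.1 is the one used in the answers above; the query name www.example.com, the transaction ID and the second, untouched address 198.51.100.7 are constructed, and the helper names are my own.

```python
import ipaddress
import struct


def encode_name(name):
    """Encode a domain name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname, ips, txid=0x1234, ttl=300):
    """Constructed sample: a standard DNS response with one A record per address,
    each answer name given as a compression pointer (0xC00C) back to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.ip_address(ip).packed
        for ip in ips
    )
    return header + question + answers


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def a_record_offsets(pkt):
    """Offsets of the 4-byte rdata of every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4             # QTYPE + QCLASS
    offsets = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            offsets.append(off)
        off += rdlength
    return offsets


def answer_ips(pkt):
    """The A-record addresses in a response, in order."""
    return [str(ipaddress.ip_address(bytes(pkt[o:o + 4]))) for o in a_record_offsets(pkt)]


def doctor_response(pkt, statics):
    """DNS doctoring: replace each A-record address that is a mapped (global) address in
    `statics` ({mapped_ip: real_ip}) with the real address, leaving everything else intact.
    Returns (rewritten packet, number of records changed)."""
    out = bytearray(pkt)
    rewritten = 0
    for off in a_record_offsets(out):
        mapped = str(ipaddress.ip_address(bytes(out[off:off + 4])))
        if mapped in statics:
            out[off:off + 4] = ipaddress.ip_address(statics[mapped]).packed
            rewritten += 1
    return bytes(out), rewritten


if __name__ == "__main__":
    # Constructed reply: the public address from the static above plus an unrelated one.
    reply = build_a_response("www.example.com", ["123.123.123.123", "198.51.100.7"])
    print(answer_ips(reply))                                        # ['123.123.123.123', '198.51.100.7']
    doctored, changed = doctor_response(reply, {"123.123.123.123": "192.168.1.1"})
    print(changed, answer_ips(doctored))                            # 1 ['192.168.1.1', '198.51.100.7']
```

Only the 4-byte rdata of matching A records changes; the transaction ID, the question and the TTL are left as they were, so the client sees a normal answer that simply points at the local address. On the PIX/ASA the rewrite is tied to a 1:1 static carrying the dns keyword and only applies to replies crossing between the two interfaces named in that static; this model does not cover TCP DNS or EDNS.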
-
Translation group problem on PIX 515
Hi, can someone help me with this?
I'm trying to configure a PIX 515 to pass ICMP messages from the DMZ VLAN interface (VLAN 3, configured as a logical interface) to the PIX inside interface.
I set it up like this:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet2 vlan2 physical
interface ethernet2 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 msx security4
nameif vlan3 dmz security7
sh nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (msx) 1 0.0.0.0 0.0.0.0 0 0
sh global
global (inside) 1 interface
global (dmz) 1 interface
global (msx) 1 interface
At this stage I am not concerned with access lists. The error message I get is as follows:
155: ICMP echo-request from dmz:192.168.3.1 to 10.240.2.2 ID=512 seq=11520 length=40
305005: No translation group found for icmp src dmz:192.168.3.1 dst inside:10.240.2.2 (type 8, code 0)
I'm not an expert when it comes to the PIX; can someone help? Two other things that may help shed light on the problem: there is no routing configuration between the VLAN interfaces; could this be a problem? I tried a static command and still have the same error. The command was... static (dmz,inside) 192.168.3.1 192.168.3.1
Hi David:
As you are trying to allow a host on a low-security interface to reach a high-security interface, you must have
static (high,low) high high
In this case, you must have:
static (inside,dmz) 10.240.2.2 10.240.2.2 netmask 255.255.255.255 0 0
I assume that you already have an access-list allowing the ICMP echo message applied to the DMZ interface. If it is not already there, just add an ACE to allow the ICMP echo message and you should be good to go.
Sincerely,
Binh
-
Have a working site-to-site VPN; added a second one which has problems
We've had a successful site-to-site VPN working for several months now. It's an ASA 5510 at headquarters to an ASA 5505 in a branch in another state. We added a second site-to-site VPN to another state, this time from the HQ ASA to a SonicWall TZ100. After connecting the SonicWall to the Qwest modem in bridge mode, the tunnel came right up. I was unable to ping any of the private IPs at HQ from the new branch, but was able to use Remote Desktop to servers and workstations at headquarters. Also, all computers appear when you browse the network from the new branch.
On the first tunnel, we are able to ping in both directions and use Remote Desktop in both directions.
When using Packet Tracer in ASDM on the HQ ASA, tracing from one of the IPs in the HQ protected network to an IP address in the new branch network, the NAT exempt step looks good, but when it hits the first NAT it matches "dynamic translation to pool 10 (10.1.255.254) [Interface PAT]" (which is the default for all VLANs accessing the Internet).
The next NAT (subtype - host-limits) is fine, and this one goes to the IP address of the outside interface of the HQ ASA 5510, but then the third NAT (subtype - rpf-check) goes back to "10 (10.1.255.254) [Interface PAT]" and the packet is DROPPED. Also, there is no VPN step in Packet Tracer after NAT.
So obviously the HQ ASA 5510 does not consider this to be interesting traffic, but I don't know why.
Here is the output of "show crypto ipsec sa" from the HQ ASA:
interface: outside
Crypto map tag: outside_map, seq num: 30, local addr: 209.X.X.X
access-list encrypt_acl-30 permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.8.0/255.255.255.0/0/0)
current_peer: 65.102.14.72
#pkts encaps: 229450, #pkts encrypt: 229450, #pkts digest: 229450
#pkts decaps: 172516, #pkts decrypt: 172516, #pkts verify: 172516
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 229450, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 209.X.X.X, remote crypto endpt.: 65.102.X.X
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 91860025
inbound esp sas:
spi: 0x88957B9C (2291497884)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2600960, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 59068
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x91860025 (2441478181)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2600960, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 59068
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 30, local addr: 209.X.X.X
access-list encrypt_acl-30 permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.8.0/255.255.255.0/0/0)
current_peer: 65.102.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 209.X.X.X, remote crypto endpt.: 65.102.X.X
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: A204BAE2
inbound esp sas:
spi: 0xDA8C653A (3666634042)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2600960, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 84670
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xA204BAE2 (2718218978)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2600960, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 84621
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Here is the output of "show crypto isakmp sa" on the HQ ASA:
3   IKE Peer: 65.102.x.x
Type: L2L   Role: responder
Rekey: no   State: MM_ACTIVE
Here is the config:
ASA Version 8.0(4)
!
hostname COMPASA
domain-name COMPfirm.com
enable password TMACBloMlcBsq1kp encrypted
passwd TMACBloMlcBsq1kp encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.X.X.X 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.255.254 255.255.255.248
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone MDT -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.1
 domain-name COMPfirm.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended permit tcp any host 209.X.X.X eq www
access-list inbound extended permit tcp any host 209.X.X.X eq https
access-list inbound extended permit tcp any host 209.X.X.X eq ftp
access-list inbound extended permit tcp any host 209.X.X.X eq ftp-data
access-list inbound extended permit tcp any host 209.X.X.X eq ssh
access-list inbound extended permit tcp any host 209.X.X.X eq imap4
access-list inbound extended permit tcp any host 209.X.X.X eq pop3
access-list inbound extended permit tcp any host 209.X.X.X eq www
access-list inbound extended permit tcp any host 209.X.X.X eq https
access-list inbound extended permit tcp any host 209.X.X.X eq smtp
access-list inbound extended permit icmp any any
access-list inbound remark MMS-1755
access-list inbound extended permit tcp any eq 1755 host 209.X.X.X inactive
access-list inbound remark MMS-UDP
access-list inbound extended permit udp any eq 1755 host 209.X.X.X inactive
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq smtp
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.50 eq 8777
access-list sheep extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list sheep extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list sheep extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list sheep extended permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list sheep extended permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list vpnsplit extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list global_mpc extended permit tcp any any
access-list encrypt_acl-30 extended permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list encrypt_acl-30 extended permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.16.22.1-172.16.22.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 10 209.X.X.X netmask 255.255.255.0
global (inside) 10 interface
global (dmz) 10 interface
nat (inside) 0 access-list sheep
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 209.X.X.X 10.2.2.2 netmask 255.255.255.255
static (inside,outside) 209.X.X.X 10.1.1.11 netmask 255.255.255.255
static (dmz,inside) 10.2.2.2 10.2.2.2 netmask 255.255.255.255
static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
static (inside,dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255
access-group inbound in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 209.X.X.X 1
route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.1.1.12
 key ZZZZZZ
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 172.16.22.0 255.255.255.0 inside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp management
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set HQset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 20 match address encrypt_acl
crypto map outside_map 20 set peer 67.42.X.X
crypto map outside_map 20 set transform-set HQset
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address encrypt_acl-30
crypto map outside_map 30 set peer 65.102.X.X
crypto map outside_map 30 set transform-set HQset
crypto map outside_map 30 set security-association lifetime seconds 86400
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 50
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy Clients_VPN internal
group-policy Clients_VPN attributes
 wins-server value 10.1.1.12
 dns-server value 10.1.1.12
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit
 default-domain value COMPfirm.local
 split-dns value COMPfirm.local
 address-pools value vpnpool
group-policy clientgroup internal
group-policy clientgroup attributes
 wins-server value 10.1.1.12
 dns-server value 10.1.1.12
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelall
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
username ssluser1 password encrypted
username bcurtis password encrypted privilege 0
username WPDR password encrypted privilege 15
username admin password encrypted privilege 15
username XXXXXXX password encrypted privilege 0
tunnel-group M&J type remote-access
tunnel-group M&J general-attributes
 address-pool vpnpool
 authentication-server-group vpn
 default-group-policy Clients_VPN
tunnel-group M&J ipsec-attributes
 pre-shared-key *
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 authentication-server-group vpn
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
tunnel-group 67.42.X.X type ipsec-l2l
tunnel-group 67.42.X.X ipsec-attributes
 pre-shared-key *
tunnel-group 65.102.X.X type ipsec-l2l
tunnel-group 65.102.X.X ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 768
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class global-class
  ips inline fail-open sensor vs0
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ZZZZZZZZZZZZZZZZZZZZZ
: end
Could the problem be due to the fact that my 2 new "encrypt_acl-30" ACL lines fall after "access-list global_mpc extended permit tcp any any" in the config, so the traffic runs into the implicit deny all?
Thanks for looking at this.
Rather than replacing the static route, you can simply add a new static route for 10.1.8.0/24 as follows:
route outside 10.1.8.0 255.255.255.0 209.X.X.X 1
Because it is more specific, it will take precedence over your more generic 10.1.0.0/16 static route that points inside.
Good spot btw!
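The longest-prefix-match rule the reply relies on, as an added Python model that is not part of the thread and is not ASA code: it uses the routes from the posted config (209.X.X.X kept as the masked next hop) and shows where a packet for 10.1.8.5 egresses before and after the extra /24 route, which decides whether the crypto map bound to outside ever sees the traffic.

```python
import ipaddress

# Constructed routing table mirroring the posted config: (interface, prefix, next hop).
# 209.X.X.X is the next hop as masked in the thread, not a real address.
ROUTES_BEFORE = [
    ("outside", "0.0.0.0/0", "209.X.X.X"),
    ("inside", "10.1.0.0/16", "10.1.255.249"),
]
# The reply's fix: a more specific route for the remote VPN subnet via outside.
ROUTES_AFTER = ROUTES_BEFORE + [("outside", "10.1.8.0/24", "209.X.X.X")]


def lookup(routes, dst):
    """Return (interface, next_hop) for dst by longest-prefix match.

    Every prefix length appears once in this table, so no tie-break on
    administrative distance or metric is needed.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nexthop)
    return (best[0], best[2]) if best else None


def leaves_via_crypto_map(routes, dst, crypto_map_iface="outside"):
    """True if dst egresses the interface the crypto map is applied to.

    Traffic that is routed out a different interface never matches the
    crypto ACL, no matter how the ACL lines are ordered.
    """
    hit = lookup(routes, dst)
    return hit is not None and hit[0] == crypto_map_iface


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, lookup(table, "10.1.8.5"),
              "crypto map sees it:", leaves_via_crypto_map(table, "10.1.8.5"))
```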