DMZ & NONAT
Hello
I am new to the Cisco ASA (7.2) that we also use as a firewall/NAT device. We have the following network (see attached diagram). We have just added a new DMZ, 10.x.x.35/24. Our internal network is made up of a public IP range and some private ranges (10.x.y.99/24). When I introduced the new DMZ segment 10.x.x.35/24, our internal network with the public IP 199.X.Y.99 could access the DMZ, but our private IPs (10.x.y.99/24) could not reach the new DMZ.
Internal traffic goes out to the 157.21.x.x IP network when it tries to access the Internet.
I found two solutions:
=======================================================================
1. I found I could use a nonat statement to resolve the problem:
access-list nonat extended permit ip 10.x.y.0 255.255.255.0 10.x.x.0 255.255.255.0
nat (inside) 0 access-list nonat
OR
2. I could use a static NAT, so that traffic moving from inside to the new DMZ is translated to itself:
static (inside,newdmz) 10.x.y.0 10.x.y.0 netmask 255.255.255.0
==========================================================================
Now I have a few questions regarding the above solutions:
1. Why do you need nonat or a static NAT in this situation? Is it because the traffic flows from a higher-security (inside) to a lower-security (DMZ) interface?
2. I started reading about the NAT command at http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530 and got totally confused. I couldn't find the nat-control command on my firewall, so I do not know how to check whether nat-control is disabled or not.
3. What is the best solution, or which of the above solutions is preferable and which is not?
Sincerely
Viral
Hi Viral,
Answering your questions:
1. When you have nat-control enabled on your firewall, you need a NAT rule for traffic to move between two interfaces.
2. To check whether nat-control is active, go to the CLI and issue the following command:
sh run nat-control
This will output a single line. If that line is preceded by 'no', nat-control is disabled (which I don't think will be your case). This command does not appear in the regular show run output.
3. I prefer to use the static statement, because it only matches the traffic flowing between these two interfaces, rather than nonat, which works for all traffic initiated from the inside, limited only by an ACL.
See you soon!
-Butterfly
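The threads on this page keep coming back to one check: is there a nat 0 exemption or a static covering the interface pair a flow crosses, and from which interface's point of view the ACL is written. The script below is an added example (not from the thread, from Cisco, or from any poster) that parses a constructed PIX 6.x/ASA 7.x style config and explains a constructed %PIX-3-305005 "No translation group found" line against it; it treats NAT exemption and statics as bidirectional and nat/global pairs as one-way, which is what the answers on this page rely on.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): inside has a bound nonat ACL; the dmz ACL is unbound.
SAMPLE_CONFIG = """
nat-control
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonatdmz extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
global (outside) 1 interface
"""
# Constructed syslog line in the %PIX-3-305005 format quoted in the thread.
SAMPLE_LOG = ("%PIX-3-305005: No translation group found for icmp "
              "src outside:192.168.1.5 dst dmz:10.10.20.3 (type 8, code 0)")
SYSLOG_RE = re.compile(r"305005: No translation group found for (\w+) src "
                       r"([^:\s]+):(\S+?)(?:/\d+)? dst ([^:\s]+):(\S+?)(?:/\d+)?(?:\s|$)")

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _spec(tok, i):
    """Read one ACE address spec ('any', 'host X' or 'X MASK'); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return _net(tok[i + 1], "255.255.255.255"), i + 2
    return _net(tok[i], tok[i + 1]), i + 2

def parse_config(text):
    """Collect the NAT-relevant lines: permit-ip ACEs, nat 0 bindings, nat/global pairs, statics."""
    cfg = {"acl": {}, "nat0": {}, "nat": [], "global": set(), "static": []}
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            t = [x for x in tok[2:] if x != "extended"]
            if t[:2] != ["permit", "ip"]:  # exemption ACLs are made of 'permit ip' ACEs
                continue
            src, i = _spec(t, 2)
            dst, _ = _spec(t, i)
            cfg["acl"].setdefault(tok[1], []).append((src, dst, line))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg["nat0"][m[1]] = m[2]
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            cfg["nat"].append((m[1], m[2], _net(m[3], m[4]), line))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            cfg["global"].add((m[1], m[2]))
        elif m := re.match(r"static \(\s*(\S+?)\s*,\s*(\S+?)\s*\) (\S+) (\S+) netmask (\S+)", line):
            # static (real_if,mapped_if) mapped_ip real_ip netmask mask
            cfg["static"].append((m[1], m[2], _net(m[4], m[5]), _net(m[3], m[5]), line))
    return cfg

def flow_covered(cfg, src_if, src_ip, dst_if, dst_ip):
    """Return the line that translates or exempts a packet entering on src_if bound for dst_if, else None."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption is bidirectional: a nat 0 ACL bound on either interface,
    #    written from that interface's point of view, covers the flow.
    for ifc, a, b in ((src_if, src_ip, dst_ip), (dst_if, dst_ip, src_ip)):
        for ace_src, ace_dst, line in cfg["acl"].get(cfg["nat0"].get(ifc), []):
            if a in ace_src and b in ace_dst:
                return line
    # 2. A static between the two interfaces is bidirectional as well.
    for real_if, mapped_if, real_net, mapped_net, line in cfg["static"]:
        if (real_if, mapped_if) == (src_if, dst_if) and src_ip in real_net:
            return line
        if (real_if, mapped_if) == (dst_if, src_if) and dst_ip in mapped_net:
            return line
    # 3. nat/global pair, or identity 'nat (if) 0 net mask' without an ACL: nat side initiates only.
    for ifc, nat_id, net, line in cfg["nat"]:
        if ifc == src_if and src_ip in net and (nat_id == "0" or (dst_if, nat_id) in cfg["global"]):
            return line
    return None

def parse_305005(line):
    """Pull protocol, interfaces and addresses out of a 305005 message, or None if it is not one."""
    m = SYSLOG_RE.search(line)
    return None if not m else dict(zip(("proto", "src_if", "src_ip", "dst_if", "dst_ip"), m.groups()))

def diagnose(config_text, syslog_line):
    """Explain a 305005 message against the config and name the kind of rule that is missing."""
    f = parse_305005(syslog_line)
    if f is None:
        return "not a 305005 message"
    rule = flow_covered(parse_config(config_text), f["src_if"], f["src_ip"], f["dst_if"], f["dst_ip"])
    if rule:
        return f"covered by: {rule}"
    return (f"no translation {f['src_if']} -> {f['dst_if']} for {f['src_ip']} -> {f['dst_ip']}; bind a "
            f"nat ({f['dst_if']}) 0 access-list with an ACE {f['dst_ip']} -> {f['src_ip']}, "
            f"or add a static ({f['dst_if']},{f['src_if']}) identity entry")
```

Appending the missing `nat (dmz) 0 access-list nonatdmz` line to the sample config turns the diagnosis from "no translation outside -> dmz" into "covered by" the dmz ACE, which is the fix the answers below prescribe.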
Tags: Cisco Security
Similar Questions
-
Several nat (dmz) 0 access-list statements
Hello
I have problems with remote VPN. The scenario is as follows:
I have a few clients who connect remotely via VPN. Until today, one of them needed to get into my DMZ. But now I want a different profile (because of a new client) to access one of my servers in the DMZ.
So I set up all of the VPN and ACL settings, but when I want to declare nat (dmz) 2 access-list newclient, it does not work. But if I declare nat (dmz) 0 access-list newclient, it works, BUT it removes the previous nat (dmz) 0 that my other client had. Is there a way to create several nat (dmz) 0 access-list statements? If not, how could I solve this problem?
This is my config:
access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50
ip local pool ippool 192.168.125.10-192.168.125.254
global (outside) 1 interface
global (outside) 2 200.32.97.254
nat (outside) 1 192.168.125.0 255.255.255.0
nat (inside) 0 access-list vpnas
nat (inside) 2 access-list ACL-NAT-LIM
nat (inside) 3 access-list vpnwip
nat (inside) 4 access-list vpnashi
nat (inside) 5 access-list vpnlati
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wifi) 2 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list vpnashi
nat (dmz) 1 192.168.16.0 255.255.255.0
nat (dmz) 2 access-list vpnlati
group-policy RA-ASHI internal
group-policy RA-ASHI attributes
 dns-server value 172.16.1.100
 vpn-idle-timeout 30
 vpn-filter value vpnashi
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
group-policy RA-LATI internal
group-policy RA-LATI attributes
 dns-server value 172.16.1.100
 vpn-idle-timeout 30
 vpn-filter value vpnlati
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
tunnel-group RA-ASHI type remote-access
tunnel-group RA-ASHI general-attributes
 address-pool ippool
 authentication-server-group (outside) partnerauth
 default-group-policy RA-ASHI
tunnel-group RA-ASHI ipsec-attributes
 pre-shared-key *
tunnel-group RA-LVL type remote-access
tunnel-group RA-LATI general-attributes
 address-pool ippool
 authentication-server-group (outside) partnerauth
 default-group-policy RA-LATI
tunnel-group RA-LATI ipsec-attributes
 pre-shared-key *
André,
You can have one NAT exempt access-list per interface (the nat 0 rule). I understand what you are trying to accomplish. You use the vpnashi and vpnlati access-lists to control access to devices for different customers through VPN group policies.
What I do is the following:
Create an ACL for the VPN client (which you have, with vpnashi and vpnlati).
Create an ACL for NAT exemption per interface (nonat for inside, nonat-dmz, etc.). Create the ACEs within the NAT exempt ACL that correspond to your VPN client access-list.
It is allowed to have multiple statements within a NAT exempt access-list. This will not give a VPN client access to things it shouldn't.
For example:
access-list nonat-dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list nonat-dmz extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
nat (dmz) 0 access-list nonat-dmz
-
Hello
I have problems getting to other networks off the interfaces of the ASA. I can VPN in and access anything whatsoever on the inside interface and beyond in the core. When I try to access a DMZ server off the ASA I get asymmetric NAT errors. The VPN client is given an address of 10.112.15.x.
Can anyone help?
I enclose some of the config.
show ip address:
GigabitEthernet0/0 outside x.x.x.x 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 10.112.2.250 255.255.255.0 CONFIG
GigabitEthernet0/2.610 DMZ_External 10.112.7.254 255.255.255.0 CONFIG
GigabitEthernet0/2.620 DMZ_Internal 10.112.6.254 255.255.255.0 CONFIG
GigabitEthernet0/2.640 DMZ_Mgmt 10.112.10.254 255.255.255.0 CONFIG
Configuration items:
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.7.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.10.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.6.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.112.0.0 255.240.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.112.0.0 255.240.0.0 10.112.2.254 1
Any guidance on what I'm doing wrong?
Thank you.
Hello
The reason is that you don't have a nonat rule for traffic to the DMZ.
access-list dmz_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.15.0 255.255.255.0
nat (dmz) 0 access-list dmz_nonat
This should solve your problem.
Kind regards
NT
-
VPN client on PIX needs to access the DMZ
VPN clients 3.5 terminating on a PIX 6.x cannot access hosts on a PIX DMZ interface. The log reports an error that there is 'no translation group found for outside' for the VPN client subnet (from the vpngroup pool).
Should I add the VPN client subnet to a nat (outside) statement?
Can I add it to the nat inside?
Can I just add statics for the DMZ hosts to the inside interface subnet, since the VPN clients can access the inside hosts?
(I have the subnets in the nat 0 nonat ACL)
Thanks and greetings
JT
You'll need to add a nat 0. You say in your parentheses that you have a nonat ACL: for the DMZ or for the inside interface? Do you use the same access-list for nonat on inside and dmz? You should separate them and use separate access-lists. Is your client pool on a different subnet than your inside network and DMZ? It must be something like this:
ip local pool client 192.168.1.1-192.168.1.254
ip address inside 10.10.10.1 255.255.255.0
ip address dmz 10.10.20.1 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonatdmz permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonatdmz
If this is correct then clear xlate, wr mem, reload. I hope this helps.
Kurtis Durrett
PS
If it does not, I can only recommend upgrading your client and PIX, because that is exactly how it should look, and if it still does not work you are facing an additional issue.
-
Hi, will a PIX 515 allow packets through IPsec tunnels from the outside interface to the DMZ interface? Any idea?
These are the interface security levels.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
To rephrase what you are doing: you want your dmz and your inside subnets to talk to the remote network via the VPN tunnel. Your inside is 10.3.111.0/24 and your intf2 is 10.4.120.0/24, and the remote network you want to talk to through the tunnel sits behind the peer 192.168.40.30 on your outside interface. You also have a single host 192.168.22.20 located on intf2 that you want to go through the tunnel. But you don't want your directly connected intf2 subnet to go through the tunnel, just the single host on that interface. Is this a lab you are setting up? The IP address of your peer is a private address, which is why I'm asking and checking. The remote inside network is 10.3.9.0/24.
You need to clarify a few things here for me. Your crypto map dsl has a match address 160, which is:
access-list 160 deny ip 10.3.111.0 255.255.255.0 host 192.168.22.20
access-list 160 permit ip 10.3.111.0 255.255.255.0 10.3.9.0 255.255.255.0
access-list 160 permit ip host 192.168.22.20 10.3.9.0 255.255.255.0
You don't need your deny statement; if it is not permitted, it does not go through. Your interesting-traffic access-list should read:
access-list 160 permit ip 10.3.111.0 255.255.255.0 10.3.9.0 255.255.255.0
access-list 160 permit ip host 192.168.22.20 10.3.9.0 255.255.255.0
You also have this same access-list tied to your "nat (inside) 0", which needs to change.
You are also missing your "nat (intf2) 0" statement, and you need to have a separate access-list for each nat statement. So, do this:
access-list nonat permit ip 10.3.111.0 255.255.255.0 10.3.9.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list nonatintf2 permit ip host 192.168.22.20 10.3.9.0 255.255.255.0
nat (intf2) 0 access-list nonatintf2
Do a clear xlate, wr mem and a reload. Test again. It should work. For the record, do not remove access-list 160 without first removing your crypto map, or you will lock up your PIX.
Kurtis Durrett
-
Is it possible to build a VPN tunnel to the DMZ interface on a PIX 515?
I would like to know if it is possible to have a VPN tunnel terminate on a DMZ interface rather than on the inside interface of a three-interface PIX. All the configuration examples I found route traffic from a VPN client somewhere on the Internet to the inside interface of the PIX. I tried a nonat access-list from the DMZ to the VPN client, but it does not work. In my opinion this is because VPN traffic goes to the higher-security interface by definition. Am I wrong?
Hello
You can do it using: nat (dmz) 0 x.x.x.x y.y.y.y
-
Can someone look through my config? I can FTP from the inside interface, but not from the DMZ. I don't see what the difference would be.
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password XXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
hostname pix515
domain-name mydomain.com
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 21
names
access-list allow-in permit tcp any host a.b.c.73 eq 443
access-list allow-in permit tcp any host a.b.c.75 eq 1723
access-list allow-in permit gre any host a.b.c.75
access-list allow-in permit tcp host 131.183.23.158 host a.b.c.76 eq 22
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 135
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 389
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 636
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 3268
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 3269
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq domain
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 88
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 445
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq 389
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq domain
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq 88
access-list dmz-in permit tcp host 10.0.0.2 any eq www
access-list dmz-in permit tcp host 10.0.0.2 any eq domain
access-list dmz-in permit udp host 10.0.0.2 any eq domain
access-list dmz-in permit udp host 10.0.0.2 any eq 443
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 12000
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq 12000
access-list dmz-in permit tcp host 10.0.0.2 any eq 443
access-list nonat permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside a.b.c.74 255.255.255.248
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) a.b.c.75 192.168.20.2 netmask 255.255.255.255 0 0
static (dmz,outside) a.b.c.73 10.0.0.2 netmask 255.255.255.255 0 0
access-group allow-in in interface outside
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 a.b.c.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 63.164.246.48 255.255.255.248 outside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.20.0 255.255.255.0 inside
telnet 10.0.0.2 255.255.255.255 dmz
telnet timeout 5
ssh 63.164.246.48 255.255.255.248 outside
ssh 131.183.23.0 255.255.255.0 outside
ssh 63.127.60.128 255.255.255.255 outside
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Due to the absence of an ACL allowing FTP from the DMZ network to anywhere, you are effectively limiting outbound traffic: there is a "deny all" at the end of the ACL entries. Review your 'dmz-in' access-list and you will notice that there is no FTP service in it.
Try this:
access-list dmz-in permit tcp host 10.0.0.2 any eq ftp
* You are _not_ restricting outgoing traffic from the inside, because there is no access-list bound to the "inside" interface. In this scenario, the security level of 100 on the inside interface allows all traffic from the "inside" network to all networks the firewall is attached to.
I hope this helps. :)
-
VPN client access to a DMZ host
I'm having a problem where my clients who establish a VPN with a PIX 515 cannot access hosts on the DMZ. VPN clients can access hosts on the inside network without any problems. I discovered that when I do a traceroute from a client computer that has established a VPN connection to a host on the DMZ, it tries to go through the computer's default gateway instead of the Cisco client. Any ideas?
More information:
When a client connects to the PIX over the VPN, it is given the internal DNS servers, and on the internal DNS server we have a host entry that says "www.whatever.com" 2.2.2.2 (this is the DMZ host). Clients inside the network can access this host without problems; it's just the clients who establish a VPN connection. But the VPN clients can access "www.whatever.com" using the public IP address. The problem is that if we remove the host entry from the DNS server so that the name "www.whatever.com" resolves to the public IP address, clients inside will not be able to access the DMZ host. The names and IP numbers are not real, just used as an example.
Any help would be appreciated. Thank you
You'll currently have something like this in your config:
access-list nonat permit ip ...
nat (inside) 0 access-list nonat
This tells the PIX not to NAT any traffic from the inside interface that is going to a VPN client. You need the same thing for the DMZ interface, so add the following:
access-list nonat permit ip ...
nat (dmz) 0 access-list nonat
That should do it.
-
Is it possible to put a SQL server on the DMZ
Hi all
I would like to ask about a PIX deployment. Is it possible to put a SQL server on the DMZ (or on one of the 5 interfaces other than the inside interface) and simply define a NAT to allow inside users access to the DMZ, without allowing outside users access to the SQL server? We intend to set up a SQL server on a DMZ such that unauthorized internal users will not be able to know the actual address of the SQL Server.
Are there any issues that should be considered in this deployment?
Thanks in advance,
udimpas
Hi Udimpas,
Yes, your scenario is possible. You can put the SQL Server on the DMZ network and allow access to inside users. At the same time, you can also block access from the outside.
Let's say your SQL IP address is 192.168.1.10 and your inside LAN is 10.1.1.0/24. You can do the following:
nat (inside) 0 access-list nonat
access-list nonat permit ip 10.1.1.0 255.255.255.0 host 192.168.1.10
By doing this, you have no-NAT'd all traffic from your inside to the SQL server. In case you have defined access-lists on your inside interface, you must open port 1433:
access-list inside permit udp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 1433
You do not need to add the ACL above if you have no restrictions from the inside at the moment.
I hope this helps... all the best...
REDA
-
Statics from the DMZ to the inside
I have a mail relay (gateway) in our DMZ. It stops working if I remove the following static statement:
static (dmz,inside) insidemail insidemail netmask 255.255.255.255
where insidemail is the name of the internal mail server.
This static doesn't make much sense to me, but as mentioned, if it isn't there I can't get to the internal mail server on port 25.
BTW, my ACL for mail in the DMZ is
access-list dmz_acl permit tcp host DMZmail host insidemail eq 25
Hi binaryflow,
For any server on the DMZ to access an inside server, it must first have IP reachability to that server. Only after IP reachability will it establish communication with that server. IP reachability can be obtained in two ways:
(1) Present the server on its already existing private IP, i.e. without NATing the server to the DMZ interface. For this reason we use the command
static (dmz,inside) insidemail insidemail netmask 255.255.255.255
You can also use these commands:
nat (inside) 0 access-list nonat
access-list nonat permit ip host insidemail host DMZmail
(2) You can also create a static to some other IP and allow access to this IP address in the access-list.
In any case, for the server to work, IP reachability is the first criterion. Without that it will not work.
I hope this helps... all the best...
REDA
-
I use a PIX 506 6.1(1) with a DMZ. It's our first DMZ and I need assistance accessing the web server in the DMZ. We use a 172.16.0.0 subnet for the DMZ, a 192.168.40.0 internal subnet and a 12.19.xxx.xx public subnet. I added the following to the PIX for the web server:
static (dmz,outside) 12.19.xxx.xx 172.16.0.21 netmask 255.255.255.255 0 0
global (dmz) 1 172.16.0.100-172.16.0.110
nat (dmz) 1 172.16.0.0 255.255.255.0
I need to access the web server in the DMZ from the 192.168.40.0 subnet.
What am I missing? Thank you
Does this access-list do anything?
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 200.171.173.178
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.219.15.121
access-list nonat permit ip 192.168.31.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 192.168.31.0 255.255.255.0 host 64.219.15.121
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.233.144.17
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.235.11.101
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.7.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 66.136.190.89
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.22.205.74
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0
I think that's the problem.
You should use something like this:
access-list nonat permit ip 192.168.40.0 255.255.255.0 172.16.0.0 255.255.255.0
This should get you from your inside to your DMZ.
-
Hello
I've got 2 PIXes, a 515E UR with 4 Ethernet interfaces and a 506E, both on 6.3.4.
I am trying to set up a VPN between Toulon and Montreal.
In Toulon, I can communicate from the inside to the DMZ and to the Montreal inside network.
In Montreal, I can communicate with the Toulon inside network.
But not from the Toulon DMZ to Montreal, nor from Montreal to the Toulon DMZ network.
I get a syslog message saying that it is not possible...
How could I solve this problem?
Thank you very much
Charles
506E Montreal
ip address inside 192.168.20.1 255.255.255.0
access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list 102 permit ip host 199.x.x.170 host 192.168.2.3
access-list 102 permit ip host 199.x.x.170 host 192.168.1.5
access-list 103 permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.252.0
nat (inside) 0 access-list 102
crypto ipsec transform-set confoptis esp-des esp-md5-hmac
crypto map ToToulon 10 ipsec-isakmp
crypto map ToToulon 10 match address 103
crypto map ToToulon 10 set peer 195.x.x.2
crypto map ToToulon 10 set transform-set confoptis
crypto map ToToulon interface outside
isakmp enable outside
isakmp key ******** address 195.x.x.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
515E Toulon
ip address inside 192.168.1.10 255.255.255.0
ip address dmZ1 192.168.2.1 255.255.255.0
access-list 103 permit ip 192.168.0.0 255.255.252.0 192.168.20.0 255.255.255.0
access-list 104 permit ip 192.168.0.0 255.255.252.0 192.168.20.0 255.255.255.0
access-list 104 permit ip 192.168.0.0 255.255.252.0 192.168.30.0 255.255.255.0
access-list 104 permit ip host 192.168.2.3 host 199.243.137.170
access-list 104 permit ip host 192.168.1.5 host 199.243.137.170
nat (inside) 0 access-list 104
crypto ipsec transform-set optisconf esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set optisconf
crypto map ToMontreal 10 ipsec-isakmp
crypto map ToMontreal 10 match address 103
crypto map ToMontreal 10 set peer 199.x.x.170
crypto map ToMontreal 10 set transform-set optisconf
crypto map ToMontreal 20 ipsec-isakmp dynamic dynmap
crypto map ToMontreal interface outside
isakmp enable outside
isakmp key ******** address 199.x.x.170 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNallemagne address-pool vpnaccess2
vpngroup VPNallemagne dns-server 192.168.1.1
vpngroup VPNallemagne wins-server 192.168.1.1
vpngroup VPNallemagne default-domain OPTIS.local
vpngroup VPNallemagne idle-time 1800
vpngroup VPNallemagne password ********
Syslog message:
%PIX-3-305005: No translation group found for icmp src outside:192.168.20.2 dst dmZ1:192.168.2.3 (type 8, code 0)
%PIX-3-305005: No translation group found for udp src outside:192.168.20.2/1180 dst dmZ1:192.168.2.3/53
If you want to be able to communicate through the VPN connection to the DMZ, you should disable NAT towards the DMZ, as already configured for the inside. Set a corresponding access-list for the nonat!
Example:
nat (dmz) 0 access-list 104
Sincerely
Patrick
-
Hi all
I have some problems with nat/nonat on a PIX 515E.
The PIX is connected to a site-to-site tunnel on the outside interface.
The problem is pinging through the VPN tunnel to the hosts in the DMZ.
I think it should work with a static entry as follows:
static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0
but in the log I always get the message:
305005: No translation group found for icmp src outside:10.43.27.250 dst dmz:10.43.100.3 (type 8, code 0)
I also tried a nat 0 rule without success.
Here is a trimmed config:
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 200.1.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
ip address outside 199.99.99.2 255.255.254.0
ip address inside 10.43.8.12 255.255.240.0
ip address dmz 10.43.100.2 255.255.255.0
global (outside) 1 199.99.99.11 netmask 255.255.255.255
global (outside) 1 199.99.99.14 netmask 255.255.255.255
global (dmz) 1 10.43.100.50-10.43.100.98 netmask 255.255.255.0
global (dmz) 1 10.43.100.99 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.43.0.44 255.255.255.255 0 0
nat (inside) 1 10.43.8.0 255.255.255.0 0 0
nat (inside) 1 10.43.9.0 255.255.255.0 0 0
static (inside,outside) tcp 199.99.99.2 telnet 10.43.8.52 telnet netmask 255.255.255.255 0 0
static (inside,dmz) 10.43.8.29 10.43.8.29 netmask 255.255.255.255 0 0
static (inside,dmz) 10.43.8.20 10.43.8.20 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.6 10.43.100.6 netmask 255.255.255.255 0 0
static (inside,outside) 199.99.99.7 10.43.9.56 netmask 255.255.255.255 0 0
static (inside,outside) 199.99.99.5 10.43.8.53 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.4 10.43.100.4 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.3 10.43.100.3 netmask 255.255.255.255 0 0
static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
Any tips?
Thank you
Armin
Without seeing the rest of the config it is difficult to tell you exactly what's happening (i.e. ACLs, sysopt connection permit-ipsec, etc.).
However, you will need to have a nonat for the DMZ traffic going back through the VPN:
access-list nonat-dmz permit ip 10.43.100.0 255.255.255.0 10.43.27.0 255.255.255.0
nat (dmz) 0 access-list nonat-dmz
Also remove the static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0. I see no reason for you to destination-NAT.
HTH
-
Configuring the DMZ for MS access
I set up a DMZ for a web server. I'll probably put an RODC in there later, but for now I want to open ports to the domain controller.
I'm a bit new to DMZs and I'm a bit confused.
I set up services for the different ports and then configured the LAN/DMZ rules for traffic going out of the DMZ to the domain controller, but I get no connection.
I have the DMZ at 10.0.0.1 / 255.255.240.0
The web server is 10.0.0.5 / 255.255.240.0
Gateway is 10.0.0.1, DNS server is the primary domain controller 192.168.10.1
I opened the ports for the following services:
Kerberos 88 (TCP, UDP)
Time 123 (UDP)
135 Kerberos authentication (TCP)
LDAP 389
LDAP 445
MS DS 3268 (TCP)
1025-4999 RPC ports (TCP)
In the DMZ/LAN rules for outgoing traffic, should I simply specify the DMZ-side machines as DMZ users, or do I need to specify the LAN-side LAN users too?
Then I need to duplicate these ports for incoming, correct?
Any help pointing to the relevant documentation would be great.
No, you should not need to configure static routes, unless you have something weird going on. You can check the network path by adding incoming/outgoing ICMP LAN/DMZ rules (ICMP type 8, to be precise) and pinging back and forth between the DC and the web server (ensuring any intermediate software firewall is disabled). If you can test in both directions, then you know with certainty that no static routes are needed.
-
Installing the SCOM agent on servers in the DMZ
Dear,
Can you please help me with the exact steps to install the SCOM agent on a DMZ (non-trusted domain) server to monitor it, and is it possible to test it first on any Windows 7 PC?
Thanks in advance
This issue is beyond the scope of this site (which is for consumers); to be sure you get the best (and fastest) reply, we suggest you ask either on TechNet (for IT Pros) or MSDN (for developers).
If you give us a link to the new thread we can point some resources to it.
I installed Nvidia Geoforce GT630 in my Inspiron 570... Windows 7... 8 GB ram Processor a Main Circuit Board b3.00 gigahertz AMD Athlon II X2 250256 kilobyte primary memory cache2048 kilobyte secondary memory cache64-bit readyMulti-core (2 total)Not