Monday, January 13, 2020

ASA NAT Issue: Cannot ping Server in DMZ - Static NAT not working

Hi all,

I cannot seem to ping the server in the DMZ from "OUTSIDE" (static NAT). However, I can ping outside from inside (PAT).

Could anyone point me in the right direction, please?

object network INSIDE-OUTSIDE
nat (inside,outside) dynamic interface
object network DMZ2-OUTSIDE
nat (dmz2,outside) dynamic interface
object network DMZ1-OUTSIDE
nat (dmz1,outside) dynamic interface
!
nat (any,outside) after-auto source dynamic any interface
ASAlab2(config)#
ASAlab2(config)#
ASAlab2(config)# sh run
: Saved

:
: Serial Number: 9AMKNK263EE
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2095 MHz
:
ASA Version 9.9(2)
!
hostname ASAlab2
enable password $sha512$5000$+Kpz/EysDD1un1b5YiX/MQ==$k3TtQlPYooJmTbkU/HIykA== pbkdf2
names

!
interface GigabitEthernet0/0
description WAN
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.252
!
interface GigabitEthernet0/1
description LAN
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ1
nameif dmz1
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
description DMZ2
nameif dmz2
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
no ip address
!
ftp mode passive
object network INSIDE-OUTSIDE
subnet 192.168.0.0 255.255.255.0
object network DMZ1-SERVER
host 192.168.1.10
object network OUTSIDE-DMZ1
host 10.1.1.10
object network DMZ2-OUTSIDE
subnet 192.168.2.0 255.255.255.0
object network DMZ1-OUTSIDE
subnet 192.168.1.0 255.255.255.0
access-list OUTISDE-DMZ extended permit ip any host 192.168.1.10
pager lines 23
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network INSIDE-OUTSIDE
nat (inside,outside) dynamic interface
object network DMZ2-OUTSIDE
nat (dmz2,outside) dynamic interface
object network DMZ1-OUTSIDE
nat (dmz1,outside) dynamic interface
!
nat (any,outside) after-auto source dynamic any interface
access-group OUTISDE-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA

quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
console serial
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:1d55c3acd48ddf7aa7f83d370abfc6ba
: end

Thanks
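
Added example, not part of the original post: the posted config defines OUTSIDE-DMZ1 (10.1.1.10) but never uses it, and `nat (dmz1,outside) dynamic interface` only builds outbound PAT entries, so nothing maps an outside address to 192.168.1.10. The ACL itself is fine for post-8.3 NAT, since it references the real address. The Python script below (my code, not the poster's) parses a constructed excerpt modelled on the posted config, reports inbound permit entries whose destination host sits behind another interface without a static NAT toward the bound interface (object NAT or a static twice-NAT `source static` rule both count), and shows that adding `nat (dmz1,outside) static 10.1.1.10` under DMZ1-SERVER clears the finding. Interface and object names come from the post; the `<MAPPED-IP>` placeholder in the suggested fix and the `HOST-` object name are the script's own conventions, since the intended mapped address cannot be read from the config.

```python
# Added example (not the poster's code): flag inbound ACL entries on a post-8.3 ASA
# whose real destination has no static NAT toward the interface the ACL is bound to.
import ipaddress
import re
IPNet, IPAddr = ipaddress.IPv4Network, ipaddress.IPv4Address

# Constructed excerpt modelled on the post; the parser does not rely on indentation.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 10.1.1.1 255.255.255.252
interface GigabitEthernet0/2
 nameif dmz1
 ip address 192.168.1.1 255.255.255.0
object network DMZ1-SERVER
 host 192.168.1.10
object network DMZ1-OUTSIDE
 subnet 192.168.1.0 255.255.255.0
access-list OUTISDE-DMZ extended permit ip any host 192.168.1.10
object network DMZ1-OUTSIDE
 nat (dmz1,outside) dynamic interface
nat (any,outside) after-auto source dynamic any interface
access-group OUTISDE-DMZ in interface outside
"""
# The fix: object NAT publishing the host on 10.1.1.10 (dynamic PAT is outbound only).
FIXED_CONFIG = BROKEN_CONFIG + "object network DMZ1-SERVER\n nat (dmz1,outside) static 10.1.1.10\n"

def _addr(t, i):  # one ACL address spec at t[i] -> ((kind, value), next index)
    if t[i] in ("any", "any4", "any6"):
        return ("any", None), i + 1
    if t[i] == "host":
        return ("host", IPAddr(t[i + 1])), i + 2
    if t[i] in ("object", "object-group", "interface"):
        return (t[i], t[i + 1]), i + 2
    return ("net", IPNet(f"{t[i]}/{t[i + 1]}", strict=False)), i + 2

def parse_config(text: str) -> dict:
    """Interfaces, network objects (real + object NAT), static twice NAT, extended ACLs, bindings."""
    cfg = {"ifaces": {}, "objects": {}, "twice_static": [], "acls": {}, "bindings": {}}
    cur_if = cur_obj = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            cur_if = cur_obj = None
        elif t[0] == "nameif":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"] and cur_if and len(t) > 3:
            cfg["ifaces"][cur_if] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
        elif t[:2] == ["object", "network"]:
            cur_obj = t[2]
            cfg["objects"].setdefault(cur_obj, {"real": None, "nat": None})
        elif t[0] == "nat" and "source" in t:  # twice (manual) NAT is a top-level command
            s, m, cur_obj = t.index("source"), re.match(r"\((\S+),(\S+)\)", t[1]), None
            if t[s + 1] == "static":
                cfg["twice_static"].append((m[1], m[2], t[s + 2]))
        elif cur_obj and t[0] in ("host", "subnet"):  # 'range' objects stay unresolved
            cfg["objects"][cur_obj]["real"] = IPNet(f"{t[1]}/{t[2] if t[0] == 'subnet' else 32}", strict=False)
        elif cur_obj and t[0] == "nat":  # object NAT: nat (real_ifc,mapped_ifc) static|dynamic X
            m = re.match(r"\((\S+),(\S+)\)", t[1])
            cfg["objects"][cur_obj]["nat"] = {"from": m[1], "to": m[2], "type": t[2], "mapped": t[3]}
        elif t[0] == "access-list" and len(t) > 5 and t[2] == "extended":
            i = 6 if t[4] in ("object", "object-group") else 5  # step over the protocol spec
            _, i = _addr(t, i)
            i += 2 if t[i] in ("eq", "neq", "gt", "lt") else 3 if t[i] == "range" else 0  # src ports
            cfg["acls"].setdefault(t[1], []).append(
                {"line": raw.strip(), "permit": t[3] == "permit", "dst": _addr(t, i)[0]})
        elif t[0] == "access-group" and len(t) > 4 and t[2] == "in":
            cfg["bindings"][t[4]] = t[1]
        elif t[0] != "description":
            cur_obj = None  # any other top-level command ends an object block
    return cfg

def _translated(cfg, ip, real_if, mapped_if) -> bool:
    """True if object NAT or static twice NAT already maps ip from real_if toward mapped_if."""
    covers = lambda n: (r := cfg["objects"].get(n, {}).get("real")) is not None and ip in r
    return any(o["nat"] and o["nat"]["type"] == "static" and o["nat"]["to"] == mapped_if
               and o["nat"]["from"] in (real_if, "any") and covers(n) for n, o in cfg["objects"].items()) \
        or any(to == mapped_if and frm in (real_if, "any") and covers(obj) for frm, to, obj in cfg["twice_static"])

def missing_static_nat(text: str) -> list:
    """Inbound permit entries to a host behind another interface that has no static NAT toward it."""
    cfg, findings = parse_config(text), []
    for bound_if, acl in cfg["bindings"].items():
        for e in cfg["acls"].get(acl, []):
            kind, val = e["dst"]
            if not e["permit"] or kind != "host":
                continue  # any/subnet/object/group destinations are not checked by this example
            real_if = next((n for n, itf in cfg["ifaces"].items() if val in itf.network), None)
            if real_if in (None, bound_if) or _translated(cfg, val, real_if, bound_if):
                continue  # unknown, on the bound interface's own subnet, or already mapped
            obj = next((n for n, o in cfg["objects"].items()  # reuse a NAT-less host object if present
                        if o["real"] == IPNet(f"{val}/32") and not o["nat"]), None)
            fix = [f"object network {obj}"] if obj else [f"object network HOST-{str(val).replace('.', '-')}", f" host {val}"]
            fix.append(f" nat ({real_if},{bound_if}) static <MAPPED-IP>")  # the intended mapped IP is not inferable
            findings.append({"acl": acl, "line": e["line"], "real": str(val), "real_if": real_if, "object": obj, "fix": fix})
    return findings

if __name__ == "__main__":
    print(*(f["line"] + " -> " + " / ".join(f["fix"]) for f in missing_static_nat(BROKEN_CONFIG)), sep="\n")
```

With the static NAT in place, ping the mapped address 10.1.1.10 from outside, not 192.168.1.10, and confirm on the ASA with `packet-tracer input outside icmp 10.1.1.2 8 0 10.1.1.10` and `show nat detail`. Two caveats: 10.1.1.10 lies outside the 10.1.1.0/30 configured on the outside interface, so the device at 10.1.1.2 needs a route for it pointing at 10.1.1.1; and `inspect icmp` is already in global_policy, so the echo request and reply are tracked as one connection.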


