Haven
I have an internal secure network that my client wants to put on his network but still keep it secured so only certain machines can access it. So I have set up a Cisco ASA to sit between the two networks. However I can't get it to work right.
I know I have done something wrong, but I can't seem to figure it out.
I have four machines that the techs use, and those machines have static IP addresses now. They are supposed to be allowed inside the network, but when I have the rules set up, Packet Tracer says the packets won't go through.
Diagram of network setup.
From what I thought I did, any device in the CL_Workstations group should be allowed through on the Secure_Ports ports to the NAT'ed IPs.
Cisco Config
hostname Secure-Lab
domain-name test.lab
enable password encrypted
passwd encrypted
names
name 10.214.119.11 NAT_10.214.119.11
name 10.214.119.12 NAT_10.214.119.12
name 10.214.119.13 NAT_10.214.119.13
name 10.214.119.14 NAT_10.214.119.14
name 192.10.1.11 S_192.10.1.11
name 192.10.1.12 S_192.10.1.12
name 192.10.1.13 S_192.10.1.13
name 192.10.1.14 S_192.10.1.14
name 10.214.119.81 W_10.214.119.81
name 10.214.119.82 W_10.214.119.82
name 10.214.119.83 W_10.214.119.83
name 10.214.119.84 W_10.214.119.84
name 192.10.1.1 G_192.10.1.1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.10.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.214.119.4 255.255.255.0
!
interface Vlan4
nameif dmz
security-level 50
ip address G_192.10.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 4
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name indy.gov
object-group service Secure_Ports
service-object tcp-udp eq 137
service-object tcp eq 3389
service-object tcp eq 445
service-object tcp eq netbios-ssn
service-object udp eq netbios-dgm
object-group network CL_Workstations
network-object host W_10.214.119.81
network-object host W_10.214.119.82
network-object host W_10.214.119.83
network-object host W_10.214.119.84
object-group network NAT_IPs
network-object host NAT_10.214.119.11
network-object host NAT_10.214.119.12
network-object host NAT_10.214.119.13
network-object host NAT_10.214.119.14
object-group network Secure_Servers
network-object host S_192.10.1.11
network-object host S_192.10.1.12
network-object host S_192.10.1.13
network-object host S_192.10.1.14
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.14
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.13
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.12
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.11
nat (inside) 101 0.0.0.0 0.0.0.0
static (dmz,outside) NAT_10.214.119.11 S_192.10.1.11 netmask 255.255.255.255
static (dmz,outside) NAT_10.214.119.12 S_192.10.1.12 netmask 255.255.255.255
static (dmz,outside) NAT_10.214.119.13 S_192.10.1.13 netmask 255.255.255.255
static (dmz,outside) NAT_10.214.119.14 S_192.10.1.14 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.214.119.1 1
Any ideas what I did wrong?
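As an added example that is not part of the post (and not Cisco's tooling), here is a small Python script that parses the `name` aliases, object-groups, ACL, statics and access-group from the config above and answers the question packet-tracer is being asked: for a flow arriving on `outside`, which ACL line matches and which DMZ host the static maps the destination to. It assumes pre-8.3 semantics (an ACL bound to the outside interface matches the mapped NAT addresses, which is how the posted rules are written) and models only the ACL and static-NAT steps; interface security levels, routing and the ASA 5505 VLAN licensing rules are outside its scope. The config excerpt is constructed from the post, with the W_ and S_ `name` aliases expanded to their IPs to keep it short.

```python
"""Added example (not the poster's code): a mini packet-tracer for the ACL and
static-NAT steps of the pre-8.3 ASA config quoted above. Nothing else is modelled."""
import re

# Constructed excerpt of the poster's config: only the lines these two steps use.
ASA_CONFIG = """
name 10.214.119.11 NAT_10.214.119.11
name 10.214.119.12 NAT_10.214.119.12
name 10.214.119.13 NAT_10.214.119.13
name 10.214.119.14 NAT_10.214.119.14
object-group service Secure_Ports
 service-object tcp-udp eq 137
 service-object tcp eq 3389
 service-object tcp eq 445
 service-object tcp eq netbios-ssn
 service-object udp eq netbios-dgm
object-group network CL_Workstations
 network-object host 10.214.119.81
 network-object host 10.214.119.82
 network-object host 10.214.119.83
 network-object host 10.214.119.84
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.14
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.13
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.12
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.11
static (dmz,outside) NAT_10.214.119.11 192.10.1.11 netmask 255.255.255.255
static (dmz,outside) NAT_10.214.119.12 192.10.1.12 netmask 255.255.255.255
static (dmz,outside) NAT_10.214.119.13 192.10.1.13 netmask 255.255.255.255
static (dmz,outside) NAT_10.214.119.14 192.10.1.14 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}  # ASA keywords used here


def parse_asa_config(text):
    """Return names, object-groups, ACLs (in order), statics and ACL-to-interface bindings."""
    pol = {"names": {}, "svc": {}, "net": {}, "acl": {}, "static": {}, "bind": {}}
    resolve = lambda tok: pol["names"].get(tok, tok)      # expand `name` aliases to IPs
    portnum = lambda tok: PORT_NAMES.get(tok) or int(tok)
    group = None                                          # object-group currently being filled
    for t in (line.split() for line in text.splitlines()):
        if not t or t[0] == "!":
            continue
        if t[0] == "name":                                # name IP ALIAS
            pol["names"][t[2]] = t[1]
        elif t[0] == "object-group":                      # object-group service|network NAME
            group = t[2]
            pol["svc" if t[1] == "service" else "net"][group] = []
        elif t[0] == "service-object":                    # service-object tcp|udp|tcp-udp eq PORT
            protos = ("tcp", "udp") if t[1] == "tcp-udp" else (t[1],)
            pol["svc"][group].append((protos, portnum(t[3])))
        elif t[0] == "network-object":                    # network-object host NAME|IP
            pol["net"][group].append(resolve(t[2]))
        elif t[0] == "access-list":                       # access-list NAME extended <ace>
            pol["acl"].setdefault(t[1], []).append(parse_ace(t[3:], pol, resolve))
        elif t[0] == "static":                            # static (real_ifc,mapped_ifc) MAPPED REAL
            real_ifc = re.match(r"\((\w+),", t[1]).group(1)
            pol["static"][resolve(t[2])] = (real_ifc, resolve(t[3]))
        elif t[0] == "access-group":                      # access-group ACL in interface IFC
            pol["bind"][t[4]] = t[1]
    return pol


def parse_ace(t, pol, resolve):
    """Parse `permit|deny object-group SVC <src> <dst>`; src/dst is any | host X | object-group G."""
    def addr(i):                                          # -> (host list, or None for any), next index
        if t[i] == "any":
            return None, i + 1
        if t[i] == "host":
            return [resolve(t[i + 1])], i + 2
        if t[i] == "object-group":
            return pol["net"][t[i + 1]], i + 2
        raise ValueError("address form not modelled: " + t[i])
    if t[1] != "object-group":
        raise ValueError("only service object-group ACEs are modelled")
    src, i = addr(3)
    dst, _ = addr(i)
    return {"action": t[0], "services": pol["svc"][t[2]], "src": src, "dst": dst}


def trace(pol, in_ifc, proto, src, dst, dport):
    """Like `packet-tracer input IFC PROTO SRC x DST DPORT`, for the ACL and static-NAT steps only."""
    for n, ace in enumerate(pol["acl"].get(pol["bind"].get(in_ifc), []), 1):
        if (any(proto in protos and port == dport for protos, port in ace["services"])
                and (ace["src"] is None or src in ace["src"])
                and (ace["dst"] is None or dst in ace["dst"])):
            break                                         # first matching ACE wins
    else:
        return {"allow": False, "line": None, "reason": "no matching ACE (implicit deny)"}
    if ace["action"] == "deny":
        return {"allow": False, "line": n, "reason": "explicit deny"}
    if dst not in pol["static"]:                          # permitted, but nothing publishes that IP
        return {"allow": False, "line": n, "reason": "no static translation for dst"}
    real_ifc, real_ip = pol["static"][dst]
    return {"allow": True, "line": n, "out_ifc": real_ifc, "real_dst": real_ip}
```

Run it against the flows the techs actually need, for example `trace(pol, "outside", "tcp", "10.214.119.81", "10.214.119.11", 3389)`, which reports a permit on ACL line 4 with real destination 192.10.1.11 on `dmz`, and against flows that should fail (port 80, UDP 139, a fifth workstation). If the rule set passes these checks but the ASA's own packet-tracer still drops the packet, the problem lies in a step this script does not model, which narrows the search to routing, the DMZ hosts' default gateway, or platform restrictions such as the third-VLAN limits on a base-licensed 5505.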