Cisco ASA, and Secure Servers

Discussion in 'Networking & Security' started by Haven, Feb 25, 2015.

  1. Haven

    Haven I Only Post Important Stuff

    Messages:
    6,186
    Joined:
    Oct 11, 2002
    I have an internal secure network that my client wants to put on his network but still keep it secured so only certain machines can access it. So I have set up a Cisco ASA to sit between the two networks. However I can't get it to work right.

    I know I have done something wrong, but I can't seem to figure it out.

    I have four machines that the techs use and those machines have static IP addresses now. They are supposed to be allowed inside the network, but when I have the rules setup Packet Tracer says the packets won't go through.

    Diagram of network setup.
    [​IMG]

    From what I thought I did, any device that is in the CL_Workstations should be allowed through on the Secure_Ports ports to the NAT'ed IPs.

    Cisco Config
    Any ideas what I did wrong.
     
  2. Jay_2

    Jay_2 2[H]4U

    Messages:
    3,583
    Joined:
    Mar 20, 2006
    What ASA are you using?

    Also what is 192.10.0.x and 192.10.1.x used for?
     
  3. Haven

    Haven I Only Post Important Stuff

    Messages:
    6,186
    Joined:
    Oct 11, 2002
    It is a Cisco ASA 5505.

    192.168.0.x is for "internal" which is to say nothing really.

    192.168.1.x is used for the secure machines that need to be accessed by the 10.214.219.x specific machines.

    And I have just been informed by the customer that they no longer want to do that, they just want to block all access to the secure machines, but let the secure machines out on port 443 to a Citrix server. Which I had working a month ago till they changed their mind.

    Thanks for the help. I'm going to go bang my head against the desk.
     
  4. stormy1

    stormy1 [H]ard|Gawd

    Messages:
    1,047
    Joined:
    Apr 3, 2008
    I used vpn to do it.
    Only connection from unsecured to secure was by individual vpn connections with short timeouts so they didn't get left open all the time and full logging.
     
  5. charold

    charold Limp Gawd

    Messages:
    314
    Joined:
    Sep 7, 2011
    It looks like your IP address on the dmz is wrong? I'm not sure why you are using

    That's something I'm at least unfamiliar with.

    Also, it appears you are using pre 8.3 based ASA firmware, which means, I believe you will have to create a no NAT statement when traversing between DMZ and Outside interfaces. The syntax should be

    ASA 8.2 and earlier versions are made to NAT to the outside automatically, so you need to NAT exempt traffic. 8.3 and on it did not perform NAT unless you told it to. This may be solved by renaming the outside to something else as well, but don't quote me on that.

    You can reset stats, and run

    show nat

    It will show you how many times each nat rule has been applied. Or go through packet-tracer and determine if it's being routed.

    Do a

    Let us know the results. One thing I like about the ASDM is when you do the packet-tracer tool, it can show you the specific access-list rule thats blocking it (usually the implicit rule). That should get you going though.