
I am setting up a DMZ and I want the LAN to access the DMZ using RDP. So far I can't ping the DMZ from the LAN and can't access the server on the DMZ from the LAN. Kindly tell me what I am missing; below are the configs.
On phone so didn't check very closely, but I couldn't find a NAT between the internal and DMZ networks. Also, get in the habit of using named objects instead of IPs. It makes your life far better when reading the configuration file. Oh, and strip passwords and public IPs when posting publicly. It's not a plain password, but still...
hostname Ukuta
domain-name ic.com
enable password lJVPuxPhcYrtQ9qcK encrypted
passwd lJVPuxPhcYRQghn9cK encrypted
names
name 10.2.0.9 evault-srv
name 10.2.0.18 voip-gateway
name 10.2.0.16 citrix-srv
dns-guard
!
interface Ethernet0/0
description outside
nameif outside
security-level 0
ip address 195.202.81.170 255.255.255.248
!
interface Ethernet0/1
description inside
nameif inside
security-level 100
ip address 10.2.0.11 255.255.0.0
!
interface Ethernet0/2
description DMZ Zone
nameif DMZ
security-level 50
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description management interface
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner login Warning: unauthorized access is prohibited and punishable to the full extent of the law.
boot system disk0:/asa821-k8.bin
boot system disk0:/asa803-k8.bin
boot system disk0:/asa724-k8_1.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 195.202.64.1
name-server 195.202.64.2
domain-name ic.com
object-group service WEB-SERVICES tcp
port-object eq https
port-object eq www
port-object eq 8080
port-object eq 1026
port-object eq domain
object-group service MAIL-SERVICES tcp
description MAIL-SERVER *10.2.0.87*
port-object eq 993
port-object eq 465
port-object eq imap4
port-object eq smtp
port-object eq pop2
port-object eq https
port-object eq pop3
object-group service EVAULT-SERVICES tcp
description EVAULT-PORTS
port-object eq 2547
port-object eq 807
port-object eq 808
port-object eq 12547
port-object eq 2546
object-group network DirectIntNAT
description IPs that can access Internet directly
network-object 192.168.1.0 255.255.255.0
network-object host 10.2.0.149
network-object host 10.2.0.12
network-object host 10.2.0.4
network-object host 10.2.0.55
network-object host 10.2.0.87
network-object host 10.2.0.89
network-object host 10.2.0.97
network-object host 10.2.0.98
network-object host evault-srv
network-object host 10.2.0.53
network-object host 10.2.0.88
network-object host 10.2.0.79
network-object host 10.2.0.77
network-object host 10.2.0.106
network-object host 10.2.0.81
network-object host 10.2.0.227
network-object host 10.2.0.10
network-object host 10.2.0.8
network-object host 10.2.0.29
network-object host 10.2.4.95
network-object host 10.2.0.73
network-object host 10.2.0.72
network-object host 10.2.0.51
network-object host 10.2.0.58
network-object host 10.2.4.96
network-object host 10.2.0.99
network-object host 10.2.0.30
network-object host 10.2.0.71
network-object host 10.2.0.46
network-object host 10.2.0.41
object-group service DM_INLINE_SERVICE_1
object-group service ActiveSync990 tcp
description Port 990 for Active Sync
port-object eq 990
port-object eq 5678
port-object eq 5721
port-object eq 587
port-object eq 993
port-object eq 999
access-list IPS extended permit ip any any
access-list outside_access_in extended permit tcp any any object-group WEB-SERVICES
access-list outside_access_in extended permit tcp any interface outside object-group MAIL-SERVICES log
access-list outside_access_in extended permit tcp any host evault-srv object-group EVAULT-SERVICES log
access-list outside_access_in extended permit tcp any interface outside eq citrix-ica
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit tcp any any object-group MAIL-SERVICES log
access-list outside_access_in extended permit tcp any any object-group ActiveSync990
access-list outside_access_in remark implicit deny all
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.2.5.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.2.5.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.2.0.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.2.5.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.2.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.2.4.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.2.0.216 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 10.2.0.216 255.255.255.248
access-list ICEAVPNRA_splitTunnelAcl standard permit any
access-list ICEA_splitTunnelAcl standard permit any
access-list LocalLANAccess standard permit 10.2.0.0 255.255.0.0
access-list ICEARA_splitTunnelAcl standard permit any
access-list inside_nat_outbound extended permit ip object-group DirectIntNAT any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpn_ips 10.2.0.216-10.2.0.220 mask 255.255.0.0
ip local pool vpn_ips2 10.2.5.1-10.2.5.50 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 access-list inside_nat_outbound
nat (inside) 101 10.2.0.12 255.255.255.255
nat (inside) 101 10.2.0.89 255.255.255.255
nat (inside) 101 10.2.0.149 255.255.255.255
static (outside,inside) tcp 10.2.0.10 5679 195.202.81.170 5679 netmask 255.255.255.255
static (outside,outside) tcp 10.2.0.153 7001 10.2.0.153 7001 netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 10.2.0.87 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 465 10.2.0.46 465 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.2.0.46 smtp netmask 255.255.255.255
static (inside,outside) tcp interface imap4 10.2.0.46 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.2.0.46 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 10.2.0.46 https netmask 255.255.255.255
static (inside,outside) tcp interface 990 10.2.0.46 990 netmask 255.255.255.255
static (inside,outside) tcp interface 999 10.2.0.46 999 netmask 255.255.255.255
static (inside,outside) tcp interface 5678 10.2.0.46 5678 netmask 255.255.255.255
static (inside,outside) tcp interface 5721 10.2.0.46 5721 netmask 255.255.255.255
static (inside,outside) tcp interface 26675 10.2.0.46 26675 netmask 255.255.255.255
static (inside,outside) tcp interface 993 10.2.0.46 993 netmask 255.255.255.255
static (inside,outside) tcp interface 587 10.2.0.46 587 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.202.81.174 1
route inside 10.21.0.0 255.255.224.0 10.2.0.27 1
route inside 172.22.254.0 255.255.255.224 10.2.0.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.2.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.2.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.2.0.82 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1 rc4-md5
webvpn
group-policy ICEARA internal
group-policy ICEARA attributes
dns-server value 10.2.0.89 10.2.0.98
default-domain value icea.com
username vwainaina password B.CA3.rL63N4U.O4 encrypted
username vwainaina attributes
vpn-group-policy ICEARA
username test1 password C7gQOMTxCEoaINky encrypted
username test password P4ttSyrm33SV8TYp encrypted
username test attributes
vpn-group-policy ICEARA
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value ICEARA
username imutua password jnIz5/2R3pqxmnl6 encrypted
username imutua attributes
vpn-group-policy DfltGrpPolicy
username awaburi password GXHxEu03DxJOSMJ1 encrypted
username tmasudi password ePlX/AjfmvUU6Fsu encrypted privilege 15
username tmasudi attributes
vpn-group-policy ICEARA
username iceadmin password TiUC4sIBt7uF.xnb encrypted
username iceaadmin password TiUC4sIBt7uF.xnb encrypted privilege 15
username soluoch password WVNRbJ8S3.GQc9fV encrypted
username soluoch attributes
vpn-group-policy DfltGrpPolicy
username smbugua password pRJuRFSbQ/1ek8K8 encrypted privilege 15
username smbugua attributes
vpn-group-policy ICEARA
service-type remote-access
username vicky password STOg/nQM6msaWHdq encrypted
username vicky attributes
vpn-group-policy DfltGrpPolicy
tunnel-group ICEARA type remote-access
tunnel-group ICEARA general-attributes
address-pool vpn_ips2
default-group-policy ICEARA
tunnel-group ICEARA ipsec-attributes
pre-shared-key *
!
class-map ips-class
match access-list IPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map ips-policy
class ips-class
ips inline fail-open
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class ips-class
ips inline fail-open
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
smtp-server 10.2.0.87
prompt hostname context
Cryptochecksum:a2e591d6708eaa3461b6f66b4b23d4c6
: end
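An added example of the missing piece the reply points at; it is not from either poster. On ASA 8.2 with `nat-control` enabled (as in the config above), traffic from inside (security-level 100) to DMZ (security-level 50) must match a translation, and the posted config only defines `global (outside) 101`, so an inside host headed for the DMZ has no translation on that egress and the packet is dropped. The fragment below assumes a DMZ server at 192.168.10.10 and an inside client at 10.2.0.50 (both constructed placeholders): it adds an identity NAT between inside and DMZ, enables ICMP inspection so echo replies from the DMZ can return through the default DMZ-to-inside deny, and shows the `packet-tracer` check to confirm the RDP flow before testing from a client.

```cisco
! Assumed DMZ server address (placeholder), named as the reply advises
name 192.168.10.10 dmz-rdp-srv
!
! Identity NAT: inside hosts keep their 10.2.x.x addresses toward the DMZ.
! Satisfies nat-control without hiding clients behind the DMZ interface, so the
! DMZ server's RDP logs still record the real inside client address.
static (inside,DMZ) 10.2.0.0 10.2.0.0 netmask 255.255.0.0
!
! Alternative for the same flow (use one or the other): PAT the inside hosts
! already matched by "nat (inside) 101" behind the DMZ interface address.
! global (DMZ) 101 interface
!
! ICMP is not tracked statefully unless inspected: without this the echo-request
! reaches the DMZ but the echo-reply hits the DMZ->inside default deny.
! This appends to the existing global_policy / inspection_default class.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Higher-to-lower security traffic is permitted by default and the posted config
! has no access-group on the inside interface, so RDP (tcp/3389) needs no ACL.
! Check the path from the ASA itself before testing from a client:
! packet-tracer input inside tcp 10.2.0.50 12345 192.168.10.10 3389 detailed
!
! Expected: every phase reports ALLOW and the NAT phase shows the static
! (inside,DMZ) translation. A DROP with "no translation group found" means the
! identity NAT is not in effect for this source/destination pair.
```

Keep the static identity NAT rather than PAT if you later want to restrict DMZ access by source address or audit RDP logons on the DMZ host; with PAT every inside client would appear as 192.168.10.254.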
Participants (1): William Muriithi