DMZ loses Internet access when using Backup Interface
- This topic has 0 replies, 1 voice, and was last updated 9 years, 6 months ago by steffen_sor.
steffen_sor (Member) — Jul 18, 2011 at 2:29 am, #155510
Hi,
An ASA 5505 uses a Backup Interface when the ISP goes down (quite often :sad:). That works just fine for the Inside interface, but the DMZ loses its Internet connection while using the Backup Interface.
What am I missing?
This is the running config:
Best regards Steffen
!
! Review: ASA 5505 with a PPPoE primary uplink (Vlan2 "outside"), a backup
! uplink (Vlan13 "ICE"), an inside LAN (Vlan1) and a DMZ (Vlan3). The outside
! default route is tied to track 1 / sla monitor 123 (ICMP echo to the outside
! gateway); when that fails the floating ICE default route (metric 254) takes
! over. Passwords and public addresses are redacted in this paste.
hostname ciscoasa
domain-name DOMAIN.local
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
name 192.168.0.150 Server1 description SBS 2003 Server
name xxx.yyy.187.20 IP_outside
name 192.168.10.10 IP_ICE
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
! Primary uplink (PPPoE, /32 address). "backup interface Vlan13" designates
! the ICE VLAN as this interface's backup.
interface Vlan2
description Direct Connect
backup interface Vlan13
nameif outside
security-level 0
pppoe client vpdn group PPPoE_DirectConnect
ip address IP_outside 255.255.255.255 pppoe
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
! Backup uplink, same security level (0) as outside. IP_ICE is 192.168.10.10/24,
! so the backup path goes through an upstream device at 192.168.10.1 (see the
! ICE default route below).
interface Vlan13
description Backupnett ICE
nameif ICE
security-level 0
ip address IP_ICE 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name DOMAIN.local
! outside and ICE are both security-level 0; "inter-interface" lets traffic
! pass between two equal-level interfaces (still subject to the access-groups
! below) and "intra-interface" allows hairpinning on a single interface.
! Review whether both are actually required here.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! Inbound publishing on the primary uplink. Destinations are written as
! IP_outside with a /30 mask, whereas the ICE rules use "host IP_ICE";
! presumably harmless, but worth making consistent.
access-list outside_access_in remark For RWW
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq 4125
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq pptp
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq 444
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq smtp
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq https
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq www
access-list outside_access_in extended permit icmp any IP_outside 255.255.255.252 echo-reply
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq ftp
! Not referenced anywhere in this config (the group-policy uses
! DOMAIN_VPN_splitTunnelAcl); looks like a leftover "permit any" split list.
access-list DOMAINVPN_splitTunnelAcl standard permit any
! NAT exemption for VPN clients in 192.168.0.192/26.
access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192
access-list DOMAIN_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
! Same services published on the backup uplink, except ftp (permitted only on
! outside, and the matching static below exists only for outside).
access-list ICE_access_in extended permit tcp any host IP_ICE eq www
access-list ICE_access_in extended permit tcp any host IP_ICE eq https
access-list ICE_access_in extended permit tcp any host IP_ICE eq smtp
access-list ICE_access_in extended permit tcp any host IP_ICE eq 444
access-list ICE_access_in extended permit tcp any host IP_ICE eq pptp
access-list ICE_access_in extended permit icmp any host IP_ICE echo-reply
access-list ICE_access_in remark For RWW
access-list ICE_access_in extended permit tcp any host IP_ICE eq 4125
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu ICE 1500
! VPNPool overlaps the ICE subnet (192.168.10.0/24). With "no vpn-addr-assign
! local" and "dhcp-server Server1" further down, this pool appears unused --
! confirm before relying on it, and move it off the ICE range if it is used.
ip local pool VPNPool 192.168.10.210-192.168.10.225 mask 255.255.255.0
! Failover is disabled, so the monitor-interface lines should be inert.
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface ICE
icmp unreachable rate-limit 1 burst-size 1
icmp permit xxx.yyy.187.0 255.255.255.0 outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
! PAT pool 1 exists on both uplinks, and both inside and dmz map to pool 1,
! so DMZ hosts are translated on whichever uplink the default route currently
! uses. NAT itself does not appear to be what breaks the DMZ on failover.
global (outside) 1 interface
global (ICE) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.0.0.0 255.255.255.0
! Port forwards to Server1 are mirrored for outside and ICE, except ftp
! (outside only).
static (inside,ICE) tcp interface 4125 Server1 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 Server1 4125 netmask 255.255.255.255
static (inside,ICE) tcp interface 444 Server1 444 netmask 255.255.255.255
static (inside,outside) tcp interface 444 Server1 444 netmask 255.255.255.255
static (inside,ICE) tcp interface pptp Server1 pptp netmask 255.255.255.255
static (inside,outside) tcp interface pptp Server1 pptp netmask 255.255.255.255
static (inside,ICE) tcp interface smtp Server1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server1 smtp netmask 255.255.255.255
static (inside,ICE) tcp interface https Server1 https netmask 255.255.255.255
static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255
static (inside,ICE) tcp interface www Server1 www netmask 255.255.255.255
static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp Server1 ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group ICE_access_in in interface ICE
! Tracked primary default route: while track 1 (sla monitor 123 below) is up
! the outside route is installed; when the probe fails it is withdrawn and the
! floating ICE route (metric 254) takes over.
route outside 0.0.0.0 0.0.0.0 xxx.yyy.187.1 1 track 1
route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
! ASDM/HTTP management is limited to the inside network.
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Reachability probe for track 1: 3 ICMP echoes every 10 s to the outside
! gateway, sourced from the outside interface.
sla monitor 123
type echo protocol ipIcmpEcho xxx.yyy.187.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
! Legacy IKEv1/IPsec parameters (3DES, SHA-1, DH group 2, PFS group 1); weak
! by current standards. A hardening item separate from the failover question.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
! The crypto map and ISAKMP are bound to outside only, so remote-access VPN
! is not available over the ICE uplink as configured.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group PPPoE_DirectConnect request dialout pppoe
vpdn group PPPoE_DirectConnect localname DOMAINas
vpdn group PPPoE_DirectConnect ppp authentication pap
vpdn username DOMAINas password *********
! DHCP server parameters are presumably taken from the outside PPPoE session
! where not set explicitly; the dmz scope below sets DNS explicitly.
dhcpd auto_config outside
!
! Likely cause of the reported symptom: DMZ hosts are handed the resolvers
! xxx.yyy.187.1 and xxx.yyy.187.2, which sit in the primary ISP's range (the
! same range as the outside gateway and the icmp permit above). If those
! resolvers are reachable only over the outside link, DMZ hosts lose name
! resolution as soon as traffic shifts to ICE, even though routing and PAT are
! in place. Inside hosts would not be affected the same way if they resolve
! through Server1, as the VPN group-policy does. Test: from a DMZ host, reach a
! public IP directly while on the backup; if that works, point the dmz scope at
! resolvers reachable over both uplinks. TODO confirm.
dhcpd address 10.0.0.10-10.0.0.39 dmz
dhcpd dns xxx.yyy.187.1 xxx.yyy.187.2 interface dmz
dhcpd lease 6000 interface dmz
dhcpd enable dmz
! The line below appears to have lost its line break in the paste ("!" fused
! with "ntp server ..."); as written it is a comment, so no NTP server is in
! effect. Confirm on the device.
!ntp server 64.0.0.2 source outside
! IPsec remote-access VPN. Client addresses presumably come from Server1 via
! DHCP (dhcp-server below; local address assignment is disabled above).
group-policy DOMAIN_VPN internal
group-policy DOMAIN_VPN attributes
dns-server value 192.168.0.150
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DOMAIN_VPN_splitTunnelAcl
default-domain value DOMAIN.local
vpn-group-policy DOMAIN_VPN
tunnel-group DOMAIN_VPN type ipsec-ra
tunnel-group DOMAIN_VPN general-attributes
default-group-policy DOMAIN_VPN
dhcp-server Server1
tunnel-group DOMAIN_VPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
! imblock matches all traffic on the interface it is applied to (inside only,
! see service-policy IM_P2P below); P2P matches tcp/80.
class-map imblock
match any
class-map P2P
match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
! HTTP inspection that drops and logs requests matching the built-in
! gator / kazaa / msn-messenger / gnu-http-tunnel URI regexes.
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
match request uri regex _default_msn-messenger
drop-connection log
match request uri regex _default_gnu-http-tunnel_arg
drop-connection log
policy-map IM_P2P
class imblock
inspect im impolicy
class P2P
inspect http P2P_HTTP
!
service-policy global_policy global
service-policy IM_P2P interface inside
prompt hostname context: end