ASA5505 - Cannot communicate between two hosts from outside to inside

Answered Question
Feb 18th, 2008

Dear all,

I am new to Cisco security devices.

We have purchased an ASA5505 to secure the internal network, allowing only specific users to access the DCS server installed on the inside network, i.e. 192.168.1.1 255.255.255.0

Allowed users are:

1. 10.51.161.16 255.255.255.0, which is routed by the MSFC card.

2. 10.51.7.121, which is routed by the MSFC card.

I have tried a lot, but have been unable to succeed.

Please, can anyone provide me with a working configuration? I am attaching the current running configuration and a basic topology diagram.

Please help me as soon as possible.




abinjola (Cisco Employee) Mon, 02/18/2008 - 21:29

Config looks good. Is the DCS server 192.168.1.2?

Is there a return route/DG set on 192.168.1.2?

I want you to turn on debug icmp trace on the firewall and run pings from the outside machine to 192.168.1.2; get me the debugs.


Dipesh Patel Tue, 02/19/2008 - 01:05

Debug result:

ABB-ASA5505# debug icmp trace
debug icmp trace enabled at level 1
ABB-ASA5505# ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=1536 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=1792 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=2048 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=2304 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=2560 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=2816 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=3072 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=3328 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=3584 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=3840 len=32



dongdongliu Mon, 02/18/2008 - 22:14

Does the MSFC have a route to the DCS server?

Which kind of application (TCP or UDP) is used on the DCS server?

Dipesh Patel Mon, 02/18/2008 - 22:20

Yes, the route is:

ip route 192.168.1.0 255.255.255.0 10.51.7.30

IP communication: full communication between these hosts.


dongdongliu Mon, 02/18/2008 - 22:44

Hi Dipesh,

please remove the "static (inside,outside)..." line and then try again.

Dipesh Patel Mon, 02/18/2008 - 23:05

Dear dongdongliu,

You mean to say I should disable NAT? Does it work without NAT?

I cannot ping any host.

But packet tracer shows it working.

But without the route on the MSFC it also shows working.


dongdongliu Mon, 02/18/2008 - 23:13

Dear Dipesh,

I do not think

"static (inside,outside) 192.168.1.2 192.168.1.2 netmask 255.255.255.255"

is a NAT command.

There is no "nat" command in the configuration on the ASA.

I suggest adding a line:

static (inside,outside) 10.51.7.3X 192.168.1.2

Regards,

dongdong

adamperrego Tue, 02/19/2008 - 05:17

Yes. Whatever host you are trying to ping, do a 1-to-1 mapping.

Correct Answer
abinjola (Cisco Employee) Tue, 02/19/2008 - 06:04

Hold on Dipesh, put the static back in the configuration; you do need a static xlate rule from outside to inside.

Now, I asked for the debug icmp trace when you pinged 192.168.1.2 (DCS server); however, I don't see you pinging your DCS in the debugs, I noticed you pinging 192.168.1.1.

Initiate a ping to 192.168.1.2 from the outside machine and get me the debug output.

Also turn on:

logg on
logg buffered 7

and get me the sh logg output.

abinjola (Cisco Employee) Wed, 02/20/2008 - 20:53

Is the issue resolved? Do let me know, please.

Dipesh Patel Thu, 02/21/2008 - 01:28

Yes, the issue was resolved, but there is one more problem:

I cannot access telnet or http from outside.

I am trying to access telnet or http using IP 10.5.213.22

The working running config is like this:

sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ABB-ASA5505
domain-name cisco.com
enable password xxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.5.200.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.5.213.30 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name cisco.com
access-list inside_access_in extended permit ip host 172.5.200.2 host 10.5.161.16
access-list outside_access_in extended permit ip host 10.5.161.16 host 10.5.213.21
access-list outside_access_in extended permit ip host 10.5.161.16 host 10.5.213.22
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 10.5.213.21 172.5.200.2 netmask 255.255.255.255
static (inside,outside) 10.5.213.22 172.5.200.1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.5.213.35 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.5.200.2 255.255.255.255 inside
http 10.5.161.16 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.5.200.2 255.255.255.255 inside
telnet 10.5.161.16 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

ABB-ASA5505#

Please help.



abinjola (Cisco Employee) Tue, 02/26/2008 - 04:58

Put in the command "http 10.5.213.22 255.255.255.255 outside" and see if you can open ASDM (the GUI) of the firewall now.

Also, for your information: we cannot telnet to the firewall from outside (security-level 0), but we can ssh to it from outside:

ssh 0 0 outside
crypto key gen rsa mod 1024

See if this helps!
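The advice in this thread comes down to three checks against the running-config: an outside-to-inside static needs a matching permit on the ACL bound to the outside interface, that permit (on 7.x code, before the 8.3 NAT rewrite) must name the mapped address rather than the real inside address, and Telnet to the lowest-security interface is refused while SSH is not. The script below is an added example, not code from the thread or from Cisco; it runs those three checks over a pasted `sh run`. SAMPLE_CONFIG is constructed: it is trimmed from the config Dipesh posted, with one deliberately wrong line added (the `eq telnet` permit to the real address 172.5.200.2) so that the second check has something to report. The function names and the wording of the findings are mine.

```python
import ipaddress
import re

# Constructed sample: trimmed from the config posted in the thread, plus ONE deliberately
# wrong line (the 'eq telnet' permit) that names the real inside address, not the mapped one.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.5.200.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.5.213.30 255.255.255.0
access-list outside_access_in extended permit ip host 10.5.161.16 host 10.5.213.21
access-list outside_access_in extended permit ip host 10.5.161.16 host 10.5.213.22
access-list outside_access_in extended permit tcp host 10.5.161.16 host 172.5.200.2 eq telnet
static (inside,outside) 10.5.213.21 172.5.200.2 netmask 255.255.255.255
static (inside,outside) 10.5.213.22 172.5.200.1 netmask 255.255.255.255
access-group outside_access_in in interface outside
telnet 10.5.161.16 255.255.255.255 outside
telnet timeout 5
"""

_lines = lambda cfg: [line.strip() for line in cfg.splitlines()]  # sub-commands are indented

def _net(addr, mask):
    """Build a network; the ASA abbreviates 0.0.0.0 0.0.0.0 as '0 0' (as in 'ssh 0 0 outside')."""
    addr, mask = [("0.0.0.0" if t == "0" else t) for t in (addr, mask)]
    return ipaddress.ip_network((addr, mask), strict=False)

def _endpoint(tok, i):
    """One ACL endpoint ('any', 'host X' or 'X MASK') starting at tok[i]; returns (net, next i)."""
    if tok[i] == "any":
        return _net("0.0.0.0", "0.0.0.0"), i + 1
    if tok[i] == "host":
        return _net(tok[i + 1], "255.255.255.255"), i + 2
    return _net(tok[i], tok[i + 1]), i + 2

def parse_statics(cfg):
    """[(real_if, mapped_if, mapped_addr, real_addr)] from 'static (real,mapped) MAPPED REAL'."""
    pat = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
    return [m.groups() for m in map(pat.match, _lines(cfg)) if m]

def parse_acls(cfg):
    """{name: [(action, proto, src_net, dst_net)]}; syntax this audit does not model is skipped."""
    acls, pat = {}, re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
    for m in filter(None, map(pat.match, _lines(cfg))):
        tok = m[4].split()
        try:
            src, i = _endpoint(tok, 0)
            dst, _ = _endpoint(tok, i)  # a trailing 'eq <port>' is ignored
        except (IndexError, ValueError):
            continue  # e.g. object-group entries
        acls.setdefault(m[1], []).append((m[2], m[3], src, dst))
    return acls

def parse_access_groups(cfg):
    pat = re.compile(r"^access-group (\S+) in interface (\S+)$")
    return {m[2]: m[1] for m in map(pat.match, _lines(cfg)) if m}

def parse_security_levels(cfg):
    levels, name = {}, None
    for tok in (line.split() for line in _lines(cfg)):
        if tok[:1] == ["nameif"]:
            name = tok[1]
        elif tok[:1] == ["security-level"] and name:
            levels[name] = int(tok[1])
    return levels

def parse_mgmt(cfg):
    """{'telnet'|'ssh'|'http': [(src_net, iface)]}; 'telnet timeout 5' has 3 tokens, so no match."""
    out, pat = {}, re.compile(r"^(telnet|ssh|http) (\S+) (\S+) (\S+)$")
    for m in filter(None, map(pat.match, _lines(cfg))):
        try:
            out.setdefault(m[1], []).append((_net(m[2], m[3]), m[4]))
        except ValueError:
            continue
    return out

def audit(cfg):
    """Return a list of human-readable findings; an empty list means all three checks passed."""
    findings = []
    statics = [s for s in parse_statics(cfg) if s[:2] == ("inside", "outside")]
    outside_acl = parse_acls(cfg).get(parse_access_groups(cfg).get("outside", ""), [])
    real_to_mapped = {real: mapped for _, _, mapped, real in statics}
    # 1. outside->inside needs the static xlate AND a permit; on 7.x the outside ACL sees the mapped address
    for _, _, mapped, real in statics:
        if not any(act == "permit" and ipaddress.ip_address(mapped) in dst for act, _, _, dst in outside_acl):
            findings.append(f"static {mapped}->{real}: outside ACL has no permit to mapped address {mapped}")
    # 2. a permit whose destination is the real inside address never matches on the outside interface
    for act, _, _, dst in outside_acl:
        real = str(dst.network_address)
        if act == "permit" and dst.prefixlen == 32 and real in real_to_mapped:
            findings.append(f"outside ACL permits to real address {real}; it must name mapped address {real_to_mapped[real]}")
    # 3. the ASA refuses Telnet on its lowest-security interface; SSH (after 'crypto key generate rsa') works there
    levels, mgmt = parse_security_levels(cfg), parse_mgmt(cfg)
    lowest = min(levels, key=levels.get) if levels else "outside"
    for net, iface in mgmt.get("telnet", []):
        if iface == lowest:
            findings.append(f"telnet {net} {iface}: Telnet to the lowest-security interface is refused; use ssh {net.network_address} {net.netmask} {iface}")
    if not any(iface == lowest for _, iface in mgmt.get("ssh", [])):
        findings.append(f"no 'ssh <addr> <mask> {lowest}' line: SSH management from {lowest} is not permitted")
    return findings
```

Run `audit(SAMPLE_CONFIG)` and it reports three findings: the constructed permit to 172.5.200.2, the `telnet ... outside` line, and the missing `ssh ... outside` line; swapping the telnet line for an ssh line leaves only the ACL finding. The lowest-security interface is taken from the `security-level` values rather than assumed to be called "outside", so the check still holds on a box with differently named interfaces.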

