ASA5505 - Cannot communicate between two hosts from outside to inside

Answered Question
Feb 18th, 2008

Dear all,

I am new to Cisco security devices.

We have purchased an ASA5505 to secure the internal network, allowing only specific users to access the DCS server installed on the inside network, i.e. 192.168.1.1 255.255.255.0.

Allowed users are

1. 10.51.161.16 255.255.255.0, which is routed by the MSFC card.

2. 10.51.7.121, which is routed by the MSFC card.

I have tried a lot but have been unable to succeed.

Can anyone please provide me with a working configuration? I am attaching the current running configuration and a basic topology diagram.

Please help me as soon as possible.

Correct Answer by abinjola about 8 years 9 months ago

Hold on Dipesh, put the static back in the configuration; you do need a static xlate rule from outside to inside.

Now, I asked for the debug icmp trace when you pinged 192.168.1.2 (the DCS server); however, I don't see you pinging your DCS in the debugs. I noticed you pinging 192.168.1.1.

Initiate a ping to 192.168.1.2 from the outside machine and get me the debug output.

Also turn on

logg on

logg buffered 7

and get me the sh logg output.

abinjola Mon, 02/18/2008 - 21:29

Config looks good; is the DCS server 192.168.1.2?

Is there a return route/DG set on 192.168.1.2?

I want you to turn on debug icmp trace on the firewall and run pings from the outside machine to 192.168.1.2; get me the debugs.

Dipesh Patel Tue, 02/19/2008 - 01:05

Debug result:

ABB-ASA5505# debug icmp trace
debug icmp trace enabled at level 1
ABB-ASA5505# ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=1536 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=1792 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=2048 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=2304 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=2560 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=2816 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=3072 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=3328 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=3584 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=3840 len=32
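The trace above contains echo requests only; the firewall never saw a reply for any of them. As an added example (not part of the thread, and not a Cisco tool), the script below parses `debug icmp trace` lines in the format shown, pairs each request with its reply by (pinger, target, ICMP id, sequence), and reports flows that never got an answer. The request lines in the sample are the ones posted above; the second flow and its reply line are constructed so both outcomes are exercised. A flow with requests but no replies means the ASA saw the request and nothing came back, which is why the reply asks about the return route/default gateway on the target; check `show logging` for a drop message before blaming the host.

```python
"""Pair ICMP echo requests with replies in ASA `debug icmp trace` output."""
import re
from collections import defaultdict

# Constructed sample: the three request lines are copied from the debug output
# posted above; the 10.51.161.16 -> 192.168.1.2 request and its reply are made up
# so that one flow shows as answered and one as unanswered.
SAMPLE_DEBUG = """\
debug icmp trace enabled at level 1
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=1536 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=1792 len=32
ICMP echo request from 10.51.7.121 to 192.168.1.1 ID=512 seq=2048 len=32
ICMP echo request from 10.51.161.16 to 192.168.1.2 ID=768 seq=256 len=32
ICMP echo reply from 192.168.1.2 to 10.51.161.16 ID=768 seq=256 len=32
"""

# Matches the "from X to Y ID= seq= len=" lines; the "translating"/"untranslating"
# lines the ASA prints for NATed flows do not match and are skipped.
LINE_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?P<src>[\d.]+) to (?P<dst>[\d.]+)"
    r" ID=(?P<id>\d+) seq=(?P<seq>\d+) len=(?P<len>\d+)"
)


def parse_trace(text):
    """Yield one dict per echo request/reply line; other debug lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pkt = m.groupdict()
            for key in ("id", "seq", "len"):
                pkt[key] = int(pkt[key])
            yield pkt


def summarize(text):
    """Return {(pinger, target, icmp_id): {"requests": n, "replies": m, "unanswered": [seq, ...]}}.

    A reply is keyed on the original pinger/target (src and dst swapped back) so it
    lands in the same bucket as the request it answers.
    """
    flows = defaultdict(lambda: {"requests": 0, "replies": 0, "unanswered": set()})
    for pkt in parse_trace(text):
        if pkt["kind"] == "request":
            flow = flows[(pkt["src"], pkt["dst"], pkt["id"])]
            flow["requests"] += 1
            flow["unanswered"].add(pkt["seq"])
        else:
            flow = flows[(pkt["dst"], pkt["src"], pkt["id"])]
            flow["replies"] += 1
            flow["unanswered"].discard(pkt["seq"])
    return {
        key: {"requests": v["requests"], "replies": v["replies"],
              "unanswered": sorted(v["unanswered"])}
        for key, v in flows.items()
    }


def diagnose(text):
    """Return [(flow_key, verdict)], one verdict string per flow seen in the trace."""
    verdicts = []
    for key, v in summarize(text).items():
        if v["requests"] and not v["replies"]:
            verdict = ("requests seen, no replies: check the return route / default "
                       "gateway on the target and 'show logging' for a drop")
        elif v["unanswered"]:
            verdict = f"{len(v['unanswered'])} of {v['requests']} requests unanswered"
        else:
            verdict = "all requests answered"
        verdicts.append((key, verdict))
    return verdicts


if __name__ == "__main__":
    for (pinger, target, icmp_id), verdict in diagnose(SAMPLE_DEBUG):
        print(f"{pinger} -> {target} (id {icmp_id}): {verdict}")
```

Paste the output of `debug icmp trace` (or the relevant part of `show logging`) in place of `SAMPLE_DEBUG`; the flow with requests and zero replies is the one to chase on the inside host.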

dongdongliu Mon, 02/18/2008 - 22:14

Does the MSFC have the route to the DCS server?

Which kind of applications (TCP and UDP) are used on the DCS server?

Dipesh Patel Mon, 02/18/2008 - 22:20

Yes, the route is

ip route 192.168.1.0 255.255.255.0 10.51.7.30

Communication is IP; full communication between these hosts.

dongdongliu Mon, 02/18/2008 - 22:44

hi Dipesh,

Please remove the "static (inside outside)..." line and then try again.

Dipesh Patel Mon, 02/18/2008 - 23:05

Dear dongdongliu ,

You mean to say I should disable NAT? Does it work without NAT?

I cannot ping any host.

But packet-tracer shows it's working.

But it also shows working without the route on the MSFC.

dongdongliu Mon, 02/18/2008 - 23:13

Dear Dipesh,

I do not think

"static (inside,outside) 192.168.1.2 192.168.1.2 netmask 255.255.255.255"

is a NAT command.

There is no "nat" command in the configuration on the ASA.

I suggest adding a line:

static (inside,outside) 10.51.7.3X 192.168.1.2

Regards,

dongdong


Dipesh Patel Thu, 02/21/2008 - 01:28

Yes, the issue was resolved, but there is one more problem:

I cannot access telnet or http from outside.

I am trying to access telnet or http using IP

10.5.213.22

The working running config is like this:

sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ABB-ASA5505
domain-name cisco.com
enable password xxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.5.200.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.5.213.30 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name cisco.com
access-list inside_access_in extended permit ip host 172.5.200.2 host 10.5.161.16
access-list outside_access_in extended permit ip host 10.5.161.16 host 10.5.213.21
access-list outside_access_in extended permit ip host 10.5.161.16 host 10.5.213.22
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 10.5.213.21 172.5.200.2 netmask 255.255.255.255
static (inside,outside) 10.5.213.22 172.5.200.1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.5.213.35 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.5.200.2 255.255.255.255 inside
http 10.5.161.16 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.5.200.2 255.255.255.255 inside
telnet 10.5.161.16 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
ABB-ASA5505#

Please help.

abinjola Tue, 02/26/2008 - 04:58

Put in the command "http 10.5.213.22 255.255.255.255 outside" and see if you can open the ASDM (GUI) of the firewall now.

Also, for your information, we cannot telnet to the firewall from outside (security-level=0), but we can SSH to it from outside:

ssh 0 0 outside

crypto key gen rsa mod 1024

See if this helps!
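The last reply is right that the ASA refuses telnet on its security-level 0 interface, so the `telnet ... outside` line in the posted config never does anything; but `ssh 0 0 outside` opens SSH to every source on the outside network. As an added example (mine, not Cisco's and not from this thread), the script below scans `show run` text for the management-plane lines discussed here and flags: telnet lines on a level-0 interface (dead), telnet anywhere else (cleartext), ssh or http opened to 0.0.0.0/0, and ssh enabled without `ssh version 2` (the 7.x default accepts both versions). The two sample configs are constructed from the posted one: `WEAK_CONFIG` is the posted management section plus the suggested `ssh 0 0 outside`; `HARDENED_CONFIG` restricts SSH and ASDM to the single admin host 10.5.161.16 and drops telnet.

```python
"""Audit the management-access lines of an ASA `show run`."""
import re

# Interface blocks copied from the posted config (used by both samples).
INTERFACES = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.5.200.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.5.213.30 255.255.255.0
!
"""

# Constructed: the posted management lines plus `ssh 0 0 outside` from the last reply.
WEAK_CONFIG = INTERFACES + """\
http server enable
http 172.5.200.2 255.255.255.255 inside
http 10.5.161.16 255.255.255.255 outside
telnet 172.5.200.2 255.255.255.255 inside
telnet 10.5.161.16 255.255.255.255 outside
telnet timeout 5
ssh 0 0 outside
ssh timeout 5
"""

# Constructed: same device, management limited to the one admin host, SSHv2 only.
HARDENED_CONFIG = INTERFACES + """\
http server enable
http 10.5.161.16 255.255.255.255 outside
ssh 10.5.161.16 255.255.255.255 outside
ssh version 2
ssh timeout 5
"""

# `ssh|telnet|http <addr> <mask> <ifname>`; three-token lines such as
# `ssh timeout 5` or `http server enable` do not match and are skipped.
ACCESS_RE = re.compile(r"^(ssh|telnet|http) (\S+) (\S+) (\S+)$")
ANY = {"0", "0.0.0.0"}  # the ASA treats `ssh 0 0 outside` as 0.0.0.0 0.0.0.0


def interface_levels(config):
    """Map nameif -> security-level by walking the interface blocks."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name is not None:
            levels[name] = int(line.split()[1])
        elif line == "!":
            name = None
    return levels


def audit(config):
    """Return [(severity, message)] findings; an empty list means nothing was flagged."""
    findings = []
    levels = interface_levels(config)
    lines = [raw.strip() for raw in config.splitlines()]
    ssh_lines = 0
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proto, addr, mask, ifname = m.groups()
        if proto == "ssh":
            ssh_lines += 1
        if proto == "telnet":
            if levels.get(ifname) == 0:
                findings.append(("info", f"'{line}': telnet is refused on security-level 0 "
                                         f"interface '{ifname}', this line has no effect"))
            else:
                findings.append(("medium", f"'{line}': telnet is cleartext, prefer ssh"))
        if addr in ANY and mask in ANY:
            findings.append(("high", f"'{line}': {proto} management open to any source on "
                                     f"'{ifname}', restrict it to the admin host"))
    if ssh_lines and "ssh version 2" not in lines:
        findings.append(("medium", "ssh enabled without 'ssh version 2', SSHv1 still accepted"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for severity, message in audit(cfg):
            print(f"  [{severity}] {message}")
```

Replace the sample with the output of `show run` from the device; the `crypto key generate rsa` command from the reply does not appear in the running config, so the key size has to be checked separately with `show crypto key mypubkey rsa`.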
