To allow on all ports from and to dmz


Hi,

I have a requirement where I need to allow communication on all ports on the ASA in the DMZ. I'm looking to place my printer/scanner in the DMZ so that it can be used from the inside network as well as over the internet on all the ports. I'd also like to have ICMP access to and from the DMZ.

I tried looking at some examples but couldn't get it working.

Kindly help/suggest.

Find attached the config for your reference.

husycisco Sun, 06/01/2008 - 18:17

Hi Sushil

Do the following modifications

no access-list 101 extended permit icmp any any source-quench
no access-list 101 extended permit icmp any any echo-reply
no access-list 101 extended permit icmp any any unreachable
no access-list 101 extended permit icmp any any time-exceeded
no access-group 101 in interface outside
no static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,inside) 172.20.40.10 172.20.40.10 netmask 255.255.255.255
policy-map global_policy
 class inspection_default
  inspect icmp

Make sure that the 172.20.40.10 device, whether a PC, scanner or printer, has its default gateway set to 172.20.40.1. If that is not set, no one can reach that device from other interfaces.

Regards

Thanks Husy for your reply.

Here are a few things I would like to understand.

Access list 101 is there to allow ping.

Shouldn't there be an access list allowing communication between inside and dmz (and vice versa) and over the internet? Whatever I mentioned is correct except 101.

What purpose will the command below serve?

policy-map global_policy
 class inspection_default
  inspect icmp

Running short of ideas, as I'm having a tough time working over the weekend as well.

I saw a few examples where some global pool is defined on dmz interfaces (172.20.40.30-172.20.40.60)... I have gone through a lot of documents and don't know which one is right. I tried most of them but couldn't get it working...

Kindly guide/suggest some sample config as well.

Reg,

Sushil

husycisco Mon, 06/02/2008 - 09:35

Sushil,

You cannot assign 2 ACLs to one interface at the same time. The inspect icmp command allows ping responses to come from less secure interfaces, so now ping to dmz will work without the need for ACL 101.

The configs you've seen are configs where address translation happens. In that scenario, 172.20.40.10 sees the traffic coming from that defined pool. In my suggestion, we apply NAT exemption so that traffic is not translated and 172.20.40.10 sees the original source address.

Your IOS 7.0 has some bugs; I recommend you upgrade to at least 7.2(2).

What device is 172.20.40.10? A PC or server or printer? The config you just posted is valid, so a couple of things to check:

Make sure 172.20.40.10 has the correct subnet mask and the gateway IP of 172.20.40.1.

Make sure software firewall exceptions are modified to accept traffic from the necessary sources on the device.

Run "clear xlate" and "clear arp" on the firewall.

Regards

Husy,

Thanks again for your inputs.

I am planning to upgrade this software over this weekend. Should I go with 8.0, or is there any issue with 8.0 as well?

The device 172.20.40.10 is a PC as of now, as I am testing it out. Details like subnet mask and gateway are correct.

But I am not able to understand the statement

"Make sure software firewalls exceptions are modified to accept from necessary sources on device".

Are the commands "clear xlate" and "clear arp" on the firewall to be run once I upgrade the software, or should I try them on the existing software 7.0.7?

I will try this only over this weekend and update you the results.

Reg,

Sushil

husycisco Tue, 06/03/2008 - 16:50

Sushil,

8.0 is fine, use 8.0(3). Ignore my recommendations for now and we will check the issue again after upgrade.

Regards

husycisco Sat, 06/07/2008 - 05:27

Sushil,

route inside 192.168.0.0 255.255.0.0 192.168.0.2 1

What is 192.168.0.2? You should define a route for 172.20.40.0 back to 192.168.0.1 in that device.

husycisco Sat, 06/07/2008 - 07:51

no static (inside,dmz) 172.20.40.10 172.20.40.10 netmask 255.255.255.255
static (dmz,inside) 172.20.40.10 172.20.40.10 netmask 255.255.255.255

And in the L3 switch, add the following

ip route 172.20.40.0 255.255.255.0 192.168.0.1

Hi Husy,

Made changes as far as static nat is concerned.

Moreover, I removed the L3 from in between. Now a cable from eth0/2 goes to the dmz host directly and from eth0/1 goes into my internal host directly.

Internet is working perfectly fine in the inside LAN, but nothing on the dmz one. Even the 192.168.0.1 IP is not able to ping the 172.20.40.1 IP in the dmz and vice versa. Even internet is not working on the dmz LAN. I am also not able to ping the public IP that is NATted in the dmz.

If I run the packet tracer tool in dmz (i.e. 172.20.40.1) and internal (i.e. 192.168.0.1) it shows some access list error with the implicit drop rule, and the same goes in the reverse direction.

As I have some 10 free public IPs, I want to get them free publicly.

Don't know where the issue is.

Hope you can suggest me something on the basis of the above info. Is there any problem with my access list or NAT?

Hope to hear soon.

Reg,

Sushil

husycisco Sat, 06/07/2008 - 08:38

"Even internet is not working on dmz lan"

That's easy. Add the following

nat (dmz) 101 172.20.40.0 255.255.255.0
clear xlate

Please run the following and paste the result

packet-tracer input inside tcp 192.168.0.5 5555 172.20.40.10 3389 detailed

Correct Answer
husycisco Sat, 06/07/2008 - 09:34

"I made changes still no internet in dmz."

Make sure client in DMZ has 172.20.40.1 as default gateway, and it has a valid DNS server. For testing purposes, assign 4.2.2.2 as preferred DNS server.

Add the following

access-list dmz_in extended permit tcp 172.20.40.0 255.255.255.0 any eq www
access-list dmz_in extended permit tcp 172.20.40.0 255.255.255.0 any eq 53
access-list dmz_in extended permit udp 172.20.40.0 255.255.255.0 any eq 53

The connectivity issue from inside to dmz makes no sense. Try this:

no static (dmz,inside) 172.20.40.10 172.20.40.10 netmask 255.255.255.255
access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.0.0 172.20.40.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
clear xlate
clear arp
clear local all
clear route

Do not ignore the clear commands. After adding the above, please run the same packet-tracer and post the result.
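As an added example, not a config from this thread or its participants: the pieces husycisco suggested over the thread (NAT exemption inside-to-dmz, the identity static, the dmz_in outbound ACL, PAT for the DMZ, ICMP inspection) assembled into one ASA 8.0-syntax block, plus the internet-facing part the original question asks about, limited to the printer's own services rather than "all ports". The interface name outside, the global (outside) 101 line, the printer ports 9100 and 631, and the public IP placeholder are assumptions.

```cisco
! Added example (not from the thread). Assumes inside has a higher security-level
! than dmz, and dmz higher than outside, as the static (dmz,inside) form requires.
!
! Inside -> DMZ: keep the real inside source addresses (NAT exemption) and an
! identity static so the DMZ host is reachable from the higher-security side.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.20.40.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (dmz,inside) 172.20.40.10 172.20.40.10 netmask 255.255.255.255
!
! DMZ -> Internet: PAT on the outside interface (global 101 assumed to be the
! pool the inside already uses) and only the outbound services the host needs.
! Once dmz_in is applied, anything not listed, including DMZ-initiated sessions
! toward inside, is dropped by the implicit deny at the end of the ACL.
global (outside) 101 interface
nat (dmz) 101 172.20.40.0 255.255.255.0
access-list dmz_in extended permit tcp 172.20.40.0 255.255.255.0 any eq www
access-list dmz_in extended permit tcp 172.20.40.0 255.255.255.0 any eq 53
access-list dmz_in extended permit udp 172.20.40.0 255.255.255.0 any eq 53
access-list dmz_in extended permit icmp 172.20.40.0 255.255.255.0 any echo
access-group dmz_in in interface dmz
!
! Internet -> DMZ: one-to-one static to a public address (placeholder) and an
! inbound ACL scoped to the printer's services (assumed: 9100 raw print, 631 IPP)
! instead of every port.
static (dmz,outside) PUBLIC_IP_PLACEHOLDER 172.20.40.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host PUBLIC_IP_PLACEHOLDER eq 9100
access-list outside_in extended permit tcp any host PUBLIC_IP_PLACEHOLDER eq 631
access-group outside_in in interface outside
!
! ICMP: stateful inspection lets echo-replies return through lower-security
! interfaces without the per-type ACL entries that acl 101 used to carry.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

After pasting, run clear xlate and the packet-tracer command from the thread in both directions; the detailed output names the ACL or NAT phase that drops a flow.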
