06-01-2008 05:43 AM - edited 03-11-2019 05:53 AM
Hi,
I have one requirement where I need to allow communication to all ports on the ASA in the DMZ. Looking forward to this so that I can place my printer/scanner in the DMZ and it can be used from the inside network as well as over the internet on all the ports. I would also like to have ICMP access to and from the DMZ.
I tried looking at some examples but couldn't get it working.
Kindly help/suggest.
Find attached the config for your reference.
06-07-2008 09:34 AM
"I made changes still no internet in dmz."
Make sure client in DMZ has 172.20.40.1 as default gateway, and it has a valid DNS server. For testing purposes, assign 4.2.2.2 as preferred DNS server.
Add the following:
access-list dmz_in extended permit tcp 172.20.40.0 255.255.255.0 any eq www
access-list dmz_in extended permit tcp 172.20.40.0 255.255.255.0 any eq 53
access-list dmz_in extended permit udp 172.20.40.0 255.255.255.0 any eq 53
The connectivity issue from inside to dmz makes no sense. Try this
no static (dmz,inside) 172.20.40.10 172.20.40.10 netmask 255.255.255.255
access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.0.0 172.20.40.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
clear xlate
clear arp
clear local-host all
clear route
Do not ignore the clear commands. After adding the above, please run the same packet tracer and post the result.
06-01-2008 06:17 PM
Hi Sushil
Do the following modifications:
no access-list 101 extended permit icmp any any source-quench
no access-list 101 extended permit icmp any any echo-reply
no access-list 101 extended permit icmp any any unreachable
no access-list 101 extended permit icmp any any time-exceeded
no access-group 101 in interface outside
no static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,inside) 172.20.40.10 172.20.40.10 netmask 255.255.255.255
policy-map global_policy
class inspection_default
inspect icmp
Make sure that the 172.20.40.10 device, a PC or scanner or printer, has the default gateway IP 172.20.40.1 set. If that is not set, no one can reach that device from other interfaces.
Regards
06-01-2008 09:04 PM
Thanks Husy for your reply.
Here are a few things I would like to understand.
Access list 101 is there to allow ping.
Shouldn't there be an access list allowing communication between inside and dmz (and vice versa) and over the internet? Whatever I mentioned is correct except 101.
What purpose will the command below serve?
policy-map global_policy
class inspection_default
inspect icmp
Running short of ideas, and having a tough time working over the weekend as well.
I saw a few examples where some global pool is defined on the dmz interface (172.20.40.30-172.20.40.60)... Gone through a lot of documents and don't know which one is right? I tried most of them but couldn't get it working...
Kindly guide/suggest some sample config as well.
Reg,
Sushil
06-02-2008 06:29 AM
06-02-2008 09:35 AM
Sushil,
You cannot assign 2 ACLs to one interface at the same time. The inspect icmp command allows ping responses to come from less secure interfaces, so now ping to dmz will work without the need for acl 101.
The configs you've seen are configs where address translation happens. In that scenario, 172.20.40.10 sees the traffic coming from that defined pool. In my suggestion, we apply NAT exemption so that traffic is not translated and 172.20.40.10 sees the original source address.
Your IOS 7.0 has some bugs, I recommend you to upgrade at least 7.2(2).
What device is 172.20.40.10? A PC or server or printer? The config you just posted is valid, so a couple of things to check:
Make sure 172.20.40.10 has the correct subnet mask and the gateway IP of 172.20.40.1.
Make sure software firewall exceptions are modified to accept from necessary sources on the device.
Run "clear xlate" and "clear arp" in the firewall.
Regards
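The two binding mistakes this thread turns on (more than one inbound access-group on the same interface, and an access-group or nat 0 statement naming an ACL that is never defined) are easy to catch mechanically. The lint below is an added example, not code from the thread or from Cisco; the sample config is constructed from the commands quoted above plus a placeholder ACL name, not the poster's attached config.

```python
"""Lint ASA access-group and nat 0 bindings for the problems discussed in this thread."""
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list\s+(\S+)\s")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")


def lint_asa(config: str) -> list[str]:
    """Return human-readable findings for an ASA config excerpt."""
    defined = set()                 # ACL names that have at least one ACE
    bindings = defaultdict(list)    # (interface, direction) -> bound ACL names
    referenced = []                 # (ACL name, where it is referenced)
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            defined.add(m.group(1))
        elif m := GROUP_RE.match(line):
            acl, direction, iface = m.groups()
            bindings[(iface, direction)].append(acl)
            referenced.append((acl, f"access-group on {iface}"))
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            referenced.append((acl, f"nat ({iface}) 0"))

    findings = []
    # ASA accepts only one access-group per interface and direction.
    for (iface, direction), acls in sorted(bindings.items()):
        if len(acls) > 1:
            findings.append(f"interface {iface} has {len(acls)} {direction} "
                            f"access-groups: {', '.join(acls)}; only one is allowed")
    # A binding to an ACL with no ACEs matches nothing (or is rejected).
    for acl, where in referenced:
        if acl not in defined:
            findings.append(f"{where} references undefined ACL {acl}")
    return findings


# Constructed sample: commands quoted in the thread plus a placeholder second
# outside ACL (outside_in) to reproduce the "two ACLs on one interface" case.
SAMPLE_CONFIG = """
access-list 101 extended permit icmp any any echo-reply
access-list dmz_in extended permit tcp 172.20.40.0 255.255.255.0 any eq www
access-list dmz_in extended permit udp 172.20.40.0 255.255.255.0 any eq 53
access-group 101 in interface outside
access-group outside_in in interface outside
access-group dmz_in in interface dmz
nat (inside) 0 access-list inside_nat0_outbound
"""

if __name__ == "__main__":
    for finding in lint_asa(SAMPLE_CONFIG):
        print(finding)
```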
06-03-2008 01:53 AM
Husy,
Thanks again for your inputs.
I am planning to upgrade this software over this weekend. Should I go with 8.0, or is there any issue with 8.0 as well?
The device 172.20.40.10 is a PC as of now, as I am testing it out. Details like subnet mask and gateway are correct.
But I am not able to understand the statement
"Make sure software firewalls exceptions are modified to accept from necessary sources on device".
Are the commands "clear xlate" and "clear arp" in the firewall to be run once I upgrade the software, or should I try them on the existing software 7.0.7?
I will try this only over this weekend and update you the results.
Reg,
Sushil
06-03-2008 04:50 PM
Sushil,
8.0 is fine, use 8.0(3). Ignore my recommendations for now and we will check the issue again after upgrade.
Regards
06-07-2008 01:56 AM
Hi, upgraded to 8.0(3).
Still not able to get it working.
I posted the whole config in my previous posts.
Do let me know what I am missing.
Reg,
Sushil
06-07-2008 05:27 AM
Sushil,
route inside 192.168.0.0 255.255.0.0 192.168.0.2 1
What is 192.168.0.2? You should define a route for 172.20.40.0 back to 192.168.0.1 in that device.
06-07-2008 05:55 AM
Hi Husy,
I am using an L3 switch and there are different VLANs on it. 192.168.0.2 is the IP of the internal switch. The DMZ switch is an exclusive, unmanaged one. Should I define a route from DMZ to Inside? At present I am not able to ping the interface from inside to dmz and vice versa.
Reg,
Sushil
06-07-2008 07:19 AM
06-07-2008 07:51 AM
no static (inside,dmz) 172.20.40.10 172.20.40.10 netmask 255.255.255.255
static (dmz,inside) 172.20.40.10 172.20.40.10 netmask 255.255.255.255
And in the L3 switch, add the following:
ip route 172.20.40.0 255.255.255.0 192.168.0.1
06-07-2008 08:28 AM
Hi Husy,
Made changes as far as static NAT is concerned.
Moreover, I removed the L3 from in between. Now a cable from eth0/2 goes to the dmz host directly and from eth0/1 goes into my internal host directly.
Internet is working perfectly fine in the inside LAN, but nothing on the dmz one. Even the 192.168.0.1 IP is not able to ping the 172.20.40.1 IP in the dmz and vice versa. Even internet is not working on the dmz LAN. Also not able to ping the public IP that is NATted in the dmz.
If I run the packet tracer tool in the dmz (i.e. 172.20.40.1) and internal (i.e. 192.168.0.1) it shows some access list error with the implicit drop rule, and the same goes in the reverse direction.
As I have some 10 free public IPs, I want to make them available publicly.
Don't know where the issue is.
Hope you can suggest me something on the basis of the above info. Is there any problem with my access list or NAT?
Hope to hear soon.
Reg,
Sushil
06-07-2008 08:38 AM
"Even internet is not working on dmz lan"
That's easy. Add the following:
nat (dmz) 101 172.20.40.0 255.255.255.0
clear xlate
Please run the following and paste the result:
packet-tracer input inside tcp 192.168.0.5 5555 172.20.40.10 3389 detailed
06-07-2008 09:18 AM