CISCO ASA: Unable to connect to DMZ

May 19th, 2009

Hi,

I have setup a network below:

LAN <==> (Cisco ASA) <==> Internet
              ^
              |
             DMZ

I'm having a problem connecting (ping) from Internal to hosts on the DMZ.

My plan is to allow all hosts on Internal to connect (ping) to DMZ. IP Address on Internal should not be natted on DMZ.

And allow some of the hosts on the DMZ to connect to Internal hosts, also without NAT.

Below is my current configuration:

=======================

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password Qe0yKBKYpRMBmOsL encrypted
names
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 116.xyz.xyz.228 255.255.255.192
!
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.253 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu external 1500
mtu internal 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
access-group ping in interface external
access-group ping in interface dmz
route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f8ad3795ba88821b7fd8294ed015999
: end

====================

Sorry, I'm new to Cisco and I am eager to learn Cisco.

Hope you can help me.

Thanks,

Lonski

mike-greene Tue, 05/19/2009 - 16:58

Hi,

It does not look like you're allowing echo. Try adding this command to your ACL:

access-list ping extended permit icmp any any echo

HTH

lonskinini Tue, 05/19/2009 - 17:12

Hi Mike,

Thanks for the advice.

I have just added the ACL but it is still giving me the same result.

Is there anything I should add with nat or route?

Thanks again.

Lonski

mike-greene Tue, 05/19/2009 - 17:19

Hi,

Can you post a show access-list? Also, can you ping the DMZ and internal hosts from the ASA?

lonskinini Tue, 05/19/2009 - 17:30

Hi Mike,

Here it is:

Ping from ASA to DMZ host (192.168.0.180)

--------------------
ciscoasa(config-if)# ping 192.168.0.180
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.180, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
--------------------

Ping from ASA to Internal (172.31.26.65)

-------------------
ciscoasa(config)# ping 172.31.26.65
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.26.65, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
-------------------

Access-list:

--------------------
ciscoasa(config-if)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ping; 4 elements
access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=8) 0x6431b796
access-list ping line 2 extended permit icmp any any time-exceeded (hitcnt=72) 0x406ef9e9
access-list ping line 3 extended permit icmp any any unreachable (hitcnt=17) 0x45fe8bbe
access-list ping line 4 extended permit icmp any any echo (hitcnt=0) 0x931c70e
--------------------

Hope this helps.

Thanks

mike-greene Tue, 05/19/2009 - 17:36

Your static looks like it's the wrong subnet. Remove the current static and add this one..

static (internal,dmz) 172.31.24.0 172.31.24.0 netmask 255.255.248.0
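The point of this reply is easy to verify mechanically: a static with 172.31.0.0 and mask 255.255.248.0 describes 172.31.0.0/21, which does not contain the inside subnet at all. The following Python check is an added example, not part of the thread; it takes the interface address and the two statics from the configs above and reports whether each static covers the inside test host and matches the inside interface subnet.

```python
import ipaddress

# Values taken from the thread: the inside interface address/mask and the two
# identity statics discussed (the original one and the suggested replacement).
INTERNAL_IF = "172.31.24.253/255.255.248.0"
TEST_HOST = "172.31.26.65"                      # inside host used in the pings
STATICS = {
    "original":  ("172.31.0.0",  "255.255.248.0"),
    "corrected": ("172.31.24.0", "255.255.248.0"),
}

def static_network(real_ip, netmask):
    """Network that 'static (internal,dmz) X X netmask M' translates (identity NAT)."""
    return ipaddress.ip_network(f"{real_ip}/{netmask}", strict=False)

def interface_network(addr_with_mask):
    """Subnet directly connected to an interface, from its 'ip address A M' line."""
    return ipaddress.ip_network(addr_with_mask, strict=False)

def check_static(real_ip, netmask, iface=INTERNAL_IF, host=TEST_HOST):
    """Return (network_as_str, covers_host, equals_interface_subnet)."""
    net = static_network(real_ip, netmask)
    return (str(net),
            ipaddress.ip_address(host) in net,
            net == interface_network(iface))

if __name__ == "__main__":
    for name, (ip, mask) in STATICS.items():
        net, covers, matches = check_static(ip, mask)
        print(f"{name:9s} static -> {net:18s} covers {TEST_HOST}: {covers}  "
              f"matches inside subnet: {matches}")
```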

lonskinini Tue, 05/19/2009 - 17:58

Hi Mike,

I have replaced the static based on your suggestion but it still gives the same result.

By the way, this is the range of IP addresses of the internal network:

172.31.24.0 - 172.31.24.255
172.31.25.0 - 172.31.25.255
172.31.26.0 - 172.31.26.255
172.31.27.0 - 172.31.27.255
172.31.28.0 - 172.31.28.255
172.31.29.0 - 172.31.29.255
172.31.30.0 - 172.31.30.255
172.31.31.0 - 172.31.31.255

Thanks


mike-greene Tue, 05/19/2009 - 18:34

OK. What is the default gateway of the machine on the internal network you were able to ping from the ASA (172.31.26.65 )?

Is the ASA the gateway for the DMZ subnet?

lonskinini Tue, 05/19/2009 - 18:50

The default gateway of the internal host is the address of the ASA on internal (172.31.24.253), and the default gateway of the DMZ host is also the address of the ASA in the DMZ (192.168.0.253).

lonskinini Tue, 05/19/2009 - 18:54

Just to add:

I can ping from DMZ host the address of the DMZ gateway (192.168.0.253)

Thanks

mike-greene Tue, 05/19/2009 - 19:06

Can you issue a clear xlate and try to ping again? Can you also post the running config again?

lonskinini Tue, 05/19/2009 - 19:12

Done clearing xlate... same result :(

Here's the updated config:

----------------

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password Qe0yKBKYpRMBmOsL encrypted
names
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 116.xyz.xyz.228 255.255.255.192
!
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.253 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
access-list ping extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu external 1500
mtu internal 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
static (internal,dmz) 172.31.24.0 172.31.24.0 netmask 255.255.248.0
access-group ping in interface external
access-group ping in interface dmz
route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f8ad3795ba88821b7fd8294ed015999
: end

--------------------

Thanks,

mike-greene Tue, 05/19/2009 - 19:15

Remove the ping ACL from the external interface and apply it to the dmz interface and try again.

no access-group ping in interface external
access-group ping in interface dmz

lonskinini Tue, 05/19/2009 - 19:26

Hi Mike,

I tried removing 'access-group ping in interface external' and the result is that it will not let me ping the internet (i.e. google.com).

I tried issuing 'access-group ping in interface dmz' but it is still the same result. I'm unable to ping from internal to dmz.

Thanks,

mike-greene Tue, 05/19/2009 - 19:54

You can remove this command..

access-list ping extended permit icmp any any echo

Other than that the config looks OK to me. ... It is late though and it's been a long day.

The only other item I can think of to check tonight is the routing tables on the internal and DMZ systems, to make sure they're not sending the traffic somewhere else. I believe the command is route print on a Microsoft box.

lonskinini Tue, 05/19/2009 - 20:54

Hi Mike,

Yeah, it's been a long day.

Just a thought, do we need to change from static to dynamic nat?

I'm not sure; I'm thinking that internal is unable to communicate with dmz because it is from a different subnet, since we used the static NAT. ??? Not so sure. =)

Thanks

lonskinini Wed, 05/20/2009 - 02:10

Hi Mike,

Hope this ICMP log from ASA will help:

FROM INTERNAL

TO Internal Interface: (successful)

----------------------
ICMP echo request from 172.31.26.65 to 172.31.24.253 ID=1024 seq=18654 len=32
ICMP echo reply from 172.31.24.253 to 172.31.26.65 ID=1024 seq=18654 len=32
----------------------

TO External (yahoo.com): (successful)

----------------------
ICMP echo request from internal:172.31.26.65 to external:209.191.93.53 ID=1024 seq=19166 len=32
ICMP echo request translating internal:172.31.26.65/1024 to external:116.50.189.228/5
ICMP echo reply from external:209.191.93.53 to internal:116.xyz.xyz.228 ID=5 seq=19166 len=32
ICMP echo reply untranslating external:116.xyz.xyz.228/5 to internal:172.31.26.65/1024
----------------------

TO DMZ Interface: (not successful)

----------------------
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20190 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20446 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20702 len=32
----------------------

TO host on DMZ segment: (not successful)

----------------------
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=20958 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=21214 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=21470 len=32
----------------------

Thanks,
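The ICMP debug output in this post shows the pattern to look for: requests toward dmz leave the inside interface and no reply ever comes back, while the inside-interface and PAT'd internet pings get answered. The script below is an added example (not from the thread) that pairs ASA "ICMP echo request/reply" lines on their sequence number and lists every destination whose requests went unanswered; the sample log is the one posted above, embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA ICMP debug lines posted in the thread (one ping to the
# inside interface, one PAT'd ping to yahoo, and the failing pings toward dmz).
SAMPLE_LOG = """\
ICMP echo request from 172.31.26.65 to 172.31.24.253 ID=1024 seq=18654 len=32
ICMP echo reply from 172.31.24.253 to 172.31.26.65 ID=1024 seq=18654 len=32
ICMP echo request from internal:172.31.26.65 to external:209.191.93.53 ID=1024 seq=19166 len=32
ICMP echo request translating internal:172.31.26.65/1024 to external:116.50.189.228/5
ICMP echo reply from external:209.191.93.53 to internal:116.xyz.xyz.228 ID=5 seq=19166 len=32
ICMP echo reply untranslating external:116.xyz.xyz.228/5 to internal:172.31.26.65/1024
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20190 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20446 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20702 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=20958 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=21214 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=21470 len=32
"""

# Interface prefixes ("internal:") are optional because the ASA omits them for
# pings that terminate on the firewall itself.
LINE_RE = re.compile(
    r"ICMP echo (request|reply) from (?:(\w+):)?(\S+) to (?:(\w+):)?(\S+) ID=\d+ seq=(\d+)"
)

def unanswered_pings(log_text):
    """Map 'iface:dst' of each echo request to the seq numbers that never got a reply.

    Pairing is done on seq, not on ID: PAT rewrites the ID (1024 -> 5 in the yahoo
    lines above) but leaves the sequence number intact.
    """
    requests = {}          # seq -> "iface:dst" of the request
    answered = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue       # 'translating'/'untranslating' lines carry no seq
        kind, _, _, dst_if, dst, seq = m.groups()
        if kind == "request":
            requests[int(seq)] = f"{dst_if or '-'}:{dst}"
        else:
            answered.add(int(seq))
    missing = defaultdict(list)
    for seq, dest in sorted(requests.items()):
        if seq not in answered:
            missing[dest].append(seq)
    return dict(missing)

if __name__ == "__main__":
    for dest, seqs in unanswered_pings(SAMPLE_LOG).items():
        print(f"{dest}: {len(seqs)} echo request(s) with no reply, seq {seqs}")
```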

lonskinini Mon, 05/25/2009 - 18:09

Hi,

I was able to resolve the issue by adding the following:

nat (internal) 1 192.168.0.0 255.255.255.0
global (dmz) 1 interface
clear arp
clear xlate
clear local

Thanks

Kureli Sankar Mon, 05/25/2009 - 18:56

You can only ping the closest interface to the client - meaning from an inside host you cannot ping the DMZ interface IP address of the firewall.

With that said,

1. the static looks correct.

2. permission looks correct also.

In fact you can remove this line

access-group ping in interface dmz

and add the inspect icmp

policy-map global_policy
 class inspection_default
  inspect icmp

If the above doesn't work pls. collect the syslogs (while you ping the dmz host continuously) and paste them here.

logging on
logging buffered 7
sh logg | i 172.31.26.65

lonskinini Mon, 05/25/2009 - 19:13

Hi Kusankar,

Actually, it's working already.

I tried removing 'access-group ping in interface dmz' and added 'inspect icmp' and it's working too.

Thanks for your support. I really appreciate it. =)

Thanks,

Lonski

