CISCO ASA: Unable to connect to DMZ

lonskinini (Level 1)

Hi,

I have setup a network below:

LAN <==> (Cisco ASA) <==> Internet
              ^
              |
             DMZ

I'm having a problem connecting (ping) from Internal to hosts on the DMZ.

My plan is to allow all hosts on Internal to connect (ping) to DMZ. IP addresses on Internal should not be NATed on DMZ.

And allow some of the hosts to connect to Internal hosts. No NATing either.

Below is my current configuration:

=======================

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password Qe0yKBKYpRMBmOsL encrypted
names
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 116.xyz.xyz.228 255.255.255.192
!
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.253 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu external 1500
mtu internal 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
access-group ping in interface external
access-group ping in interface dmz
route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f8ad3795ba88821b7fd8294ed015999
: end

====================

Sorry, I'm new to Cisco and I am eager to learn Cisco.

Hope you can help me.

Thanks,

Lonski

23 Replies

lonskinini (Level 1)

Sorry, DMZ is directly connected to Cisco ASA.

mike-greene (Level 4)

Hi,

It does not look like you're allowing echo. Try adding this command to your ACL:

access-list ping extended permit icmp any any echo

HTH

Hi Mike,

Thanks for the advice.

I have just added the ACL but it is still giving me the same result.

Is there anything I should add with nat or route?

Thanks again.

Lonski

Hi,

Can you post a show access-list? Also, can you ping the DMZ and internal hosts from the ASA?

Hi Mike,

Here it is:

Ping from ASA to DMZ host (192.168.0.180)
--------------------
ciscoasa(config-if)# ping 192.168.0.180
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.180, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
--------------------

Ping from ASA to Internal (172.31.26.65)
-------------------
ciscoasa(config)# ping 172.31.26.65
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.26.65, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
-------------------

Access-list:
--------------------
ciscoasa(config-if)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ping; 4 elements
access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=8) 0x6431b796
access-list ping line 2 extended permit icmp any any time-exceeded (hitcnt=72) 0x406ef9e9
access-list ping line 3 extended permit icmp any any unreachable (hitcnt=17) 0x45fe8bbe
access-list ping line 4 extended permit icmp any any echo (hitcnt=0) 0x931c70e
--------------------

Hope this helps.

Thanks

Your static looks like it's the wrong subnet. Remove the current static and add this one:

static (internal,dmz) 172.31.24.0 172.31.24.0 netmask 255.255.248.0
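An added check, written for this thread and not taken from the posts or from Cisco, that automates the two things Mike looked for above: the missing echo ACE and an identity static whose network does not cover the internal interface subnet. It runs over a constructed excerpt of the config posted in this thread; the ASA_CONFIG and FIXED_CONFIG names and the audit() function are this example's own.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.0(2) config posted in the thread (only the lines the checks need).
ASA_CONFIG = """\
interface Ethernet0/1
 nameif internal
 ip address 172.31.24.253 255.255.248.0
interface Ethernet0/2
 nameif dmz
 ip address 192.168.0.253 255.255.255.0
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
"""
# The same excerpt with Mike's two corrections: echo ACE added, static moved to 172.31.24.0.
FIXED_CONFIG = (ASA_CONFIG.replace("172.31.0.0 172.31.0.0", "172.31.24.0 172.31.24.0")
                + "access-list ping extended permit icmp any any echo\n")

# ASA 8.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", re.M)

def interface_subnets(config):
    """Map each nameif to the network its 'ip address' line belongs to."""
    subnets, name = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()
            subnets[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return subnets

def audit(config, acl="ping"):
    """Return a list of findings; an empty list means both checks passed."""
    subnets, findings = interface_subnets(config), []
    for real_if, _mapped_if, mapped, real, mask in STATIC_RE.findall(config):
        if mapped != real:
            continue  # only identity (no-NAT) statics are checked here
        net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
        if real_if in subnets and not subnets[real_if].subnet_of(net):
            findings.append(f"static {net} does not cover {real_if} subnet {subnets[real_if]}")
    # Without 'inspect icmp' the ASA does not track ICMP state, so an interface ACL
    # needs an explicit ACE for each ICMP type it must pass, echo and echo-reply included.
    for icmp_type in ("echo", "echo-reply"):
        if not re.search(rf"^access-list {acl} extended permit icmp any any {icmp_type}$", config, re.M):
            findings.append(f"access-list {acl} has no '{icmp_type}' ACE")
    return findings
```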

Hi Mike,

I have replaced the static based on your suggestion but it still has the same result.

By the way, this is the range of IP addresses of the internal:

172.31.24.0 - 172.31.24.255
172.31.25.0 - 172.31.25.255
172.31.26.0 - 172.31.26.255
172.31.27.0 - 172.31.27.255
172.31.28.0 - 172.31.28.255
172.31.29.0 - 172.31.29.255
172.31.30.0 - 172.31.30.255
172.31.31.0 - 172.31.31.255

Thanks

OK. What is the default gateway of the machine on the internal network you were able to ping from the ASA (172.31.26.65)?

Is the ASA the gateway for the DMZ subnet?

The default gateway of the internal host is the address of the ASA on internal (172.31.24.253), and the default gateway of the DMZ host is also the address of the ASA in the DMZ (192.168.0.253).

Just to add:

I can ping the address of the DMZ gateway (192.168.0.253) from the DMZ host.

Thanks

Can you issue a clear xlate and try to ping again? Can you also post the running config again?

Done clearing xlate... same result :(

Here's the updated config:

----------------

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password Qe0yKBKYpRMBmOsL encrypted
names
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 116.xyz.xyz.228 255.255.255.192
!
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.253 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
access-list ping extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu external 1500
mtu internal 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
static (internal,dmz) 172.31.24.0 172.31.24.0 netmask 255.255.248.0
access-group ping in interface external
access-group ping in interface dmz
route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f8ad3795ba88821b7fd8294ed015999
: end

--------------------

Thanks,

Remove the ping ACL from the external interface and apply it to the dmz interface and try again.

no access-group ping in interface external
access-group ping in interface dmz
