05-19-2009 04:52 PM - edited 03-11-2019 08:34 AM
Hi,
I have set up the network below:
LAN <==> Cisco ASA <==> Internet
            ^
            |
           DMZ
I'm having a problem connecting (ping) from Internal to hosts on the DMZ.
My plan is to allow all hosts on Internal to connect (ping) to the DMZ. IP addresses on Internal should not be NATed on the DMZ.
And allow some of the hosts to connect to Internal hosts, also without NAT.
Below is my current configuration:
=======================
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password Qe0yKBKYpRMBmOsL encrypted
names
!
interface Ethernet0/0
nameif external
security-level 0
ip address 116.xyz.xyz.228 255.255.255.192
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.0.253 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu external 1500
mtu internal 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
access-group ping in interface external
access-group ping in interface dmz
route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f8ad3795ba88821b7fd8294ed015999
: end
====================
Sorry, I'm new to Cisco and I am eager to learn Cisco.
Hope you can help me.
Thanks,
Lonski
05-19-2009 04:55 PM
Sorry, DMZ is directly connected to Cisco ASA.
05-19-2009 04:58 PM
Hi,
It does not look like you're allowing echo. Try adding this command to your ACL:
access-list ping extended permit icmp any any echo
HTH
05-19-2009 05:12 PM
Hi Mike,
Thanks for the advice.
I have just added the ACL, but it is still giving me the same result.
Is there anything I should add with nat or route?
Thanks again.
Lonski
05-19-2009 05:19 PM
Hi,
Can you post a show access-list? Also, can you ping the DMZ and internal hosts from the ASA?
05-19-2009 05:30 PM
Hi Mike,
Here it is:
Ping from ASA to DMZ host (192.168.0.180)
--------------------
ciscoasa(config-if)# ping 192.168.0.180
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.180, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
--------------------
Ping from ASA to Internal (172.31.26.65)
-------------------
ciscoasa(config)# ping 172.31.26.65
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.26.65, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
-------------------
Access-list:
--------------------
ciscoasa(config-if)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ping; 4 elements
access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=8) 0x6431b796
access-list ping line 2 extended permit icmp any any time-exceeded (hitcnt=72) 0x406ef9e9
access-list ping line 3 extended permit icmp any any unreachable (hitcnt=17) 0x45fe8bbe
access-list ping line 4 extended permit icmp any any echo (hitcnt=0) 0x931c70e
--------------------
Hope this helps.
Thanks
05-19-2009 05:36 PM
Your static looks like it's the wrong subnet. Remove the current static and add this one:
static (internal,dmz) 172.31.24.0 172.31.24.0 netmask 255.255.248.0
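As an added illustration of the two checks made so far in this thread (the missing echo line in the ping ACL, and a static whose subnet does not match the internal interface), here is a small Python script, not from the thread or from Cisco, that parses a constructed excerpt of the posted running config and flags both problems:

```python
import ipaddress
import re

# Constructed excerpt of the posted config (interface, ACL and static lines only),
# with the original pre-fix static so the checker has something to flag.
CONFIG = """\
interface Ethernet0/1
 nameif internal
 ip address 172.31.24.253 255.255.248.0
interface Ethernet0/2
 nameif dmz
 ip address 192.168.0.253 255.255.255.0
access-list ping extended permit icmp any any echo-reply
static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
access-group ping in interface dmz
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")

def parse_interfaces(cfg):
    """Map each nameif to the IPv4Network of its 'ip address' line."""
    nets, name = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()
            nets[name] = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return nets

def bad_statics(cfg, nets):
    """Statics whose real network does not cover the real interface's subnet
    (here 172.31.0.0/21 does not contain the internal subnet 172.31.24.0/21)."""
    problems = []
    for m in STATIC_RE.finditer(cfg):
        real_if, mapped_if, real, _mapped, mask = m.groups()
        real_net = ipaddress.IPv4Network(f"{real}/{mask}", strict=False)
        if_net = nets.get(real_if)
        if if_net is None or not if_net.subnet_of(real_net):
            problems.append((real_if, mapped_if, str(real_net)))
    return problems

def acl_icmp_types(cfg, acl):
    """ICMP types the named ACL permits; without 'echo', requests arriving on
    the interface the ACL is applied to are not permitted."""
    pat = re.compile(rf"access-list {acl} extended permit icmp \S+ \S+ (\S+)")
    return {m.group(1) for line in cfg.splitlines() if (m := pat.match(line.strip()))}
```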
05-19-2009 05:58 PM
Hi Mike,
I have replaced the static based on your suggestion, but it still gives the same result.
By the way, these are the IP address ranges of the internal network:
172.31.24.0 - 172.31.24.255
172.31.25.0 - 172.31.25.255
172.31.26.0 - 172.31.26.255
172.31.27.0 - 172.31.27.255
172.31.28.0 - 172.31.28.255
172.31.29.0 - 172.31.29.255
172.31.30.0 - 172.31.30.255
172.31.31.0 - 172.31.31.255
Thanks
05-19-2009 06:34 PM
OK. What is the default gateway of the machine on the internal network you were able to ping from the ASA (172.31.26.65)?
Is the ASA the gateway for the DMZ subnet?
05-19-2009 06:50 PM
The default gateway of the internal host is the address of the ASA on internal (172.31.24.253), and the default gateway of the DMZ host is also the address of the ASA on the DMZ (192.168.0.253).
05-19-2009 06:54 PM
Just to add:
I can ping the address of the DMZ gateway (192.168.0.253) from a DMZ host.
Thanks
05-19-2009 07:06 PM
Can you issue a clear xlate and try to ping again? Can you also post the running config again?
05-19-2009 07:12 PM
Done clearing xlate... same result :(
Here's the updated config:
----------------
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password Qe0yKBKYpRMBmOsL encrypted
names
!
interface Ethernet0/0
nameif external
security-level 0
ip address 116.xyz.xyz.228 255.255.255.192
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.0.253 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
access-list ping extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu external 1500
mtu internal 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
static (internal,dmz) 172.31.24.0 172.31.24.0 netmask 255.255.248.0
access-group ping in interface external
access-group ping in interface dmz
route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f8ad3795ba88821b7fd8294ed015999
: end
--------------------
Thanks,
05-19-2009 07:15 PM
Remove the ping ACL from the external interface, apply it to the dmz interface, and try again.
no access-group ping in interface external
access-group ping in interface dmz