ASA 5510 issue

Answered Question
Jun 1st, 2009

Dear All,

I deployed an ASA 5510 in my network.
I configured 3 interfaces: DMZ, Inside and Outside.

From the ASA, I can access Inside, DMZ and Outside (Internet).
Inside users can communicate with DMZ servers.
Inside users can go to the Internet via the outside interface.
DMZ servers can go to the Internet via the outside interface.
DMZ servers CANNOT ping the Inside network.

I was using IPsec VPN on my router; clients connect to the router using the Cisco VPN Client software.

NOW, when I included the ASA in the network, VPN clients are unable to communicate with DMZ servers.

Security level 0 for outside, 50 for DMZ, 100 for Inside.

NAT is off using the "no nat-control" command.

Do I need to turn NAT on, and should some ACL be in place?

Please advise me: what ACL should I implement, on which interface, and in which direction?

What NAT statement should I include?

I want to access my network via VPN...

Please help.

Regards,

Junaid

mvsheik123 Tue, 06/02/2009 - 12:56

Hi,

Low Sec (DMZ) --> High Sec (Inside): you need to create an ACL. Try this...

access-list dmz_2_inside extended permit icmp any any
access-group dmz_2_inside in interface DMZ

hth

MS




Correct Answer
Farrukh Haroon Tue, 06/02/2009 - 22:09

ICMP pings are not stateful. The firewall needs special handling to dynamically permit the pings back; this is done via 'ICMP inspection'. By default the ICMP inspection is disabled. You can either enable inspection or use an ACL to permit the ICMP traffic. Here is a useful link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

Please rate if helpful.

Regards

Farrukh
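The low-to-high ACL from mvsheik123's post and the ICMP inspection from Farrukh's answer, put together as an added ASA configuration example (not from the thread or from the linked Cisco note). It assumes ASA 8.x syntax, interface names DMZ and Inside, the DMZ subnet 192.168.1.0/24 from the thread, and a placeholder Inside subnet of 10.0.0.0/24; "no nat-control" is already set, so no translation rules are needed.

```cisco
! Added example, not from the thread. Assumed: ASA 8.x syntax, interface
! names "DMZ" (security 50) and "Inside" (security 100), Inside subnet
! 10.0.0.0/24 (placeholder). From the thread: DMZ subnet 192.168.1.0/24.
!
! 1. Traffic from a lower to a higher security level is dropped unless an
!    inbound ACL on the lower interface permits it. mvsheik123's
!    "permit icmp any any" works, but only echo-request from the DMZ subnet
!    to the Inside subnet is needed for the ping test.
access-list dmz_2_inside extended permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 echo
!
!    Caveat: once an ACL is applied to the DMZ interface, the implicit
!    high-to-low permit for that interface is gone. Deny everything else
!    towards Inside, then keep DMZ -> Internet working explicitly.
access-list dmz_2_inside extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 log
access-list dmz_2_inside extended permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_2_inside in interface DMZ
!
! 2. ICMP is not tracked by the stateful engine unless ICMP inspection is
!    enabled. With it on, the echo-reply is matched to the outbound
!    echo-request and allowed back without a second ACL entry on Inside.
!    global_policy is already applied with "service-policy global_policy global".
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 3. Verify without touching the servers:
!    show service-policy inspect icmp
!    packet-tracer input DMZ icmp 192.168.1.18 8 0 10.0.0.10
```

The packet-tracer line uses the DMZ address 192.168.1.18 from the thread and a placeholder Inside host; it reports which ACL line or inspection step allows or drops the echo.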

junshah22 Wed, 06/03/2009 - 02:50

Dear Farrukh,

The link you provided resolved my issue.

Where are you from?

Thanks,

Junaid


Farrukh Haroon Wed, 06/03/2009 - 02:56

The place where Millat tractors are famous :)


Regards


Farrukh

junshah22 Wed, 06/03/2009 - 07:21


Shahdara??? Millat Tractors is right next to Begum Kot..

I was using NAT on the router for my Microsoft Exchange server with this command:

ip nat inside source static tcp 192.168.1.16 25 interface fastethernet 0/1 25

After placing the ASA in the network, it is not working.
I check it from the Internet by telnetting to my live IP on port 25, for example:

55.55.55.55 25

It doesn't respond now.
VPN traffic was also not permitted to access the servers in the DMZ.

After placing the ACL in the ASA, VPN traffic is permitted, but NAT for MS Exchange is not working.

I temporarily allowed all the traffic in the ASA for checking purposes:

permit ip any any
permit tcp any any
permit icmp any any

DO I NEED TO NAT it again in the ASA, or will the NAT interface and IP be changed?

Secondly, I would appreciate it if you could give me your mobile number, so I can explain better.

Regards,

Junaid

Farrukh Haroon Thu, 06/04/2009 - 06:12

No, you don't need to NAT again. You just need to permit it in the outside interface ACL.

Where does the 192.168.1.16/x network lie? Is it the same as the ASA inside network? Is your routing set up correctly?

Did you add a route on the router to send 192.168.1.x to the ASA?

Regards

Farrukh

junshah22 Thu, 06/04/2009 - 06:22


192.168.1.16 is directly connected to the ASA DMZ interface.

DMZ IP: 192.168.1.18

When I connect via VPN, I can Remote Desktop to my server.

Regards,

Junaid

Farrukh Haroon Fri, 06/05/2009 - 23:05

If you telnet to the public IP of the mail server from outside, what happens?


Did you add a route on the router to send the 192.168.1.x subnet to the ASA?


Regards


Farrukh

junshah22 Sat, 06/06/2009 - 00:04

The 192.168.1.x subnet is directly connected to the ASA (DMZ interface).

I don't think there is any need to add a static route in the ASA towards the 192.168.1.x subnet.

When I telnet to my public IP, it shows a message (Press any key to continue); when I press any key, it shows "connection to the host lost".

telnet
o 55.55.55.55 25

Before adding the ASA, it connected to my mail server successfully.

I added a route in the router:

ip route 192.168.1.0 255.255.255.0 192.168.74.2

where 74.2 is the ASA interface directly connected to the router, and 192.168.1.x is directly connected to the ASA (DMZ interface).

Regards,

Junaid



Farrukh Haroon Sat, 06/06/2009 - 23:54

Were you able to solve this issue?


I tried to post yesterday but the forum was not working.


Can you try disabling ESMTP inspection?


Regards


Farrukh
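The outside-interface ACL and the ESMTP inspection points from Farrukh's replies, as an added ASA configuration example for the SMTP reachability problem (not from the thread). It assumes ASA 8.x syntax, an outside interface named "outside", the router's ASA-facing address 192.168.74.1 and a VPN client pool of 192.168.200.0/24 as placeholders; the ASA address 192.168.74.2, the DMZ Exchange host 192.168.1.16 and the router's static PAT of 55.55.55.55:25 are from the thread.

```cisco
! Added example, not from the thread. Assumed: ASA 8.x syntax, interface
! "outside", router gateway 192.168.74.1, VPN client pool 192.168.200.0/24,
! test source 203.0.113.5 (all placeholders). From the thread: ASA outside
! address 192.168.74.2, Exchange server 192.168.1.16 in the DMZ, router
! static PAT of public 55.55.55.55:25 to 192.168.1.16:25.
!
! 1. The router has already rewritten the destination, so the ASA sees a
!    packet for 192.168.1.16:25 arriving on "outside". With "no nat-control"
!    the ASA needs no translation of its own; the outside ACL only has to
!    permit the flow. This replaces the temporary "permit ip any any" rule.
access-list outside_in extended permit tcp any host 192.168.1.16 eq smtp
!
!    The router decrypts IPsec, so VPN clients also enter the ASA on "outside"
!    from their pool address; without this line the outside ACL blocks them.
access-list outside_in extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! 2. Replies from the DMZ server must go back to the router through the ASA.
route outside 0.0.0.0 0.0.0.0 192.168.74.1
!
! 3. ESMTP inspection is on by default in global_policy; it masks the server
!    banner and checks SMTP commands. Farrukh's suggestion is to disable it
!    to confirm whether it is what closes the session, then re-enable it once
!    the server exchange passes the check.
policy-map global_policy
 class inspection_default
  no inspect esmtp
!
! 4. Verify from the ASA instead of a live telnet test:
!    packet-tracer input outside tcp 203.0.113.5 1025 192.168.1.16 25
!    show service-policy inspect esmtp
!    show logging | include 192.168.1.16
```

The "deny ip any any log" line makes dropped connections visible in the syslog output, so a blocked SMTP or VPN flow shows up by source and destination instead of silently timing out.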
