ASA 5510 issue

junshah22
Level 1

Dear All,

I added an ASA 5510 to my network.

I configured 3 interfaces: DMZ, Inside and Outside.

From the ASA, I can access Inside, DMZ and Outside (Internet).

Inside users can communicate with the DMZ servers.

Inside users can go to the Internet via the outside interface.

DMZ servers can go to the Internet via the outside interface.

DMZ servers CANNOT ping the Inside network.

I was using IPsec VPN on my router;

clients connect to the router using the Cisco VPN Client software.

Now, when I included the ASA in the network, VPN clients are unable to communicate with the DMZ servers.

Security level 0 for Outside,

50 for DMZ,

100 for Inside.

NAT is off, using the no nat-control command.

Do I need to turn NAT on, and should some ACL be in place?

Please advise me: what ACL should I implement, on which interface, and in which direction?

What NAT statement should I include?

I want to access my network via VPN...

Please Help

Regards,

Junaid

11 Replies

mvsheik123
Level 7

Hi,

Low Sec (DMZ) --> High Sec (Inside): you need to create an ACL. Try this...

access-list dmz_2_inside extended permit icmp any any

access-group dmz_2_inside in interface DMZ

hth

MS

Farrukh Haroon
VIP Alumni
(Accepted Solution)

ICMP Pings are not stateful. The firewall needs special handling to dynamically permit the pings back, this is done via the 'ICMP inspection'. By default the ICMP inspection is disabled. You can either enable inspection or use an ACL to permit the ICMP traffic. Here is a useful link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

Please rate if helpful.

Regards

Farrukh
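The two replies above (mvsheik123's inbound ACL on the DMZ interface and Farrukh's ICMP inspection) put together as an added example; this is not configuration from the thread. It assumes pre-8.3 ASA syntax (matching the no nat-control in the question), the interface names Inside and DMZ as used in the question, the DMZ subnet 192.168.1.0/24 given later in the thread, and a constructed Inside subnet 10.1.1.0/24 and Inside host 10.1.1.5 that the thread does not give.

```text
! Added example, not from the thread. Assumes pre-8.3 ASA syntax and
! the constructed Inside subnet 10.1.1.0/24; 192.168.1.0/24 is the DMZ.

! Part 1: ICMP inspection. Echo-replies are then matched to the
! echo-request that opened the connection and skip the interface ACLs.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Part 2: DMZ -> Inside is low -> high security, so it needs an ACL.
! Allow only echo-request from the DMZ subnet to the Inside subnet,
! rather than "permit icmp any any", which would let every DMZ host
! send any ICMP type to any address.
access-list dmz_in extended permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 echo
! Everything else from DMZ to Inside is dropped and logged...
access-list dmz_in extended deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 log
! ...while the Internet access the question says already works is kept.
access-list dmz_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface DMZ

! Check: simulate a DMZ server pinging an Inside host (type 8, code 0)
! and read the ACCESS-LIST and INSPECT phases of the output.
packet-tracer input DMZ icmp 192.168.1.16 8 0 10.1.1.5
```

Order matters in dmz_in: the deny toward the Inside subnet must come before the permit to any. Because the ACL is inbound on DMZ, it is also evaluated for the echo-replies DMZ servers send back when an Inside user pings them; with inspect icmp enabled those replies belong to an existing connection and are not ACL-checked, so the narrow deny does not break Inside -> DMZ pings, which is the other half of what inspection buys you. The interface-level icmp permit/deny commands are a different thing: they control ICMP addressed to the ASA's own interfaces, not traffic passing through it.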

Dear Farrukh,

Your provided link resolved my issue,

Where are you from?

THANKS,

Junaid

The place where millat tractors are famous :)

Regards

Farrukh

Shahdara??? Millat Tractors is right next to Begum Kot.

I was using NAT on the Router for my Microsoft Exchange Server with this command,

ip nat inside source static tcp 192.168.1.16 25 interface fastethernet 0/1 25

After placing the ASA in the network, it is not working.

I check it from the Internet by telnetting to my live IP on port 25, for example

55.55.55.55 25

It doesn't respond now,

VPN traffic was also not permitted to access the servers in the DMZ.

After placing the ACL in the ASA, VPN traffic is permitted, but NAT for MS Exchange is not working.

I temporarily allowed all the traffic in the ASA for checking purposes:

permit ip any any

permit tcp any any

permit icmp any any

Do I need to NAT it again in the ASA, or will the NAT interface and IP change?

Secondly, I would appreciate it if you could give me your mobile number, so I can explain better.

Regards,

Junaid

Waiting for your response.

No you don't need to NAT again. You just need to permit it in the outside interface ACL.

Where does the 192.168.1.16/x network lie? Is it the same as the ASA inside network? Is your routing set up correctly?

Did you add a route on the router to send 192.168.1.x to the ASA?

Regards

Farrukh
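Farrukh's point (with no nat-control the ASA does not translate again; the mail server only needs an entry in the outside interface ACL) as an added example, not configuration from the thread. It assumes pre-8.3 syntax, the interface name Outside, the Exchange server at 192.168.1.16 on the DMZ as stated in the thread, and a constructed VPN client pool 10.10.10.0/24 for the router-terminated VPN clients (the thread does not give the pool). The public IP 55.55.55.55 is translated on the router, so the ASA only ever sees packets already addressed to 192.168.1.16.

```text
! Added example, not from the thread. Assumes pre-8.3 ASA syntax with
! "no nat-control" and a constructed VPN pool of 10.10.10.0/24.

! SMTP from the Internet to the one mail server, instead of the
! temporary "permit ip any any" used for testing.
access-list outside_in extended permit tcp any host 192.168.1.16 eq smtp
! VPN clients (router pool) reaching the DMZ servers.
access-list outside_in extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
! Log whatever else arrives from the router side before the implicit deny.
access-list outside_in extended deny ip any any log
access-group outside_in in interface Outside

! Check 1: simulate an Internet host (constructed source) opening port 25.
! With no nat-control the NAT phase should show no translation and the
! packet should be allowed into the DMZ.
packet-tracer input Outside tcp 203.0.113.10 40000 192.168.1.16 25

! Check 2: confirm the ASA holds no translation for the DMZ host.
show xlate | include 192.168.1.16

! Check 3: while a telnet to port 25 is running from outside, the
! connection should appear here; if it does not, the packet never
! reached the ASA and the router's NAT or its route to 192.168.1.0/24 is
! the place to look.
show conn address 192.168.1.16 port 25
```

The router's static NAT entry and the route for 192.168.1.0/24 toward the ASA stay on the router; the ASA's job here is only to pass the already-translated packet to the DMZ and to let the reply back out, which it does from the connection entry without any NAT statement.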

192.168.1.16 is directly connected to the ASA DMZ interface.

DMZ IP: 192.168.1.18

When I connect via VPN, I can Remote Desktop to my server.

Regards,

Junaid

If you telnet to the public IP of the mail server from outside, what happens?

Did you add a route on the router to send the 192.168.1.x subnet to the ASA?

Regards

Farrukh

The 192.168.1.x subnet is directly connected to the ASA (DMZ interface).

I don't think there is any need to add a static route in the ASA toward the 192.168.1.x subnet.

When I telnet to my public IP, it shows a message (Press any key to continue); when I press any key, it shows "Connection to host lost".

telnet

o 55.55.55.55 25

Before adding the ASA, it connected to my mail server successfully.

I added a route in the router:

ip route 192.168.1.0 255.255.255.0 192.168.74.2

where 74.2 is the ASA interface directly connected to the router,

and 192.168.1.x is directly connected to the ASA (DMZ interface).

Regards,

Junaid

Were you able to solve this issue?

I tried to post yesterday but the forum was not working.

Can you try disabling ESMTP inspection?

Regards

Farrukh
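Farrukh's last suggestion as an added example, not configuration from the thread: confirm that ESMTP inspection is active in the default global policy, switch it off for a test, and retry the telnet to port 25 from outside. It assumes the default policy names global_policy and inspection_default, and that the outside ACL already limits port 25 to the single mail server.

```text
! Added example, not from the thread. Assumes the default global service
! policy, in which "inspect esmtp" is on for TCP port 25.

! Before changing anything: is ESMTP inspection applied, and does its
! counter show packets being dropped or connections being reset?
show service-policy inspect esmtp

! Disable it for the test, then telnet to the public IP on port 25 again.
policy-map global_policy
 class inspection_default
  no inspect esmtp

! If the banner now comes back and the session stays up, inspection was
! the cause. Keep the outside ACL restricted to tcp/25 for that one host
! while it is off, since the protocol-conformance checks are gone.

! To restore the original behaviour after the test:
policy-map global_policy
 class inspection_default
  inspect esmtp
```

The symptom described above (the telnet session opens and is then closed) is consistent with an inspection engine resetting the session rather than with a filtered port, where the connection would never open at all; the show service-policy counters are the quickest way to tell the two apart.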
