06-01-2009 10:57 PM
Dear All,
I applied ASA 5510 in my network,
I configured 3 interfaces DMZ, Inside and Outside
From the ASA, I can access Inside, DMZ and Outside (Internet)
Inside users can communicate with DMZ Servers
Inside users can go to the Internet via the outside interface
DMZ servers can go to the Internet via the outside interface
DMZ servers CANNOT Ping Inside network
I was using IpSec VPN on my router,
clients connect to the router using Cisco VPN Client software,
NOW, when I included ASA in the network, VPN clients are unable to communicate with DMZ servers
security level 0 for outside
50 for DMZ
100 for Inside
NAT is off using no nat-control command
Do I need to turn NAT on, and should some ACL be in place...
Please advise me: what ACL should I implement, on which interface, and in which direction?
What NAT statement should I include?
I want to access my network via VPN...
Please Help
Regards,
Junaid
06-02-2009 10:09 PM
ICMP Pings are not stateful. The firewall needs special handling to dynamically permit the pings back, this is done via the 'ICMP inspection'. By default the ICMP inspection is disabled. You can either enable inspection or use an ACL to permit the ICMP traffic. Here is a useful link:
Please rate if helpful.
Regards
Farrukh
06-02-2009 12:56 PM
Hi,
Low Sec (DMZ) --> High Sec (Inside): you need to create an ACL. Try this...
access-list dmz_2_inside extended permit icmp any any
access-group dmz_2_inside in interface DMZ
hth
MS
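Both of the options named in the two replies above (enabling ICMP inspection, or permitting ICMP with an ACL on the DMZ interface) are shown together here as an added example; this is not configuration from the thread or from Cisco, and it assumes ASA 8.0/8.2 syntax, the default policy-map and class names (global_policy, inspection_default), the interface names DMZ/inside/outside, and the 192.168.1.0/24 DMZ subnet that appears later in the thread. The ACL option is written narrower than the "permit icmp any any" in the reply above, and it adds the DMZ-to-Internet rules that would otherwise be lost: once an ACL is applied inbound on DMZ, the security-level default no longer applies, and anything the ACL does not permit is dropped.

```cisco
! Added example, not from the thread. ASA 8.0/8.2 syntax assumed.
!
! Option A: stateful ICMP inspection, so echo replies to pings sent from the
! higher-security side are matched to their request and allowed back.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Option B: an ACL applied inbound on DMZ. Only echo requests from the DMZ
! subnet are permitted towards inside (replace "any" with the inside subnet
! when it is known); echo-reply is listed so that pings from inside to DMZ
! still work without inspection.
access-list dmz_2_inside extended permit icmp 192.168.1.0 255.255.255.0 any echo
access-list dmz_2_inside extended permit icmp 192.168.1.0 255.255.255.0 any echo-reply
!
! Caveat: applying this ACL removes the DMZ-to-outside access that the
! security level (50 -> 0) used to grant. Add the outbound traffic the DMZ
! servers legitimately need; everything else hits the implicit deny.
access-list dmz_2_inside extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list dmz_2_inside extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list dmz_2_inside extended permit udp 192.168.1.0 255.255.255.0 any eq domain
!
access-group dmz_2_inside in interface DMZ
!
! Checks: hit counts per ACE, and whether ICMP inspection is active
show access-list dmz_2_inside
show service-policy inspect icmp
```

After a test ping from a DMZ server, the hit count on the echo line in "show access-list dmz_2_inside" should increase; a zero count with the ping still failing points at routing rather than the ACL.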
06-03-2009 02:50 AM
Dear Farrukh,
Your provided link resolved my issue,
Where are you from?
THANKS,
Junaid
06-03-2009 02:56 AM
The place where millat tractors are famous :)
Regards
Farrukh
06-03-2009 07:21 AM
Shahdara??? Millat tractors is very next to Begum kot..
I was using NAT on the Router for my Microsoft Exchange Server with this command,
ip nat inside source static tcp 192.168.1.16 25 interface fastethernet 0/1 25
After placing the ASA in the network, it is not working.
I check it from the Internet by telnetting to my live IP on port 25, for example
55.55.55.55 25
It doesn't respond now,
VPN traffic was also not permitted for accessing Servers in DMZ,
After placing the ACL in the ASA, VPN traffic is permitted but NAT for MS-Exchange is not working,
I temporarily allowed all the traffic in the ASA for checking purposes
permit ip any any
permit tcp any any
permit icmp any any
Do I need to NAT it again in the ASA, or will the NAT interface and IP change?
Secondly, I would appreciate if you give me your mobile number, so I can better explain,
Regards,
Junaid
06-04-2009 02:41 AM
waiting for your response,
06-04-2009 06:12 AM
No you don't need to NAT again. You just need to permit it in the outside interface ACL.
Where does the 192.168.1.16/x network lie? Is this the same as the ASA inside network? Is your routing set up correctly?
Did you add a route on the router to send 192.168.1.x to the ASA?
Regards
Farrukh
06-04-2009 06:22 AM
192.168.1.16 is directly connected with ASA DMZ interface
DMZ IP, 192.168.1.18
When I connect via VPN, I can remote desktop to my server.
Regards,
Junaid
06-05-2009 11:05 PM
If you telnet to the public IP of the mail server from outside, what happens?
Did you add a route on the router to send the 192.168.1.x subnet to the ASA?
Regards
Farrukh
06-06-2009 12:04 AM
192.168.1.x subnet is directly connected with ASA (DMZ interface)
I don't think there is any need to add a static route in the ASA towards the 192.168.1.x subnet.
When I telnet to my public IP, it shows a message (Press any key to continue); when I press any key, it shows "Connection to the host lost".
telnet
o 55.55.55.55 25
Before adding the ASA, it connected to my mail server successfully.
I added a route in the Router
ip route 192.168.1.0 255.255.255.0 192.168.74.2
where 74.2 is the ASA directly connected interface with the Router
and 192.168.1.x is directly connected with ASA (DMZ Interface)
Regards,
Junaid
06-06-2009 11:54 PM
Were you able to solve this issue?
I tried to post yesterday but the forum was not working.
Can you try disabling ESMTP inspection?
Regards
Farrukh
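The outside-interface ACL suggested earlier in the thread ("you just need to permit it in the outside interface ACL") and the ESMTP inspection test suggested in the last reply, written out as an added example that is not configuration from the thread or from Cisco. It assumes ASA 8.0/8.2 syntax, the default policy-map and class names, and the setup described in the thread: the router still performs the static port-forward (55.55.55.55:25 -> 192.168.1.16:25) and routes 192.168.1.0/24 to the ASA, NAT control is off, so the ASA outside interface receives packets already addressed to 192.168.1.16. This narrow rule is what should replace the temporary "permit ip any any" test entries posted above once testing is done.

```cisco
! Added example, not from the thread. ASA 8.0/8.2 syntax assumed.
!
! Router does the translation, so the ASA sees the real DMZ address.
! Permit only SMTP to the Exchange server; the implicit deny at the end
! of the ACL drops everything else arriving on outside.
access-list outside_in extended permit tcp any host 192.168.1.16 eq smtp
access-group outside_in in interface outside
!
! ESMTP inspection is on by default in the global policy. If the SMTP
! session still stalls after the ACL is in place, remove the inspection
! as a test, re-check, and re-enable it afterwards if it was not the cause.
policy-map global_policy
 class inspection_default
  no inspect esmtp
!
! Checks: ACE hit counts, inspection state, and any active SMTP connection
show access-list outside_in
show service-policy inspect esmtp
show conn protocol tcp port 25
```

With the ACL applied and the test "permit ip any any" entries removed, a telnet to the public IP on port 25 should increment the hit count on the smtp ACE and show a single TCP connection in "show conn"; if the count stays at zero, the packet is not reaching the ASA outside interface and the router's NAT or route is the place to look.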