inside to DMZ not able to telnet asa 8.1(2)

Nov 14th, 2009

Hi all,

I am able to ping but not able to telnet from inside to DMZ, and vice versa. Please find the attached configuration.

DMZ - network

inside -

Thanks in advance

Kureli Sankar (Cisco Employee) Sat, 11/14/2009 - 08:37

The config appears correct.

RTP - Routing, Translation and Permission - all appear to be correct.

Are you sure the host in dmz 10.244.4.x listens on tcp 23?

Enable logging buffered:


conf t

logging buffered debug

then issue "sh logg | i 10.244.0.x" (the host on the inside from which you are trying to telnet) and see what the logs say when the telnet fails.

Also, from the DMZ segment from a 10.244.4.x host are you able to telnet to the 10.244.4.b host that is listening on this port?

chandru.j Sun, 11/15/2009 - 20:49


I am getting an error like:

6 Nov 15 2009 23:45:32 302014 23 1254 Teardown TCP connection 159748 for DMZ: to inside: duration 0:00:30 bytes 0 SYN Timeout

This is a DC and DR setup. From mplsoutside they are able to telnet to the DMZ, but from inside I am able to do it.

chandru.j Mon, 11/16/2009 - 20:23


I am telnetting to the DMZ switch only. Likewise, from the DMZ switch I am not able to telnet or even ping to inside. There is no software in between. I attached the DMZ switch configuration.

Thanks in advance

Kureli Sankar (Cisco Employee) Thu, 11/19/2009 - 20:00


You mentioned you are able to ping the switch from where? The firewall?

6 Nov 15 2009 23:45:32 302014 23 1254 Teardown TCP connection 159748 for DMZ: to inside: duration 0:00:30 bytes 0 SYN Timeout

1. Are you able to ping the switch IP from the inside host and back?

2. Have you tried a PC in the DMZ to see if you can telnet to the switch locally? Does that work?

This syslog clearly indicates that the switch is not responding back to the inside host.

The switch appears properly configured with

a. ip address and mask

b. route to the inside pc via the firewall's DMZ interface IP
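An added example, not code from the thread, that applies the check above to a pasted buffer of ASA syslogs: it parses the %ASA-6-302014 "Teardown TCP connection" lines and counts the ones ending in "bytes 0 SYN Timeout" per interface pair and host, so a DMZ host that never answers stands out. The sample log lines and the 10.244.x.y addresses in them are constructed placeholders, and the "for"/"to" fields are kept in the order the ASA prints them.

```python
import re
from collections import Counter

# Added example, not code from the thread. It parses ASA %ASA-6-302014
# "Teardown TCP connection" syslogs and isolates the pattern discussed above:
# "bytes 0" with reason "SYN Timeout", i.e. the firewall forwarded the SYN
# but never saw a SYN/ACK, so the far host is not answering on that port.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<for_if>\w+):(?P<for_host>\S*) to (?P<to_if>\w+):(?P<to_host>\S*) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def parse_teardown(line):
    """Return a dict for a 302014 line, or None for any other message.

    The syslog prefix (severity, timestamp, id, ports) is skipped. Hosts are
    "ip/port" on a real ASA but may be empty in pasted text; the "for"/"to"
    interface order is kept as the ASA prints it, with no direction assumed.
    """
    m = TEARDOWN_RE.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["conn"] = int(rec["conn"])
    rec["bytes"] = int(rec["bytes"])
    rec["reason"] = rec["reason"].strip()
    return rec

def syn_timeouts(lines):
    """Teardowns where no payload moved and the reason is SYN Timeout."""
    recs = (parse_teardown(ln) for ln in lines)
    return [r for r in recs if r and r["bytes"] == 0 and r["reason"] == "SYN Timeout"]

def timeouts_by_flow(lines):
    """Count SYN timeouts per (for_if, to_if, for_host) so a silent host stands out."""
    return Counter((r["for_if"], r["to_if"], r["for_host"]) for r in syn_timeouts(lines))

# Constructed sample lines in the format pasted above; 10.244.x.y are placeholders.
SAMPLE_LOGS = [
    "6 Nov 15 2009 23:45:32 302014 23 1254 Teardown TCP connection 159748 "
    "for DMZ:10.244.4.10/23 to inside:10.244.0.20/1254 duration 0:00:30 bytes 0 SYN Timeout",
    "6 Nov 15 2009 23:46:02 302014 23 1255 Teardown TCP connection 159751 "
    "for DMZ:10.244.4.10/23 to inside:10.244.0.20/1255 duration 0:00:30 bytes 0 SYN Timeout",
    "6 Nov 15 2009 23:46:40 302014 23 1301 Teardown TCP connection 159790 "
    "for DMZ:10.244.4.11/23 to inside:10.244.0.20/1301 duration 0:01:12 bytes 2310 TCP FINs",
    "6 Nov 15 2009 23:47:00 302013 Built inbound TCP connection 159800 for DMZ:10.244.4.11/23",
]
```

Run `timeouts_by_flow` over the saved output of `sh logg`; a host that shows up only with "bytes 0 SYN Timeout" never replied, which is exactly what a capture on the DMZ interface would then confirm.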

chandru.j Thu, 11/26/2009 - 01:39

Hi Kusankar,

1. I am able to telnet (switch) to (dmzserver).
2. Yes, I am able to telnet from the DMZ server to the DMZ switch, and from the router I am able to telnet to the DMZ servers.

chandru.j Wed, 12/02/2009 - 20:52


I checked all the things. I have given the DMZ switch a default route to the firewall's DMZ interface IP address, like ip route

Can you help me out in this.

busterswt Wed, 12/02/2009 - 21:31

Just a few questions/suggestions...

- Have you tried running packet-tracer on the firewall to see where the traffic might be getting dropped?

- You don't have an access-group set for the DMZ interface, so any traffic generated from DMZ segment to the INSIDE segment will get dropped. You can try adding the following line for testing only:

access-group 101 in interface dmz

- Have you considered implementing a nat exemption ACL for traffic between the inside and dmz segments? You would need to add something similar to this:

access-list nonat extended permit ip  (ie. from inside to dmz)

access-list nonat extended permit ip  (ie. from dmz to inside)

nat (inside) 0 access-list nonat

nat (dmz) 0 access-list nonat

You would also need to implement the access-group command above. If these suggestions work for you, be sure to create separate ACLs for each segment and lock them down appropriately. Good luck!


Kureli Sankar (Cisco Employee) Thu, 12/03/2009 - 04:46


The next step is to collect captures on the firewall. The logs say SYN timeout, which means we are not seeing any response from the switch. That is the reason I had asked if telnet to the switch works locally.

Teardown TCP connection 159748 for DMZ: to inside: duration 0:00:30 bytes 0 SYN Timeout

Pls. try captures:

cap capdmz int DMZ match tcp any host eq 23

cap capin in inside match tcp any host eq 23

Now try a telnet connection from the inside and watch these captures:

sh cap capdmz

sh cap capin

and see if you see SYN, SYN-ACK, ACK - whether the 3-way handshake completes at all, and which packets that arrive on one interface are not seen on the other.

Copy and paste the output for us to look at.
