inside to DMZ not able to telnet asa 8.1(2)

Nov 14th, 2009
Hi all,


I am able to ping but not able to telnet from inside to DMZ, and vice versa. Please find the configuration attached.

DMZ -10.244.4.0/24 network

inside -10.244.0.0/24


Thanks in advance





Kureli Sankar (Cisco Employee) Sat, 11/14/2009 - 08:37

The config appears correct. RTP (Routing, Translation and Permission) all appear to be correct.


Are you sure the host in dmz 10.244.4.x listens on tcp 23?


Enable the logging buffer with the following commands:

conf t

logging buffered debug

Then issue "sh logg | i 10.244.0.x" (x being the inside host you are trying to telnet from) and see what the logs say when the telnet fails.


Also, from the DMZ segment from a 10.244.4.x host are you able to telnet to the 10.244.4.b host that is listening on this port?

chandru.j Sun, 11/15/2009 - 20:49



Hi,


I am getting an error like:

6 Nov 15 2009 23:45:32 302014 10.244.4.100 23 10.244.0.21 1254 Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout


This is a DC and DR setup. From mplsoutside they are able to telnet to the DMZ, but from inside I am able to do so.
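As an added example (not code from anyone in this thread), here is a small Python triage of the 302014 teardown and 106023 deny lines that "sh logg | i <host>" returns on an ASA. The point it encodes is the one the log above makes: a 302014 with "bytes 0 SYN Timeout" means the ASA already built the flow (so routing, NAT and the ACL all passed) and simply never saw a SYN-ACK come back, which is a different failure from a 106023 deny. The sample log is constructed in the same column layout as the line posted above; the bucket names and verdict strings are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the same column layout as the 302014 line posted in the
# thread (severity, timestamp, message ID, addresses, then the message text).
# These lines are made up for the example and are not from the poster's firewall.
SAMPLE_LOG = """\
6 Nov 15 2009 23:45:32 302014 10.244.4.100 23 10.244.0.21 1254 Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout
6 Nov 15 2009 23:46:05 302014 10.244.4.100 23 10.244.0.21 1255 Teardown TCP connection 159751 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1255 duration 0:00:30 bytes 0 SYN Timeout
6 Nov 15 2009 23:47:10 302014 10.244.4.21 23 10.244.0.21 1260 Teardown TCP connection 159790 for DMZ:10.244.4.21/23 to inside:10.244.0.21/1260 duration 0:02:11 bytes 1843 TCP FINs
4 Nov 15 2009 23:48:01 106023 10.244.0.21 1261 10.244.4.100 22 Deny tcp src inside:10.244.0.21/1261 dst DMZ:10.244.4.100/22 by access-group "101" [0x0, 0x0]
"""

# %ASA-6-302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#                duration <hh:mm:ss> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
# %ASA-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)

# Teardown reasons that can only occur after the three-way handshake completed.
HANDSHAKE_DONE = {"TCP FINs", "TCP Reset-I", "TCP Reset-O"}


def parse_line(line):
    """Return a dict for a 302014 teardown or 106023 deny line, else None."""
    m = TEARDOWN_RE.search(line)
    if m:
        d = m.groupdict()
        d["kind"] = "teardown"
        d["bytes"] = int(d["bytes"])
        return d
    m = DENY_RE.search(line)
    if m:
        d = m.groupdict()
        d["kind"] = "deny"
        return d
    return None


def classify(ev, server_ip, server_port):
    """Map one event to a diagnosis bucket, or None if it is not about server_ip:port."""
    port = str(server_port)
    if ev["kind"] == "deny":
        return "acl-deny" if (ev["dip"], ev["dport"]) == (server_ip, port) else None
    if (server_ip, port) not in {(ev["ip_a"], ev["port_a"]), (ev["ip_b"], ev["port_b"])}:
        return None
    if ev["reason"] == "SYN Timeout" and ev["bytes"] == 0:
        # The ASA built the flow (routing, NAT and ACL all passed) but never saw
        # a SYN-ACK come back: the far end or the return path is the problem.
        return "no-synack"
    if ev["reason"] in HANDSHAKE_DONE:
        return "handshake-ok"
    return "other"


def triage(log_text, server_ip, server_port):
    """Count buckets for one server:port and return (counts, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        bucket = classify(ev, server_ip, server_port)
        if bucket:
            counts[bucket] += 1
    if counts["acl-deny"] and not counts["no-synack"] and not counts["handshake-ok"]:
        verdict = "blocked-by-acl"            # fix the access-group / ACL
    elif counts["no-synack"] and not counts["handshake-ok"]:
        verdict = "far-end-not-answering"     # listener, host firewall or route on the far side
    elif counts["handshake-ok"]:
        verdict = "handshake-completes"       # firewall is not in the way
    else:
        verdict = "inconclusive"
    return counts, verdict


if __name__ == "__main__":
    for target in (("10.244.4.100", 23), ("10.244.4.21", 23), ("10.244.4.100", 22)):
        print(target, *triage(SAMPLE_LOG, *target))
```

Run it against the real buffer by piping the output of "sh logg" into `triage()` with the DMZ host and port you are testing; a "far-end-not-answering" verdict is the case to chase with a local telnet test and captures rather than with ACL or NAT changes.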



chandru.j Mon, 11/16/2009 - 20:23

Hi,


I am telnetting to the DMZ switch only. Likewise, from the DMZ switch I am not able to telnet, or even ping, to inside. There is no software in between. I attached the DMZ switch configuration.


Thanks in advance



Kureli Sankar (Cisco Employee) Thu, 11/19/2009 - 20:00

Chandru,

You mentioned you are able to ping the switch from where? The firewall?


6 Nov 15 2009 23:45:32 302014 10.244.4.100 23 10.244.0.21 1254 Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout


1. Are you able to ping the switch IP 10.244.4.100 from the inside host 10.244.0.21 and back?


2. Have you tried a PC in the DMZ to see if you can telnet to the switch locally? Does that work?


This syslog clearly indicates that the switch is not responding back to the inside host.


The switch appears properly configured with

a. ip address and mask

b. route to the inside pc via the firewall's DMZ interface IP

chandru.j Thu, 11/26/2009 - 01:39

Hi Kusankar,



      1. I am able to telnet from 10.244.4.100 (DMZ switch) to 10.244.4.21 (DMZ server).
      2. Yes, I am able to telnet from the DMZ server to the DMZ switch, and from the router I am able to telnet to the DMZ servers.

chandru.j Wed, 12/02/2009 - 20:52

Hi,



  I checked all the things. I have given the DMZ switch a default route to the firewall DMZ interface IP address, like: ip route 0.0.0.0 0.0.0.0 10.244.4.1


Can you help me out in this.

busterswt (Bronze, 100 points or more) Wed, 12/02/2009 - 21:31


Just a few questions/suggestions...


- Have you tried running packet-tracer on the firewall to see where the traffic might be getting dropped?


- You don't have an access-group set for the DMZ interface, so any traffic generated from DMZ segment to the INSIDE segment will get dropped. You can try adding the following line for testing only:


access-group 101 in interface dmz


- Have you considered implementing a nat exemption ACL for traffic between the inside and dmz segments? You would need to add something similar to this:


access-list nonat extended permit ip 10.244.0.0 255.255.255.0 10.244.4.0 255.255.255.0  (ie. from inside to dmz)

access-list nonat extended permit ip 10.244.4.0 255.255.255.0 10.244.0.0 255.255.255.0  (ie. from dmz to inside)


nat (inside) 0 access-list nonat

nat (dmz) 0 access-list nonat


You would also need to implement the access-group command above. If these suggestions work for you, be sure to create separate ACLs for each segment and lock them down appropriately. Good luck!


James

Kureli Sankar (Cisco Employee) Thu, 12/03/2009 - 04:46

Chandru,

The next step is to collect captures on the firewall. The logs say SYN timeout, which means we are not seeing any response from the switch. That is the reason I had asked if telnet to the switch works locally.


Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout


Pls. try captures:


cap capdmz int DMZ match tcp any host 10.244.4.100 eq 23


cap capin int inside match tcp any host 10.244.4.100 eq 23


Now try a telnet connection from the inside and watch these captures.


sh cap capdmz

sh cap capin


and see if you see SYN, SYN-ACK, ACK, i.e. whether the 3-way handshake completes at all, and which packets that arrive on one interface are not seen on the other.


Copy and paste the output for us to look at.


-KS
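As an added example (not code from anyone in this thread), the following Python does the comparison described above mechanically: it parses "show capture" output from the inside and DMZ interfaces, works out how far the three-way handshake got on each side, and turns the two results into a verdict. The capture text is constructed in the tcpdump-style layout the ASA prints (numbered packets, "src.port > dst.port: flags ..."); the verdict names and the capture names `capin`/`capdmz` are assumptions of this example. It also assumes the flow is NAT-exempt, so the same real addresses appear on both interfaces.

```python
import re

# Constructed "show capture" output for a telnet attempt that gets a 302014
# SYN Timeout: the SYN (and its retransmit) is seen entering on inside ...
CAP_IN_SYN_TIMEOUT = """\
2 packets captured
   1: 23:45:02.101234 10.244.0.21.1254 > 10.244.4.100.23: S 2135532211:2135532211(0) win 65535 <mss 1460,nop,nop,sackOK>
   2: 23:45:05.104567 10.244.0.21.1254 > 10.244.4.100.23: S 2135532211:2135532211(0) win 65535 <mss 1460,nop,nop,sackOK>
2 packets shown
"""
# ... and leaving on DMZ, but nothing ever comes back from the switch.
CAP_DMZ_SYN_TIMEOUT = """\
2 packets captured
   1: 23:45:02.101402 10.244.0.21.1254 > 10.244.4.100.23: S 2135532211:2135532211(0) win 65535 <mss 1460,nop,nop,sackOK>
   2: 23:45:05.104711 10.244.0.21.1254 > 10.244.4.100.23: S 2135532211:2135532211(0) win 65535 <mss 1460,nop,nop,sackOK>
2 packets shown
"""
# Constructed capture of a working telnet to a DMZ server (full handshake).
CAP_OK = """\
3 packets captured
   1: 23:47:00.000100 10.244.0.21.1260 > 10.244.4.21.23: S 100:100(0) win 65535 <mss 1460>
   2: 23:47:00.000400 10.244.4.21.23 > 10.244.0.21.1260: S 500:500(0) ack 101 win 8192 <mss 1460>
   3: 23:47:00.000700 10.244.0.21.1260 > 10.244.4.21.23: . ack 501 win 65535
3 packets shown
"""

# One packet line: "<n>: <hh:mm:ss.us> <src>.<sport> > <dst>.<dport>: <flags> ..."
PKT_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>[\d:.]+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)


def parse_capture(text):
    """Return packet dicts; header/footer lines ('N packets captured') are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ack"] = re.search(r"\back\b", d["rest"]) is not None
        pkts.append(d)
    return pkts


def handshake_state(text, client, server, port):
    """How far the client->server:port handshake got in this one capture."""
    port = str(port)
    syn = synack = ack = False
    for p in parse_capture(text):
        to_server = (p["src"], p["dst"], p["dport"]) == (client, server, port)
        from_server = (p["src"], p["sport"], p["dst"]) == (server, port, client)
        if to_server and "S" in p["flags"] and not p["ack"]:
            syn = True
        elif from_server and "S" in p["flags"] and p["ack"]:
            synack = True
        elif to_server and synack and p["ack"] and not set(p["flags"]) & set("SR"):
            ack = True
    if not syn:
        return "no-syn"
    if not synack:
        return "syn-only"
    if not ack:
        return "synack-no-ack"
    return "complete"


def diagnose(capin_text, capdmz_text, client, server, port):
    """Compare the inside and DMZ captures and say where the handshake dies."""
    inside = handshake_state(capin_text, client, server, port)
    dmz = handshake_state(capdmz_text, client, server, port)
    if inside == "no-syn":
        return "syn-never-reached-asa"      # problem is before the firewall
    if dmz == "no-syn":
        return "syn-dropped-in-asa"         # run packet-tracer: ACL, NAT or route
    if dmz == "syn-only":
        return "server-not-answering"       # matches 302014 "SYN Timeout"
    if inside == "syn-only":
        return "synack-dropped-in-asa"      # reply seen on DMZ, lost inside: asymmetric NAT/route
    if inside == "complete" and dmz == "complete":
        return "handshake-ok"
    return "client-not-acking"


if __name__ == "__main__":
    print(diagnose(CAP_IN_SYN_TIMEOUT, CAP_DMZ_SYN_TIMEOUT, "10.244.0.21", "10.244.4.100", 23))
    print(diagnose(CAP_OK, CAP_OK, "10.244.0.21", "10.244.4.21", 23))
```

Paste the real "sh cap capin" and "sh cap capdmz" output in place of the constructed strings; a "server-not-answering" verdict with a SYN visible on the DMZ side is the firewall's evidence that the switch, not the ASA, is dropping the connection.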
