inside to DMZ not able to telnet asa 8.1(2)

chandru.j
Level 1

Hi all,

I am able to ping but not able to telnet from inside to DMZ, and vice versa. Please find the attached configuration.

DMZ -10.244.4.0/24 network

inside -10.244.0.0/24

Thanks in advance

10 Replies

Kureli Sankar
Cisco Employee

The config appears correct.

RTP (Routing, Translation and Permission) all appear to be correct.

Are you sure the host in dmz 10.244.4.x listens on tcp 23?

Enable the logging buffer with the commands:

conf t
logging buffered debug

Then issue "sh logg | i 10.244.0.x" (10.244.0.x being the inside host you are trying to telnet from) and see what the logs say when the telnet fails.

Also, from a 10.244.4.x host on the DMZ segment, are you able to telnet to the 10.244.4.b host that is listening on this port?

Hi,

I am getting an error like:

6 Nov 15 2009 23:45:32 302014 10.244.4.100 23 10.244.0.21 1254 Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout

This is a DC and DR setup. From mplsoutside they are able to telnet to the DMZ, but from inside I am able to.

Hi,

Sorry, I am not able to telnet.

A SYN timeout indicates that the TCP handshake is not completing, i.e., the source is sending a SYN but not receiving a SYN/ACK in reply.

Check that the destination is running the appropriate service (telnet in this case) and that there is not a local software firewall on the destination machine.

Hi,

I am telnetting to the DMZ switch only. Likewise, from the DMZ switch I am not able to telnet, or even ping, to inside. There is no software in between. I attached the DMZ switch configuration.

Thanks in advance

Chandru,

You mentioned you are able to ping the switch from where? The firewall?

6 Nov 15 2009 23:45:32 302014 10.244.4.100 23 10.244.0.21 1254 Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout

1. Are you able to ping the switch IP 10.244.4.100 from the inside host 10.244.0.21 and back?

2. Have you tried a PC in the DMZ to see if you can telnet to the switch locally? Does that work?

This syslog clearly indicates that the switch is not responding back to the inside host.

The switch appears properly configured with

a. ip address and mask

b. route to the inside pc via the firewall's DMZ interface IP

Hi Kusankar,


1. I am able to telnet from 10.244.4.100 (DMZ switch) to 10.244.4.21 (DMZ server).
2. Yes, I am able to telnet from the DMZ server to the DMZ switch, and from the router I am able to telnet to the DMZ servers.

Hi,

I checked all the things. I gave the DMZ switch a default route to the firewall's DMZ interface IP address, like: ip route 0.0.0.0 0.0.0.0 10.244.4.1

Can you help me out in this.

Just a few questions/suggestions...

- Have you tried running packet-tracer on the firewall to see where the traffic might be getting dropped?

- You don't have an access-group set for the DMZ interface, so any traffic generated from the DMZ segment to the INSIDE segment will get dropped. You can try adding the following line for testing only:

access-group 101 in interface dmz

- Have you considered implementing a nat exemption ACL for traffic between the inside and dmz segments? You would need to add something similar to this:

access-list nonat extended permit ip 10.244.9.0 255.255.255.0 10.244.4.0 255.255.255.0  (ie. from inside to dmz)

access-list nonat extended permit ip 10.244.4.0 255.255.255.0 10.244.9.0 255.255.255.0  (ie. from dmz to inside)

nat (inside) 0 access-list nonat

nat (dmz) 0 access-list nonat

You would also need to implement the access-group command above. If these suggestions work for you, be sure to create separate ACLs for each segment and lock them down appropriately. Good luck!

James

Chandru,

Next step is to collect captures on the firewall. The logs say SYN timeout, which means we are not seeing any response from the switch. That is the reason I had asked if telnet to the switch works locally.

Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout

Pls. try captures:

cap capdmz int DMZ match tcp any host 10.244.4.100 eq 23

cap capin int inside match tcp any host 10.244.4.100 eq 23

Now try a telnet connection from the inside and watch these captures.

sh cap capdmz

sh cap capin

and see if you see SYN, SYN/ACK, ACK, i.e., whether the 3-way handshake completes at all, and which packets that arrive on one interface are not seen on the other.

Copy and paste the output for us to look at.

-KS
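As an added example, not from the original thread or from Cisco: a Python script that performs the comparison described above on two `show capture` outputs. It parses the tcpdump-style packet lines, checks which legs of the three-way handshake each interface saw, and reports where the flow breaks (SYN never forwarded, SYN forwarded but no SYN/ACK back, RST from the host, SYN/ACK not returned to inside, or complete). The captures embedded in it are constructed, not real output from this firewall; they assume a wider filter than the one above (`match tcp any 10.244.4.0 255.255.255.0 eq 23`) so that both the failing flow to 10.244.4.100 and a working one to 10.244.4.21 appear, and no NAT between inside and DMZ, so the same addresses show on both interfaces.

```python
import re

# One packet line of ASA `show capture <name>` output (tcpdump-style).
# Header/footer lines ("6 packets captured") do not match and are ignored.
PKT_RE = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>S\.|S|F\.|F|P\.|R\.|R|\.)(?=\s)"
)

# Constructed captures; NOT real output from the firewall in this thread.
# Assumed filter on both interfaces: match tcp any 10.244.4.0 255.255.255.0 eq 23
CAPIN = """\
6 packets captured
   1: 23:45:02.101235 10.244.0.21.1254 > 10.244.4.100.23: S 1234567890:1234567890(0) win 65535 <mss 1460>
   2: 23:45:05.101512 10.244.0.21.1254 > 10.244.4.100.23: S 1234567890:1234567890(0) win 65535 <mss 1460>
   3: 23:45:11.102000 10.244.0.21.1254 > 10.244.4.100.23: S 1234567890:1234567890(0) win 65535 <mss 1460>
   4: 23:46:00.500101 10.244.0.21.1260 > 10.244.4.21.23: S 2222222222:2222222222(0) win 65535 <mss 1460>
   5: 23:46:00.500880 10.244.4.21.23 > 10.244.0.21.1260: S. 3333333333:3333333333(0) ack 2222222223 win 8192 <mss 1460>
   6: 23:46:00.501002 10.244.0.21.1260 > 10.244.4.21.23: . ack 3333333334 win 65535
6 packets shown
"""
CAPDMZ = """\
   1: 23:45:02.101301 10.244.0.21.1254 > 10.244.4.100.23: S 1234567890:1234567890(0) win 65535 <mss 1460>
   2: 23:45:05.101570 10.244.0.21.1254 > 10.244.4.100.23: S 1234567890:1234567890(0) win 65535 <mss 1460>
   3: 23:45:11.102061 10.244.0.21.1254 > 10.244.4.100.23: S 1234567890:1234567890(0) win 65535 <mss 1460>
   4: 23:46:00.500160 10.244.0.21.1260 > 10.244.4.21.23: S 2222222222:2222222222(0) win 65535 <mss 1460>
   5: 23:46:00.500820 10.244.4.21.23 > 10.244.0.21.1260: S. 3333333333:3333333333(0) ack 2222222223 win 8192 <mss 1460>
   6: 23:46:00.501060 10.244.0.21.1260 > 10.244.4.21.23: . ack 3333333334 win 65535
"""
# A DMZ host that is up but has no telnet listener answers the SYN with a reset.
CAPDMZ_RST = """\
   1: 23:50:00.000100 10.244.0.21.1270 > 10.244.4.100.23: S 4444444444:4444444444(0) win 65535 <mss 1460>
   2: 23:50:00.000900 10.244.4.100.23 > 10.244.0.21.1270: R. 0:0(0) ack 4444444445 win 0
"""


def parse_capture(text):
    """Return a list of {src, sport, dst, dport, flags} dicts, one per packet line."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts


def handshake(pkts, client, server, port):
    """Which legs of the client -> server:port handshake one capture saw.

    Keyed on addresses and the server port only, so all client source ports
    (retries, new attempts) toward that service are considered together.
    """
    fwd = [p for p in pkts if p["src"] == client and p["dst"] == server and p["dport"] == port]
    rev = [p for p in pkts if p["src"] == server and p["sport"] == port and p["dst"] == client]
    return {
        "syn": any(p["flags"] == "S" for p in fwd),
        "synack": any(p["flags"] == "S." for p in rev),
        "ack": any(p["flags"] == "." for p in fwd),
        "rst": any(p["flags"] in ("R", "R.") for p in rev),
    }


DIAGNOSIS = {
    "no_syn_from_client": "no SYN on inside: the client never sent one (or the capture filter is wrong)",
    "asa_dropped_syn": "SYN on inside but not on DMZ: the ASA dropped it; run packet-tracer (ACL/NAT/route)",
    "rst_from_dmz": "DMZ host answered RST: reachable, but nothing is listening on the port",
    "no_reply_from_dmz": "SYN left the DMZ interface, no SYN/ACK came back: host service, host firewall or its return route",
    "asa_dropped_synack": "SYN/ACK on DMZ but not on inside: the ASA dropped the reply",
    "no_final_ack": "SYN/ACK reached inside but the client never completed the handshake",
    "complete": "3-way handshake seen on both interfaces",
}


def diagnose(capin_text, capdmz_text, client, server, port=23):
    """Compare the inside and DMZ captures for one flow and return a DIAGNOSIS key."""
    hin = handshake(parse_capture(capin_text), client, server, port)
    hdmz = handshake(parse_capture(capdmz_text), client, server, port)
    if not hin["syn"]:
        return "no_syn_from_client"
    if not hdmz["syn"]:
        return "asa_dropped_syn"
    if hdmz["rst"]:
        return "rst_from_dmz"
    if not hdmz["synack"]:
        return "no_reply_from_dmz"
    if not hin["synack"]:
        return "asa_dropped_synack"
    if hin["ack"] and hdmz["ack"]:
        return "complete"
    return "no_final_ack"


if __name__ == "__main__":
    for server in ("10.244.4.100", "10.244.4.21"):
        print(server, "->", DIAGNOSIS[diagnose(CAPIN, CAPDMZ, "10.244.0.21", server)])
```

Paste the real `sh cap capin` and `sh cap capdmz` output into the two strings (or read them from files) and call `diagnose()` for the inside host and the DMZ switch. The order of checks matters: a SYN that reaches the DMZ capture but gets no SYN/ACK is the case the syslog above describes, and it points at the switch rather than at the firewall's ACL or NAT, which the thread's other suggestions target.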
