02-18-2010 08:39 PM - edited 03-11-2019 10:12 AM
Hi All
I have an ASA 5510 with a DMZ interface that has a Cisco 2800 router directly connected to it. I am having two issues:
1. I want to use WhatsUp Gold on the inside LAN to ping the router to monitor up status (at least the e0 interface directly connected to the ASA).
2. I want to connect to the router from the inside LAN using PuTTY on port 22 (I believe I have configured the router properly to handle SSH connections on the vty lines). Right now I get a PuTTY fatal error: "Network error: Connection refused".
The issue is that on the ASA we have an ACL bound to the inside interface with a "deny ip any any" statement at the end, so it is adding a layer of difficulty.
Do I need an ACE in the inside ACL allowing access from inside to the DMZ interface eq ssh? Same for ICMP pings?
Thanks
02-19-2010 09:47 AM
Yes.
You are initiating connections from the inside towards the DMZ, so you will need to open the ACL if there is an ACL applied on the inside interface. Make sure it is above the "deny any any" if there is an explicit "deny any any".
Then you will need translations and routes.
I hope it helps.
PK
02-19-2010 11:25 AM
You need this:
static (inside,dmz) whatsup_gold_ip whatsup_gold_ip netmask 255.255.255.255
I believe WhatsUp Gold will know (from its GW) to go to the firewall in order to reach the router on the DMZ.
If you don't have an ACL on the higher security interface then just that static should make it work; otherwise add permission on the ACL applied on the inside interface:
access-list blah permit tcp host whatsup_gold_ip host 2800_dmz_ip eq 22
-KS
02-19-2010 01:09 PM
Thanks for the info.
I do have an ACL on the higher security inside interface, so it seems I need to create ACEs in the inside-to-out ACL that permit traffic to the DMZ on port 22 and for ICMP?
I want to allow the entire inside subnet 192.168.101.0/24 to send traffic to 192.168.201.1 (DMZ router address) on port 22.
I want the same for pings from any host on the inside subnet to 192.168.101.1.
1. Should my ACL for SSH specify the DMZ interface or the router's e0 address?
2. I have tried and failed to create an ACL to handle ICMP, any ideas?
Thanks again!
02-19-2010 01:16 PM
I do have an ACL on the higher security inside interface, so it seems I need to create ACEs in the inside-to-out ACL that permit traffic to the DMZ on port 22 and for ICMP?
I want to allow the entire inside subnet 192.168.101.0/24 to send traffic to 192.168.201.1 (DMZ router address) on port 22.
I want the same for pings from any host on the inside subnet to 192.168.101.1.
1. Should my ACL for SSH specify the DMZ interface or the router's e0 address?
2. I have tried and failed to create an ACL to handle ICMP, any ideas?
You need:
access-list blah permit tcp 192.168.101.0 255.255.255.0 host 192.168.201.1 eq 22
access-list blah permit icmp 192.168.101.0 255.255.255.0 host 192.168.201.1
-KS
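The pieces the two answers above describe (an identity static from inside to dmz, permits placed above the trailing deny, and the return path for pings), pulled together into one ASA configuration as an added example; this is not configuration posted by anyone in the thread. It uses the pre-8.3 NAT syntax the answers use. The ACL name inside_access_in, the WhatsUp Gold address 192.168.101.50 and the assumption that the existing inside ACL ends with "deny ip any any" are mine; the subnet and router address come from the question. It also generalises the host static in the answer to the whole /24, since the question asks for the entire inside subnet.

```cisco
! Assumed: existing inside ACL is named inside_access_in and ends with
! "deny ip any any"; WhatsUp Gold is 192.168.101.50. Pre-8.3 NAT syntax.

! Identity translation so inside hosts reach the DMZ with their real
! addresses (needed when nat-control is on or a nat (inside) rule exists)
static (inside,dmz) 192.168.101.0 192.168.101.0 netmask 255.255.255.0

! Insert the permits with explicit line numbers so they land ABOVE the
! trailing deny; an ACE added without "line N" is appended after the
! deny and is never evaluated.
access-list inside_access_in line 1 extended permit tcp 192.168.101.0 255.255.255.0 host 192.168.201.1 eq 22
access-list inside_access_in line 2 extended permit icmp 192.168.101.0 255.255.255.0 host 192.168.201.1 echo

! The ASA does not track ICMP statefully by default: the echo-reply
! coming back from the DMZ (lower security) is dropped unless ICMP
! inspection is enabled or the dmz interface ACL allows it.
policy-map global_policy
 class inspection_default
  inspect icmp

! Bind the ACL to the inside interface (already present if the ACL
! is in use; repeating the command is harmless)
access-group inside_access_in in interface inside

! Verify: confirm the new ACEs sit above the deny and watch hit counts,
! then simulate both flows through the ASA
show access-list inside_access_in
packet-tracer input inside tcp 192.168.101.50 1025 192.168.201.1 22
packet-tracer input inside icmp 192.168.101.50 8 0 192.168.201.1
```

Two checks worth doing before touching the ACL: run the two packet-tracer commands first, because their output names the exact phase (ACL, NAT or route lookup) that drops the packet. And note that an ASA ACL deny drops silently, so PuTTY would time out rather than report "Connection refused"; a refusal usually means a RST came back from the router itself, so confirm it is listening with show ip ssh and that the vty lines carry transport input ssh.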