ASA 5510: Allow Pings and ssh 'putty' connection to directly connected 2800 router

jaymatrona222
Level 1

Hi All

I have an ASA 5510 with a DMZ interface that has a Cisco 2800 router directly connected to it. I am having two issues:

1. I want to use WhatsUp Gold on the inside LAN to ping the router to monitor up status (at least the e0 interface directly connected to the ASA).

2. I want to connect to the router from the inside LAN using PuTTY on port 22 (I believe I have configured the router properly to handle SSH connections on the vty lines). Right now I get a PuTTY Fatal Error: Network error: Connection refused.

The issue is, on the ASA we have an ACL bound to the inside interface with a Deny IP any any statement at the end so it is adding a layer of difficulty.

Do I need an ACE to the inside ACL allowing access from Inside to DMZ interface eq ssh?  Same with ICMP Pings?

Thanks

4 Replies

Panos Kampanakis
Cisco Employee

Yes.

You are initiating connections from the inside towards the DMZ, so you will need to open the ACL if there is an ACL applied on the inside interface. Make sure it is above the "deny any any" if there is an explicit "deny any any".

Then you will need translations and routes.

I hope it helps.

PK

You need this

static (inside,dmz) whatup_gold_ip whatup_gold_ip netmask 255.255.255.255

I believe whatup_gold will know (from its GW) to get to the firewall in order to reach the router on the DMZ.

If you don't have an ACL on the higher security interface then just that static should make it work; otherwise, add permission on the ACL applied on the inside interface:

access-list blah permit tcp host whatsup_gold_ip host 2800_dmz_ip eq 22

-KS

Thanks for the info.

I do have an ACL on the higher security inside interface, so it seems I need to create ACEs on the inside-to-out ACL that permit traffic to the DMZ on port 22 and for ICMP?

I want to allow the entire inside subnet 192.168.101.0/24 to send traffic to 192.168.201.1 (DMZ router address) on port 22.

I want the same for pings from any host on the inside subnet to 192.168.101.1

1. Should my ACL for SSH specify the DMZ interface or the router's e0 address?

2. I have tried and failed to create an ACL to handle ICMP, any ideas?

Thanks again!

You need:

access-list blah permit tcp 192.168.101.0 255.255.255.0 host 192.168.201.1 eq 22

access-list blah permit icmp 192.168.101.0 255.255.255.0 host 192.168.201.1

-KS
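To see why PK's ordering advice matters, here is an added example (not from the thread) that models the inside ACL as an ASA-style first-match list: the two ACEs KS gives, followed by the explicit "deny ip any any" from the original post. The inside host address 192.168.101.50 is constructed; the subnet, router address, port and ACL name "blah" are the thread's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "icmp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None: any port, or not applicable (icmp/ip)

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.IPv4Address(src) not in self.src:
            return False
        if ipaddress.IPv4Address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(text, strict=False)


# The two ACEs KS suggested, placed above the thread's explicit "deny ip any any":
#   access-list blah permit tcp 192.168.101.0 255.255.255.0 host 192.168.201.1 eq 22
#   access-list blah permit icmp 192.168.101.0 255.255.255.0 host 192.168.201.1
INSIDE_ACL = [
    Ace("permit", "tcp", net("192.168.101.0/24"), net("192.168.201.1/32"), 22),
    Ace("permit", "icmp", net("192.168.101.0/24"), net("192.168.201.1/32")),
    Ace("deny", "ip", net("0.0.0.0/0"), net("0.0.0.0/0")),
]


def evaluate(acl, proto, src, dst, dport=None) -> str:
    """Action of the first matching ACE; the ASA's implicit deny applies otherwise."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


if __name__ == "__main__":
    host, router = "192.168.101.50", "192.168.201.1"  # constructed inside host, thread's router
    print(evaluate(INSIDE_ACL, "tcp", host, router, 22), evaluate(INSIDE_ACL, "icmp", host, router))
    # The same ACEs appended below the deny are never reached:
    print(evaluate(INSIDE_ACL[2:] + INSIDE_ACL[:2], "tcp", host, router, 22))
```

Running it prints "permit permit" for the SSH and ping flows and "deny" once the permits sit below the deny, which is the misordering PK warns about.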
