Need a hand with DMZ

Unanswered Question
Jun 20th, 2012

I can't seem to get this going for the life of me; maybe I'm a little fuzzy on the concepts, but I've done this before without problems. I need the DMZ hosts to be able to ping anything we have inside and outside our network. I will lock down everything else after; right now I can't get anything in the DMZ to access anything outside or inside.


interface Ethernet0/0
description Public
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.224
!
interface Ethernet0/1
description Private
nameif inside
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
description DMZ
nameif dmz
security-level 50
ip address 192.168.41.1 255.255.255.0


access-list dmz-allowed-in extended permit ip any any

access-group dmz-allowed-in in interface dmz


access-list allowed-in extended permit icmp any host 1.1.1.2

access-group allowed-in in interface outside


access-list allow-out extended permit ip 192.168.40.0 255.255.255.0 any

access-group allow-out in interface inside



global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (dmz) 1 0.0.0.0 0.0.0.0 dns


static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0

static (dmz,outside) 1.1.1.2 192.168.41.10 netmask 255.255.255.255




Packet tracer from inside to dmz host 192.168.41.1 says it's dropped by implicit rules

Packet tracer from dmz to inside host 192.168.40.1 says it's dropped by implicit rules
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:


Packet tracer from outside to the dmz host's public address says it's allowed

Packet tracer from dmz to an outside address says it's allowed

It would seem at least ping to the outside from the DMZ should work, but it doesn't.

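As an added example, not code from the poster or from Cisco, here is a small Python model of how the posted access-list, access-group and security-level lines decide a flow, the way packet-tracer's ACCESS-LIST phase reports it. It goes slightly beyond the post by covering both cases: an ACL bound inbound on the ingress interface (first match wins, implicit deny at the end) and no ACL bound (the implicit higher-to-lower security-level rule). It assumes 8.2-style matching (the ACL sees the address as it arrives on the ingress interface, so the outside ACL matches the public 1.1.1.2), does not model NAT, and uses constructed host addresses 192.168.41.10, 192.168.40.10 and 203.0.113.5.

```python
"""Constructed evaluator for the ASA 8.2-style rules quoted in the post.

It parses the posted access-list / access-group lines and answers the question
packet-tracer's ACCESS-LIST phase answers: is a flow permitted, and by which
rule? Modelled: first-match ACL evaluation, the implicit deny at the end of a
bound ACL, and the implicit security-level rule used when no ACL is bound
inbound on the ingress interface. NAT is not modelled; addresses are the ones
seen on the ingress interface (e.g. the public 1.1.1.2 arriving on outside).
"""
import ipaddress
from dataclasses import dataclass

# Security levels and interface addresses copied from the posted config.
SECURITY_LEVEL = {"outside": 0, "inside": 100, "dmz": 50}
INTERFACE_ADDR = {"outside": "1.1.1.1", "inside": "192.168.40.1", "dmz": "192.168.41.1"}

# The access-list and access-group lines from the post.
POSTED_ACL_CONFIG = """
access-list dmz-allowed-in extended permit ip any any
access-group dmz-allowed-in in interface dmz
access-list allowed-in extended permit icmp any host 1.1.1.2
access-group allowed-in in interface outside
access-list allow-out extended permit ip 192.168.40.0 255.255.255.0 any
access-group allow-out in interface inside
"""


@dataclass
class Ace:
    """One access-control entry: action, protocol, source, destination, original line."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str

    def matches(self, proto, src, dst):
        proto_ok = self.proto == "ip" or self.proto == proto
        return (proto_ok
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (net, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Return (acls, groups): ACL name -> [Ace], ingress interface -> ACL name."""
    acls, groups = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) >= 7 and t[0] == "access-list" and t[2] == "extended":
            src, i = _parse_addr(t, 5)
            dst, _ = _parse_addr(t, i)
            acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, line.strip()))
        elif len(t) == 5 and t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            groups[t[4]] = t[1]
    return acls, groups


def evaluate(acls, groups, ingress, egress, proto, src, dst):
    """Decide a through-the-box flow; returns (verdict, reason)."""
    if dst in INTERFACE_ADDR.values():
        # The mistake spotted in the thread: 192.168.41.1 and 192.168.40.1 are
        # the ASA's own interface addresses, not hosts behind the interfaces.
        return "INVALID", f"{dst} is an ASA interface address, not a host behind it"
    name = groups.get(ingress)
    if name is None:
        # Nothing bound inbound: only the security-level rule applies.
        if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
            return "PERMIT", "implicit rule: higher to lower security level"
        return "DROP", "implicit rule: lower to higher security level"
    for ace in acls.get(name, []):          # first match wins
        if ace.matches(proto, src, dst):
            return ace.action.upper(), f"{name}: {ace.text}"
    # A bound ACL ends in an implicit deny regardless of security levels.
    return "DROP", f"{name}: implicit deny at end of ACL"


if __name__ == "__main__":
    acls, groups = parse_config(POSTED_ACL_CONFIG)
    flows = [  # (ingress, egress, proto, src, dst); host addresses are constructed
        ("dmz", "inside", "icmp", "192.168.41.10", "192.168.40.10"),
        ("inside", "dmz", "icmp", "192.168.40.10", "192.168.41.10"),
        ("outside", "dmz", "icmp", "203.0.113.5", "1.1.1.2"),
        ("outside", "dmz", "tcp", "203.0.113.5", "1.1.1.2"),
        ("dmz", "inside", "icmp", "192.168.41.10", "192.168.40.1"),
    ]
    for f in flows:
        print(f, "->", evaluate(acls, groups, *f))
    # Same dmz flows with no ACL bound on dmz: the security-level rule decides.
    without_dmz_acl = {k: v for k, v in groups.items() if k != "dmz"}
    print(evaluate(acls, without_dmz_acl, "dmz", "inside", "icmp", "192.168.41.10", "192.168.40.10"))
    print(evaluate(acls, without_dmz_acl, "dmz", "outside", "icmp", "192.168.41.10", "203.0.113.5"))
```

The last two calls show why the posted config's `permit ip any any` on dmz matters: once that access-group is removed, dmz to inside is dropped by the implicit security-level rule (50 to 100) while dmz to outside (50 to 0) still passes, which is the pattern the post's packet-tracer results describe.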
rwharris13 Wed, 06/20/2012 - 07:40

Yes at the moment but I have tested with it disabled and same results.

Jennifer Halim Wed, 06/20/2012 - 07:45
Cisco Employee

This sounds wrong:

Packet tracer from inside to dmz host 192.168.41.1 says it's dropped by implicit rules

Packet tracer from dmz to inside host 192.168.40.1 says it's dropped by implicit rules


Both addresses are assigned to your ASA firewall interfaces, so you can't have a host with that IP address.

rwharris13 Wed, 06/20/2012 - 07:49

Ah yes, bad examples, so I redid them with .10 addresses and they say they are supposed to be passed on.

Jennifer Halim Wed, 06/20/2012 - 07:51
Cisco Employee

Great, that means there is nothing wrong with the ASA config.

You might want to check the host itself: correct subnet mask? Correct default gateway? Connected to the correct VLAN, etc.?

rwharris13 Wed, 06/20/2012 - 07:53

So, host in the dmz, connected to vlan 6, DMZ interface in vlan 6.

Public side connected to vlan 3

Host inside connected to vlan 1, inside interface in vlan 1.


Both use the ASA as their default gateway.

Jennifer Halim Wed, 06/20/2012 - 07:57
Cisco Employee

Run "debug icmp trace" and see if you are getting the echo and/or echo-reply on the ASA.

Or do a packet capture on the ASA and see if the echo is reaching and leaving the ASA, and if the echo-reply is reaching and leaving the ASA.

rwharris13 Wed, 06/20/2012 - 08:05

I didn't do an actual packet capture on the host yet, but it would seem it is, from the debug.


Sending 5, 100-byte ICMP Echos to 192.168.41.10, timeout is 2 seconds:

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

!ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
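To make the "debug icmp trace" check suggested above mechanical, here is an added example (constructed here, not from the poster or Cisco) that parses output in the format quoted in the thread, pairs each echo request with its reply by ID and sequence number, and reports which requests reached the ASA but were never answered. The sample lines are constructed for an assumed scenario of DMZ host 192.168.41.10 pinging inside host 192.168.40.10 through the ASA; the leading "!" characters are the ping progress markers that the post shows interleaved with the debug lines, and the parser strips them.

```python
"""Constructed parser for 'debug icmp trace' output in the format quoted in the
thread. It pairs each echo request with its reply by (ID, seq) and reversed
addresses, so a flow through the ASA can be classified as: requests never seen
(the host's packets do not reach the ASA), requests seen but not answered (the
target or the return path is the problem), or fully answered.
"""
import re
from collections import Counter

# Constructed sample: DMZ host 192.168.41.10 pings inside host 192.168.40.10
# three times through the ASA; only the first request gets a reply. The "!"
# prefixes are ping progress markers interleaved with the debug output.
SAMPLE_DEBUG = """
ICMP echo request from 192.168.41.10 to 192.168.40.10 ID=1234 seq=1 len=72
!ICMP echo reply from 192.168.40.10 to 192.168.41.10 ID=1234 seq=1 len=72
ICMP echo request from 192.168.41.10 to 192.168.40.10 ID=1234 seq=2 len=72
!!ICMP echo request from 192.168.41.10 to 192.168.40.10 ID=1234 seq=3 len=72
!
"""

LINE_RE = re.compile(
    r"^!*ICMP echo (?P<kind>request|reply) from (?P<src>[\d.]+) to (?P<dst>[\d.]+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+) len=(?P<len>\d+)$"
)


def parse_trace(text):
    """Return one dict per debug line; ping markers and other noise are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def match_echoes(events):
    """Pair requests with replies. Keys are (pinger, target, id, seq); returns
    (answered, unanswered, orphan_replies) as sorted lists of keys."""
    requests, replies = Counter(), Counter()
    for e in events:
        if e["kind"] == "request":
            requests[(e["src"], e["dst"], int(e["id"]), int(e["seq"]))] += 1
        else:
            # A reply travels target -> pinger; normalise it to the request's key.
            replies[(e["dst"], e["src"], int(e["id"]), int(e["seq"]))] += 1
    answered = sorted(k for k in requests if replies[k] > 0)
    unanswered = sorted(k for k in requests if replies[k] == 0)
    orphans = sorted(k for k in replies if k not in requests)
    return answered, unanswered, orphans


def diagnose(pinger, target, events):
    """Short verdict for one pinger -> target pair, in the terms used in the thread."""
    answered, unanswered, _ = match_echoes(events)

    def mine(k):
        return k[0] == pinger and k[1] == target

    sent = [k for k in answered + unanswered if mine(k)]
    if not sent:
        return ("no echo requests seen: the pinger's packets never reach the ASA "
                "(check its gateway, mask, VLAN)")
    lost = [k for k in unanswered if mine(k)]
    if lost:
        return (f"{len(lost)} of {len(sent)} echo requests got no reply: requests reach the ASA, "
                "so check the target host and the return path (its gateway, mask, VLAN)")
    return f"all {len(sent)} echo requests answered: ICMP passes through the ASA both ways"


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_DEBUG)
    print(match_echoes(ev))
    print(diagnose("192.168.41.10", "192.168.40.10", ev))
```

Run against the output of a real "debug icmp trace" session, the three buckets separate the two failure modes the thread circles around: if no requests from the DMZ host appear at all, the problem is on the DMZ host's side of the ASA (gateway, mask, VLAN), and if requests appear but replies do not, the problem is the target host or the return path.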

Jennifer Halim Wed, 06/20/2012 - 08:09
Cisco Employee

?? Are you just pinging from ASA towards your DMZ host?

I thought you were having an issue with ping through the firewall from the DMZ host??

rwharris13 Wed, 06/20/2012 - 08:15

Yes through the firewall. From the DMZ to internal hosts, from the DMZ to the internet.

rwharris13 Wed, 06/20/2012 - 08:17

I just restarted the ASA, and it's working now without any changes done....
