06-09-2009 08:20 AM - edited 03-11-2019 08:41 AM
Hi, hope someone can help. I've been working on setting up access from some clients on the inside interface to a host on the dmz. I've been unable to get it working so far. The config is below.
ASA Version 7.0(8)
!
enable password Bte2XWw78iXdJmqt encrypted
passwd Bte2XWw78iXdJmqt encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240 standby x.x.x.x
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.224 255.255.255.0 standby 10.0.0.225
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.901
vlan 901
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Management0/0
description LAN Failover Interface
!
ftp mode passive
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit ip any host 192.168.1.50 log
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
failover
failover lan unit primary
failover lan interface LANFAIL Management0/0
failover polltime unit msec 500 holdtime 5
failover polltime interface 3
failover key *****
failover interface ip LANFAIL 172.16.0.1 255.255.255.0 standby 172.16.0.2
icmp permit any inside
icmp permit any dmz
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.0.0.0 10.0.0.252 1
route inside 192.168.0.0 255.255.255.0 10.0.0.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username administrator password 1V34C/gDgAuBFfnF encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.240 outside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:e3c62475fae1d5ffaf08dc9b5f5a1483
: end
I can see the following in the log when the connection fails when trying icmp from the inside host 10.0.0.92 to the dmz host 192.168.1.50.
%ASA-7-609002: Teardown local-host inside:10.0.0.92 duration 0:00:02
%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:02
Any help would be greatly appreciated.
06-10-2009 04:33 AM
No, still no luck. icmp still not working... I've tried other ports, such as http and rdp that I know the host is listening on, but no connection.
06-10-2009 04:35 AM
have you removed the above routes?
06-10-2009 04:50 AM
Yes, I have removed the routes. The device I am trying to ping 192.168.1.50 from is on the same 10.x subnet as the inside interface as the ASA, so there are no routes other than the one outside. Still not working. Any more ideas?
06-10-2009 05:05 AM
pls post your config again. I want to go through it one last time...
06-10-2009 05:12 AM
Thanks for your help, really appreciate it.
Here is the config.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240 standby x.x.x.x
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.224 255.255.255.0 standby 10.0.0.225
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.901
vlan 901
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Management0/0
description LAN Failover Interface
!
ftp mode passive
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit ip any host 192.168.1.50 log
access-list inside-in extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list inside-in extended permit icmp any any
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
failover
failover lan unit primary
failover lan interface LANFAIL Management0/0
failover polltime unit msec 500 holdtime 5
failover polltime interface 3
failover key *****
failover interface ip LANFAIL 172.16.0.1 255.255.255.0 standby 172.16.0.2
icmp permit any inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group inside-in in interface inside
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username administrator password 1V34C/gDgAuBFfnF encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:e3c62475fae1d5ffaf08dc9b5f5a1483
: end
[OK]
06-10-2009 05:27 AM
You still have some lines I asked you to remove above.
Copy and paste
nat (inside) 1 0.0.0.0 0.0.0.0
no global (dmz) 1 interface
no access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list dmz-in extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
you should have
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside-in extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list inside-in extended permit icmp any any
For testing we are permitting IP ANY ANY for now.
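The advice above hinges on how a pre-8.3 ASA with `nat-control` decides whether a flow between two interfaces has a translation: it checks NAT exemption (`nat 0 access-list`), then `static` entries, then a `nat`/`global` pair with matching ids, and drops the flow if none applies. The following Python is an added example, not code from the thread or from Cisco; it models that lookup order in simplified form (only `permit ip` ACL entries, no policy or outside NAT) and runs it over constructed excerpts built from the NAT lines the two posters exchanged, so you can see which path a 10.0.0.92 to 192.168.1.50 flow takes under each variant before touching the firewall.

```python
"""Simplified model of classic (pre-8.3) ASA NAT lookup for a single flow.

Constructed example. Assumptions: only `permit ip` ACL entries are parsed,
there is no policy NAT and no outside NAT, and the lookup order is
NAT exemption -> static -> dynamic nat/global pair, as on a classic ASA.
"""
import ipaddress

EXEMPT = "exempt"                 # nat 0 access-list: identity, no xlate needed
STATIC = "static"                 # static (real,mapped): bidirectional xlate
DROPPED = "dropped: no translation (nat-control)"
UNTRANSLATED = "untranslated"     # no nat-control: flow passes without an xlate


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_endpoint(tokens, i):
    """Parse one ACL address term at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _net(tokens[i], tokens[i + 1]), i + 2


def parse_nat_config(lines):
    cfg = {"nat_control": False, "exempt": {}, "static": [],
           "dynamic": [], "global": {}, "acl": {}}
    for raw in lines:
        t = raw.split()
        if not t:
            continue
        if t[0] == "nat-control":
            cfg["nat_control"] = True
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _acl_endpoint(t, 5)
            dst, _ = _acl_endpoint(t, i)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            iface, nat_id = t[1].strip("()"), int(t[2])
            if nat_id == 0 and t[3] == "access-list":
                cfg["exempt"][iface] = t[4]          # NAT exemption ACL name
            else:
                cfg["dynamic"].append((iface, nat_id, _net(t[3], t[4])))
        elif t[0] == "global":
            cfg["global"].setdefault(int(t[2]), []).append(t[1].strip("()"))
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            # static (REAL_IF,MAPPED_IF) MAPPED_ADDR REAL_ADDR [netmask MASK]
            mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
            cfg["static"].append((real_if, mapped_if, _net(t[3], mask), _net(t[2], mask)))
    return cfg


def nat_decision(cfg, src_if, dst_if, src_ip, dst_ip):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption: forward on the ingress interface, or reversed on the
    #    egress interface, because exemption applies in both directions.
    for iface, forward in ((src_if, True), (dst_if, False)):
        for s, d in cfg["acl"].get(cfg["exempt"].get(iface, ""), []):
            a, b = (src, dst) if forward else (dst, src)
            if a in s and b in d:
                return EXEMPT
    # 2. static: real->mapped direction, or the reverse via the mapped address.
    for real_if, mapped_if, real_net, mapped_net in cfg["static"]:
        if (real_if, mapped_if) == (src_if, dst_if) and src in real_net:
            return STATIC
        if (real_if, mapped_if) == (dst_if, src_if) and dst in mapped_net:
            return STATIC
    # 3. dynamic: the nat id on the ingress interface needs a global on egress.
    for iface, nat_id, real_net in cfg["dynamic"]:
        if iface == src_if and src in real_net and dst_if in cfg["global"].get(nat_id, []):
            return f"dynamic (global {nat_id} on {dst_if})"
    return DROPPED if cfg["nat_control"] else UNTRANSLATED


def check_flow(config_text, src_if, dst_if, src_ip, dst_ip):
    return nat_decision(parse_nat_config(config_text.splitlines()),
                        src_if, dst_if, src_ip, dst_ip)


# Constructed excerpts: NAT lines from the first post, from the recommended
# fix, and a variant with no inside->dmz rule at all.
ORIGINAL = """
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
"""
RECOMMENDED = """
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
"""
NO_RULE = """
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("recommended", RECOMMENDED), ("no rule", NO_RULE)):
        print(f"{name:12s} inside->dmz:", check_flow(cfg, "inside", "dmz", "10.0.0.92", "192.168.1.50"))
```

Note that the poster's first config already exempts the flow via `nat (inside) 0 access-list nonat`, so the model returns `exempt` for it; that agrees with the later observation that connections were being built, which points at the host rather than at NAT. The `NO_RULE` variant shows the outcome the recommended `static` prevents: under `nat-control` a flow with no matching exemption, static, or nat/global pair is dropped.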
06-10-2009 09:00 AM
You are still only trying icmp? I see icmp built and teardown messages. So, the conns are getting built.
Are these Windows PCs? Do they have the firewall turned on? Especially the one that is supposed to reply for icmp.
If so, turn it off and try it pls.
Try some tcp connection like RDP or http or telnet.