Re: ASA, inside to dmz access - Page 2

kegodfrey · ‎06-09-2009

Hi, hope someone can help. I've been working on setting up access from some clients on the inside interface to a host on the dmz. I've been unable to get it working so far. The config is below.

ASA Version 7.0(8)

!

enable password Bte2XWw78iXdJmqt encrypted

passwd Bte2XWw78iXdJmqt encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240 standby x.x.x.x

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.224 255.255.255.0 standby 10.0.0.225

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.901

vlan 901

nameif dmz

security-level 50

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

!

interface Management0/0

description LAN Failover Interface

!

ftp mode passive

access-list dmz-in extended permit icmp any any

access-list dmz-in extended permit ip any host 192.168.1.50 log

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.

0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

failover

failover lan unit primary

failover lan interface LANFAIL Management0/0

failover polltime unit msec 500 holdtime 5

failover polltime interface 3

failover key *****

failover interface ip LANFAIL 172.16.0.1 255.255.255.0 standby 172.16.0.2

icmp permit any inside

icmp permit any dmz

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

access-group dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.0.0.0 255.0.0.0 10.0.0.252 1

route inside 192.168.0.0 255.255.255.0 10.0.0.252 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username administrator password 1V34C/gDgAuBFfnF encrypted privilege 15

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh x.x.x.x 255.255.255.240 outside

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:e3c62475fae1d5ffaf08dc9b5f5a1483

: end

I can see in the log the following when the connection fails when trying icmp form the inside host 10.0.0.92 to the dmz host 192.168.1.50.

%ASA-7-609002: Teardown local-host inside:10.0.0.92 duration 0:00:02

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:02

Any help would be greatly appreciated.

kegodfrey · ‎06-10-2009

No, still no luck. icmp still not working... I've tried other ports, such as http and rdp that I know the host is listening on, but no connection.

francisco_1 · ‎06-10-2009

have you removed the above routes?

kegodfrey · ‎06-10-2009

Yes, I have removed the routes. The device I am trying to ping 192.168.1.50 from is on the same 10.x subnet as the inside interface as the ASA, so there are no routes other than the one outside. Still not working. Any more ideas?

francisco_1 · ‎06-10-2009

pls post your config again. I want to go through it one last time...

kegodfrey · ‎06-10-2009

Thanks for your help, really appreciate it.

Here is the config.

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240 standby x.x.x.x

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.224 255.255.255.0 standby 10.0.0.225

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.901

vlan 901

nameif dmz

security-level 50

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

!

interface Management0/0

description LAN Failover Interface

!

ftp mode passive

access-list dmz-in extended permit icmp any any

access-list dmz-in extended permit ip any host 192.168.1.50 log

access-list inside-in extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.

255.0

access-list inside-in extended permit icmp any any

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.

0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

failover

failover lan unit primary

failover lan interface LANFAIL Management0/0

failover polltime unit msec 500 holdtime 5

failover polltime interface 3

failover key *****

failover interface ip LANFAIL 172.16.0.1 255.255.255.0 standby 172.16.0.2

icmp permit any inside

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

global (dmz) 1 interface

nat (dmz) 1 192.168.1.0 255.255.255.0

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

access-group inside-in in interface inside

access-group dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username administrator password 1V34C/gDgAuBFfnF encrypted privilege 15

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:e3c62475fae1d5ffaf08dc9b5f5a1483

: end

[OK]

francisco_1 · ‎06-10-2009

you still have some lines i asked you to remove above.

Copy and paste

nat (inside) 1 0.0.0.0 0.0.0.0

no global (dmz) 1 interface

no access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

access-list dmz-in extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

you should have

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 192.168.1.0 255.255.255.0

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

access-list dmz-in extended permit icmp any any

access-list dmz-in extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list inside-in extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

access-list inside-in extended permit icmp any any

for testing we are permiting IP ANY ANY for now..

Kureli Sankar · ‎06-10-2009

You are still only trying icmp? I see icmp built and teardown mesages. So, the conns are getting built.

Are these windows PCs. Do they have the firewall turned on? Especially the one that is supposed to reply for icmp.

If so, turn it off and try it pls.

Try some tcp connection like RDP or http or telnet.