05-19-2009 04:52 PM - edited 03-11-2019 08:34 AM
Hi,
I have setup a network below:
LAN <==> (Cisco ASA) <==> Internet
^
|
DMZ
I'm having a problem connecting (pinging) from Internal to hosts on the DMZ.
My plan is to allow all hosts on Internal to connect (ping) to the DMZ. IP addresses on Internal should not be NATted toward the DMZ.
And allow some of the hosts to connect to Internal hosts, also with no NAT.
Below is my current configuration:
=======================
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password Qe0yKBKYpRMBmOsL encrypted
names
!
interface Ethernet0/0
nameif external
security-level 0
ip address 116.xyz.xyz.228 255.255.255.192
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.0.253 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu external 1500
mtu internal 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
access-group ping in interface external
access-group ping in interface dmz
route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f8ad3795ba88821b7fd8294ed015999
: end
====================
Sorry, I'm new to Cisco and I am eager to learn.
I hope you can help me.
Thanks,
Lonski
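One thing worth checking in a posted config like this is whether each static actually covers the subnet configured on its real interface: here the internal interface is 172.31.24.253/21 while the static is written against 172.31.0.0 with the same /21 mask, and 172.31.0.0/21 is a different block (172.31.0.0 to 172.31.7.255). The script below is an added example, not part of the thread or of Cisco's tooling; it parses the ASA 8.x `static (real,mapped) mapped_ip real_ip netmask mask` form from a pasted config and reports, per rule, whether the real network contains the interface subnet and a test host. The "fixed" variant is an assumed rewrite used only for comparison.

```python
import ipaddress
import re

# Constructed sample: the relevant lines copied from the configuration posted above.
POSTED_CONFIG = """\
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.253 255.255.255.0
!
static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
"""

# Assumed corrected form for comparison (not taken from the thread): the static
# rewritten so its network is the /21 the internal interface actually lives in.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0",
    "static (internal,dmz) 172.31.24.0 172.31.24.0 netmask 255.255.248.0",
)

# ASA 8.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) netmask (\S+)",
    re.MULTILINE,
)


def parse_interfaces(cfg):
    """Map each nameif to the IPv4Network configured on that interface."""
    nets, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current is not None:
            _, _, addr, mask = line.split()
            nets[current] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    return nets


def parse_statics(cfg):
    """Return one dict per static rule with real and mapped networks as objects."""
    rules = []
    for m in STATIC_RE.finditer(cfg):
        real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
        rules.append({
            "real_if": real_if,
            "mapped_if": mapped_if,
            "real": ipaddress.IPv4Network(f"{real_ip}/{mask}", strict=False),
            "mapped": ipaddress.IPv4Network(f"{mapped_ip}/{mask}", strict=False),
        })
    return rules


def audit_statics(cfg, host):
    """For each static, report whether its real network contains the real
    interface's subnet and whether it contains the given test host."""
    nets = parse_interfaces(cfg)
    host = ipaddress.IPv4Address(host)
    findings = []
    for rule in parse_statics(cfg):
        iface_net = nets.get(rule["real_if"])
        covers_iface = iface_net is not None and iface_net.subnet_of(rule["real"])
        findings.append({
            "rule": f"static ({rule['real_if']},{rule['mapped_if']}) {rule['real']}",
            "identity": rule["real"] == rule["mapped"],
            "covers_interface_subnet": covers_iface,
            "covers_host": host in rule["real"],
        })
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        for f in audit_statics(cfg, "172.31.26.65"):
            print(label, f)
```

Run against the posted config, the rule is an identity static (real and mapped networks equal) but covers neither the interface subnet nor the host 172.31.26.65 that appears in the later traces; the rewritten form covers both. The check only tells you whether the static can match the hosts concerned, not whether it is the reason a given ping fails.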
05-19-2009 07:26 PM
Hi Mike,
I tried removing 'access-group ping in interface external' and the result is it will not let me ping internet (ie. google.com)
I tried issuing 'access-group ping in interface dmz' but still same result. I'm unable to ping from internal to dmz.
Thanks,
05-19-2009 07:27 PM
Sorry, it's already on your DMZ interface. Forget my last post.
05-19-2009 07:54 PM
You can remove this command:
access-list ping extended permit icmp any any echo
Other than that the config looks ok to me. ... It is late though and it's been a long day.
The only other item I can think of to check tonight is the routing tables on the internal and DMZ systems, to make sure they're not sending the traffic somewhere else. I believe the command is route print on a Microsoft box.
05-19-2009 08:54 PM
Hi Mike,
Yeah, it's been a long day.
Just a thought, do we need to change from static to dynamic nat?
I'm not sure, I'm thinking that internal is unable to communicate with dmz because it is from different subnet since we used the static nat. ??? not so sure. =)
Thanks
05-20-2009 02:10 AM
Hi Mike,
Hope this ICMP log from ASA will help:
FROM INTERNAL
TO Internal Interface: (successful)
----------------------
ICMP echo request from 172.31.26.65 to 172.31.24.253 ID=1024 seq=18654 len=32
ICMP echo reply from 172.31.24.253 to 172.31.26.65 ID=1024 seq=18654 len=32
----------------------
TO External (yahoo.com): (successful)
----------------------
ICMP echo request from internal:172.31.26.65 to external:209.191.93.53 ID=1024 seq=19166 len=32
ICMP echo request translating internal:172.31.26.65/1024 to external:116.50.189.228/5
ICMP echo reply from external:209.191.93.53 to internal:116.xyz.xyz.228 ID=5 seq=19166 len=32
ICMP echo reply untranslating external:116.xyz.xyz.228/5 to internal:172.31.26.65/1024
----------------------
TO DMZ Interface: (not successful)
----------------------
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20190 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20446 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20702 len=32
----------------------
TO host on DMZ segment: (not successful)
----------------------
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=20958 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=21214 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=21470 len=32
----------------------
Thanks,
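A trace like this is easiest to read when requests are paired with their replies automatically. The script below is an added example, not part of the thread; it parses the ICMP debug lines (copied from the post as constructed sample input), skips the translating/untranslating lines, and reports per destination how many echo requests were answered. Replies are matched on the reply's source address and sequence number rather than the ICMP ID, because the external trace shows PAT rewriting the ID (1024 becomes 5) before the reply is untranslated.

```python
import re
from collections import defaultdict

# Constructed sample: the ICMP debug lines from the post above, one per line.
SAMPLE_LOG = """\
ICMP echo request from 172.31.26.65 to 172.31.24.253 ID=1024 seq=18654 len=32
ICMP echo reply from 172.31.24.253 to 172.31.26.65 ID=1024 seq=18654 len=32
ICMP echo request from internal:172.31.26.65 to external:209.191.93.53 ID=1024 seq=19166 len=32
ICMP echo request translating internal:172.31.26.65/1024 to external:116.xyz.xyz.228/5
ICMP echo reply from external:209.191.93.53 to internal:116.xyz.xyz.228 ID=5 seq=19166 len=32
ICMP echo reply untranslating external:116.xyz.xyz.228/5 to internal:172.31.26.65/1024
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20190 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20446 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=20958 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=21214 len=32
"""

# Matches "ICMP echo request|reply from [ifc:]addr to [ifc:]addr ID=n seq=n len=n".
# The interface prefix is optional because pings to the ASA's own interface
# are logged without one (first two lines above).
LINE_RE = re.compile(
    r"^ICMP echo (request|reply) from (?:(\w+):)?(\S+) to (?:(\w+):)?(\S+) "
    r"ID=(\d+) seq=(\d+) len=(\d+)$"
)


def parse_icmp_lines(text):
    """Yield one dict per echo request/reply line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, src_if, src, dst_if, dst, icmp_id, seq, length = m.groups()
        yield {
            "kind": kind, "src_if": src_if, "src": src,
            "dst_if": dst_if, "dst": dst,
            "id": int(icmp_id), "seq": int(seq), "len": int(length),
        }


def unanswered_pings(text):
    """Group requests by (destination interface, destination address) and
    count how many were answered.  A reply counts when its source equals the
    request's destination and the sequence numbers match; the ICMP ID is
    deliberately not compared because PAT rewrites it on the way out."""
    requests = defaultdict(list)
    replies = set()
    for rec in parse_icmp_lines(text):
        if rec["kind"] == "request":
            requests[(rec["dst_if"], rec["dst"])].append(rec["seq"])
        else:
            replies.add((rec["src"], rec["seq"]))
    report = {}
    for (dst_if, dst), seqs in requests.items():
        answered = sum(1 for s in seqs if (dst, s) in replies)
        report[(dst_if, dst)] = {"sent": len(seqs), "answered": answered}
    return report


if __name__ == "__main__":
    for (dst_if, dst), counts in unanswered_pings(SAMPLE_LOG).items():
        where = f"{dst_if}:{dst}" if dst_if else dst
        print(f"{where:30} sent={counts['sent']} answered={counts['answered']}")
```

On this sample the internal interface and the external host both show every request answered, while both DMZ destinations show requests with no reply at all, which is the pattern of traffic being dropped or never returned rather than of slow replies. Keeping the DMZ interface address and the DMZ host as separate rows matters, since the two can fail for different reasons.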
05-25-2009 06:09 PM
Hi,
I was able to resolve the issue by adding the following:
nat (internal) 1 192.168.0.0 255.255.255.0
global (dmz) 1 interface
clear arp
clear xlate
clear local
Thanks
05-25-2009 06:56 PM
You can only ping the closest interface to the client - meaning from an inside host you cannot ping the DMZ interface IP address of the firewall.
With that said,
1. the static looks correct.
2. permission looks correct also.
In fact you can remove this line
access-group ping in interface dmz
and add the inspect icmp
policy-map global_policy
class inspection_default
inspect icmp
If the above doesn't work, please collect the syslogs (while you ping the DMZ host continuously) and paste them here.
logging on
logging buffered 7
sh logg | i 172.31.26.65
05-25-2009 07:13 PM
Hi Kusankar,
Actually, it's working already.
I tried removing 'access-group ping in interface dmz' and added 'inspect icmp' and it's working too.
Thanks for your support. I really appreciate it. =)
Thanks,
Lonski
05-19-2009 05:58 PM
Hi Mike,
I have replaced the static based on your suggestion, but it still gives the same result.
By the way, this is the range of ip address of the internal:
172.31.24.0 - 172.31.24.255
172.31.25.0 - 172.31.25.255
172.31.26.0 - 172.31.26.255
172.31.27.0 - 172.31.27.255
172.31.28.0 - 172.31.28.255
172.31.29.0 - 172.31.29.255
172.31.30.0 - 172.31.30.255
172.31.31.0 - 172.31.31.255
Thanks