CISCO ASA: Unable to connect to DMZ

lonskinini
Level 1

Hi,

I have set up the network below:

LAN <==> (Cisco ASA) <==> Internet
              ^
              |
             DMZ

I'm having a problem connecting (ping) from Internal to hosts on the DMZ.

My plan is to allow all hosts on Internal to connect (ping) to DMZ. IP addresses on Internal should not be NATed on DMZ.

And allow some of the hosts to connect to Internal hosts, also with no NAT.

Below is my current configuration:

=======================

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password Qe0yKBKYpRMBmOsL encrypted
names
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 116.xyz.xyz.228 255.255.255.192
!
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.253 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu external 1500
mtu internal 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
access-group ping in interface external
access-group ping in interface dmz
route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f8ad3795ba88821b7fd8294ed015999
: end

====================

Sorry, I'm new to Cisco and I am eager to learn Cisco.

Hope you can help me.

Thanks,

Lonski

23 Replies

Hi Mike,

I tried removing 'access-group ping in interface external' and the result is that it will not let me ping the Internet (i.e. google.com).

I tried issuing 'access-group ping in interface dmz' but still the same result. I'm unable to ping from internal to dmz.

Thanks,

Sorry, it's already on your DMZ interface. Forget my last post.

You can remove this command:

access-list ping extended permit icmp any any echo

Other than that the config looks ok to me. ... It is late though and it's been a long day.

The only other item I can think of to check tonight is the routing tables on the internal and DMZ systems to make sure they're not sending the traffic somewhere else. I believe the command is route print on a Microsoft box.

Hi Mike,

Yeah, it's been a long day.

Just a thought, do we need to change from static to dynamic nat?

I'm not sure, I'm thinking that internal is unable to communicate with dmz because it is from a different subnet since we used the static NAT. ??? Not so sure. =)

Thanks

Hi Mike,

Hope this ICMP log from the ASA will help:

FROM INTERNAL

TO Internal Interface: (successful)
----------------------
ICMP echo request from 172.31.26.65 to 172.31.24.253 ID=1024 seq=18654 len=32
ICMP echo reply from 172.31.24.253 to 172.31.26.65 ID=1024 seq=18654 len=32
----------------------

TO External (yahoo.com): (successful)
----------------------
ICMP echo request from internal:172.31.26.65 to external:209.191.93.53 ID=1024 seq=19166 len=32
ICMP echo request translating internal:172.31.26.65/1024 to external:116.50.189.228/5
ICMP echo reply from external:209.191.93.53 to internal:116.xyz.xyz.228 ID=5 seq=19166 len=32
ICMP echo reply untranslating external:116.xyz.xyz.228/5 to internal:172.31.26.65/1024
----------------------

TO DMZ Interface: (not successful)
----------------------
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20190 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20446 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.253 ID=1024 seq=20702 len=32
----------------------

TO host on DMZ segment: (not successful)
----------------------
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=20958 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=21214 len=32
ICMP echo request from internal:172.31.26.65 to dmz:192.168.0.180 ID=1024 seq=21470 len=32
----------------------

Thanks,

Hi,

I was able to resolve the issue by adding the following:

nat (internal) 1 192.168.0.0 255.255.255.0
global (dmz) 1 interface
clear arp
clear xlate
clear local

Thanks
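To see why 'global (dmz) 1 interface' changed the outcome, here is a small model of the pre-8.3 ASA NAT lookup, added here and not part of the thread. It assumes the classic order (static rules first, then dynamic nat/global pairs matched by id, with a dynamic match that has no global on the egress interface being dropped) and uses only the NAT lines and interface addresses from the posted config; note that 172.31.0.0 with netmask 255.255.248.0 is 172.31.0.0-172.31.7.255 and does not contain 172.31.26.65.

```python
import ipaddress

# NAT lines from the posted 8.0(2) config (pre-8.3 syntax)
ORIGINAL_NAT = """\
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
"""
IFC_ADDRS = {"external": "116.xyz.xyz.228", "dmz": "192.168.0.253"}  # from the config

def parse_nat(text):
    """Collect static / nat / global lines into (statics, dynamic, pools)."""
    statics, dynamic, pools = [], [], {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":    # static (real_ifc,mapped_ifc) mapped real netmask mask
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            real_net = ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)
            statics.append((real_ifc, mapped_ifc, real_net, ipaddress.ip_address(t[2])))
        elif t[0] == "nat":     # nat (ifc) id net mask
            dynamic.append((t[1].strip("()"), int(t[2]),
                            ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":  # global (ifc) id interface|address
            pools[(t[1].strip("()"), int(t[2]))] = t[3]
    return statics, dynamic, pools

def nat_decision(text, src_ifc, dst_ifc, src_ip):
    """Assumed pre-8.3 order: statics first, then dynamic nat/global by id;
    a dynamic match with no global on the egress interface is dropped."""
    statics, dynamic, pools = parse_nat(text)
    src = ipaddress.ip_address(src_ip)
    for real_ifc, mapped_ifc, real_net, mapped_base in statics:
        if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and src in real_net:
            return f"static -> {mapped_base + (int(src) - int(real_net.network_address))}"
    for ifc, nat_id, net in dynamic:
        if ifc == src_ifc and src in net:
            pool = pools.get((dst_ifc, nat_id))
            if pool is None:
                return "drop: nat id matched but no global on egress"
            return f"pat -> {IFC_ADDRS[dst_ifc] if pool == 'interface' else pool}"
    return "untranslated"

if __name__ == "__main__":
    # The static covers 172.31.0.0-172.31.7.255, so it never matches 172.31.26.65
    print(nat_decision(ORIGINAL_NAT, "internal", "dmz", "172.31.26.65"))
    print(nat_decision(ORIGINAL_NAT + "global (dmz) 1 interface\n", "internal", "dmz", "172.31.26.65"))
    print(nat_decision(ORIGINAL_NAT.replace("172.31.0.0", "172.31.24.0"), "internal", "dmz", "172.31.26.65"))
```

The third call shows the no-NAT outcome the original post asked for: an identity static covering the actual internal range (172.31.24.0/21) matches before the dynamic rule, so no PAT to the dmz interface is needed.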

You can only ping the closest interface to the client - meaning from an inside host you cannot ping the DMZ interface IP address of the firewall.

With that said,

1. the static looks correct.

2. permission looks correct also.

In fact you can remove this line

access-group ping in interface dmz

and add the inspect icmp:

policy-map global_policy
 class inspection_default
  inspect icmp

If the above doesn't work, please collect the syslogs (while you ping the DMZ host continuously) and paste them here.

logging on
logging buffered 7
sh logg | i 172.31.26.65

Hi Kusankar,

Actually, it's working already.

I tried removing 'access-group ping in interface dmz' and added 'inspect icmp' and it's working too.

Thanks for your support. I really appreciate it. =)

Thanks,

Lonski

Hi Mike,

I have replaced the static based on your suggestion but it still has the same result.

By the way, these are the IP address ranges of the internal network:

172.31.24.0 - 172.31.24.255
172.31.25.0 - 172.31.25.255
172.31.26.0 - 172.31.26.255
172.31.27.0 - 172.31.27.255
172.31.28.0 - 172.31.28.255
172.31.29.0 - 172.31.29.255
172.31.30.0 - 172.31.30.255
172.31.31.0 - 172.31.31.255

Thanks
