Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Pinging DMZ Server from outside without applying Access list to DMZ Interf.

************************

Kindly look on the configuration and guide me please.

************************

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 10.10.10.2 255.255.255.252

!

interface GigabitEthernet0/1

nameif Inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface GigabitEthernet0/2

nameif DMZ

security-level 50

ip address 192.168.100.1 255.255.255.0

!

interface GigabitEthernet0/3

description LAN Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa804-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp

access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www

access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www

access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0

access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080

access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777

access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777

access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080

access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080

access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777

access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any

access-list DMZ_access_in extended permit ip host 192.168.100.0 192.168.0.0 255.255.255.0

access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any

access-list traffic_for_ips extended permit ip any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu Inside 1500

mtu DMZ 1500

mtu management 1500

ip verify reverse-path interface outside

ip verify reverse-path interface Inside

failover

failover lan unit primary

failover lan interface failovetr-int GigabitEthernet0/3

failover replication http

failover interface ip failovetr-int 10.250.250.1 255.255.255.252 standby 10.250.250.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-61551.bin

asdm history enable

arp timeout 14400

nat (Inside) 0 access-list nonat

nat (DMZ) 0 access-list nonatDMZ

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

3 REPLIES
Cisco Employee

Re: Pinging DMZ Server from outside without applying Access list

Pls. provide the output of "sh run policy-map" make sure there inspect icmp is enabled.

example:

policy-map global_policy

class inspection_default

inspect ftp

.

.

.

inspect icmp

service-policy global_policy global

Community Member

Re: Pinging DMZ Server from outside without applying Access list

**********************

Kindly look at my configuration and guide me how i can solve my problem,

1.Im able to ping 192.168.100.215 server in DMZ from outside source ip 192.168.255.1 how? it is possible without apply access list to DMZ interface.2. when im applying access list to DMZ inerface then from outside im not able to ping DMZ server 192.168.100.215.why?

3. I want to access to DMZ network from Inside network. if any thing wrong pleae guide me.my complete ASA configuration as following.

******************************************* ASA Version 8.0(4)

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 10.10.10.2 255.255.255.252

interface GigabitEthernet0/1

nameif Inside

security-level 100

ip address 192.168.0.1 255.255.255.0

interface GigabitEthernet0/2

nameif DMZ

security-level 50

ip address 192.168.100.1 255.255.255.0

interface GigabitEthernet0/3

description LAN Failover Interface

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp

access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www

access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www

access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0

access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080

access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777

access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777

access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080

access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080

access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777

access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any

access-list DMZ_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list DMZ_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0

access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any

access-list traffic_for_ips extended permit ip any any

nat (Inside) 0 access-list nonat

nat (DMZ) 0 access-list nonatDMZ

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

dynamic-access-policy-record DfltAccessPolicy

class-map inspection_default

match default-inspection-traffic

class-map ips_class_map

match access-list traffic_for_ips

policy-map type inspect dns migrated_dns_map_2

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_2

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

class ips_class_map

ips inline fail-open

: end

ASA#

Community Member

Re: Pinging DMZ Server from outside without applying Access list

Answering your question "1.Im able to ping 192.168.100.215 server in DMZ from outside source ip 192.168.255.1 how?"...because of following rule:

!

access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0

!

When you allow ip access... you are allowing mostly anything from Internet. Make note that ICMP & IGMP operate on top of IP but do not transport data like UDP or TCP.... Also, not taking too much time...the following is wrong as well:

!

access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0

!

Why? Because if your DMZ is only 192.168.100.x...then you should always see 192.168.100.x after your permit + protocol and not 192.168.255.x

!

If 192.168.255.x is coming from outside & you wanted to give 100% access to your DMZ (which no one does), the correct statement would be (as you have):

!

access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0

!

Via above command, you are giving Internet users on 192.168.255.x segment total access to any 192.168.0.0 no matter what interface (inside or DMZ).

!

Note: Make sure you have the following as well

!

Access-list inside_access_all permit ip any any

!

access-group inside_access_all in interface inside

!

access-list DMZ_access_all permit icmp any any

!

also add your other dmz servers accessing inside or outside after this line

!

access-group DMZ_access_all in interface DMZ

!

Note: why am I, calling this DMZ_access_all and not DMZ_access_in…because sooner or later, your DMZ servers need to access http, ftp, https outside and you can only have 2 access group only depending on direction of traffic… Most FW admin config call for one access group per interface. Also, more recent codes require you to have a access group on inside interface... however its a godd idea to have this, in case later you have an inside host attacking outside, you can block that inside host by placing an access list on top of permit ip an any... I hope this helps and good luck... Matt

203
Views
4
Helpful
3
Replies
CreatePlease to create content