
Unable to contact host in DMZ through ASA 5505

remitprosupport
Level 1

Hello all,

I'm unable to connect to a host in a DMZ (interface has security level 10), from a host on an "inside" network with security level 100. The host on the DMZ net can ping its gateway, and the "inside" host can ping its gateway. I've applied a rule on the inside interface to allow the host to connect using RDP, FTP, and FTP-data. I've also set up static identity NATs between the two interfaces. The packet tracer shows RDP and FTP packets should pass, and when I attempt to connect from the inside host to the DMZ I can see the connection being made in the firewall's log, but I still can't connect.

To verify remote desktop and the FTP server were working I moved the host to another network (security level 100) and was able to connect.

Here are the pertinent config entries. If I need to provide more information, please let me know.

interface Ethernet0/1
 switchport access vlan 50

interface Vlan50
 nameif dmz
 security-level 10
 ip address 192.168.50.1 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group service DM_INLINE_TCP_2 tcp
 group-object RDP
 port-object eq ftp
 port-object eq ftp-data

access-list systems_access_in extended permit tcp object-group office_SysAdmin host RPOFCFTP object-group DM_INLINE_TCP_2

static (dmz,systems) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (systems,dmz) 192.168.250.0 192.168.250.0 netmask 255.255.255.0

Any help is greatly appreciated...

Accepted Solution

Jennifer Halim
Cisco Employee

Based on the configuration, assuming that you are trying to access DMZ from "systems" interface, the following static NAT needs to be removed as it is not required:

no static (dmz,systems) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

Then, please perform "clear xlate".

To test connectivity via RDP, can you please test to see if you can telnet on port 3389, and for FTP, see if you can telnet on port 21 and get a prompt.

You might want to share the configuration on:

1) Object-group office_SysAdmin

2) IP Address of host RPOFCFTP

3) Group-object RDP

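The "telnet to port 3389 / port 21" check from the accepted answer, written out as an added example (not part of this thread and not a Cisco tool). It does the same thing with a plain TCP socket but classifies the outcome, because the three ways a probe can fail point at different places: a refused connection means the path is fine and the service is down, a silent timeout means a drop on the path or a missing route (the original poster's bad host route produces exactly that), and an immediate "unreachable" means the probing host itself has no route. The banner logic also reflects a detail worth knowing when you do this by hand: FTP sends a `220` greeting first, RDP does not, so a connected-but-blank telnet session on 3389 is a success. The loopback listener and its banner are constructed so the example runs offline; the host name and ports are assumptions to replace with the DMZ host's real address.

```python
import socket
import threading

# Added example, not from the thread: the TCP reachability test suggested in
# the accepted answer, with the result classified for troubleshooting.


def tcp_probe(host, port, timeout=3.0, expect_banner=False):
    """Attempt a TCP connection to host:port and classify the outcome.

    status is one of:
      open        - handshake completed: ACL, NAT and routing all pass for
                    this flow; banner holds what the server sent first, if
                    expect_banner is set
      refused     - host answered with RST: reachable, but nothing listens on
                    that port (or a host firewall rejects it)
      timeout     - no SYN-ACK at all: a silent drop on the path, or a routing
                    problem on either end (wrong gateway, no return route)
      unreachable - the local stack could not even send (no route, or an ICMP
                    unreachable came back)
    """
    result = {"host": host, "port": port, "status": None, "banner": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["status"] = "open"
            if expect_banner:
                # FTP (21) speaks first; RDP (3389) waits for the client, so
                # a connected-but-silent socket is normal there.
                sock.settimeout(1.0)
                try:
                    data = sock.recv(256)
                    result["banner"] = data.decode("ascii", "replace").strip() or None
                except socket.timeout:
                    pass
    except ConnectionRefusedError:
        result["status"] = "refused"
    except socket.timeout:
        result["status"] = "timeout"
    except OSError:
        result["status"] = "unreachable"
    return result


def start_banner_listener(banner=b"220 constructed-ftp ready\r\n"):
    """Constructed stand-in for the FTP service on the DMZ host, bound to an
    ephemeral loopback port so the example runs offline. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port():
    """Return a loopback port with nothing listening, to show the 'refused' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_checks(host, rdp_port=3389, ftp_port=21):
    """The two checks from the accepted answer. host is an assumption:
    put the DMZ host's real IP (RPOFCFTP in the thread) here."""
    return {
        "rdp": tcp_probe(host, rdp_port, expect_banner=False),
        "ftp": tcp_probe(host, ftp_port, expect_banner=True),
    }


if __name__ == "__main__":
    srv, port = start_banner_listener()
    print(tcp_probe("127.0.0.1", port, expect_banner=True))  # open, 220 banner
    print(tcp_probe("127.0.0.1", free_port()))               # refused
    srv.close()
```

Run it from the "inside" host itself, not from the firewall: the point of the check is to exercise the client's own routing table, which is what turned out to be wrong in this thread. A `timeout` on both ports while `packet-tracer` on the ASA says the flow is allowed is the signature of that case.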

4 Replies

remitprosupport
Level 1

Please disregard. The problem was due to a bad route on the inside host.

No worries, please mark it as solved then. Thanks..

Thanks Jennifer for the reply. I've removed the extra NAT statement...
