Cisco Support Community
Unable to contact host in DMZ through ASA 5505

Hello all,

I'm unable to connect to a host in a DMZ (interface has security level 10) from a host on an "inside" network with security level 100. The host on the DMZ net can ping its gateway, and the "inside" host can ping its gateway. I've applied a rule on the inside interface to allow the host to connect using RDP, FTP, and FTP-data. I've also set up static identity NATs between the two interfaces. The packet tracer shows RDP and FTP packets should pass, and when I attempt to connect from the inside host to the DMZ I can see the connection being made in the firewall's log, but I still can't connect.

To verify that remote desktop and the FTP server were working, I moved the host to another network (security level 100) and was able to connect.

Here are the pertinent config entries. If I need to provide more information, please let me know.

interface Ethernet0/1
 switchport access vlan 50
!
interface Vlan50
 nameif dmz
 security-level 10
 ip address 192.168.50.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group service DM_INLINE_TCP_2 tcp
 group-object RDP
 port-object eq ftp
 port-object eq ftp-data
!
access-list systems_access_in extended permit tcp object-group office_SysAdmin host RPOFCFTP object-group DM_INLINE_TCP_2
!
static (dmz,systems) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (systems,dmz) 192.168.250.0 192.168.250.0 netmask 255.255.255.0

Any help is greatly appreciated...

Accepted Solution

Re: Unable to contact host in DMZ through ASA 5505

Based on the configuration, and assuming that you are trying to access the DMZ from the "systems" interface, the following static NAT needs to be removed as it is not required:

no static (dmz,systems) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

Then, please perform "clear xlate".

To test connectivity via RDP, can you please test to see if you can telnet on port 3389, and for FTP, see if you can telnet on port 21 and get a prompt.

You might want to share the configuration on:

1) Object-group office_SysAdmin

2) IP Address of host RPOFCFTP

3) Group-object RDP

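The connectivity test suggested above (telnet to 3389, telnet to 21 and look for a prompt) as a small probe that classifies the outcome instead of leaving it to eyeballing a telnet session. This is an added example, not code from the thread; the target host and the loopback "fake FTP" listener are assumptions constructed so it runs offline, and on a real network you would point it at the DMZ host (RPOFCFTP in the original post).

```python
"""Probe for the RDP/FTP reachability test from the accepted answer.

Added example, not code from the original thread.  The fake FTP
listener and the loopback addresses are constructed stand-ins so the
script runs offline; run it with the DMZ host as the first argument to
test the real path through the ASA.
"""
import socket
import sys
import threading

RDP_PORT = 3389
FTP_PORT = 21


def probe(host, port, timeout=3.0, read_banner=False):
    """Open a TCP connection to host:port and classify what happened.

    status:
      'open'     - handshake completed: route, NAT and ACL all pass the SYN
      'refused'  - RST came back: the SYN reached a host that is not listening
                   (or a device configured to reject rather than drop)
      'filtered' - nothing came back before the timeout: consistent with a
                   missing route (the thread's eventual cause), a silent drop
                   on the ASA, or a host firewall that drops instead of rejecting
      'error'    - local failure such as name resolution
    banner: first line the server sent, when read_banner is set (FTP says
            '220 ...' on connect, which is the "prompt" the answer asks for)
    """
    result = {"host": host, "port": port, "status": "error", "banner": None}
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        result["status"] = "open"
        if read_banner:
            try:
                data = s.recv(256)
                result["banner"] = data.decode("ascii", "replace").strip()
            except socket.timeout:
                result["banner"] = None  # port open, but the server did not speak first
    except ConnectionRefusedError:
        result["status"] = "refused"
    except socket.timeout:
        result["status"] = "filtered"
    except OSError as exc:
        result["detail"] = str(exc)
    finally:
        s.close()
    return result


def check_dmz_host(host, timeout=3.0):
    """The two checks from the answer: RDP on 3389, FTP on 21 with a 220 banner."""
    rdp = probe(host, RDP_PORT, timeout)
    ftp = probe(host, FTP_PORT, timeout, read_banner=True)
    ftp_ok = ftp["status"] == "open" and (ftp["banner"] or "").startswith("220")
    return {"rdp": rdp, "ftp": ftp, "rdp_ok": rdp["status"] == "open", "ftp_ok": ftp_ok}


def start_fake_ftp_listener(banner=b"220 fake-ftp ready\r\n"):
    """Constructed stand-in for the DMZ FTP server: loopback, ephemeral port,
    sends one banner per accepted connection.  Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_loopback_port():
    """Pick a loopback port with no listener (bind, read the number back, close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_dmz_host(sys.argv[1]))  # real test against the DMZ host
    else:
        srv, port = start_fake_ftp_listener()
        print("fake ftp  ->", probe("127.0.0.1", port, read_banner=True))
        print("closed    ->", probe("127.0.0.1", closed_loopback_port()))
        srv.close()
```

A 'filtered' result on its own does not separate a routing problem on the client from a silent drop on the firewall, since an ASA deny is a drop, not a reject; read it together with the packet-tracer output and the ASA log, as the original poster did. A 'refused' result is actually good news for the firewall: the SYN made it to the DMZ host and only the service is missing.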
4 Replies

Re: Unable to contact host in DMZ through ASA 5505

Please disregard. The problem was due to a bad route on the inside host.


Re: Unable to contact host in DMZ through ASA 5505

No worries, please mark it as solved then. Thanks..


Re: Unable to contact host in DMZ through ASA 5505

Thanks, Jennifer, for the reply. I've removed the extra NAT statement...
