ASA 5510 setup/routing

SOL10
Level 1

hi there

I have an ASA5510 with the following setup:

e0 - outside interface-212.188.x.x/28

e1 - inside if - 192.168.3.x/24 into 2960sw port 10 vlan 1-switchport access

e2 - dmz if - 172.16.x.x/24 into port 14 vlan 40 switchport access.

linux server plugged into port 14 vlan40 ip 172.16.x.x/24 g/w dmz interface.

windows server plugged into port 15 vlan1 ip 192.16.3.x/24. g/w inside interface

Both the Windows server and Linux server can ping their default gateways, but I can't seem to ping each server across the network or establish an SSH connection to the Linux box.

The sh route command on the ASA shows the 3 connected networks (outside, inside & dmz).

I can get to the internet from the inside, that is OK.

When I try to ping the Windows server from the Linux box I get network unreachable. Below are the access lists:

access-list 106 line 1 extended permit tcp host 192.168.3.x host 172.16.10.x eq ssh (hitcnt=9)

access-list 106 line 2 extended permit icmp any any (hitcnt=148)

access-list 106 line 3 extended permit ip any any (hitcnt=122)

access-group 106 in interface inside

Any ideas? Please help as I'm really baffled.

Thanks

6 Replies

srue
Level 7

access-list dmz_in permit icmp any any echo

access-list dmz_in permit ip any any

access-group dmz_in in interface dmz

You have to explicitly allow ICMP in on an interface.

And of course the "permit ip any any" isn't the most secure option for a DMZ, but you get the idea.

Hi there, I tried that but still no joy. When I try to open an SSH connection from 192.168.3.x/24 to 172.16.10.x I get connection refused. When I look at the logging in ASDM I get:

portmap translation creation failed for tcp src inside:192.168.3.x/3481 dst dmz:172.16.10.x/22

Any ideas what I'm doing wrong?

You are probably missing NAT for access from inside to DMZ. Try this config.

static (inside,DMZ) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

BTW, this disables translation and is also called static identity NAT. Linux Server on the DMZ would see the real address of the inside Windows server.

You may want to do a 'clear xlate' after adding the static command.

HTH

Sundar
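The ASDM message quoted above is the key clue in this thread. The following script, added here as an example and not part of the original discussion, parses ASA "portmap translation creation failed" syslog lines (message ID 305006), groups the failures by interface pair, and prints the static identity NAT line in the pre-8.3 syntax Sundar suggests. The log lines and addresses in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the message shape shown in the thread, with or without the %ASA-3-305006 prefix.
PORTMAP_RE = re.compile(
    r"portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample syslog output; the last line is unrelated noise and must be ignored.
SAMPLE_LOG = """
%ASA-3-305006: portmap translation creation failed for tcp src inside:192.168.3.5/3481 dst dmz:172.16.10.20/22
%ASA-3-305006: portmap translation creation failed for tcp src inside:192.168.3.5/3482 dst dmz:172.16.10.20/22
%ASA-3-305006: portmap translation creation failed for udp src inside:192.168.3.7/5100 dst dmz:172.16.10.20/53
%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/80 (203.0.113.10/80)
""".strip().splitlines()


def parse_portmap_failures(lines):
    """Return one dict per 305006 line (proto, interfaces, addresses, ports); skip others."""
    failures = []
    for line in lines:
        m = PORTMAP_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            failures.append(d)
    return failures


def summarize(failures):
    """Count distinct (proto, src, dst, dport) flows per (src_if, dst_if) interface pair."""
    flows = defaultdict(set)
    for f in failures:
        flows[(f["sif"], f["dif"])].add((f["proto"], f["sip"], f["dip"], f["dport"]))
    return {pair: len(s) for pair, s in flows.items()}


def identity_nat_hint(src_if, dst_if, network, mask):
    """Static identity NAT line (pre-8.3 ASA syntax, as used in the thread) for the pair."""
    return f"static ({src_if},{dst_if}) {network} {network} netmask {mask}"


if __name__ == "__main__":
    for (sif, dif), n in summarize(parse_portmap_failures(SAMPLE_LOG)).items():
        print(f"{n} flow(s) {sif}->{dif} failed NAT; consider:")
        print("  " + identity_nat_hint(sif, dif, "192.168.3.0", "255.255.255.0"))
```

The suggested command applies to the pre-8.3 NAT syntax used in this thread; ASA 8.3 and later use object-based NAT instead.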

Sundar,

It's not working. I'm pulling my hair out. From the Linux box, when I ping 192.168.3.5 I get network unreachable.

I don't know if this will help but there's also an icmp permit command (use the context help for more information: icmp permit ? ). For instance, if you wanted to allow icmp from any host on your inside interface you would add: icmp permit any inside

Good luck.

Hi guys, thanks for all your help.

The issue was not with the ASA at all. It was the Linux box: for some reason, after you set up the IP addressing on the NIC you have to enter a static route for the connected network and also a default route for all other traffic. Weird, but it works.
