Cisco Support Community

New Member

DMZ Subnet

Hello Cisco Gurus,

I don't know this device very well, and I am seeking help with a simple issue; hopefully someone can help. Basically I have a LAN IP of 192.168.2.0/23 on our network. Since I am the system admin of the company, I have created application control rules that restrict the end users specifically connected to LAN port 2, and I have created my own port on LAN 4 of the device, configured as DMZ with an IP pool of 192.168.100.0/23. Now, my problem is that I cannot reach the devices on the 2.0/23 subnet, not even with the ping command. I badly need to access these for monitoring and configuration purposes. I am not sure whether this falls under NAT routing, the ACL list or whatever. Please ask questions if you need more clarification on our network scenario. Hope to find answers on this forum.

Thanks in advance,

Lyndon

19 REPLIES


Hi Lyndon

Hope you are fine. Was this configuration deployed on an ASA firewall? If so, which version of code are you running?

New Member


Hi Kornelia,

This is deployed on ISA500 device.

Thanks!

Silver


Where is this deployed? On a Cisco ASA?
We need more details on where this is deployed.

Though initially, kindly refer to the following queries:
1. Verify whether you have configured your policies to allow the .100.0/23 to .2.0/23 network.
2. Is this deployed on a Cisco ASA? Note that the ASA is very strict with ICMP.
3. Assuming query no. 2, are your services working, e.g., can you visit your web service on the .2.0/23 network from your PC?

- You can also try doing RDP (Remote Desktop) to one of your computers/servers on .2.0/23 from your PC.


New Member


Hi LJ,

Sorry for the late reply. This is deployed on a Small Business ISA500 Series device. Please see my answers below:

1. Verify whether you have configured your policies to allow the .100.0/23 to .2.0/23 network --- Nope, I have little idea of how to do it.
2. Is this deployed on a Cisco ASA? Note that the ASA is very strict with ICMP --- Cisco ISA500 device.
3. Assuming query no. 2, are your services working, e.g., can you visit your web service on the .2.0/23 network from your PC? ---- I can only visit the main router/firewall, 192.168.2.1, which is the ISA500, from my laptop on the 100.0 subnet. Other than that, devices like 2.3, 2.4, etc. cannot be reached.

I am actually confused about where all of this is configured; see below:

a. ACL RULES under Firewall
b. NAT ROUTING/port forwarding
c. STATIC ROUTING under ROUTING TABLE/POLICY BASED ROUTING

Appreciate your reply! Thanks

Silver


Hi Lynd, 

It would really be best if you had background knowledge of how ACLs work, since otherwise it will be really hard to troubleshoot.

Anyway, the Cisco ISA is GUI based; access the ISA management and look at Firewall -> then Policies.

Verify whether you have a policy to allow .100.0/23 to .2.0/23 and, if desired, the other way around as well.

New Member


Hi LJ,

Firstly, thanks for the prompt response. Yes, this is where my confusion begins. I have attached a screenshot of the ACL, and I tried the option below, but unfortunately it did not work. Please correct me if I am wrong:

From Zone: since I was sitting on the DMZ subnet, I selected it. Or should I select LAN because I'm under the LAN subnet of the DMZ? Sorry for this.

To Zone: First I selected LAN, thinking that from the DMZ subnet (100.0) I would like to access those sitting in the LAN subnet (2.0).

And the rest of the options remain ANY.

MATCH ACTION: PERMIT

Thanks in advance!

Silver


So basically, you have an 'any' to 'any' policy in your firewall. PS: That is actually not recommended; basically you have just made it insecure.

Anyway, for troubleshooting purposes, can you set your action to allow?
Also, put that policy at the very top of your policy list, since policies are read from top to bottom. You may have deny statements in the middle. So, again for troubleshooting purposes, put that 'any' to 'any' policy with action 'permit' at the top of your policies.
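The ordering point made in the reply above (policies are read top to bottom, so a deny in the middle wins over a permit placed below it, and an any/any permit at the top shadows everything under it) can be reasoned about with a small first-match evaluator. This is an added example in Python, not the ISA500's own logic or anything from the thread; the rule fields (from_zone, to_zone, source, destination, service, action) and the rule sets below are constructed to mirror the GUI fields the poster listed, and the zone names and addresses are assumptions.

```python
"""Added example: first-match zone-policy evaluation (not ISA500 code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    from_zone: str      # "LAN", "DMZ", "WAN" or "any"  (assumed zone names)
    to_zone: str
    source: str         # CIDR or "any"
    destination: str    # CIDR or "any"
    service: str        # e.g. "icmp", "tcp/80", or "any"
    action: str         # "permit" or "deny"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _covers(rule_field: str, value: str, is_cidr: bool) -> bool:
    """True if a rule field matches one concrete value; "any" matches everything."""
    if rule_field == "any":
        return True
    if is_cidr:
        return ipaddress.ip_address(value) in _net(rule_field)
    return rule_field == value


def evaluate(rules: List[Rule], from_zone: str, to_zone: str, src: str, dst: str,
             service: str, default: str = "deny") -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the FIRST matching rule decides (action, index).
    Traffic no rule matches gets the default action (assumed deny)."""
    for idx, r in enumerate(rules):
        if (_covers(r.from_zone, from_zone, False) and _covers(r.to_zone, to_zone, False)
                and _covers(r.source, src, True) and _covers(r.destination, dst, True)
                and _covers(r.service, service, False)):
            return r.action, idx
    return default, None


def _field_subsumes(outer: str, inner: str, is_cidr: bool) -> bool:
    """Does every value matched by `inner` also match `outer`?"""
    if outer == "any":
        return True
    if inner == "any":
        return False
    if is_cidr:
        return _net(inner).subnet_of(_net(outer))
    return outer == inner


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule subsumes every field."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(_field_subsumes(getattr(earlier, f), getattr(later, f), f in ("source", "destination"))
                   for f in ("from_zone", "to_zone", "source", "destination", "service")):
                out.append(i)
                break
    return out


# Constructed rules (assumptions): an any/any DMZ->LAN permit, an ICMP deny towards the LAN,
# and the LAN->WAN permit from the poster's second attempt.
ANY_PERMIT_DMZ_LAN = Rule("DMZ", "LAN", "any", "any", "any", "permit")
DENY_ICMP_DMZ_LAN = Rule("DMZ", "LAN", "any", "192.168.2.0/23", "icmp", "deny")
PERMIT_LAN_WAN = Rule("LAN", "WAN", "any", "any", "any", "permit")


def demo() -> dict:
    ping = ("DMZ", "LAN", "192.168.100.10", "192.168.2.2", "icmp")  # laptop in DMZ pings switch1
    return {
        # a LAN->WAN rule is never consulted for DMZ->LAN traffic: default deny
        "lan_to_wan_only": evaluate([PERMIT_LAN_WAN], *ping)[0],
        # permit sitting below a deny: the deny is hit first
        "permit_below_deny": evaluate([DENY_ICMP_DMZ_LAN, ANY_PERMIT_DMZ_LAN], *ping)[0],
        # same two rules with the permit moved to the top: the ping is allowed ...
        "permit_on_top": evaluate([ANY_PERMIT_DMZ_LAN, DENY_ICMP_DMZ_LAN], *ping)[0],
        # ... and the any/any permit now shadows the deny completely
        "shadowed_by_top": shadowed([ANY_PERMIT_DMZ_LAN, DENY_ICMP_DMZ_LAN]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `shadowed` check is the part worth keeping once troubleshooting is over: an any/any permit left at the top makes every rule below it for that zone pair dead, which is exactly why the reply calls the temporary rule insecure.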

New Member


Yes, the policy I created automatically went to the top of all the policies, and it was set to permit. But I still cannot ping/access the 2.0 subnet.

FYI, 1st config:

From Zone: DMZ

To Zone: LAN

any

any

any

Match Action:permit

----SAVED AND NO LUCK------

2nd config:

From Zone: LAN

To Zone: WAN

any

any

any

Match Action:permit

----SAVED AND NO LUCK STILL------  :(

Silver


There might be other factors affecting that connection. Factors like NAT and PBR are most likely conflicting with it.

I'm guessing you are not that technical; I really suggest contacting your vendor for support with that device.

New Member


The problem is that the device is already out of warranty, so I can't get support from the vendor anymore. I was handed over the IT of the company. The previous guy suddenly resigned, so here I am scratching my head and getting into the basics (trial and error scenario). :( So I'm here now, looking for luck on the Cisco support forums.

New Member


Configured what you suggested, this time specifying the source address to destination address (DMZ IPs to default LAN IPs) and vice versa, but it still did not work.

Some say it's probably the NAT. Should I disable that feature for the DMZ?

Silver


Do it like this


1. To be sure ICMP really gets to our computers:
- Disable the firewall (I'm assuming it's Windows) on one computer in the .2.0/23 subnet and on your computer, which is in the .100.0/23 network.

2. Verify the TCP/IP settings on the computers:
- Make sure their IP does not conflict with anyone else's, their subnet mask is correct, which is /23, and their gateway is set.
- I'm assuming your ISA is handling 2.1 and 100.1, correct? Those are the gateways of the computers.

3. Do a traceroute:
- On the .2.0/23 computer do a "tracert -d <IP OF YOUR .100.0/23 COMPUTER>"
- On your .100.0/23 computer do a "tracert -d <IP OF .2.0/23 COMPUTER>"

4. Lastly, on both computers do an "ipconfig /all".

Please attach the traceroute and ipconfig results.



New Member


Hi LJ,

Before attaching my screenshots, I would just like you to know that I was able to ping and tracert both computers without any issues from their terminals after turning off the firewall. However, I still can't access the switch devices on subnet 2.0 from 100.0 via web or ping, which is what I was trying to achieve. So weird... Does the issue below matter?

I've set my DMZ network as:

DHCP pool from 192.168.100.2-254

subnet 255.255.254.0

gateway 192.168.100.1

(while the router's IP and the LAN have a default gateway of 192.168.2.1) because if I put that IP as the DMZ gateway, it prompts me with an error: IP not in range.

Silver


The issue is NOT on the firewall then, but on your end-points.
Always take note that the OS firewall will affect ICMP packets.

For security purposes, enable the computers' firewall again and simply configure it to allow ICMP (ping).

Considering the .100.0 computer can already reach a device on .2.0, and based on the policy we configured, there really should not be issues reaching that switch. Probably the switch has no gateway or has a management ACL configured.

Please check the switch configuration on your side and please do basic troubleshooting.
Ping and traceroute are the most helpful tools in this matter, since they allow you to trace where your packets are going.


PS: I am guessing you are new to the IT industry


Rate or mark as answer helpful posts

New Member


Sorry LJ, but I really can't get to my devices. These are:

Switch1: 192.168.2.2

Switch2: 192.168.2.3

Ruckus ZD: 192.168.2.4

Not even ping or web access. It's already frustrating, because I have not set any rules or ACLs on the above devices (just set them to static IPs, and they are already PnP).

Actually, I'm not new to the IT industry in terms of other specializations. But in networking, yes, I am probably a novice. :(

Silver


Check those devices' gateways. Most of your issues are on the end-point device itself, e.g., just like when you were unable to ping: it seems the OS firewall was not allowing ICMP.

Please check the configuration on your switches; make sure they are set to the correct gateway.

Of course, computers on the same subnet as the switches are able to ping each other, because they do not need a gateway.

Do some basic troubleshooting; that is what you are missing.
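The end-host checks recommended earlier in the thread (subnet mask is /23, gateway is set) and the diagnosis in the reply above (a device without a default gateway can only answer hosts on its own subnet, which is why the LAN PC can ping the switch while the DMZ laptop cannot) can be modelled without touching the firewall. The following is an added example in Python, not anything from the thread or the ISA500 itself; the device list is constructed from the addresses the poster gave, the "no gateway" entries for the switches are an assumption standing in for LJ's hypothesis, and the firewall between the zones is assumed permissive (the policy side is a separate check).

```python
"""Added example: does each end-point have a route back? (not ISA500 code)"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    mask: str                 # dotted mask as typed into the device, e.g. 255.255.254.0
    gateway: Optional[str]    # None when no default gateway is configured

    @property
    def network(self) -> ipaddress.IPv4Network:
        # ip_interface accepts "address/netmask", so the dotted mask can be used as-is
        return ipaddress.ip_interface(f"{self.ip}/{self.mask}").network


def host_range(cidr: str) -> Tuple[str, str]:
    """First and last usable address of a prefix (shows what a /23 actually spans)."""
    n = ipaddress.ip_network(cidr, strict=False)
    return str(n[1]), str(n[-2])


def gateway_problem(h: Host) -> Optional[str]:
    """Describe a gateway misconfiguration, or None if the host looks sane."""
    if h.gateway is None:
        return "no default gateway: can answer only on-link hosts"
    if ipaddress.ip_address(h.gateway) not in h.network:
        return "gateway not in range"   # the kind of error the poster hit when using 192.168.2.1 for the DMZ
    return None


def next_hop(h: Host, dst: str) -> Optional[str]:
    """Where the host sends a packet for dst: 'on-link', its gateway, or None (no route, dropped)."""
    if ipaddress.ip_address(dst) in h.network:
        return "on-link"
    return h.gateway


def can_exchange(a: Host, b: Host) -> bool:
    """A ping needs a forward path AND a return path; a missing gateway on either side breaks it."""
    return next_hop(a, b.ip) is not None and next_hop(b, a.ip) is not None


# Constructed hosts (assumptions based on the addresses in the thread)
LAPTOP = Host("laptop (DMZ)", "192.168.100.10", "255.255.254.0", "192.168.100.1")
PC = Host("pc (LAN)", "192.168.2.50", "255.255.254.0", "192.168.2.1")
SWITCH1_NO_GW = Host("switch1", "192.168.2.2", "255.255.254.0", None)
SWITCH1_FIXED = Host("switch1", "192.168.2.2", "255.255.254.0", "192.168.2.1")
PC_WRONG_MASK = Host("pc (/24 by mistake)", "192.168.2.50", "255.255.255.0", "192.168.2.1")


def report() -> dict:
    return {
        "laptop_to_pc": can_exchange(LAPTOP, PC),                       # both have gateways
        "laptop_to_switch_no_gw": can_exchange(LAPTOP, SWITCH1_NO_GW),  # switch cannot reply
        "laptop_to_switch_fixed": can_exchange(LAPTOP, SWITCH1_FIXED),  # gateway added
        "pc_to_switch_same_subnet": can_exchange(PC, SWITCH1_NO_GW),    # on-link, no gateway needed
        "wrong_mask_to_192_168_3_x": next_hop(PC_WRONG_MASK, "192.168.3.20"),  # sent to the router
        "right_mask_to_192_168_3_x": next_hop(PC, "192.168.3.20"),            # on-link under /23
        "dmz_gw_from_lan_error": gateway_problem(
            Host("dmz-host", "192.168.100.10", "255.255.254.0", "192.168.2.1")),
    }


if __name__ == "__main__":
    print("192.168.2.0/23 usable range:", host_range("192.168.2.0/23"))
    for k, v in report().items():
        print(f"{k}: {v}")
```

Two things the model makes visible: a /23 such as 192.168.2.0/23 spans 192.168.2.1 to 192.168.3.254, so a host that was typed in with a /24 mask will send 192.168.3.x traffic to the router instead of directly; and a switch with a static IP but no default gateway will still answer its LAN neighbours, which is exactly the symptom reported in this thread.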

New Member


Hi LJ,

Please see attached results for your requests. Thanks! 

Silver


Can you do a traceroute from your computer to the desired computer in the .2 network?

PS: Make sure as well that the computers allow ICMP through their Windows Firewall.

Silver


Configure policies DMZ -> LAN and LAN -> DMZ, not LAN to WAN.