cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5812
Views
0
Helpful
11
Replies

ASA 5506-x inside has no access to dmz

maamon.albattah
Level 1
Level 1

I have ASA 5506-x.
dmz already has an access for the inside interface but i can not pin ASA inside interface

nside has no access to dmz.
Here are my configurations
dmz network 172.16.0.0/24
inside net 10.0.0.0/16
inside interface address: 10.0.19.50

web : 172.16.0.2 web server in DMZ Network

Result of the command: "show run access-list"

access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_acl extended permit tcp any object web eq https
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any


Result of the command: "show run access-group"

access-group outside_acl in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz


Result of the command: "show run nat"

nat (inside,outside) source static any any destination static vpn-object vpn-object no-proxy-arp route-lookup
nat (inside,outside) source static any interface unidirectional
nat (dmz,inside) source dynamic any interface
!
object network obj-inside
nat (any,outside) dynamic interface
object network obj-anyconn
nat (any,outside) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
object network web
nat (dmz,outside) static interface service tcp https https

11 Replies 11

try this

 

 

 

no access-list inside_access_in extended permit ip any any
no access-list inside_access_in extended permit icmp any any
no access-group inside_access_in in interface inside
no access-group dmz_access_in in interface dmz

 

!

also in default policy

 

 

policy-map global_policy
inspect icmp
inspect icmp error
please do not forget to rate.

Thank you very much for your answer!

 

with this configuration i do not have access from DMZ to inside and from inside to dmz!

 

Result of the command: "show run access-list"

access-list dmz_access_in_1 extended permit ip any any  (( access from dmz to inside))
access-list outside_acl extended permit tcp any object web eq https
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any

 

Result of the command: "show run policy-map"

!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!

could you upload your configuration it would make more sense to us.

please do not forget to rate.

GRANT3779
Spotlight
Spotlight

Hi,

Based on the config output and info provided.

 

You have stated the following firstly -


"dmz already has an access for the inside interface but i can not pin ASA inside interface"

 

If I understand correctly your DMZ devices can connect to services/hosts within the Inside network, but the DMZ hosts cannot ping the ASA Inside Interface IP?

This is by design. You cannot ping an ASA Interface if the icmp traffic is received inbound via a different interface.

 

For the Inside not being able to access the DMZ this may be related to the following -

 

nat (dmz,inside) source dynamic any interface

 

Your initial traffic to the DMZ from Inside will reach the destination but the return traffic is going to be PAT's via the above rule potentially causing a problem.

 

Thank you for ypor replay..

 

dmz has full access to inside network..

but inside network can not ping dmz network..

i have treid

no nat (dmz,inside) source dynamic any interface

but then no access from dmz to inside!

 

What is the current status?

 

dmz has full access to inside network ? 

 

but inside network can not ping dmz network?

 

Can you provide the IP addresses you are using for this testing, and also the full config of the ASA. Is the ASA the default GW for each network?

dmz has full access to inside network

but inside network can not ping dmz network

 

ip address to test: 10.0.19.55, 10.0.3.113

 

inside networh has 2 Gateways: 10.0.19.50 (my ASA), 10.0.0.1

dmz gateway: 172.16.0.1

web server 172.16.0.2 (from intenernet accessable too)

 

 

 

the Full config. :

 

Result of the command: "show running-conf"

: Saved

:
: Serial Number:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname CiscoASA
enable password $sha512$5000
names
ip local pool testpool 10.0.19.60-10.0.19.90 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 82.x.x.x 255.255.255.224
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.0.19.50 255.255.0.0
!
interface GigabitEthernet1/3
nameif dmz
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
security-level 100
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Tunnel1
no nameif
no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn-object
subnet 10.0.19.0 255.255.255.0
description vpn-acl-nat
object network obj-inside
subnet 10.0.0.0 255.255.0.0
object network obj-anyconn
subnet 10.0.19.0 255.255.255.0
object network dmz-subnet
subnet 0.0.0.0 0.0.0.0
object network web
host 172.16.0.2
object network web-internal
host 172.16.0.2
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.255.0.0
network-object object vpn-object
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
access-list dmz_access_in_1 extended permit ip any any
access-list testacl extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 any inactive
access-list outside_acl extended permit tcp any object web eq https
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static vpn-object vpn-object no-proxy-arp route-lookup
nat (inside,outside) source static any interface unidirectional
nat (dmz,inside) source dynamic any interface
!
object network obj-inside
nat (any,outside) dynamic interface
object network obj-anyconn
nat (any,outside) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
object network web
nat (dmz,outside) static interface service tcp https https
access-group outside_acl in interface outside
access-group dmz_access_in_1 in interface dmz
route outside 0.0.0.0 0.0.0.0 82.1x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint Ca-Cert
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpool policy
crypto ca certificate chain Ca-Cert
certificate ca 00dc01a5731c9092ab
3082039c 30820284 a0030201 02020900 dc01a573 1c9092ab 300d0609 2a864886
f70d0101 0b050030 73310b30 09060355 04061302 4445310b 30090603 55040813

quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable dmz client-services port 443
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 8086
enable outside
dtls port 8086
anyconnect enable
tunnel-group-list enable
keepout "Service out temporarily."
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-clientless
group-policy GroupPolicyTunnelAll internal
group-policy GroupPolicyTunnelAll attributes
wins-server value 10.0.0.10
dns-server value 10.0.0.10
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value imc-tm.de
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512 pbkdf2 privilege 15
username admin attributes
service-type admin
username MaamonAlbattah password $sh pbkdf2 privilege 15
tunnel-group TunnelAll type remote-access
tunnel-group TunnelAll general-attributes
address-pool testpool
default-group-policy GroupPolicyTunnelAll
tunnel-group TunnelAll webvpn-attributes
authentication certificate
group-alias IT enable
group-alias IT-I disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5acad9c4c6bebb7247
: end

Not entirely sure on the reason you are PAT'ing the DMZ to the Inside Interface. Haven't looked at this fully but has your inside Core device (10.0.0.1) got a route to the 172.16.0.0 /24 network, pointing to the ASA.
I still think you may have a problem with return traffic being PAT'd when pinging from Inside to Out.

Do you need to NAT this? If not, remove the NAT and then ensure 10.0.0.1 has a route back to the 172.16.0.0/24 network.

why you having this rule.

 

nat (dmz,inside) source dynamic any interface

!

remember from security level 100 towards 0 traffic is permit

your inside has security-level 100 and dmz has security level 50. so if you take this above command out you will be able to ping from inside to dmz. unless if there is a specific reason you want to keep this rule above.

 

 

please do not forget to rate.

with this Nat now all has config

 

Result of the command: "show run nat"

nat (inside,outside) source static any any destination static vpn-object vpn-object no-proxy-arp route-lookup
nat (inside,outside) source static any interface unidirectional
nat (inside,dmz) source dynamic any interface
nat (dmz,inside) source dynamic any interface
!
object network obj-inside
nat (any,outside) dynamic interface
object network obj-anyconn
nat (any,outside) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
object network web
nat (dmz,outside) static interface service tcp https https

 

Thanks for every one

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: