08-17-2013 02:53 PM - edited 03-11-2019 07:27 PM
ASA 5520 8.0(5)
I want guest AP users in the DMZ to browse through the DMZ controller. The user is receiving an IP address (172.17.0.1) from the WLAN controller and can ping 172.17.1.254 & 192.168.1.225, but cannot ping 4.2.2.1. Even the controller (192.168.1.225) cannot ping 4.2.2.1. Following is the config:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ Physical Interface
nameif dmz
security-level 10
ip address 192.168.1.1 255.255.255.0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 2 172.17.0.0 255.255.254.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-list outside_acl extended permit ip any host 1.1.1.225
static (dmz,outside) 1.1.1.225 192.168.1.225 netmask 255.255.255.255
access-list outside_acl extended permit ip any 172.17.0.0 255.255.254.0
access-list dmz_in extended permit ip host 192.168.1.225 172.17.0.0 255.255.254.0
policy-map global_policy
class inspection_default
inspect icmp
INET-FW(config)# packet-tracer input dmz icmp 172.17.0.255 8 0 4.2.2.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
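A quick way to see why the packet-tracer above ends in acl-drop, and what else would have stopped the flow after the ACL was fixed, is to lint the posted ASA 8.0 lines for the three conditions a DMZ-sourced subnet needs: an inbound ACL permit on the dmz interface, a nat id that is paired with a global on the egress interface, and a route that sends return traffic back out the dmz. The script below is an added example written for this thread, not something from the original poster or Cisco; its config text is copied from the post (the nat 0 exemption and the inside/outside ACLs are left out because the checks do not use them), and the "fixed" variant assumes the controller address 192.168.1.225 as next hop for the guest subnet, which the thread does not state. The NAT match is a simplification (most specific nat line on the ingress interface) rather than the ASA's full NAT order.

```python
import ipaddress
import re

# Constructed input: the ASA 8.0(5) lines quoted in the first post of the thread
# (nat 0 exemption and the inside/outside ACLs omitted; the checks below do not use them).
ORIGINAL = """
interface GigabitEthernet0/0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 192.168.1.1 255.255.255.0
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 2 172.17.0.0 255.255.254.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-list dmz_in extended permit ip host 192.168.1.225 172.17.0.0 255.255.254.0
"""

# Hypothetical repaired version: nat (dmz) 2 removed, the guest subnet permitted on
# dmz_in, and a dmz route for the guest subnet. Using the WLAN controller
# (192.168.1.225) as next hop is an assumption; the thread does not say what it used.
FIXED = ORIGINAL.replace("nat (dmz) 2 172.17.0.0 255.255.254.0\n", "") + """
route dmz 172.17.0.0 255.255.254.0 192.168.1.225 1
access-list dmz_in extended permit ip 172.17.0.0 255.255.254.0 any
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) \S+ (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from a token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Pull interface addresses, nat/global pairs, static routes and ACLs out of 8.x syntax."""
    cfg = {"ifaddr": {}, "nat": [], "global": [], "route": [], "acl": {}, "group": {}}
    nameif = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            cfg["ifaddr"][nameif] = line.split()[2]
        elif m := NAT_RE.match(line):
            ifc, nid, ip, mask = m.groups()
            if nid != "0":  # nat 0 (exemption) has no id to pair with a global
                cfg["nat"].append((ifc, int(nid), ipaddress.ip_network(f"{ip}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            cfg["global"].append((m.group(1), int(m.group(2))))
        elif m := ROUTE_RE.match(line):
            ifc, net, mask, nh = m.groups()
            cfg["route"].append((ifc, ipaddress.ip_network(f"{net}/{mask}", strict=False), nh))
        elif m := ACL_RE.match(line):
            name, action, rest = m.groups()
            src, rest = _parse_addr(rest.split())
            dst, _ = _parse_addr(rest)
            cfg["acl"].setdefault(name, []).append((action, src, dst))
        elif m := GROUP_RE.match(line):
            cfg["group"][m.group(2)] = m.group(1)
    return cfg


def unpaired_nat_ids(cfg):
    """nat ids with no global of the same id on any other interface: sources matching
    such a nat line cannot be translated toward the outside."""
    by_id = {}
    for ifc, gid in cfg["global"]:
        by_id.setdefault(gid, set()).add(ifc)
    return [(ifc, nid) for ifc, nid, _ in cfg["nat"] if not by_id.get(nid, set()) - {ifc}]


def acl_permits(cfg, ifc, src_ip, dst_ip):
    """First-match evaluation of the ACL bound inbound on ifc, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in cfg["acl"].get(cfg["group"].get(ifc), []):
        if src in s and dst in d:
            return action == "permit"
    return False


def route_for(cfg, ip):
    """Longest-prefix lookup over the static routes; returns (interface, next_hop) or None."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in cfg["route"] if addr in r[1]), key=lambda r: r[1].prefixlen, default=None)
    return (best[0], best[2]) if best else None


def check_guest_flow(cfg, ifc, src_ip, dst_ip):
    """Findings for a flow entering on ifc, roughly in the order the ASA would hit them."""
    findings = []
    if not acl_permits(cfg, ifc, src_ip, dst_ip):
        findings.append(f"{ifc} ACL denies {src_ip} -> {dst_ip} (acl-drop)")
    # Simplification: take the most specific nat line on the ingress interface.
    src = ipaddress.ip_address(src_ip)
    match = max((n for n in cfg["nat"] if n[0] == ifc and src in n[2]),
                key=lambda n: n[2].prefixlen, default=None)
    if match and (match[0], match[1]) in unpaired_nat_ids(cfg):
        findings.append(f"nat ({ifc}) {match[1]} has no matching global {match[1]} on another interface")
    back = route_for(cfg, src_ip)
    if back is None or back[0] != ifc:
        findings.append(f"return route for {src_ip} egresses {back[0] if back else 'nowhere'}, not {ifc}")
    elif back[1] == cfg["ifaddr"].get(ifc):  # the point raised in the replies below
        findings.append(f"route for {src_ip} uses the ASA's own {ifc} address {back[1]} as next hop")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, check_guest_flow(parse_config(text), "dmz", "172.17.0.255", "4.2.2.1"))
```

Run against the original lines it reports the ACL deny the packet-tracer shows, the nat (dmz) 2 line with no global 2, and a return route for 172.17.0.0/23 that falls to the default route out the outside interface; against the repaired variant it reports nothing.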
08-17-2013 02:59 PM
Hi,
The configurations you have posted above don't include any route for the network 172.17.0.0/23.
Also, the ACL for the DMZ doesn't allow the traffic from this network or the directly connected network.
- Jouni
08-17-2013 03:13 PM
I added these & it is not working:
route dmz 172.17.0.0 255.255.254.0 192.168.1.1 1
access-list outside_acl extended permit ip any 172.17.0.0 255.255.254.0
access-list outside_acl extended permit ip 172.17.0.0 255.255.254.0 any
access-list dmz_in extended permit ip host 192.168.1.225 172.17.0.0 255.255.254.0
access-list dmz_in extended permit ip 172.17.0.0 255.255.254.0 any
08-17-2013 03:30 PM
Hi,
Why is the network routed towards the ASA's interface IP address?
Can you provide a "packet-tracer" for a source address in the network 172.17.0.0/23 towards some external IP.
- Jouni
08-17-2013 03:42 PM
It is working after adding route dmz 172.17.0.0 & removing nat (dmz) 2 172.17.0.0.
Thanks