11-14-2009 04:40 AM - edited 03-11-2019 09:39 AM
Hi all,
I am able to ping, but not able to telnet from inside to DMZ, and vice versa. Please find the configuration attached.
DMZ -10.244.4.0/24 network
inside -10.244.0.0/24
Thanks in advance
11-14-2009 08:37 AM
The config appears correct.
RTP - Routing, Translation and Permission - appear to be correct.
Are you sure the host in dmz 10.244.4.x listens on tcp 23?
Enable the logging buffer:
conf t
logging buffered debug
Then issue "sh logg | i 10.244.0.x" (the inside host you are trying to telnet from) and see what the logs say when the telnet fails.
Also, from a 10.244.4.x host on the DMZ segment, are you able to telnet to the 10.244.4.b host that is listening on this port?
11-15-2009 08:49 PM
Hi,
I am getting an error like:
6 Nov 15 2009 23:45:32 302014 10.244.4.100 23 10.244.0.21 1254 Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout
This is a DC and DR setup; from the MPLS outside they are able to telnet to the DMZ, but from inside I am able to.
11-16-2009 12:06 AM
Hi,
Sorry, I am not able to telnet.
11-16-2009 04:36 AM
A SYN timeout indicates that the TCP handshake is not completing, i.e. the source is sending a SYN but not receiving a SYN/ACK in reply.
Check that the destination is running the appropriate service (telnet in this case) and that there is not a local software firewall on the destination machine.
11-16-2009 08:23 PM
11-19-2009 08:00 PM
Chandru,
You mentioned you are able to ping the switch from where? The firewall?
6 Nov 15 2009 23:45:32 302014 10.244.4.100 23 10.244.0.21 1254 Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout
1. Are you able to ping the switch IP 10.244.4.100 from the inside host 10.244.0.21 and back?
2. Have you tried a PC in the DMZ to see if you can telnet to the switch locally? Does that work?
This syslog clearly indicates that the switch is not responding back to the inside host.
The switch appears properly configured with
a. ip address and mask
b. route to the inside pc via the firewall's DMZ interface IP
11-26-2009 01:39 AM
Hi Kusankar,
1. I am able to telnet from 10.244.4.100 (dmz switch) to 10.244.4.21 (dmz server).
2. Yes, I am able to telnet from the dmz server to the dmz switch, and from the router I am able to telnet to the dmz servers.
12-02-2009 08:52 PM
Hi,
I checked all the things. I have given a default route on the dmz switch pointing to the firewall dmz interface IP address, like: ip route 0.0.0.0 0.0.0.0 10.244.4.1
Can you help me out in this.
12-02-2009 09:31 PM
Just a few questions/suggestions...
- Have you tried running packet-tracer on the firewall to see where the traffic might be getting dropped?
- You don't have an access-group set for the DMZ interface, so any traffic generated from DMZ segment to the INSIDE segment will get dropped. You can try adding the following line for testing only:
access-group 101 in interface dmz
- Have you considered implementing a nat exemption ACL for traffic between the inside and dmz segments? You would need to add something similar to this:
access-list nonat extended permit ip 10.244.9.0 255.255.255.0 10.244.4.0 255.255.255.0 (ie. from inside to dmz)
access-list nonat extended permit ip 10.244.4.0 255.255.255.0 10.244.9.0 255.255.255.0 (ie. from dmz to inside)
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
You would also need to implement the access-group command above. If these suggestions work for you, be sure to create separate ACLs for each segment and lock them down appropriately. Good luck!
James
12-03-2009 04:46 AM
Chandru,
Next step is to collect captures on the firewall. The logs say SYN timeout, which means we are not seeing any response from the switch. That is the reason I had asked if telnet to the switch works locally.
Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout
Pls. try captures:
cap capdmz int DMZ match tcp any host 10.244.4.100 eq 23
cap capin int inside match tcp any host 10.244.4.100 eq 23
Now try a telnet connection from the inside and watch these captures:
sh cap capdmz
sh cap capin
and see if you see SYN, SYN/ACK, ACK - whether the 3-way handshake completes at all, and which packets that arrive on one interface are not seen on the other.
Copy and paste the output for us to look at.
-KS
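A small parser for the 302014 teardown messages quoted in this thread, added here as an example and not posted by anyone in the thread: it groups teardowns by the service endpoint and reports which services only ever produced zero-byte SYN Timeouts, the "no response from the switch" symptom described above. The smaller-port heuristic for picking the service side and the two extra sample lines are my own assumptions.

```python
import re
from collections import defaultdict

# Body of ASA syslog 302014 (TCP teardown). Searched, not anchored, so both
# "%ASA-6-302014: Teardown ..." and the 'show logging' column form in the thread parse.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration \d+:\d{2}:\d{2} bytes (?P<bytes>\d+)(?: (?P<reason>.*?))?\s*$")

def parse_302014(line):
    """Return the teardown fields as a dict, or None for any other syslog line."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("conn", "port_a", "port_b", "bytes"):
        d[k] = int(d[k])
    d["reason"] = (d["reason"] or "").strip()
    # The ASA lists the lower-security interface's endpoint first, which need not
    # be the initiator; assumption: the side with the smaller port is the service
    # (23 for telnet versus the ephemeral 1254), so grouping is by destination.
    a, b = (d["if_a"], d["ip_a"], d["port_a"]), (d["if_b"], d["ip_b"], d["port_b"])
    d["service"] = a if a[2] <= b[2] else b
    return d

def summarize_teardowns(lines):
    """Per service endpoint, count zero-byte SYN Timeouts (no SYN/ACK ever came
    back through the firewall) against every other teardown reason."""
    stats = defaultdict(lambda: {"syn_timeout": 0, "other": 0})
    for d in filter(None, map(parse_302014, lines)):
        key = "syn_timeout" if d["reason"] == "SYN Timeout" and d["bytes"] == 0 else "other"
        stats[d["service"]][key] += 1
    return dict(stats)

def unresponsive_services(lines):
    """Services for which every observed teardown was a zero-byte SYN Timeout:
    the hosts to check for a stopped daemon, a host firewall or a missing return route."""
    return sorted(svc for svc, s in summarize_teardowns(lines).items()
                  if s["syn_timeout"] and not s["other"])

# Constructed sample: line 1 is the message quoted in the thread; lines 2-3 are
# made up to show a second failed attempt and a healthy SSH session for contrast.
SAMPLE_LOG = [
    "6 Nov 15 2009 23:45:32 302014 10.244.4.100 23 10.244.0.21 1254 Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout",
    "6 Nov 15 2009 23:46:05 302014 10.244.4.100 23 10.244.0.21 1255 Teardown TCP connection 159751 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1255 duration 0:00:30 bytes 0 SYN Timeout",
    "6 Nov 15 2009 23:47:10 302014 10.244.4.21 22 10.244.0.21 1256 Teardown TCP connection 159760 for DMZ:10.244.4.21/22 to inside:10.244.0.21/1256 duration 0:02:11 bytes 4310 TCP FINs",
]
```

Run `unresponsive_services(SAMPLE_LOG)` over a `show logging` dump to get the list of destinations that never answered a SYN; a destination that also shows TCP FINs teardowns is reachable and the problem lies elsewhere.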