Accessing Exchange Server from DMZ

sholiday666
Level 1

Good morning,

We have an ASA5510 with a web server in the DMZ network 10.2.2.0/24. We now want this web server to be able to access the Exchange server in the inside network 10.1.1.0/24. I researched this and it seemed straightforward according to the Cisco document below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

I'm looking to do this with SMTP, so I added these lines to the config:

static (inside,DMZ) 10.2.2.30 10.1.1.11 netmask 255.255.255.255

access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp

The configuration line:

access-group DMZ in interface DMZ

already existed in the configuration, so it didn't need to be re-entered.

ASA Version 8.0(4)
!
hostname xxxx
domain-name xxxx.com
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.141.85 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.255.254 255.255.255.248
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone MDT -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.1
 domain-name mjfirm.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended permit tcp any host xxx.xxx.141.83 eq www
access-list inbound extended permit tcp any host xxx.xxx.141.83 eq https
access-list inbound extended permit tcp any host xxx.xxx.141.83 eq ftp
access-list inbound extended permit tcp any host xxx.xxx.141.83 eq ftp-data
access-list inbound extended permit tcp any host xxx.xxx.141.83 eq ssh
access-list inbound extended permit tcp any host xxx.xxx.141.84 eq imap4
access-list inbound extended permit tcp any host xxx.xxx.141.84 eq pop3
access-list inbound extended permit tcp any host xxx.xxx.141.84 eq www
access-list inbound extended permit tcp any host xxx.xxx.141.84 eq https
access-list inbound extended permit tcp any host xxx.xxx.141.84 eq smtp
access-list inbound extended permit icmp any any
access-list dmz extended deny ip any 10.1.0.0 255.255.0.0
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
access-list dmz extended permit ip any any
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list vpnsplit extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.16.22.1-172.16.22.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 10 xxx.xxx.141.82 netmask 255.255.255.0
global (dmz) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (dmz,outside) xxx.xxx.141.83 10.2.2.2 netmask 255.255.255.255
static (inside,outside) xxx.xxx.141.84 10.1.1.11 netmask 255.255.255.255
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
access-group inbound in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.141.81 1
route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.1.1.12
 key -->
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 172.16.22.0 255.255.255.0 inside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp management
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set HQset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 20 match address encrypt_acl
crypto map outside_map 20 set peer 207.202.195.198
crypto map outside_map 20 set transform-set HQset
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 50
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy vpnclients internal
group-policy vpnclients attributes
 wins-server value 10.1.1.12
 dns-server value 10.1.1.12
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit
 default-domain value mjfirm.local
 split-dns value mjfirm.local
 address-pools value vpnpool
group-policy clientgroup internal
group-policy clientgroup attributes
 wins-server value 10.1.1.12
 dns-server value 10.1.1.12
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelall
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
tunnel-group M&J type remote-access
tunnel-group M&J general-attributes
 address-pool vpnpool
 authentication-server-group vpn
 default-group-policy vpnclients
tunnel-group M&J ipsec-attributes
 pre-shared-key *
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 authentication-server-group vpn
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
tunnel-group xxx.xxx.195.198 type ipsec-l2l
tunnel-group xxx.xxx.195.198 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 768
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
: end


It's not working. Below is the output from packet-tracer using SMTP:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
  match ip inside host 10.1.1.11 dmz any
    static translation to 10.2.2.30
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd5786190, priority=5, domain=nat-reverse, deny=false
        hits=9, user_data=0xd627c598, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.1.1.11, mask=255.255.255.255, port=0, dscp=0x0

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any assistance would be appreciated!

2 Accepted Solutions


Hi Scott,

The reason it is still working is that you have the access-list:

access-list dmz extended permit ip any any

so all the traffic would hit this rule. So yes, you can delete the ACL:

access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp

from the config.

I have seen the captures; don't worry, it's all legitimate traffic if you look at the IP addresses in there.

Please mark the thread as answered if all your queries have been resolved.

Thanks,

Varun

Thanks,
Varun Rao


Hi Scott,

How are you doing? Do you need telnet and icmp access?

Scott Holiday wrote:

  I only wanted telnet and ICMP from DMZ to inside, so I've deleted those entries as well. Here it is!

Because I do not see them in the config, I only see smtp port opened.

If you need telnet and ICMP access, you need these ACLs:

access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq telnet

access-list dmz extended permit icmp host 10.2.2.2 host 10.1.1.11

If you don't need them then the config looks perfectly fine.

Let me know if this resolves your query.

Thanks,

Varun

Thanks,
Varun Rao


28 Replies

varrao
Level 10

Hi Scott,

Can you provide the complete output of the packet-tracer? That will be helpful.

Thanks,

Varun

Thanks,
Varun Rao

Thanks Varun, here it is:

ASA# packet-tracer input dmz tcp 10.2.2.2 smtp 10.1.1.11 smtp detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.0.0        255.255.0.0     inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz in interface dmz
access-list dmz extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd56cdc20, priority=12, domain=permit, deny=false
        hits=18, user_data=0xd5785640, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd56f8458, priority=0, domain=permit-ip-option, deny=true
        hits=905436, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) xxx.xxx.141.83 10.2.2.2 netmask 255.255.255.255
  match ip dmz host 10.2.2.2 outside any
    static translation to xxx.xxx.141.83
    translate_hits = 29659, untranslate_hits = 1026673
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd576e668, priority=5, domain=host, deny=false
        hits=899340, user_data=0xd5786790, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.2.2.2, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
  match ip inside host 10.1.1.11 dmz any
    static translation to 10.2.2.30
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd967f210, priority=5, domain=nat-reverse, deny=false
        hits=0, user_data=0xd96d12a0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.1.1.11, mask=255.255.255.255, port=0, dscp=0x0

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi Scott,

Something doesn't seem right to me. If you look at the tracer, on phase 5 the packets are falling into the wrong NAT statement, because the tracer command used is not correct. It should be:

packet-tracer input dmz tcp 10.2.2.2 2345 10.2.2.30 smtp detailed

Remember, you are trying to access the server on the inside on IP 10.2.2.30, so it should be this.

I would also take captures on the firewall:

access-list cap permit ip host 10.2.2.2 host 10.2.2.30

access-list cap permit ip host 10.2.2.30 host 10.2.2.2

access-list cap permit ip host 10.1.1.11 host 10.2.2.2

access-list cap permit ip host 10.2.2.2 host 10.1.1.11

cap capin access-list cap interface inside

cap capo access-list cap interface outside

Generate some traffic and then collect the captures and logs for it.

show cap capin

show cap capo

Also, as a test, can you add:

global (inside) 10 interface

Let me know the results.

Thanks,

Varun

Thanks,
Varun Rao
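To pull the failing phase and its config line out of a packet-tracer run like the ones above without reading it line by line, here is an added parser (my own example, not from the thread or from Cisco). It collects each phase's Type, Subtype, Result and the lines printed under Config:, and for the NAT rpf-check drop Varun diagnosed it names the mapped address the dmz host has to target. The sample trace is constructed from the thread's addresses and abbreviated.

```python
import re

# Constructed, abbreviated packet-tracer output modelled on the dropped run in
# this thread (not the poster's verbatim output).
SAMPLE_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz in interface dmz
access-list dmz extended permit ip any any
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
  match ip inside host 10.1.1.11 dmz any
Additional Information:

Result:
input-interface: dmz
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """(phases, summary): type/subtype/result/config per phase, final Result block as a dict."""
    phases, summary, current, in_config = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        value = value.strip()
        if key == "Phase" and sep:
            current = {"phase": int(value), "type": "", "subtype": "", "result": "", "config": []}
            phases.append(current)
            in_config = False
        elif line == "Result:":  # bare header: the final summary block starts here
            current, in_config = None, False
        elif current is None:
            if sep:
                summary[key] = value
        elif line == "Config:":
            in_config = True
        elif line == "Additional Information:":
            in_config = False
        elif in_config:
            current["config"].append(line)
        elif sep and key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value
    return phases, summary


def first_drop(phases):
    """First phase whose Result is DROP, or None when the flow was allowed."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def rpf_hint(drop):
    """For an rpf-check drop on a pre-8.3 static, name the mapped address the lower-security side must target."""
    if drop is None or (drop["type"], drop["subtype"]) != ("NAT", "rpf-check") or not drop["config"]:
        return None
    m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", drop["config"][0])
    if not m:
        return None
    real_if, mapped_if, mapped_ip, real_ip = m.groups()
    return "hosts on %s must address %s (mapped), not %s (real on %s)" % (
        mapped_if, mapped_ip, real_ip, real_if)
```

Run on the thread's first trace it reports phase 6 with the static (inside,dmz) line, which is exactly why the tracer had to be re-run against 10.2.2.30 rather than 10.1.1.11.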

Thanks Varun. That did the trick as far as packet-tracer. Below is the output. But why did you have me use port 2345?

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
  match ip inside host 10.1.1.11 dmz any
    static translation to 10.2.2.30
    translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 10.2.2.30/0 to 10.1.1.11/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz in interface dmz
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd9dc16d8, priority=12, domain=permit, deny=false
        hits=0, user_data=0xd56ae608, cs_id=0x0, flags=0x0, protocol=6
        src ip=10.2.2.2, mask=255.255.255.255, port=0
        dst ip=10.2.2.30, mask=255.255.255.255, port=25, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd56f8458, priority=0, domain=permit-ip-option, deny=true
        hits=906425, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) xxx.xxx.141.83 10.2.2.2 netmask 255.255.255.255
  match ip dmz host 10.2.2.2 outside any
    static translation to xxx.xxx.141.83
    translate_hits = 29663, untranslate_hits = 1026933
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd576e668, priority=5, domain=host, deny=false
        hits=900329, user_data=0xd5786790, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.2.2.2, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
  match ip inside host 10.1.1.11 dmz any
    static translation to 10.2.2.30
    translate_hits = 0, untranslate_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd967f210, priority=5, domain=nat-reverse, deny=false
        hits=1, user_data=0xd96d12a0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.1.1.11, mask=255.255.255.255, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) xxx.xxx.141.84 10.1.1.11 netmask 255.255.255.255
  match ip inside host 10.1.1.11 outside any
    static translation to xxx.xxx.141.84
    translate_hits = 19832486, untranslate_hits = 5484763
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xd56093b0, priority=5, domain=host, deny=false
        hits=23010699, user_data=0xd5915db8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.1.1.11, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xd56a5470, priority=0, domain=permit-ip-option, deny=true
        hits=145735197, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 149903633, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.255.249 using egress ifc inside
adjacency Active
next-hop mac address 0017.0e3b.82bf hits 3981329

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Hi Scott,

Did you take the captures and logs as well?

-Varun

Thanks,
Varun Rao

Varun,

Yes, I set up the captures but I didn't get anything. I generated telnet, ICMP, and SMTP from 10.2.2.2 to 10.2.2.30, then added captures for the dmz interface, and again no captures.

-Scott

Hi Scott,

What we would need to identify is this: apply both the captures on the inside and dmz together and then generate traffic. Reason 1: this would identify whether the traffic is reaching the ASA dmz interface; if not, then routing on the network needs to be checked.

Reason 2: if the packets are seen on the dmz, do those packets reach the inside interface? If not, it's the ASA dropping them.

Collect logs as well, it would help greatly.

Thanks,

Varun

Thanks,
Varun Rao

ASA# sh capture capin

1 packet captured

   1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192

1 packet shown

ASA# sh capture capo

1 packet captured

   1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192

1 packet shown

Hi Scott,

The captures show me that the request is going to the server but no replies are coming back, which means the server is not responding.

But before jumping to conclusions, I think that after applying the captures you ran a packet-tracer and collected the captures, because the source port is also 25; in actual traffic, the source port would always be a higher series port number. Also, packet-tracer is just a helping tool and not always the clear picture. We now need to depend on the real traffic, and it would be good to take logs and captures when you actually initiate traffic from the dmz host.

For collecting logs you would need:

logging buffered 7

after generating traffic:

show logg | in 10.2.2.2

show logg | in 10.2.2.30

I guess we would nail the problem this way, and also could you please test with:

global (inside) 10 interface

Thanks,

Varun

Thanks,
Varun Rao
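Varun's two checks on the captures (is anything coming back, and is the source port one a real client would use) and his earlier "seen on dmz but not on inside" test can be scripted. This added example (mine, not from the thread) parses show capture lines, folds the thread's static NAT so one connection gets the same key on both interfaces, and reports flows present on the ingress capture but missing on the egress one. The capture lines and the 10.2.2.30 to 10.1.1.11 mapping are constructed from the thread's addresses.

```python
import re

# Constructed 'show capture' lines modelled on this thread's addresses (not the
# poster's verbatim output): capin is one SYN with source port 25 and no reply;
# capdmz/capinside are a real client whose SYN crosses the static and is answered.
CAPTURES = {
    "capin": [
        "1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192",
    ],
    "capdmz": [
        "1: 09:20:01.100000 10.2.2.2.49152 > 10.2.2.30.25: S 100:100(0) win 8192",
        "2: 09:20:01.100700 10.2.2.30.25 > 10.2.2.2.49152: S 200:200(0) ack 101 win 8192",
    ],
    "capinside": [
        "1: 09:20:01.100200 10.2.2.2.49152 > 10.1.1.11.25: S 100:100(0) win 8192",
        "2: 09:20:01.100500 10.1.1.11.25 > 10.2.2.2.49152: S 200:200(0) ack 101 win 8192",
    ],
}
# Assumed from the thread's static (inside,dmz): 10.1.1.11 shows as 10.2.2.30 on dmz.
MAPPED_TO_REAL = {"10.2.2.30": "10.1.1.11"}

LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(\d+(?:\.\d+){3})\.(\d+)\s+>\s+(\d+(?:\.\d+){3})\.(\d+):")


def parse_line(line):
    """(src, sport, dst, dport) from one capture line, or None if it is not a packet."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)


def flow_key(pkt):
    """Direction-independent key with mapped addresses folded to real ones, so
    one connection gets the same key on the dmz and inside captures."""
    src, sport, dst, dport = pkt
    a = (MAPPED_TO_REAL.get(src, src), sport)
    b = (MAPPED_TO_REAL.get(dst, dst), dport)
    return tuple(sorted((a, b)))


def analyze(lines):
    """Per flow: did the other side answer, and does the initiator's source port
    look synthetic (below 1024, as 'packet-tracer ... smtp ... smtp' produces)?"""
    flows = {}
    for pkt in map(parse_line, lines):
        if pkt is None:
            continue
        f = flows.setdefault(flow_key(pkt), {"initiator": pkt[:2], "replies": 0})
        if pkt[:2] != f["initiator"]:
            f["replies"] += 1
    return [{"client": "%s:%d" % f["initiator"],
             "replies_seen": f["replies"] > 0,
             "synthetic_source_port": f["initiator"][1] < 1024}
            for f in flows.values()]


def dropped_by_firewall(captures, ingress, egress):
    """Flows on the ingress capture that never appear on the egress capture:
    the ASA dropped them, so the fix is on the firewall, not in routing."""
    def keys(name):
        return {flow_key(p) for p in map(parse_line, captures[name]) if p}
    return sorted(keys(ingress) - keys(egress))
```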

Varun,

I added the entry

global (inside) 10 interface

and enabled logging and initiated traffic from the web server using the form that will contact the Exchange server, but nothing is showing up in the logs for 10.2.2.2 or 10.2.2.30.

Hi Scott,

If you do not see anything in the logs and the captures, then it might be possible that the packets are not even reaching the firewall.

-Varun

Thanks,
Varun Rao

Varun,

If you look at my configuration you probably noticed that I attempted to enable telnet and ICMP to test. Telnet and ping are not working either. Is there something you can see in the config that is not right? These were the entries I created for telnet and ICMP:

access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq telnet

access-list dmz extended permit icmp host 10.2.2.2 host 10.2.2.30 echo

access-list dmz extended permit icmp host 10.2.2.2 host 10.2.2.30 echo-reply

Shouldn't these work? If I could get telnet going, I could try the old "telnet 10.2.2.30 25" command from the 10.2.2.2 host.

Hi Scott,

What you have is correct.

Let's try one thing; use the following config:

static (inside,dmz) 10.1.1.11 10.1.1.11

nat (dmz) 10 0.0.0.0 0.0.0.0

global (inside) 10 interface

access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq telnet

access-list dmz extended permit icmp host 10.2.2.2 host 10.1.1.11 echo

access-list dmz extended permit icmp host 10.2.2.2 host 10.1.1.11 echo-reply

access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq smtp

once you have this, apply fresh captures:

access-list test permit ip host 10.1.1.11 host 10.2.2.2

access-list test permit ip host 10.2.2.2 host 10.1.1.11

cap capi access-list test interface inside

cap capdmz access-list test interface dmz

Once you have everything set up, try initiating telnet or ping traffic, and collect captures. If we at least have this info, we would be able to identify the issue.

Hope everything goes well.

Thanks,

Varun

Thanks,
Varun Rao

Do I need to erase the other configuration entries related to telnet and ICMP using 10.2.2.30 first? Also, do I need to erase the "access-list dmz extended permit ip any any" and then add it back at the end so it shows up last?

I appreciate your help.
