ASA 5505 Weirdness

tmcmurray (Level 1)

Hi everyone,

I have a basic ASA 5505 that is doing something strange. The only config it has is that all three interfaces have IPs (DMZ, INSIDE, OUTSIDE). There are no other rules other than default.

When I set up a rule to allow traffic from the DMZ to the INSIDE, I lose the ability to ping or communicate with the outside interface from the outside network completely.

When I try to ping the outside I get timeouts.  If I remove the rules on the DMZ and INSIDE interfaces, the outside becomes available again.

Could anyone please explain why this is?

Here is the broken configuration: (Unable to ping the OUTSIDE interface from the outside network.)

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
 switchport access vlan 5
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Inside - Endura
 nameif inside
 security-level 100
 ip address 10.120.0.20 255.255.255.0
!
interface Vlan2
 description Outside - EDN
 nameif outside
 security-level 0
 ip address 10.221.225.26 255.255.255.0
!
interface Vlan5
 description DMZ - DS
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DSRV1
 host 192.168.1.6
access-list inside_access_in extended permit ip 10.120.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in_1 extended permit ip 192.168.1.0 255.255.255.0 10.120.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group dmz_access_in_1 in interface dmz
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.120.0.0 255.255.255.0 inside
http 10.221.225.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp dmz
telnet 10.120.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.120.0.24-10.120.0.55 inside
!
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable

Thanks in advance

1 Reply

The moment you apply an ACL to an interface, all needed communication must be permitted in the ACLs. The default, where traffic from a higher security-level to a lower security-level is allowed, is not enabled any more.

So your DMZ-ACL needs a minimum of three lines:

1) permit needed traffic to inside

2) deny all traffic to inside

3) allow traffic to outside

Same for your inside-ACL.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
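The three-line pattern from the reply, written out against the interface names and subnets in the question. This is an added example, not the replier's or the poster's own configuration. The "needed traffic" entry (HTTPS from the DSRV1 object to the inside network) is an assumption standing in for whatever the poster actually needs; the poster's broad `permit ip` could stay as line 1 instead, in which case line 2 never matches. The `packet-tracer` destination 10.221.225.1 is an assumed host on the outside subnet.

```cisco
access-list dmz_access_in_1 remark 1) permit only the DMZ traffic that must reach inside (assumed: HTTPS from DSRV1)
access-list dmz_access_in_1 extended permit tcp object DSRV1 10.120.0.0 255.255.255.0 eq 443
access-list dmz_access_in_1 remark 2) deny everything else from the DMZ to inside, so line 3 cannot reach it
access-list dmz_access_in_1 extended deny ip 192.168.1.0 255.255.255.0 10.120.0.0 255.255.255.0
access-list dmz_access_in_1 remark 3) restore DMZ-to-outside, which the implicit deny at the end of the ACL was blocking
access-list dmz_access_in_1 extended permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_access_in_1 in interface dmz

access-list inside_access_in remark 1) inside may reach the whole DMZ (the poster's existing entry)
access-list inside_access_in extended permit ip 10.120.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in remark 2) only matters once line 1 is narrowed; with the broad permit above it never matches
access-list inside_access_in extended deny ip 10.120.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in remark 3) restore inside-to-outside
access-list inside_access_in extended permit ip 10.120.0.0 255.255.255.0 any
access-group inside_access_in in interface inside

show access-list dmz_access_in_1
packet-tracer input dmz icmp 192.168.1.6 8 0 10.221.225.1
```

Order matters: ACEs are evaluated top-down with first match winning and an implicit deny at the end, and new `access-list` lines are appended after any entries that already exist. On a box that already carries the poster's ACLs, either clear each ACL first (`clear configure access-list dmz_access_in_1`) or place entries with `access-list NAME line N extended ...` so the deny lands above the final permit. `show access-list` exposes per-ACE hit counts, and `packet-tracer` shows in its ACCESS-LIST phase which entry a DMZ-to-outside packet matches, which is the quickest way to confirm the implicit deny is no longer the one being hit.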
