11-08-2012 09:44 AM - edited 03-11-2019 05:20 PM
Hi everyone,
I have a basic ASA 5505 that is doing soemthing strange. The only config it has it that all three interfaces have IP's (DMZ, INSIDE, OUTSIDE). There are no other rules other than default.
When I set up a rule to allow traffic from the DMZ to the INSIDE, I lose the ability to ping ot commnicate with the outside interface from the outside network completely.
When I try to ping the outside I get timeouts. If I remove the rules on the DMZ and INSIDE interfaces, the outside becomes available again.
Could anyone please explain why this is?
Here is the broken configuration: (Unable to ping the OUTSIDE interface from the outside network.)
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
switchport access vlan 5
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description Inside - Endura
nameif inside
security-level 100
ip address 10.120.0.20 255.255.255.0
!
interface Vlan2
description Outside - EDN
nameif outside
security-level 0
ip address 10.221.225.26 255.255.255.0
!
interface Vlan5
description DMZ - DS
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DSRV1
host 192.168.1.6
access-list inside_access_in extended permit ip 10.120.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in_1 extended permit ip 192.168.1.0 255.255.255.0 10.120.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group dmz_access_in_1 in interface dmz
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.120.0.0 255.255.255.0 inside
http 10.221.225.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp dmz
telnet 10.120.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.120.0.24-10.120.0.55 inside
!
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Thanks in advance
11-08-2012 10:41 AM
The moment you apply an ACL to an interface, all needed communication must be permitted in the ACLs. The default, where traffic from higher security-level to a lower security-level isallowed is not enabled any more.
So you DMZ-ACL needs minimum three lines:
1) permit needed traffic to inside
2) deny all trafic to inside
3) allow traffic to outside
Same for your inside-ACL.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide