02-01-2018 03:08 PM - edited 02-21-2020 07:16 AM
Hi,
I have an ASA I have inherited and I am having trouble getting a new DMZ interface to work as expected. I have set up the basic interface (IP, security level etc.) and from ARP I can see a client connected to it, which is what I expect. I cannot, however, get any traffic to flow on it even with a permit any any on both in and out on that interface.
Basically I am setting up a guest network using a consumer-based AP on the DMZ interface. It is currently configured with a static IP and I can see that via ARP; however, I am not able to ping or browse to HTTP on it.
The device is on 192.168.1.1, the DMZ network is 192.168.1.0/24 for now. The device I'm trying to manage it from is on 192.168.20.6 on the 192.168.20.0/24 network (LAN security 100).
I have attached my sanitized config to this post.
I am trying to work out why, when I run packet-tracer input LAN tcp 192.168.20.6 12345 192.168.1.1 80 detailed, I get action: allow, but when I actually try to do that in a browser it doesn't work. Same when I do packet-tracer input LAN icmp 192.168.20.6 8 0 192.168.1.1 detailed: it also seems fine, but I can't actually ping it.
I have also tried a static NAT rule like pre-8.3 but that didn't work either. Can anyone see what I am missing?
02-01-2018 07:36 PM
Could you paste the packet tracer output? Also, does the AP have the right default route set up as 192.168.1.254? You can probably ping it from the ASA since it is on the same subnet, but it might be failing to route to any other subnet.
Also a good step to troubleshoot would be to apply a packet capture on that Guest interface and test access. We can then see if the ASA sends the packet out and receives anything back in return.
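As an added worked example of the capture step suggested above (not from either post or the attached config), here is the ASA CLI sequence to capture the test flow on both the inside and the guest interface, plus the ASA's own drop log, so you can tell whether the packet ever leaves toward the AP and whether anything comes back. The interface names `LAN` and `Guest` are assumptions; substitute the nameif values from your own config.

```cisco
! Added example, not part of the original thread. Assumes the inside
! interface is named "LAN" and the DMZ/guest interface is named "Guest".

! Capture the test flow on both interfaces: the ingress side shows the
! request arriving, the egress side shows whether it was forwarded and
! whether the AP ever answered.
capture LAN_CAP interface LAN match ip host 192.168.20.6 host 192.168.1.1
capture GUEST_CAP interface Guest match ip host 192.168.20.6 host 192.168.1.1

! Capture packets the ASA itself drops (ACL, NAT, routing, inspection ...)
capture ASP_DROP type asp-drop all

! Now repeat the ping / browser test from 192.168.20.6, then inspect:
show capture LAN_CAP
show capture GUEST_CAP
show capture ASP_DROP | include 192.168.1.1

! How to read the result:
!  - packets in LAN_CAP but none in GUEST_CAP: the ASA dropped them on the
!    way through; the reason is in ASP_DROP
!  - packets in GUEST_CAP in one direction only: the AP received the request
!    and never replied (missing or wrong default route on the AP, or the AP
!    does not answer on that address)
!  - both directions in GUEST_CAP but no reply in LAN_CAP: the return path
!    (NAT, route back to 192.168.20.0/24) is the problem

! Captures are held in memory; remove them when finished
no capture LAN_CAP
no capture GUEST_CAP
no capture ASP_DROP
```

Comparing the two captures against the packet-tracer verdict is the quickest way to separate "the ASA allows it" from "the AP never answers", which is exactly the gap described in the original question.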