01-04-2022 09:45 AM
I am facing issues in connecting a PC from the outside interface to the DMZ interface on a Cisco 5505 ASA firewall. The ICMP ping is successful from the outside PC to the DMZ server, but it fails to establish any TCP connection.
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.6 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.1.1.10 255.255.255.252
!
object network dmz
 host 10.1.1.9
object network inside
 host 10.1.1.5
!
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
!
access-list icmp_http_ftp extended permit icmp any object inside
access-list icmp_http_ftp extended permit icmp any object dmz
access-list icmp_http_ftp extended permit tcp any object dmz eq www
access-list icmp_http_ftp extended permit tcp any object dmz eq ftp
!
!
access-group icmp_http_ftp in interface outside
object network dmz
 nat (DMZ,outside) static 10.1.1.3
object network inside
 nat (inside,outside) dynamic interface
class-map cmap
 match default-inspection-traffic
!
policy-map pmap
 class cmap
  inspect ftp
  inspect http
  inspect icmp
!
service-policy pmap global
!
telnet timeout 5
ssh timeout 5
Kindly, can anyone provide feedback on where I am going wrong?
I am attaching a screenshot of the IP packet emulation of the issue as well.
01-04-2022 10:23 AM
The ICMP ping is successful from the outside PC to the DMZ server, but it fails to establish any TCP connection.
what TCP connection ? what port ?
can you explain what source IP address and what is the destination IP address and port ?
01-04-2022 12:03 PM
Hi
The DMZ server is NATted to the static IP address 10.1.1.3/29, and the server has the HTTP and FTP ports open; these have been added to the ACL icmp_http_ftp, and the ACL is applied to the access-group of the outside interface.
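An offline check of the ACL and NAT lines from the posted config, added here as an example; it is not part of the thread and not a Cisco tool. It parses the object, nat, access-list and access-group statements, un-translates the mapped address 10.1.1.3 to the real host 10.1.1.9 the way ASA 8.3 and later do before an interface ACL is evaluated, and reports whether a given inbound flow on outside is permitted. The source address 192.0.2.10 and the pre-8.3 style variant ACE (written against the mapped address) are constructed for the example; the parser understands only the keywords that appear in the posted config.

```python
"""Offline ACL/NAT consistency check for the ASA 8.4(2) config posted above.

Added example, not Cisco tooling and not the poster's code. It models one
rule of post-8.3 ASA behaviour: an interface ACL matches the *real*
(untranslated) address, so an inbound packet to a static-NAT mapped address
is un-translated first and then matched against the ACL bound to the
ingress interface. Only the keywords used in the posted config are parsed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Relevant lines of the config posted in the thread (sample input for this script).
ASA_CONFIG = """\
object network dmz
 host 10.1.1.9
object network inside
 host 10.1.1.5
access-list icmp_http_ftp extended permit icmp any object inside
access-list icmp_http_ftp extended permit icmp any object dmz
access-list icmp_http_ftp extended permit tcp any object dmz eq www
access-list icmp_http_ftp extended permit tcp any object dmz eq ftp
access-group icmp_http_ftp in interface outside
object network dmz
 nat (DMZ,outside) static 10.1.1.3
object network inside
 nat (inside,outside) dynamic interface
"""

# Constructed variant: the www ACE written pre-8.3 style against the mapped address.
MAPPED_STYLE_CONFIG = ASA_CONFIG.replace(
    "permit tcp any object dmz eq www", "permit tcp any host 10.1.1.3 eq www")

PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "ssh": 22}
Endpoint = Tuple[str, ...]  # ("any",) | ("object", name) | ("host", ip)


@dataclass
class Ace:
    action: str
    proto: str
    src: Endpoint
    dst: Endpoint
    port: Optional[int]


@dataclass
class AsaPolicy:
    objects: dict = field(default_factory=dict)        # object name -> real host IP
    static_nat: dict = field(default_factory=dict)     # mapped IP -> (object, real_if, mapped_if)
    acls: dict = field(default_factory=dict)           # ACL name -> [Ace]
    access_groups: dict = field(default_factory=dict)  # (interface, direction) -> ACL name


def _endpoint(toks, i) -> Tuple[Endpoint, int]:
    """Read one ACE address term ('any', 'object NAME' or 'host IP')."""
    if toks[i] == "any":
        return ("any",), i + 1
    return (toks[i], toks[i + 1]), i + 2


def parse_asa(text: str) -> AsaPolicy:
    pol, current = AsaPolicy(), None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] == "!":
            continue
        if toks[:2] == ["object", "network"]:
            current = toks[2]
            pol.objects.setdefault(current, None)
        elif toks[0] == "host" and current:
            pol.objects[current] = toks[1]
        elif toks[0] == "nat" and current and "static" in toks:
            m = re.fullmatch(r"\((\w+),(\w+)\)", toks[1])      # (real_if,mapped_if)
            mapped = toks[toks.index("static") + 1]
            pol.static_nat[mapped] = (current, m.group(1), m.group(2))
        elif toks[0] == "access-list" and toks[2] == "extended":
            src, i = _endpoint(toks, 5)
            dst, i = _endpoint(toks, i)
            port = None
            if i < len(toks) and toks[i] == "eq":
                port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
            pol.acls.setdefault(toks[1], []).append(Ace(toks[3], toks[4], src, dst, port))
        elif toks[0] == "access-group":               # access-group NAME in interface IF
            pol.access_groups[(toks[4], toks[2])] = toks[1]
    return pol


def _matches(pol: AsaPolicy, spec: Endpoint, ip: str) -> bool:
    if spec[0] == "any":
        return True
    if spec[0] == "object":
        return pol.objects.get(spec[1]) == ip
    return spec[1] == ip                               # host


def evaluate(pol: AsaPolicy, ingress: str, proto: str, src_ip: str,
             dst_ip: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a new flow arriving on `ingress`."""
    real_dst = dst_ip
    nat = pol.static_nat.get(dst_ip)
    if nat and nat[2] == ingress:                      # un-translate mapped -> real first
        real_dst = pol.objects[nat[0]]
    acl_name = pol.access_groups.get((ingress, "in"))
    if acl_name is None:
        return "deny"     # outside (level 0) reaches DMZ (level 50) only via an explicit ACL
    for ace in pol.acls.get(acl_name, []):
        if ace.proto not in (proto, "ip"):
            continue
        if not (_matches(pol, ace.src, src_ip) and _matches(pol, ace.dst, real_dst)):
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action
    return "deny"                                      # implicit deny at the end of every ACL


if __name__ == "__main__":
    pol = parse_asa(ASA_CONFIG)
    for proto, port in (("icmp", None), ("tcp", 80), ("tcp", 21), ("tcp", 22)):
        print(proto, port, evaluate(pol, "outside", proto, "192.0.2.10", "10.1.1.3", port))
```

Run against the posted config the check returns permit for ICMP, tcp/80 and tcp/21 to 10.1.1.3 and deny for tcp/22, because the ACEs already reference the real address through `object dmz`; the mapped-address variant returns deny for tcp/80, which is the classic post-8.3 mistake this check is meant to catch. The on-box equivalent is `packet-tracer input outside tcp 192.0.2.10 12345 10.1.1.3 80`, whose per-phase output also covers routing and inspection, which this script does not model.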
01-09-2022 11:03 AM - edited 01-09-2022 11:04 AM
Hello
Duplicate post - With a possible provided solution - here