05-19-2011 03:04 PM - edited 03-11-2019 01:35 PM
I am trying to set up a DMZ with an inside VLAN to transfer SFTP (SSH) securely. I can't get the inside PC to connect to the SFTP (SSH) server. I have bought and activated the Security upgrade.
My DMZ server is 10.30.30.1
My PC trying to go from the inside to the DMZ is 192.168.1.3
Here is my running config:
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Vlan5
nameif DMZ
security-level 0
ip address 10.30.30.30 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list DMZ_access_in extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit tcp 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ssh
access-list inside_access_in extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config DMZ
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd auto_config DMZ interface inside
dhcpd enable inside
!
!
!
prompt hostname context
Cryptochecksum:73a91eb713376caf890ca2f0824da80e
: end
05-19-2011 05:50 PM
Hello,
interface Vlan1
nameif inside
security-level 50
ip address 192.168.1.1 255.255.255.0
access-list inside_access_in extended permit tcp 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ssh
access-list inside_access_in extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
The ACL applied inbound to the inside interface seems to be backwards. As the inside interface is assigned IP address 192.168.1.1, the source of the traffic from behind that interface should be 192.168.1.0/24. Therefore, shouldn't the ACL be:
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0 eq ssh
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
Hope this helps.
05-20-2011 06:26 AM
That's it! You're a GENIUS!!!