Solved: Cisco ASA5505 conundrum

Joseph Dowling · ‎05-19-2011

I am trying to set up

a DMZ with an inside VLAN to transfer SFTP (SS

H) securely. I can't get the inside pc to connect to the SFTP

(SSH) server. I have bought and activated the Security upgrade

My DMZ server is 10.30.30.1

My PC trying to go from the inside to the DMZ is 192.168.1.3

Here is my running config:

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 50

ip address 192.168.1.1 255.255.255.0

!

interface Vlan5

nameif DMZ

security-level 0

ip address 10.30.30.30 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

access-list DMZ_access_in extended permit ip 10.30.30.0 255.255.255.0 192.168.1. 0 255.255.255.0

access-list inside_access_in extended permit tcp 10.30.30.0 255.255.255.0 192.16 8.1.0 255.255.255.0 eq ssh

access-list inside_access_in extended permit ip 10.30.30.0 255.255.255.0 192.168 .1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu DMZ 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-group inside_access_in in interface inside

access-group DMZ_access_in in interface DMZ

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config DMZ

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd auto_config DMZ interface inside

dhcpd enable inside

!

prompt hostname context

Cryptochecksum:73a91eb713376caf890ca2f0824da80e

: end

Allen P Chen · ‎05-19-2011

Hello,

interface Vlan1

nameif inside

security-level 50

ip address 192.168.1.1 255.255.255.0

access-list inside_access_in extended permit tcp 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ssh

access-list inside_access_in extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

access-group inside_access_in in interface inside

The ACL applied inbound to the inside interface seems to be backwards. As the inside interface is assigned IP address 192.168.1.1, the source of the traffic from behind that interface should be 192.168.1.0/24. Therefore, shouldn't the ACL be:

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0 eq ssh

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0

Hope this helps.

View solution in original post

Allen P Chen · ‎05-19-2011

Hello,

interface Vlan1

nameif inside

security-level 50

ip address 192.168.1.1 255.255.255.0

access-list inside_access_in extended permit tcp 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ssh

access-list inside_access_in extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

access-group inside_access_in in interface inside

The ACL applied inbound to the inside interface seems to be backwards. As the inside interface is assigned IP address 192.168.1.1, the source of the traffic from behind that interface should be 192.168.1.0/24. Therefore, shouldn't the ACL be:

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0 eq ssh

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0

Hope this helps.

Joseph Dowling · ‎05-20-2011

That's it! You're a GENIUS!!!