01-13-2022 02:34 PM
Hi,
I have a device in my DMZ that needs to talk to my inside network server. I can't telnet using the ports that I have listed in my access list. Packet tracer shows that the TCP traffic is not blocked from the inside to the DMZ1.
packet-tracer input inside tcp 144.244.244.6 9443 192.168.44.44 9443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.44.0 255.255.255.0 dmz1
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in DukeLAN 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group UAG_Inside_Access any object VMWare-UAG log
access-list inside_access_in remark Allow Inside to access PLEX Media Server
object-group service UAG_Inside_Access
description: Ports for VMware UAG
service-object object TCP_22443
service-object object TCP_32111
service-object object UAG_TCP_4172_Inside
service-object object UAG_UDP_4172_Inside
service-object object UDP_22443
service-object object TCP-9427
service-object object 443TCP
service-object object 9443TCP
service-object tcp destination eq www
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
description Netflow_export_class
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7682531, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz1
output-status: up
output-line-status: up
Action: allow
Not sure how to troubleshoot this issue, and any help is greatly appreciated. Inside network is 144.244.244.x
DMZ network is 192.168.44.x. I can ping and get replies from the DMZ1 device 192.168.44.44 from my private LAN.
Thanks
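Packet-tracer output like the one above is easier to read once it is split into phases. The following is an added Python example (not from this thread or from Cisco) that parses that output format and reports the first phase that returned DROP, using a constructed, trimmed copy of the thread's output as sample input:

```python
# Constructed sample, trimmed from the thread's packet-tracer output: one phase plus the summary block.
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group UAG_Inside_Access any object VMWare-UAG log
Additional Information:
Result:
input-interface: inside
output-interface: dmz1
Action: allow
"""

SCALAR = ("Type", "Subtype", "Result")          # one-line fields inside a phase
BLOCKS = ("Config", "Additional Information")   # fields that run until the next header


def parse_packet_tracer(text):
    """Return (phases, summary): phases as a list of dicts, summary as the trailing Result: block."""
    phases, summary, cur, block = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):             # new phase header
            cur = {"phase": int(line.split(":", 1)[1]), **{k: "" for k in SCALAR}, **{k: [] for k in BLOCKS}}
            phases.append(cur)
            block = None
        elif line == "Result:":                   # summary block begins; no more phases follow
            cur, block = None, "summary"
        elif block == "summary":
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif cur is not None:
            key, sep, val = line.partition(":")
            if sep and key in SCALAR:
                cur[key] = val.strip()
                block = None
            elif sep and key in BLOCKS:
                block = key
            elif block:                           # continuation of Config / Additional Information
                cur[block].append(line)
    return phases, summary


def first_drop(phases):
    """First phase whose Result is DROP, else None (every phase allowed the packet)."""
    return next((p for p in phases if p["Result"].upper() == "DROP"), None)
```

When `first_drop` returns None, as it does for the trace in this thread, the ASA itself is not dropping the packet, and the summary block's output-interface tells you where to look next.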
01-13-2022 10:50 PM
Hello
Can you post the following, please:
sh run object inline
sh run object group
sh run nat
sh nat detail
sh run access-list
sh run access-group
sh run policy-map | be glo
sh route | be Ga
sh interface ip brief
01-14-2022 06:55 AM
01-14-2022 11:57 AM
Hello
Apologies; instead of me requesting additional config, can you post the full run config in a file, please?
As an interim can you try the following:
access-group dmz1_access_in_2 out interface dmz1
policy-map global_policy
class inspection_default
inspect icmp
01-14-2022 12:29 PM
01-15-2022 06:00 PM
Paul, any suggestions?