10-28-2011 10:57 AM - edited 03-11-2019 02:43 PM
Hi All :
I managed to configure the firewall 5505 so that it can ping between outside and DMZ and also between DMZ and inside.
Outside and Inside are not accessible to each other because Outside is set to No Forward to Inside.
My purpose now is to access the shared folder by Windows Explorer (under Network) between, for example, DMZ and inside. I tried to do it but cannot even see the host of the other party's network. For example, if I open Windows Explorer at DMZ, I can't see the host at the Inside network. Likewise, if I open Windows Explorer at Inside, I can't see the host at the DMZ network.
How do I configure it so that I can access the host as well as the shared folder of the two sites which can already ping each other?
Thanks!
Attached please see the configuration file for reference. Thanks!
10-28-2011 12:02 PM
Looking at the configuration, inside has security level 100 and dmz is 50. With no access list, Inside > DMZ should be allowed, but for DMZ > Inside you will have to allow it in an ACL (dmz_access_in).
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
Microsoft file sharing SMB: User Datagram Protocol (UDP) ports from 135 through 139 and Transmission Control Protocol (TCP) ports from 135 through 139.
Direct-hosted SMB traffic without a network basic input/output system (NetBIOS): port 445 (TCP and UDP).
In a domain, the Kerberos server (KDC) should be contacted to issue a session ticket before access can be granted:
Kerberos V5: UDP/TCP 88 on the Kerberos server.
Hope this helps.
Thanks
10-29-2011 01:59 AM
Hi Ajaychauhan :
Thanks for your help!
I added the access list as indicated by your instruction, as below (in light brown color), and applied it to interface dmz as inbound:
access-list dmz_access_in extended permit ip any 192.168.100.0 255.255.255.0
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq www
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq ftp
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq ftp-data
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 135
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 136
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 137
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 138
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 135
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 136
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq netbios-ns
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq netbios-dgm
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 139
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 445
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 445
The result is that the host (192.168.100.110/24) at the inside network still cannot be displayed on the host (192.168.3.100/24) at the dmz network.
Attached is the config file. Please advise. Thanks!
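A check worth running on the ACL posted above, added here as an example and not part of the thread: the first entry, permit ip any 192.168.100.0 255.255.255.0, already allows every protocol and port from any DMZ host to the whole inside subnet, so the sixteen port-specific entries after it can never match, and the DMZ host has unrestricted access to inside, which defeats the purpose of a DMZ. The script below parses those lines (copied verbatim from the post) and reports both problems. It only understands the ACE syntax the post uses (any, host A.B.C.D, or address plus netmask, with an optional eq PORT).

```python
"""Find dead and over-broad entries in the dmz_access_in ACL posted above.

Added example, not part of the thread.  POSTED_ACL is copied from the post;
the parser handles only the syntax those lines use:
    access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
with SRC/DST written as `any`, `host A.B.C.D` or `A.B.C.D M.M.M.M`.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords that appear in the post; anything else must be numeric.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

POSTED_ACL = """
access-list dmz_access_in extended permit ip any 192.168.100.0 255.255.255.0
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq www
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq ftp
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq ftp-data
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 135
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 136
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 137
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 138
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 135
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 136
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq netbios-ns
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq netbios-dgm
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 139
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 445
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 445
"""


@dataclass
class Ace:
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None: no destination-port restriction


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Pop one address spec off the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(t + "/" + tokens.pop(0))   # address + netmask


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError("unsupported ACE syntax: " + line)
    action, proto, rest = tokens[3], tokens[4], tokens[5:]
    src, dst = _take_addr(rest), _take_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        rest = rest[2:]
    if rest:
        raise ValueError("trailing tokens in ACE: " + line)
    return Ace(line, action, proto, src, dst, port)


def covers(a: Ace, b: Ace) -> bool:
    """True when every packet matching b also matches a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.port is None or a.port == b.port
    return proto_ok and port_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def shadowed(aces: List[Ace]) -> List[Tuple[int, int]]:
    """(dead entry, earlier entry that hides it) for entries that can never match."""
    hits = []
    for i, b in enumerate(aces):
        for j in range(i):
            if covers(aces[j], b):
                hits.append((i, j))
                break
    return hits


def wide_open(aces: List[Ace]) -> List[int]:
    """Permit entries with no protocol restriction from any source: these make
    the DMZ interface effectively a second inside."""
    return [i for i, a in enumerate(aces)
            if a.action == "permit" and a.proto == "ip" and a.src.prefixlen == 0]


ACES = [parse_ace(l) for l in POSTED_ACL.strip().splitlines()]

if __name__ == "__main__":
    for i in wide_open(ACES):
        print(f"entry {i + 1} permits every protocol from any DMZ host: {ACES[i].text}")
    for i, j in shadowed(ACES):
        print(f"entry {i + 1} can never match; entry {j + 1} already covers it")
```

For reaching a share as \\192.168.100.110\share, the only entry actually needed is TCP 445 (TCP 139 if the client falls back to NetBIOS-framed SMB), and it should be scoped to the two hosts, for instance: access-list dmz_access_in extended permit tcp host 192.168.3.100 host 192.168.100.110 eq 445. The UDP 137/138 entries carry NetBIOS name-service and browser datagrams, which are broadcast on the local segment; the later posts in this thread explain why permitting them on the ASA does not help.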
03-07-2014 08:09 PM
I tried this too on a Cisco ASA 5510 and was able to get to the user authentication prompt. When I apply the credentials I get the following error:
System error 67 has occurred.
The network name cannot be found.
I do not see any errors on the ASA.
Does anyone have any ideas?
11-02-2011 03:49 PM
Hi Tang-Suan-
Which license do you have installed on it? Which mode is your firewall running in?
11-03-2011 08:10 AM
Hi Jean :
Thanks for your reply!
I am using basic license.
The configuration is in VLAN routing mode, separated into 3 VLANs: 1. VLAN1 inside network, 2. VLAN2 dmz network and 3. VLAN3 outside network.
Now I am able to use \\192.168.100.110 to access the host at the inside network from dmz, but cannot use Network under Windows Explorer to access the host with IP 192.168.100.110 at the inside network.
When I place two hosts in the same VLAN and they are in the same subnet, they are able to access each other through Network under Windows Explorer.
Is this considered OK? Or is there any way to make it accessible through Network under Windows Explorer?
Regards,
tangsuan
11-03-2011 12:22 PM
Hi Tang-Suan-
If you are trying to use all 3 VLANs to communicate with one another, then this is not going to be possible. The 3rd VLAN created can only send to one other interface exclusively, per the license.
VLAN1 <-bi-directional-> VLAN2 = OK
VLAN3 (can only talk to one other VLAN) either VLAN1 or VLAN2, but not both.
11-05-2011 01:43 AM
Hi Jean and all :
Thanks for your reply!
Yes, I know what you said in your email. The third VLAN, VLAN3, which is the Outside network, is No Forward to the Inside network and so they are basically not communicable.
My access problem is between DMZ and Inside or DMZ and Outside, where both can communicate bidirectionally.
The situation now is as below:
DMZ and Inside can ping and remote desktop access each other.
DMZ and Outside can ping and remote desktop access each other.
Both are OK in ping and remote access and also using \\192.168.xxx.xxx to access each other. The only problem is when accessing by Network of Windows Explorer; they do not appear as connection items.
When the two hosts are changed to the same subnet and placed in the same VLAN (whether they are at Inside, DMZ or Outside), the two hosts can be shown as connection items by Network of Windows Explorer.
Can I say that the connection items can only be done in the same subnet and same VLAN? When they are in different subnets, even though there is an access rule for them to communicate, they will not be seen as connection items under the Network of Windows Explorer?
Thanks!
11-05-2011 10:33 AM
Hi,
NetBIOS uses broadcast and so AFAIK it won't work between subnets unless you either use a router with ip helper-address or use a WINS server.
Alain.
11-05-2011 08:55 PM
Hi Alain :
Thanks for your reply!
From your reply, I know why there is no connection item: because the Network of Windows Explorer is using NetBIOS. This NetBIOS needs broadcast, and the broadcast now is blocked due to inter-VLAN routing.
I got your answer. Thanks!
One further question to you: are all the ports for the different protocols opened in the access rule not applicable to NetBIOS? If there is any, I am just curious to know, as maybe a rule can be set for this purpose.
Thanks again!
11-05-2011 09:13 PM
Hi Alain :
I have checked just now that the NetBIOS ports are TCP and UDP ports 135 to 139. These ports have been tried via access rules from Ajay's suggestion some time before. I even tried TCP and UDP port 445 for SMB but none of them work.
Are there any other ports that can be tried? If not, this may be an inherent limitation of inter-VLAN routing.
Thanks!
11-06-2011 02:06 PM
Hi,
If my assumption of broadcast domains is the reason why it is failing, then this has nothing to do with L4 protocols/ports; it's just that a router or firewall in routed mode cannot forward frames destined to 255.255.255.255.
On a router you can use the ip helper-address command to translate the broadcast to unicast, but in the ASA you can't do this except for DHCP with the DHCP relay feature.
Regards.
Alain
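To make the broadcast point concrete, here is an added example (not from the thread or from Cisco) that builds and decodes the NetBIOS Name Service queries (RFC 1001/1002, UDP 137) behind what Windows Explorer's Network view does. A name query carries a "B" bit: set, the datagram goes to the subnet broadcast address and a routed-mode ASA never forwards it, whichever ports the ACL permits; clear, it is a unicast to a WINS server and crosses the firewall like any other UDP flow. The suffix byte matters too: the per-subnet master-browser name (suffix 0x1D) is never stored by WINS and is only ever resolved by broadcast, which is why a WINS server helps browsing only through the domain master browser name (suffix 0x1B). The names, transaction ids and the WINS address 192.168.100.5 below are made up; 192.168.3.0/24 is the dmz subnet from the thread.

```python
"""Build and decode NetBIOS Name Service (NBNS, RFC 1001/1002, UDP 137)
queries to show why Windows "Network" browsing stops at a routed firewall.

Added example, not from the thread.  Names, transaction ids and the WINS
address used in the demo are made up.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

NBNS_PORT = 137
FLAG_RD = 0x0100   # recursion desired: set on every Windows name query
FLAG_B = 0x0010    # "B" bit: query is broadcast on the local segment, not sent to WINS
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001

# 16th byte of a NetBIOS name says which service the name belongs to.
SUFFIX = {0x00: "workstation", 0x20: "file server",
          0x1B: "domain master browser", 0x1D: "subnet master browser"}


def encode_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15 chars padded with spaces plus the suffix byte;
    each byte is split into two nibbles, each written as 'A' + nibble (32 chars)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out)


def decode_name(encoded: bytes) -> Tuple[str, int]:
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_query(name: str, suffix: int, broadcast: bool, txid: int) -> bytes:
    """12-byte header, one question (length byte, 32-char name, terminator),
    then QTYPE NB and QCLASS IN: 50 bytes in total."""
    flags = FLAG_RD | (FLAG_B if broadcast else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name, suffix) + b"\x00"
    return header + question + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_query(pkt: bytes) -> Dict[str, object]:
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1 or pkt[12] != 0x20 or pkt[45] != 0:
        raise ValueError("not a single-question NBNS query")
    name, suffix = decode_name(pkt[13:45])
    return {"txid": txid, "broadcast": bool(flags & FLAG_B),
            "name": name, "suffix": suffix, "kind": SUFFIX.get(suffix, "other")}


def query_destination(broadcast: bool, local_net: str, wins: str) -> Tuple[str, int]:
    """Where the datagram is sent.  The broadcast form stays on the segment;
    a router or ASA in routed mode only forwards the unicast form."""
    if broadcast:
        return str(ipaddress.IPv4Network(local_net).broadcast_address), NBNS_PORT
    return wins, NBNS_PORT


def resolution_path(suffix: int, wins_configured: bool) -> List[str]:
    """Order a WINS-enabled (h-node) Windows client tries.  The per-subnet 0x1D
    master-browser name is never stored by WINS, so it is broadcast only."""
    if suffix == 0x1D or not wins_configured:
        return ["broadcast"]
    return ["wins", "broadcast"]


if __name__ == "__main__":
    for name, suffix, bcast in (("WORKGROUP", 0x1D, True), ("SERVER1", 0x20, False)):
        pkt = build_query(name, suffix, bcast, 0x1234)
        q = parse_query(pkt)
        dst = query_destination(bcast, "192.168.3.0/24", "192.168.100.5")
        print(f"{q['name']}<{q['suffix']:02X}> ({q['kind']}): "
              f"{'broadcast' if q['broadcast'] else 'unicast'} to {dst[0]}:{dst[1]}, "
              f"{len(pkt)} bytes, tries {resolution_path(suffix, True)}")
```

The broadcast query for WORKGROUP<1D> is what the Network view sends to find the local master browser, and it is addressed to 192.168.3.255, so it dies on the dmz interface; the unicast query for SERVER1<20> goes to the WINS server and is ordinary UDP that an ACL can permit. Typing \\192.168.100.110 skips NBNS altogether, which is why that already works in the thread.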
11-09-2011 07:38 AM
Hi Alain :
Thanks for your answer.
My request for this solution looks like it cannot be done, because a firewall in routed mode cannot forward a "broadcast" frame or a frame destined to 255.255.255.255. Correct me if I am wrong.
Anyway, I am closing this discussion and taking your reply as the correct answer.
Thanks again!
11-09-2011 08:01 AM
Hi,
Apart from the WINS server or a router with ip helper-address, I don't see any solution that I'm aware of, but I could be wrong and it could be something else provoking the problem. Maybe you should wait for answers from ASA experts who have already encountered this problem.
Regards.
Alain