6988 Views · 0 Helpful · 13 Replies

How to Access Folder between two Firewall Sites - ASA5505

Tang-Suan Tan (Level 1)

Hi All:

I managed to configure the firewall 5505 so that it can ping between outside and DMZ and also between DMZ and inside.

Outside and Inside are not accessible to each other because Outside has No Forward to Inside.

My purpose now is to access the shared folder by Windows Explorer (under Network) between, for example, DMZ and inside. I tried to do it but cannot even see the host of the other party's network. For example, if I open Windows Explorer at DMZ, I can't see the host at the Inside network. Likewise, if I open Windows Explorer at Inside, I also can't see the host at the DMZ network.

How do I configure it so that I can access the host as well as the shared folder of two sites which can already ping each other?

Thanks!

Please see the attached configuration file for reference. Thanks!


13 Replies

ajay chauhan (Level 7)

Looking at the configuration, inside has security level 100 and dmz is 50. With no access list, Inside > DMZ should be allowed, but from DMZ > Inside you will have to allow it in the ACL (dmz_access_in).

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0

Microsoft file sharing SMB: User Datagram Protocol (UDP) ports 135 through 139 and Transmission Control Protocol (TCP) ports 135 through 139.

Direct-hosted SMB traffic without a network basic input/output system (NetBIOS): port 445 (TCP and UDP).

In a domain, the Kerberos server (KDC) should be contacted to issue a session ticket before access can be granted:

Kerberos V5: UDP/TCP 88 on the Kerberos server.

Hope this helps.

Thanks

Hi Ajaychauhan:

Thanks for your help!

I added the access list as indicated by your instruction, as below (in light brown color), and applied it to interface dmz inbound:

access-list dmz_access_in extended permit ip any 192.168.100.0 255.255.255.0
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq www
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq ftp
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq ftp-data
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 135
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 136
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 137
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 138
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 135
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 136
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq netbios-ns
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq netbios-dgm
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 139
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 445
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq 445

The result is that the host (192.168.100.110/24) at the inside network still cannot be displayed on the host (192.168.3.100/24) at the dmz network.

The config file is attached. Please advise. Thanks!

I tried this too on a Cisco ASA 5510 and was able to get to the user authentication prompt. When I apply the credentials I get the following error:

System error 67 has occurred.

The network name cannot be found.

I do not see any errors on the ASA.

Does anyone have any ideas?

caseth0102 (Level 1)

Hi Tang-Suan,

Which license do you have installed on it? Which mode is your firewall running in?

Hi Jean:

Thanks for your reply!

I am using the basic license.

The configuration is in VLAN routing mode, which is separated into 3 VLANs: 1. VLAN1 inside network, 2. VLAN2 dmz network and 3. VLAN3 outside network.

Now I am able to use \\192.168.100.110 to access the host at the inside network from dmz, but cannot use Network under Windows Explorer to access the host with IP 192.168.100.110 at the inside network.

When I place two hosts in the same VLAN and they are in the same subnet, they are able to access each other through Network under Windows Explorer.

Is this considered OK? Or is there any way to make them accessible through Network under Windows Explorer?

Regards,

tangsuan

Hi Tang-Suan,

If you are trying to use all 3 VLANs to communicate with one another, then this is not going to be possible. The 3rd VLAN created can only send to one other interface exclusively per the license.

VLAN1 <-bi-directional-> VLAN2 = OK

VLAN3 (can only talk to one other VLAN) either VLAN1 or VLAN2, but not both.

Hi Jean and all:

Thanks for your reply!

Yes, I know what you said in your email. The third VLAN, VLAN3, which is the Outside network, is NO FORWARD to the Inside network, and so they are basically not able to communicate.

My access problem is between DMZ and Inside or DMZ and Outside, where they can both communicate bidirectionally.

The situation now is as below:

DMZ to Inside can ping and remote desktop access between each other.

DMZ to Outside can ping and remote desktop access between each other.

Both are OK in ping and remote access and also using \\192.168.xxx.xxx to access each other. The only problem is when accessing by Network of Windows Explorer: they do not appear as connection items.

When the two hosts are changed to the same subnet and placed in the same VLAN (whether they are at Inside, DMZ or Outside), the two hosts can be shown as connection items by Network of Windows Explorer.

Can I say that the connection items can only be shown within the same subnet and same VLAN? When they are in different subnets, even though there is an access rule for them to communicate, they will not be seen as connection items under the Network of Windows Explorer?

Thanks!

Hi,

NetBIOS is using broadcast and so afaik it won't work between subnets unless you either use a router with ip helper-address or use a WINS server.

Alain.

Don't forget to rate helpful posts.

Hi Alain:

Thanks for your reply!

From your reply, I know why there is no connection item: because the Network of Windows Explorer is using NetBIOS. This NetBIOS needs broadcast, and the broadcast is now blocked due to inter-VLAN routing.

I got your answer. Thanks!

One further question to you: is it that all the ports for the different protocols opened in the access rule cannot apply to NetBIOS? If there is one, I am just curious to know, as maybe a rule can be set for this purpose.

Thanks again!

Hi Alain:

I have just checked that the NetBIOS ports are TCP and UDP ports 135 to 139. These ports were already tried in access rules, from Ajay's suggestion some time before. I even tried TCP and UDP port 445 for SMB, but none of them work.

Are there any other ports that can be tried? If not, this may be an inherent limitation of inter-VLAN routing.

Thanks!

Hi,

If my assumption about broadcast domains is the reason why it is failing, then this has nothing to do with L4 protocols/ports; it's just that a router or firewall in routed mode cannot forward frames destined to 255.255.255.255.

On a router you can use the ip helper-address command to translate the broadcast to unicast but in the ASA you can't do this except for DHCP with the dhcp relay feature.

Regards.

Alain

Don't forget to rate helpful posts.
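Ajay's point about security levels and the direction of the ACL, and Alain's point that a broadcast frame is dropped before any L4 port rule is even consulted, can be put together in one small model. The Python below is an added example written for this page; it is not Cisco code and not something any participant posted. It assumes a deliberately simplified forwarding logic (the functions forward, acl_permits, parse_acl and is_broadcast are hypothetical names), the interface table from the quoted configuration, and a constructed three-line subset of the posted dmz_access_in ACL.

```python
"""Toy model of the ASA forwarding decision this thread turns on.

Added illustration, not Cisco code and not a faithful ASA implementation.
It models only the three rules the replies above rely on:
  1. security levels: a higher-level interface may send to a lower-level one
     with no ACL; the reverse needs an inbound ACL on the lower interface,
     and once an ACL is applied inbound, the ACL alone decides;
  2. an inbound ACL is a first-match list of extended ACEs
     (ip|tcp|udp, any|host A|NET MASK, optional 'eq <port>'), implicit deny;
  3. a routed-mode firewall never forwards a frame addressed to
     255.255.255.255 (or to a connected subnet's directed broadcast),
     whatever the ACL says. Function names are the author's own.
"""
import ipaddress

# Interface table taken from the config quoted in the thread.
INTERFACES = {
    "inside": {"level": 100, "net": ipaddress.ip_network("192.168.100.0/24")},
    "dmz":    {"level": 50,  "net": ipaddress.ip_network("192.168.3.0/24")},
}

# Constructed subset of the dmz_access_in lines posted by the original poster.
DMZ_ACCESS_IN = """
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq 445
access-list dmz_access_in extended permit udp any 192.168.100.0 255.255.255.0 eq netbios-ns
access-list dmz_access_in extended permit tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn
"""

# ASA port keywords that appear in the thread, resolved to numbers.
NAMED_PORTS = {"www": 80, "ftp": 21, "ftp-data": 20,
               "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def _parse_addr(tokens, i):
    """Consume one address spec; return (network or None for 'any', next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse one 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None
    ace = {"name": t[1], "action": t[3], "proto": t[4], "port": None}
    ace["src"], i = _parse_addr(t, 5)
    ace["dst"], i = _parse_addr(t, i)
    if i + 1 < len(t) and t[i] == "eq":
        ace["port"] = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
    return ace


def parse_acl(text):
    return [a for a in (parse_ace(l) for l in text.splitlines()) if a]


def acl_permits(acl, proto, src, dst, dport):
    """First matching ACE decides; no match means the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] is not None and src not in ace["src"]:
            continue
        if ace["dst"] is not None and dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"] == "permit"
    return False


def is_broadcast(dst):
    return dst == LIMITED_BROADCAST or any(
        dst == i["net"].broadcast_address for i in INTERFACES.values())


def forward(proto, src, dst, dport, ingress, acls):
    """Return (forwarded, reason) for one flow entering interface `ingress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_broadcast(dst):                      # rule 3: checked before any ACL
        return False, "broadcast frame: not forwarded in routed mode"
    egress = next((n for n, i in INTERFACES.items() if dst in i["net"]), None)
    if egress is None:
        return False, "no connected route to destination"
    if ingress in acls:                        # rule 2
        ok = acl_permits(acls[ingress], proto, src, dst, dport)
        return ok, "ACL " + ("permit" if ok else "implicit deny")
    if INTERFACES[ingress]["level"] > INTERFACES[egress]["level"]:  # rule 1
        return True, "higher to lower security level, no ACL required"
    return False, "lower to higher security level and no ACL applied"


ACLS = {"dmz": parse_acl(DMZ_ACCESS_IN)}

if __name__ == "__main__":
    flows = [  # (proto, src, dst, dport, ingress): constructed test flows
        ("tcp", "192.168.3.100", "192.168.100.110", 445, "dmz"),   # \\192.168.100.110 works
        ("udp", "192.168.3.100", "255.255.255.255", 137, "dmz"),   # NetBIOS name broadcast
        ("udp", "192.168.3.100", "192.168.100.255", 137, "dmz"),   # directed broadcast
        ("tcp", "192.168.100.110", "192.168.3.100", 445, "inside"),
    ]
    for f in flows:
        print(f[:4], "from", f[4], "->", forward(*f, ACLS))
```

Running it shows the behaviour the thread observed: the unicast SMB flow from dmz to 192.168.100.110 on TCP 445 is permitted by the ACL, while the NetBIOS name-service packet on UDP 137 is refused on both the limited broadcast and the directed broadcast of the inside subnet even though the ACL contains a matching netbios-ns line. That is why adding more port entries to dmz_access_in cannot make the Network view work across the firewall.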

Hi Alain :

Thanks for your answer.

My request for this solution looks like it cannot be done because a firewall in routed mode cannot forward "broadcast" frames, or frames destined to 255.255.255.255. Correct me if I am wrong.

Anyway, I am closing this discussion and take your reply as correct answer.

Thanks again!

Hi,

Apart from the WINS server or a router with ip helper-address, I don't see any solution that I'm aware of, but I could be wrong and it could be something else provoking the problem. Maybe you should wait for answers from ASA experts who have already encountered this problem.

Regards.

Alain

Don't forget to rate helpful posts.