597 Views, 0 Helpful, 6 Replies

Need to allow ping to switch connected to DMZ from outside

mahesh18
Level 6

Hi everyone,

The current config on the ASA allows telnet to the switch which is connected to the DMZ of the ASA from the outside connection of the ASA.

Is there any way that I can also allow ping to this switch from outside at the same time?

Can ping and telnet work at the same time from the outside switch, which is connected to the outside interface of the ASA, to the DMZ switch?

DMZ switch IP is 192.168.69.1

Outside interface of ASA IP is 192.168.11.2

Switch connected to outside interface of ASA IP is 192.168.11.1

Current config:

ciscoasa# sh running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.52.1 255.255.255.0
!
interface Vlan11
 nameif outside
 security-level 0
 ip address 192.168.11.2 255.255.255.0
!
interface Vlan12
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.69.2 255.255.255.0
!
regex facebook "\.facebook\.com"
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MST recurring
access-list facebook extended deny tcp host 192.168.69.4 any eq www log
access-list facebook extended permit tcp any any eq www log
access-list ACL extended permit icmp any host 192.168.69.4 echo
access-list DMZ-NAT0 extended permit ip 192.168.69.0 255.255.255.0 192.168.11.0 255.255.255.0 log
access-list outside_in extended permit tcp host 192.168.11.1 host 192.168.69.1 eq telnet log
pager lines 24
logging enable
logging timestamp
logging buffer-size 12288
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ-NAT0
nat (DMZ) 1 192.168.69.0 255.255.255.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.11.1 1
route DMZ 192.168.77.0 255.255.255.0 192.168.69.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 192.168.0.0 255.255.0.0 DMZ
http 192.168.0.0 255.255.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate cda15b51
    308201cf 30820138 a0030201 020204cd a15b5130 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
    86f70d01 09021608 63697363 6f617361 301e170d 31333034 30333033 33313134
    5a170d32 33303430 31303333 3131345a 302c3111 300f0603 55040313 08636973
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c5 04be4392
    051ff956 1786981c 6acbe7ed 880bc95a 1c846bf4 19e381f7 f1e8d0d0 e340f86f
    e94ec55b a1714de8 19976ae4 e9196c52 7791873c 794d2eec 4ae90aa5 5b40282c
    3aac7fbb 2a2a2e36 77906a25 a3874d98 7f51e370 266068d8 f5adbd97 bd204ce0
    61943442 ae73ce78 4f2b0daa 53374044 07f4df39 eed0e80c 2b92af02 03010001
    300d0609 2a864886 f70d0101 05050003 8181001e 41c1636b c86357f6 94585bc0
    2fe4bf2f b9f0cc4a 108f3cbf 830ebe54 fb6c87e6 04ad11a4 3fec5ced 5f6f9784
    9f423788 c7de4b5b b7226d81 262ee3b6 ff0adffe 4e49ed7a 42c74d4b f52f0456
    1b8feb3f f19efdc5 adaced62 c4bd7180 107feb06 8658937e 8cb2a154 7486de37
    9b00c44c d17f967e 5fbe4584 c71fd389 55d670
  quit
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.0.0 255.255.0.0 outside
ssh 192.168.0.0 255.255.0.0 DMZ
ssh timeout 60
ssh version 2
console timeout 0
dhcpd dns 64.59.144.19
!
dhcpd address 192.168.52.5-192.168.52.15 inside
dhcpd enable inside
!
dhcpd address 192.168.69.3-192.168.69.20 DMZ
dhcpd enable DMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.11.1
webvpn
username mintoo password AILiHuRWFGgkbsI5 encrypted privilege 15
!
class-map facebook
 match access-list facebook
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http test
 parameters
 match request header host regex facebook
  reset log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
 class facebook
  inspect http test
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:70b9f5bac4c6b6146672a8ca214639cc
: end

Regards

Mahesh


6 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

Are we talking about purely L2 switches or L3 switches doing routing?

Does the Telnet work already?

You naturally need to open ICMP from the "outside" to allow the traffic since at the moment only Telnet is allowed.

access-list outside_in extended permit icmp host 192.168.11.1 host 192.168.69.1 echo

If the Telnet isn't even working between the switches then you might be lacking the "ip default-gateway" configuration on both of the switches.

- Jouni

Hi Jouni,

Telnet is working fine from outside to the DMZ switch.

The switch connected to outside is Layer 3 and the switch connected to DMZ is Layer 2 only.

The DMZ switch has a default route of 192.168.69.2.

It seems I tried the icmp command a few times, but I was using any instead of host 192.168.11.1 as in the above config;

that's the reason it was not working.

Now I configured the above ACL and it worked like a charm.

Can you please explain to me why using any as the source did not work?

Also, while using any as the source, the icmp request was coming from 192.168.11.1 to 192.168.69.1 but the reply was not coming back?

3550SMIB#ping 192.168.69.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.69.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Regards

Mahesh

Hi,

It should work if the source was "any" also.

Can you tell me what ACL/configuration you were using that didn't work?

In the above configuration I can only see Telnet opened from OUTSIDE to DMZ. So in the above configuration ICMP was not possible.

If you added some configuration before, I am not sure why it didn't work.

- Jouni
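The two replies above come down to first-match ACL evaluation on the ASA: the posted `outside_in` ACL (the only list bound with `access-group`; the `ACL` list permitting echo to 192.168.69.4 is never applied to an interface) contains a single Telnet ACE, so an ICMP echo from 192.168.11.1 falls through to the implicit deny until an `icmp` ACE is added, and a source of `any` matches just as well as `host 192.168.11.1`. The echo reply needs no ACE of its own because `inspect icmp` is in the global policy, and the real DMZ address is reachable from outside because `nat (DMZ) 0 access-list DMZ-NAT0` exempts 192.168.69.0/24 to 192.168.11.0/24 from NAT. The following is an added example, not code from the thread: a small evaluator for the ASA extended ACE forms that appear in the posted config, replayed against the Telnet and ping flows the thread discusses. The port-name table and the unsupported-form handling are assumptions of this demo, not ASA behaviour taken from the page.

```python
# Added example (not from the thread): evaluate ASA extended ACEs first-match,
# using only the ACE forms present in the posted running-config.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Service names accepted after 'eq' (small subset, assumed for this demo).
PORT_NAMES = {"telnet": 23, "www": 80, "http": 80, "ssh": 22, "smtp": 25}


def _addr(tok, i):
    """Consume one ASA address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # 'A.B.C.D M.M.M.M' dotted-mask form, as in the DMZ-NAT0 line
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE] [log]'."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
        raise ValueError(f"unsupported ACE: {line}")
    name, action, proto = tok[1], tok[3], tok[4]
    src, i = _addr(tok, 5)
    dst, i = _addr(tok, i)
    dport = icmp_type = None
    if proto == "icmp":
        if i < len(tok) and tok[i] != "log":
            icmp_type = tok[i]                      # e.g. 'echo'
    elif proto in ("tcp", "udp") and i + 1 < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1])
        if dport is None:
            dport = int(tok[i + 1])
    return dict(name=name, action=action, proto=proto, src=src, dst=dst,
                dport=dport, icmp_type=icmp_type)


def ace_matches(ace, flow):
    """True when the ACE covers the flow's protocol, addresses and port/type."""
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    if ipaddress.ip_address(flow["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
        return False
    if ace["dport"] is not None and ace["dport"] != flow.get("dport"):
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != flow.get("icmp_type"):
        return False
    return True


def evaluate(config_lines, acl_name, flow):
    """First-match evaluation of one named ACL; no match hits the implicit deny."""
    for line in config_lines:
        if not line.startswith("access-list "):
            continue
        ace = parse_ace(line)
        if ace["name"] == acl_name and ace_matches(ace, flow):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ASA ACL


# ACE lines copied from the posted running-config.
POSTED_ACLS = [
    "access-list facebook extended deny tcp host 192.168.69.4 any eq www log",
    "access-list facebook extended permit tcp any any eq www log",
    "access-list ACL extended permit icmp any host 192.168.69.4 echo",
    "access-list DMZ-NAT0 extended permit ip 192.168.69.0 255.255.255.0 192.168.11.0 255.255.255.0 log",
    "access-list outside_in extended permit tcp host 192.168.11.1 host 192.168.69.1 eq telnet log",
]
# Constructed flows: outside switch (192.168.11.1) to DMZ switch (192.168.69.1).
TELNET = dict(proto="tcp", src="192.168.11.1", dst="192.168.69.1", dport=23)
PING = dict(proto="icmp", src="192.168.11.1", dst="192.168.69.1", icmp_type="echo")
# The ACE suggested in the reply, and the 'any'-source variant asked about.
ACE_HOST = "access-list outside_in extended permit icmp host 192.168.11.1 host 192.168.69.1 echo"
ACE_ANY = "access-list outside_in extended permit icmp any host 192.168.69.1 echo"


def demo():
    """Return the outside_in verdict for each scenario discussed in the thread."""
    other_src = dict(PING, src="192.168.11.50")  # a second, hypothetical outside host
    return {
        "telnet_original": evaluate(POSTED_ACLS, "outside_in", TELNET),
        "ping_original": evaluate(POSTED_ACLS, "outside_in", PING),
        "ping_with_host_ace": evaluate(POSTED_ACLS + [ACE_HOST], "outside_in", PING),
        "ping_with_any_ace": evaluate(POSTED_ACLS + [ACE_ANY], "outside_in", PING),
        # 'host' scopes the permit to one source; 'any' opens echo from every outside host.
        "other_src_with_host_ace": evaluate(POSTED_ACLS + [ACE_HOST], "outside_in", other_src),
        "other_src_with_any_ace": evaluate(POSTED_ACLS + [ACE_ANY], "outside_in", other_src),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The last two scenarios are the practical difference between the two ACEs: both permit the ping from 192.168.11.1, but `any` also permits echo from every other host that can reach the outside interface, so the `host` form is the tighter choice when only the one switch needs to ping.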

Hi Jouni,

Now it worked using any as the source also.

Maybe I was doing something wrong.

Is pinging the DMZ interface IP from the outside switch possible?

Thanks

Mahesh

Hi,

I don't think you can do that. You can only ping an interface from a host behind that interface, not from behind another interface.

- Jouni

Thanks again, Jouni.

Regards

Mahesh
