06-04-2019 04:25 AM
Hi Every one,
Please find the below configuration
we are not able to ping to DMZ to any network but we ping happening from DMZ to all network.
ASA Version 9.8(1)
!
hostname ACC-1
enable password $sha512$5000$PKH2SLMR2CTytt1uCQlAQA==$2uJHNALkt45EyuxG/Oga5A== pbkdf2
names
zone Serveraccess
!
interface GigabitEthernet1/1
nameif SPLUS
security-level 100
zone-member Serveraccess
ip address 172.16.4.100 255.255.252.0
!
interface GigabitEthernet1/2
nameif pcs1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
<--- More --->
interface GigabitEthernet1/3
bridge-group 2
nameif pcs2
security-level 100
!
interface GigabitEthernet1/4
nameif TIMEMGMT
security-level 100
ip address 172.16.20.100 255.255.252.0
!
interface GigabitEthernet1/5
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
nameif opc
security-level 100
ip address 172.16.12.100 255.255.252.0
!
interface GigabitEthernet1/7
nameif DMZ
security-level 100
zone-member Serveraccess
<--- More --->
ip address 172.16.8.100 255.255.252.0
!
interface GigabitEthernet1/8
nameif WAN
security-level 50
ip address 11.124.232.1 255.255.255.252
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
no ip address
!
interface BVI2
nameif PCS
security-level 100
ip address 172.16.16.100 255.255.252.0
!
ftp mode passive
<--- More --->
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network vla1
range 172.16.4.1 172.16.4.99
object network NETWORK_OBJ_192.168.10.0_25
subnet 192.168.10.0 255.255.255.128
object network SPo001
host 172.16.4.24
<--- More --->
object network SPT001
host 172.16.8.1
object network mylan
subnet 172.16.4.0 255.255.252.0
object network dmz
subnet 172.16.8.0 255.255.252.0
object network TEST
host 192.168.1.5
object-group network splus
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service OPC tcp
port-object range 49153 49453
object-group service DCOM tcp
port-object eq 135
object-group service DM_INLINE_TCP_1 tcp
port-object eq 135
port-object range 49153 49453
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
protocol-object ip
protocol-object icmp
<--- More --->
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
access-list 102 extended permit ip any any log inactive
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 2072
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 2069
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 4242
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 1111
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 8086
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 2424
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 4241
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 89
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 1234
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 1433
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 1434
access-list 102 extended permit udp any 172.16.4.0 255.255.252.0 eq 2070
access-list 102 extended permit udp 172.16.4.0 255.255.252.0 any eq 5001 log
<--- More --->
access-list 102 extended permit tcp 172.16.4.0 255.255.252.0 any eq 5001 log
access-list 102 extended permit udp any 172.16.4.0 255.255.252.0 eq 9999
access-list 102 extended permit udp 172.16.4.0 255.255.252.0 any range 5000 5010 log
access-list 102 extended permit tcp 172.16.4.0 255.255.252.0 any range 5000 5010 log
access-list 102 extended permit udp 172.16.4.0 255.255.252.0 eq tftp any log
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 eq 161 log
access-list 102 extended permit udp any 172.16.4.0 255.255.252.0 eq snmp log
access-list 102 extended permit udp 172.16.4.0 255.255.252.0 any eq 64468 log
access-list 102 extended permit udp 172.16.4.0 255.255.252.0 any eq 52472 log
access-list 102 extended permit udp 172.16.4.0 255.255.252.0 eq 64468 object SPT001 eq snmp log
access-list 102 extended permit udp 172.16.4.0 255.255.252.0 eq 52472 object SPT001 eq snmp log
access-list 102 extended permit udp 172.16.4.0 255.255.252.0 object SPT001 eq ntp
access-list 102 extended permit udp 172.16.4.0 255.255.252.0 172.16.16.0 255.255.252.0 eq ntp log
access-list 102 extended permit icmp 172.16.8.0 255.255.252.0 172.16.4.0 255.255.252.0 log
access-list 102 extended permit tcp any 172.16.4.0 255.255.252.0 range 5000 5010 log
access-list 102 extended permit icmp 172.16.4.0 255.255.252.0 172.16.8.0 255.255.252.0 log
access-list 102 extended permit udp any 172.16.8.0 255.255.252.0 eq 2423
access-list 102 extended permit udp any 172.16.8.0 255.255.252.0 eq 3339
access-list 102 extended permit udp 172.16.8.0 255.255.252.0 172.16.4.0 255.255.252.0 eq 3339
access-list 102 extended permit tcp 172.16.4.0 255.255.252.0 any eq 69
access-list 102 extended permit udp any 172.16.4.0 255.255.252.0 eq tftp
access-list 102 extended permit icmp any any
access-list 103 extended permit tcp any any object-group DM_INLINE_TCP_1 log
access-list 103 extended permit tcp any any eq 445 log
<--- More --->
access-list 103 extended permit tcp any any eq netbios-ssn log
access-list 103 extended permit tcp any any eq www log
access-list 103 extended permit udp any any eq bootps log
access-list 103 extended permit udp any any eq bootpc log
access-list 103 extended permit udp any any eq 50501 log
access-list 103 extended permit udp any any eq netbios-ns log
access-list 103 extended permit udp any any eq netbios-dgm log
access-list 103 extended permit udp any any eq 445 log
access-list 103 extended permit icmp any any log
access-list 103 extended permit tcp any any eq 161 log
access-list 103 extended permit tcp any any eq 8585 log
access-list 103 extended permit udp any any eq 8585 log
access-list 103 extended permit object-group TCPUDP any any eq 135
access-list 103 extended permit udp any any eq ntp log
access-list 103 extended permit tcp any any range 49153 49453 log
access-list 103 extended permit udp any any range 49153 49453 log
access-list 103 extended permit udp any any eq 135 log
access-list 103 extended permit tcp any any eq 135 log
access-list 108 extended permit ip any object SPT001 log
access-list 101 extended permit ip any object SPT001 log
access-list 101 extended permit ip object SPT001 any log
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
<--- More --->
access-list 101 extended permit icmp any any
access-list 111 extended permit object-group DM_INLINE_PROTOCOL_3 172.16.4.0 255.255.252.0 object SPT001 log
access-list 111 extended permit object-group DM_INLINE_PROTOCOL_1 object SPT001 172.16.4.0 255.255.252.0 log
access-list 111 extended permit object-group DM_INLINE_PROTOCOL_1 172.16.4.0 255.255.252.0 object SPT001
access-list 111 extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list 111 extended permit ip any4 any
access-list 111 extended permit ip 172.16.8.0 255.255.252.0 any
access-list 111 extended permit tcp 172.16.8.0 255.255.252.0 any
access-list 111 extended permit udp 172.16.8.0 255.255.252.0 any
access-list 109 extended permit icmp any any
access-list 116 extended permit ip any 172.16.12.0 255.255.252.0 log
access-list 117 extended permit ip 172.16.12.0 255.255.252.0 any log
access-list 117 extended permit ip any4 172.16.12.0 255.255.252.0
access-list 119 extended permit tcp 192.168.50.0 255.255.255.0 172.16.8.0 255.255.252.0 eq 135 log
access-list 119 extended permit icmp any any
access-list 120 extended permit udp any any
access-list 120 extended permit tcp any any
access-list 120 extended permit ip 172.16.8.0 255.255.252.0 172.16.16.0 255.255.252.0 log
access-list 120 extended permit ip 172.16.16.0 255.255.252.0 172.16.8.0 255.255.252.0 log
access-list 120 extended permit udp 172.16.4.0 255.255.252.0 172.16.16.0 255.255.252.0 eq ntp log inactive
access-list 120 extended permit icmp any any
access-list 121 extended permit ip any any log
access-list SPLUS_access_in extended permit ip security-group tag 100 172.16.4.0 255.255.252.0 security-group tag 50 172.16.8.0 255.255.252.0
access-list 500 extended permit ip 172.16.4.0 255.255.252.0 any
<--- More --->
access-list DMZ_access_in extended permit ip any any
access-list SPLUS_access_in_1 extended permit ip any any
access-list pcs1_access_in extended permit ip any any
access-list PCS_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list 100 extended permit icmp any any
access-list 104 extended permit icmp any any
access-list 105 extended permit icmp any any
access-list 106 extended permit icmp any any
access-list 107 extended permit icmp any any
access-list SSL-VPN webtype permit url rdp://172.16.8.1 log default
pager lines 24
logging asdm informational
mtu SPLUS 1500
mtu pcs1 1500
mtu pcs2 1500
mtu TIMEMGMT 1500
mtu opc 1500
mtu DMZ 1500
mtu WAN 1500
no failover
no monitor-interface PCS
no monitor-interface inside
no monitor-interface service-module
<--- More --->
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group SPLUS_access_in_1 in interface SPLUS
access-group pcs1_access_in in interface pcs1
access-group DMZ_access_in in interface DMZ
access-group PCS_access_in in interface PCS
access-group global_access global
route pcs1 0.0.0.0 0.0.0.0 192.168.1.5 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server abb protocol kerberos
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
<--- More --->
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 pcs1
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config SPLUS
!
dhcpd address 192.168.1.5-192.168.1.254 pcs1
dhcpd enable pcs1
!
threat-detection basic-threat
<--- More --->
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$50BZa/Q4lAtck8yJ86539w==$mRim8VAyboFQ1I3iaMJVbw== pbkdf2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
<--- More --->
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:f36b7b9c377533ca6869df284920256b
: end
06-04-2019 04:28 AM
Can any one please tell me where i missed configuration and what configuration i need to do
06-04-2019 04:53 AM
you are currently allowing all IP on DMZ:
access-list DMZ_access_in extended permit ip any any
can you add icmp and log, to this acl.
also you might want to allow icmp from inside/LAN to your DMZ subnet.
if you are using asdm to configure, you can use the tracer tool to see where the packet gets blocked.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide