Problem getting access to tcp services in DMZ

Trond Husoe
Level 1

Output of: packet-tracer input outside tcp my.current.ip.address ftp 192.168.6.1 ftp

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.6.0     255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Output of: packet-tracer input outside tcp my.current.ip.address ftp 192.168.6.1 ftp

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.6.0     255.255.255.0   DMZ

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Output of: packet-tracer input outside tcp my.current.ip.address ftp public.ip.add.ress ftp

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   public.ip.add.ress  255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Output of: sh run nat

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.128_27 NETWORK_OBJ_192.168.1.128_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.254.0_28 NETWORK_OBJ_192.168.254.0_28 no-proxy-arp route-lookup
nat (outside,outside) source dynamic NET-VPNPOOL interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network inside-net
 nat (inside,outside) dynamic interface
object network dmz-ftpserver
 nat (DMZ,outside) static interface service tcp ftp ftp
object network dmz-webserver
 nat (DMZ,outside) static interface service tcp www www

Output of: sh running-config access-list

access-list outside_access_in extended permit tcp any host 192.168.6.1 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.6.2 eq www
access-list VPN-INSIDE-SPORT_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

Output of: sh running-config object network

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
 subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_192.168.1.128_27
 subnet 192.168.1.128 255.255.255.224
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.254.0_28
 subnet 192.168.254.0 255.255.255.240
object network dmz-ftpserver
 host 192.168.6.1
 description FTP server Host Object
object network dmz-webserver
 host 192.168.6.2
 description Web Server Host Object

Output of: sh running-config route

route outside 0.0.0.0 0.0.0.0 public.ip.add.ress 1

The version is ASA 8.4(2), and the box is a 5505.
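As an added example (not part of the post above and not Cisco's tooling), the script below reads ASA packet-tracer output like the one in the post, reports which phase dropped the flow, and then checks a running config for the two usual causes of an ACCESS-LIST phase "Implicit Rule" drop on ASA: the ACL is not bound to the ingress interface with an access-group statement, or it is bound but no ACE in it permits the flow. The tracer text is condensed from the post's second run. The sample config reuses the post's access-list lines, but the access-group line in it is an assumption, since the post does not include "sh run access-group" output; the outside source address 203.0.113.5 is a constructed documentation address.

```python
"""Diagnose an ASA packet-tracer ACL drop against a running config (added example)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the post's second packet-tracer output, condensed.
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.6.0     255.255.255.0   DMZ

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample config: the post's ACL lines plus an access-group line that
# is an ASSUMPTION (the post never shows where, or whether, the ACL is applied).
RUNNING_CONFIG = """\
access-list outside_access_in extended permit tcp any host 192.168.6.1 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.6.2 eq www
access-group outside_access_in in interface inside
"""

PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80, "http": 80, "https": 443}


def find_drop_phase(output):
    """Return (phase type, Config text, drop reason) for the phase with Result: DROP, else None."""
    reason = re.search(r"Drop-reason:\s*(.*)", output)
    reason = reason.group(1).strip() if reason else ""
    for block in re.split(r"\n\s*\n", output.strip()):
        # 'Key: value' lines only; [ \t]* keeps an empty 'Subtype:' from swallowing the next line
        fields = dict(re.findall(r"^([\w-]+):[ \t]*(.*)$", block, re.M))
        if fields.get("Result") == "DROP":
            cfg = re.search(r"^Config:\n(.*?)^Additional Information:", block, re.M | re.S)
            return fields.get("Type", "?"), cfg.group(1).strip() if cfg else "", reason
    return None


def acl_bindings(config):
    """Map interface name -> ACL name from 'access-group <acl> in interface <if>' lines."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^access-group (\S+) in interface (\S+)", config, re.M)}


def _addr(tokens, i):
    """Parse one ACE address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network("%s/%s" % (tokens[i], tokens[i + 1]), strict=False), i + 2


def _port_ok(tokens, i, dport):
    """True if the optional destination port qualifier admits dport (only 'eq' is modelled)."""
    if i >= len(tokens):
        return True  # no qualifier: any port
    if tokens[i] == "eq":
        name = tokens[i + 1]
        return dport == PORT_NAMES.get(name, int(name) if name.isdigit() else -1)
    return False  # range/lt/gt/neq and source-port qualifiers are outside this example


def ace_permits(config, acl, proto, src, dst, dport):
    """First-match evaluation of the extended ACEs in acl; False means the implicit deny applies."""
    pat = re.compile(r"^access-list %s extended (permit|deny) (\S+) (.+)$" % re.escape(acl), re.M)
    for m in pat.finditer(config):
        action, ace_proto, rest = m.groups()
        tokens = rest.split()
        src_net, i = _addr(tokens, 0)
        dst_net, i = _addr(tokens, i)
        if ace_proto not in (proto, "ip"):
            continue
        if ip_address(src) in src_net and ip_address(dst) in dst_net and _port_ok(tokens, i, dport):
            return action == "permit"
    return False


def diagnose(tracer_output, config, proto, src, dst, dport):
    """Explain an ACL-phase drop: unbound ACL on the ingress interface, or no permitting ACE."""
    drop = find_drop_phase(tracer_output)
    if drop is None:
        return ["packet-tracer did not report a DROP"]
    ptype, cfg, reason = drop
    findings = ["dropped in %s phase (%s): %s" % (ptype, cfg, reason)]
    if ptype != "ACCESS-LIST":
        return findings
    ingress = re.search(r"input-interface:\s*(\S+)", tracer_output).group(1)
    bound = acl_bindings(config).get(ingress)
    if bound is None:
        findings.append("no access-group binds an ACL to interface %s, so only the implicit deny applies" % ingress)
    elif not ace_permits(config, bound, proto, src, dst, dport):
        findings.append("ACL %s is bound to %s but no ACE permits %s %s -> %s/%d" % (bound, ingress, proto, src, dst, dport))
    else:
        findings.append("ACL %s on %s permits the flow; the drop has another cause" % (bound, ingress))
    return findings


if __name__ == "__main__":
    for line in diagnose(PACKET_TRACER_OUTPUT, RUNNING_CONFIG, "tcp", "203.0.113.5", "192.168.6.1", 21):
        print(line)
```

With the constructed config, the script reports that nothing is bound to the outside interface, which is the same condition the tracer shows as "Implicit Rule" in the ACCESS-LIST phase. Swapping the access-group line to "interface outside" makes ace_permits the deciding check, and a wrong ACE (for example a missing port, or the NAT'd rather than the real DMZ address in the destination) then shows up as the second finding instead.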

15 Replies

Yep, excellent, and thanks for rating me.

Harish.
