CISCO ASA 5505 TCP connection issue

I am facing issues connecting a PC from the outside interface to the DMZ interface on a Cisco ASA 5505 firewall. An ICMP ping from the outside PC to the DMZ server is successful, but no TCP connection can be established.

ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.6 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.1.1.10 255.255.255.252
!
object network dmz
 host 10.1.1.9
object network inside
 host 10.1.1.5
!
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
!
access-list icmp_http_ftp extended permit icmp any object inside
access-list icmp_http_ftp extended permit icmp any object dmz
access-list icmp_http_ftp extended permit tcp any object dmz eq www
access-list icmp_http_ftp extended permit tcp any object dmz eq ftp
!
!
access-group icmp_http_ftp in interface outside
object network dmz
 nat (DMZ,outside) static 10.1.1.3
object network inside
 nat (inside,outside) dynamic interface
class-map cmap
 match default-inspection-traffic
!
policy-map pmap
 class cmap
  inspect ftp
  inspect http
  inspect icmp
!
service-policy pmap global
!
telnet timeout 5
ssh timeout 5

[Attachment: firewall_intervlan.PNG]

Kindly, can anyone provide feedback on where I am going wrong?

6 Replies

Hello,

If this is a Packet Tracer project, post the zipped .pkt file. Your outside VLAN 2 uses subnet 10.1.1.0/29, which includes 10.1.1.1 - 10.1.1.6; your inside VLAN 1 (10.1.1.6/30) overlaps. Is that on purpose?

Hi,

No, that is not done on purpose.

I am attaching the .pkt file. Please find me a solution for this, as I am not able to understand where I am going wrong.

Hello,

I'll have a look.

How do you establish the TCP connection?

Hello,

Using PC2's web browser; the server is statically NATted with the public IP (10.1.1.3/29) to the outside interface of the firewall.

Hello,

I think you need to set up a DNS server and add at least one A record. If you try to access the server over HTTP (PC1 to Server1) on the inside VLAN (without the firewall being involved), you do not get a response either.

Hello

@sanglapruskerpatra666 wrote:

 An ICMP ping from the outside PC to the DMZ server is successful, but no TCP connection can be established.

 object network dmz
  host 10.1.1.9
 object network inside
  host 10.1.1.5
 object network dmz
  nat (DMZ,outside) static 10.1.1.3
 object network inside
  nat (inside,outside) dynamic interface
 class-map cmap
  match default-inspection-traffic

Try the following -- you need to readdress the VLAN 1 subnet!

no object network dmz
no access-list icmp_http_ftp extended permit icmp any object inside
no access-list icmp_http_ftp extended permit icmp any object dmz
no access-list icmp_http_ftp extended permit tcp any object dmz eq www
no access-list icmp_http_ftp extended permit tcp any object dmz eq ftp
no access-group icmp_http_ftp in interface outside

! move inside off the 10.1.1.0/29 outside subnet
interface Vlan1
 ip address 10.1.1.13 255.255.255.252

object network inside
 host 10.1.1.14

! mapped (public) address used on the outside interface
object network dmz_public
 host 10.1.1.3

! port-level static NAT: the object NAT "service" keyword takes the protocol first
object network dmz_www
 host 10.1.1.9
 nat (DMZ,outside) static dmz_public service tcp www www

object network dmz_ftp
 host 10.1.1.9
 nat (DMZ,outside) static dmz_public service tcp ftp ftp

! on ASA 8.3+ the interface ACL is matched against the real (un-NATted) address, so permit the DMZ host 10.1.1.9, not the mapped 10.1.1.3
access-list icmp_http_ftp extended permit icmp any interface inside echo-reply
access-list icmp_http_ftp extended permit icmp any interface DMZ echo-reply
access-list icmp_http_ftp extended permit tcp any host 10.1.1.9 eq www
access-list icmp_http_ftp extended permit tcp any host 10.1.1.9 eq ftp
access-group icmp_http_ftp in interface outside


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
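As an added check that is not part of this thread, the following Python script does mechanically what the first reply did by eye and what Paul's readdressing of VLAN 1 fixes: it parses the interface and object-NAT lines of the original configuration, reports interface subnets that overlap, and flags any static NAT mapped address that does not sit in the mapped interface's subnet. The configuration text is constructed from the original post and the function names are my own.

```python
import ipaddress
import re

# Constructed sample from the thread's original ASA 8.4(2) config, trimmed to what the checks need.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.1.1.6 255.255.255.252
interface Vlan2
 nameif outside
 ip address 10.1.1.1 255.255.255.248
interface Vlan3
 nameif DMZ
 ip address 10.1.1.10 255.255.255.252
object network dmz
 host 10.1.1.9
 nat (DMZ,outside) static 10.1.1.3
"""

def parse_interfaces(config):
    """Map each nameif to its ip_interface (address plus connected subnet)."""
    ifaces, name = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            name = None                      # new interface block, nameif not yet seen
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            ip, mask = line.split()[2:4]
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
    return ifaces

def overlapping_subnets(ifaces):
    """Pairs of interface names whose connected subnets overlap (sorted by name)."""
    names = sorted(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].network.overlaps(ifaces[b].network)]

def static_nat_outside_subnet(config, ifaces):
    """Static object-NAT mapped addresses that are not inside the mapped interface's subnet."""
    bad = []
    for m in re.finditer(r"nat \((\w+),(\w+)\) static (\d+\.\d+\.\d+\.\d+)", config):
        real, mapped, addr = m.groups()
        if mapped in ifaces and ipaddress.ip_address(addr) not in ifaces[mapped].network:
            bad.append((real, mapped, addr))
    return bad

if __name__ == "__main__":
    ifaces = parse_interfaces(ASA_CONFIG)
    print("overlapping subnets:", overlapping_subnets(ifaces))
    print("static NAT outside mapped subnet:", static_nat_outside_subnet(ASA_CONFIG, ifaces))
```

Re-running it with VLAN 1 moved to 10.1.1.13/30, as the accepted reply suggests, reports no overlap.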