01-04-2022 09:32 AM
I am facing issues in connecting a PC from the outside interface to the DMZ interface on a Cisco 5505 ASA firewall. The ICMP ping is successful from the outside PC to the DMZ server, but it fails to establish any TCP connection.
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.6 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 10.1.1.10 255.255.255.252
!
object network dmz
host 10.1.1.9
object network inside
host 10.1.1.5
!
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
!
access-list icmp_http_ftp extended permit icmp any object inside
access-list icmp_http_ftp extended permit icmp any object dmz
access-list icmp_http_ftp extended permit tcp any object dmz eq www
access-list icmp_http_ftp extended permit tcp any object dmz eq ftp
!
!
access-group icmp_http_ftp in interface outside
object network dmz
nat (DMZ,outside) static 10.1.1.3
object network inside
nat (inside,outside) dynamic interface
class-map cmap
match default-inspection-traffic
!
policy-map pmap
class cmap
inspect ftp
inspect http
inspect icmp
!
service-policy pmap global
!
telnet timeout 5
ssh timeout 5
Kindly, can anyone provide feedback on where I am going wrong?
01-05-2022 08:32 AM
Hello,
If this is a Packet Tracer project, post the zipped .pkt file. Your OUTSIDE VLAN2 uses subnet 10.1.1.0/29, which includes 10.1.1.1 - 10.1.1.6; your inside Vlan 1 (10.1.1.6/30) overlaps. Is that on purpose?
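The overlap pointed out above is the kind of thing that is easy to miss by eye once a config has three or four interfaces. The following script is an added example, not code from the thread or from Cisco: it parses the interface and host-object stanzas quoted in the thread (embedded below as constructed sample input, once with the original addressing and once with the inside VLAN readdressed to 10.1.1.13/30 and the inside host moved to 10.1.1.14), reports interface subnets that overlap, and flags host objects that do not sit inside the subnet of the interface they are expected to be behind. The mapping of object names to interfaces (PLACEMENT) is an assumption taken from the thread.

```python
"""Check ASA interface subnets for overlap and host objects for placement.

Added example, not part of the thread. Config excerpts are constructed from
the addresses quoted in the thread; only the standard library is used.
"""
import ipaddress
import re
from itertools import combinations

# Constructed from the thread's original config: inside 10.1.1.6/30 lies
# inside the outside interface's 10.1.1.0/29.
ORIGINAL_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.1.1.6 255.255.255.252
interface Vlan2
 nameif outside
 ip address 10.1.1.1 255.255.255.248
interface Vlan3
 nameif DMZ
 ip address 10.1.1.10 255.255.255.252
object network dmz
 host 10.1.1.9
object network inside
 host 10.1.1.5
"""

# Constructed: inside readdressed to 10.1.1.13/30, inside host moved to 10.1.1.14.
FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.1.1.13 255.255.255.252
interface Vlan2
 nameif outside
 ip address 10.1.1.1 255.255.255.248
interface Vlan3
 nameif DMZ
 ip address 10.1.1.10 255.255.255.252
object network dmz_www
 host 10.1.1.9
object network inside
 host 10.1.1.14
"""

# Assumption from the thread: dmz* objects are the DMZ server, 'inside' is PC1.
PLACEMENT = {"dmz": "DMZ", "dmz_www": "DMZ", "dmz_ftp": "DMZ", "inside": "inside"}


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every interface stanza with an address."""
    interfaces, name = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            name = None                      # new stanza; nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()
            interfaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def parse_host_objects(config):
    """Return {object_name: IPv4Address} for 'object network X' / 'host Y' stanzas."""
    objects, name = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"object network (\S+)$", line)
        if m:
            name = m.group(1)
        elif line.startswith("host ") and name:
            objects[name] = ipaddress.IPv4Address(line.split()[1])
    return objects


def overlapping_interfaces(interfaces):
    """Sorted (nameif, nameif) pairs whose connected subnets overlap."""
    return sorted(
        (a, b)
        for (a, ia), (b, ib) in combinations(interfaces.items(), 2)
        if ia.network.overlaps(ib.network)
    )


def misplaced_hosts(interfaces, objects, placement=PLACEMENT):
    """Host objects that are not inside the subnet of their expected interface."""
    return sorted(
        name for name, ifc in placement.items()
        if name in objects and ifc in interfaces
        and objects[name] not in interfaces[ifc].network
    )


def report(config, placement=PLACEMENT):
    """Run both checks; an empty dict means no addressing problem was found."""
    ifcs = parse_interfaces(config)
    result = {}
    if overlap := overlapping_interfaces(ifcs):
        result["overlap"] = overlap
    if bad := misplaced_hosts(ifcs, parse_host_objects(config), placement):
        result["misplaced"] = bad
    return result


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("readdressed", FIXED_CONFIG)):
        print(label, report(cfg) or "OK")
```

Running it reports the inside/outside overlap for the original addressing and nothing for the readdressed one; feeding the original host objects against the readdressed interfaces flags the `inside` object, which is exactly the case where the VLAN is renumbered but the host is forgotten.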
01-05-2022 10:33 AM - edited 01-05-2022 10:40 AM
01-05-2022 10:43 AM
Hello,
I'll have a look.
How do you establish the TCP connection?
01-05-2022 10:46 AM
Hello,
Using the PC2 web browser; the server is statically NATted with a public IP (10.1.1.3/29) on the outside interface of the firewall.
01-05-2022 11:47 AM
Hello,
I think you need to set up a DNS server and add at least one A record. If you try to access the server over HTTP (PC1 to Server1) on the inside VLAN (without the firewall being involved), you do not get a response either.
01-06-2022 04:21 PM
Hello
@sanglapruskerpatra666 wrote:
The icmp ping is successfull from outside pc to dmz server but failed to establish any tcp connection.
object network dmz
host 10.1.1.9
object network inside
host 10.1.1.5
object network dmz
nat (DMZ,outside) static 10.1.1.3
object network inside
nat (inside,outside) dynamic interface
class-map cmap
match default-inspection-traffic
Try the following -- you need to readdress the VLAN 1 subnet!
! Remove the ACL entries and the access-group first; the ASA refuses to
! delete an object that is still referenced by an access-list.
no access-list icmp_http_ftp extended permit icmp any object inside
no access-list icmp_http_ftp extended permit icmp any object dmz
no access-list icmp_http_ftp extended permit tcp any object dmz eq www
no access-list icmp_http_ftp extended permit tcp any object dmz eq ftp
no access-group icmp_http_ftp in interface outside
no object network dmz
interface Vlan1
ip address 10.1.1.13 255.255.255.252
object network inside
host 10.1.1.14
object network dmz_public
host 10.1.1.3
object network dmz_www
host 10.1.1.9
nat (DMZ,outside) static dmz_public service tcp www www
object network dmz_ftp
host 10.1.1.9
nat (DMZ,outside) static dmz_public service tcp ftp ftp
! On ASA 8.3 and later the interface ACL is matched against the real
! (untranslated) address, so permit to the server's 10.1.1.9, not the mapped 10.1.1.3.
access-list icmp_http_ftp extended permit icmp any interface inside echo-reply
access-list icmp_http_ftp extended permit icmp any interface DMZ echo-reply
access-list icmp_http_ftp extended permit tcp any host 10.1.1.9 eq www
access-list icmp_http_ftp extended permit tcp any host 10.1.1.9 eq ftp
access-group icmp_http_ftp in interface outside
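A point worth checking whenever a static NAT and an inbound ACL are written together on an 8.3+ ASA: NAT is applied before the interface ACL for inbound traffic, so the ACL is evaluated against the real (untranslated) address of the server, not the mapped public address. The following is an added example, not code from the thread or from Cisco. It models that order of operations for the addresses in this thread (real DMZ server 10.1.1.9, mapped dmz_public 10.1.1.3, ports www and ftp) and shows which of the two ACL styles actually permits the connection. The NAT and ACE representations are constructed for the example.

```python
"""Model the ASA 8.3+ inbound order of operations: static NAT untranslates the
destination first, then the inbound interface ACL is matched on the REAL address.

Added example, not code from the thread. NAT entries and ACEs are constructed
from the thread's addresses; the modelled behaviour (ACLs use real addresses
from ASA 8.3 onward) is documented by Cisco.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    """nat (DMZ,outside) static <mapped> service tcp <real_port> <mapped_port>"""
    real_ip: str
    mapped_ip: str
    real_port: int
    mapped_port: int


@dataclass(frozen=True)
class Ace:
    """access-list ... extended permit <proto> any host <dst_ip> eq <dst_port>"""
    proto: str
    dst_ip: str      # "any" or a host address
    dst_port: int


def untranslate(nats, dst_ip, dst_port):
    """Reverse a static NAT hit for an inbound packet; no hit means the address is already real."""
    for n in nats:
        if n.mapped_ip == dst_ip and n.mapped_port == dst_port:
            return n.real_ip, n.real_port
    return dst_ip, dst_port


def acl_permits(acl, proto, dst_ip, dst_port):
    """First-match permit on an extended ACL; no match is the implicit deny."""
    return any(
        a.proto == proto and a.dst_ip in ("any", dst_ip) and a.dst_port == dst_port
        for a in acl
    )


def inbound_allowed(nats, acl, proto, dst_ip, dst_port):
    """8.3+ order: NAT lookup first, then the inbound ACL on the real destination."""
    real_ip, real_port = untranslate(nats, dst_ip, dst_port)
    return acl_permits(acl, proto, real_ip, real_port)


# Constructed from the thread: dmz_www / dmz_ftp (10.1.1.9) mapped to dmz_public (10.1.1.3).
NATS = [
    StaticNat("10.1.1.9", "10.1.1.3", 80, 80),
    StaticNat("10.1.1.9", "10.1.1.3", 21, 21),
]
ACL_MAPPED = [Ace("tcp", "10.1.1.3", 80), Ace("tcp", "10.1.1.3", 21)]  # pre-8.3 habit
ACL_REAL = [Ace("tcp", "10.1.1.9", 80), Ace("tcp", "10.1.1.9", 21)]    # correct on 8.4(2)


if __name__ == "__main__":
    for name, acl in (("mapped-address ACL", ACL_MAPPED), ("real-address ACL", ACL_REAL)):
        ok = inbound_allowed(NATS, acl, "tcp", "10.1.1.3", 80)
        print(f"{name}: outside -> 10.1.1.3:80 {'permitted' if ok else 'dropped'}")
```

The ACL written against the mapped address never matches, because by the time the ACL runs the destination is already 10.1.1.9; a port with no NAT entry (22 in the test) is dropped by the implicit deny either way, which is the expected exposure for the DMZ server. On a real box, `packet-tracer input outside tcp <src> 12345 10.1.1.3 80` shows the same NAT-then-ACL phases.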