Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Pinging through a ASA 5510

Posted on 2007-12-04
2
Medium Priority
?
440 Views
Last Modified: 2010-04-09
Been working with an ASA 5510 - using access-lists I used to use on the PIX

Basically - I have a couple of hosts on a DMZ, and I want to be able to ping them.  I like to ping all the way through, and tracert too (accept inside)

Here is what my config looks like:

asdm image disk0:/asdm-507.bin
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname athena
domain-name minecode.com
enable password
names
dns-guard
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address xxx.xx.xxx.x 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.18.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz_1
 security-level 50
 ip address 172.18.50.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd
ftp mode passive
access-list outside_int extended permit icmp any any echo-reply
access-list outside_int extended permit icmp any any source-quench
access-list outside_int extended permit icmp any any time-exceeded
access-list outside_int extended permit icmp any any unreachable
access-list outside_int extended permit tcp any host xxx.xx.xxx.xx eq ssh
access-list dmz1_int extended permit icmp 172.18.50.0 255.255.255.0 172.18.0.0 255.255.255.0 echo-reply
access-list dmz1_int extended permit icmp 172.18.50.0 255.255.255.0 172.18.0.0 255.255.255.0 time-exceeded
access-list dmz1_int extended permit icmp 172.18.50.0 255.255.255.0 172.18.0.0 255.255.255.0 unreachable
access-list dmz1_int extended permit icmp 172.18.50.0 255.255.255.0 172.18.0.0 255.255.255.0 source-quench
access-list dmz1_int extended deny ip any 172.18.0.0 255.255.255.0
access-list dmz1_int extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz_1 1500
mtu management 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz_1
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 xxx.xx.xxx.x
nat (inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (inside,dmz_1) 172.18.0.0 172.18.0.0 netmask 255.255.255.0
static (dmz_1,outside) xxx.xx.xxx.xx 172.18.50.10 netmask 255.255.255.255 dns
static (dmz_1,outside) xxx.xx.xxx.xx 172.18.50.11 netmask 255.255.255.255 dns
access-group outside_int in interface outside
access-group dmz1_int in interface dmz_1
route outside 0.0.0.0 0.0.0.0 xxx.xx.xxx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 172.18.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.18.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tftp-server inside 172.18.0.16 /
Cryptochecksum:2ae6113b03d710975b5385a2860e0f82
: end

**********

I can ping everywhere. just can't ping the DMZ host from the outside - wouldnt my access list on the outside interface let this happen?

Must be missing something...

0
Comment
Question by:stephen_wh
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 20408748
There are a few things you need to do here.

1.  You've only allowed echo replies inbound on the outside interface.  If you want to be able to initiate a ping from the outside to the dmz, then you will need to allow the ICMP type of "echo".  Here's how:

access-list outside_int extended permit icmp any any echo

Be careful with that because it opens you up for DoS attacks.  I would leave it in place just for testing and troubleshooting.

2.  You need to allow echo replies back from the dmz inbound into the dmz interface.  You already have an ACL applied to the dmz interface allow echo replies, but you've restricted where the echo replies can reply back to.  You'll need to open it up to allow dmz hosts to respond back to pings from any Internet host (since you don't specify what public IP's you're wanting to do this from).  Here's how:

access-list dmz1_int extended permit icmp 172.18.50.0 255.255.255.0 any echo-reply

One last thing...unless you're only trying to ping 172.18.50.10 and 172.18.50.11, you'll need some additional NAT configuration to allow pings from other 172.18.50.x hosts...you already have static NAT setup for those 2 hosts so pings to the translated public IP's of those two hosts should work OK after you put in the above access list statements.
0
 

Author Comment

by:stephen_wh
ID: 20416811
wow - I must be getting old - forgot echo....

:P

0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question