EODJack
asked on
Cannot Ping DMZ from Inside
I have the NAT in place and the ACL configured but still cannot allow traffic from Inside into my DMZ.
:
ASA Version 7.2(4)
!
hostname
domain-name
enable password encrypted
passwd encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner exec
boot system disk0:/asa724-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 64.80.223.226
name-server 10.0.0.6
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SMB tcp
description SMB TCP
port-object eq 445
port-object eq netbios-ssn
object-group service SMBUDP udp
description SMB UDP
port-object eq netbios-dgm
port-object eq netbios-ns
port-object eq 445
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Outside_access_in remark NTP UDP
access-list Outside_access_in remark NTP TCP
access-list Outside_access_in remark Ping
access-list Outside_access_in remark SMB TCP
access-list Outside_access_in extended permit tcp any object-group SMB any object-
group SMB
access-list Outside_access_in remark SMB UDP
access-list Outside_access_in extended permit udp any object-group SMBUDP any object-
group SMBUDP
access-list Outside_access_in remark SMTP
access-list Outside_access_in remark Terminal Services
access-list Outside_access_in extended permit tcp any host eq www
access-list Outside_access_in extended permit tcp any host eq domain
access-list Outside_access_in extended permit tcp any host eq 8800
access-list Outside_access_in extended permit tcp any host eq 2703
access-list Outside_access_in extended permit tcp any host eq 6277
access-list Outside_access_in extended permit tcp any host eq ftp
access-list Outside_access_in extended permit udp any host eq domain
access-list Outside_access_in extended permit udp any host eq ntp
access-list Outside_access_in extended permit tcp any host eq ftp
access-list Outside_access_in extended permit tcp any host eq 3389
access-list Outside_access_in extended permit ip 170.0.0.0 255.0.0.0 10.0.0.0
255.255.255.0
access-list capin extended permit tcp any any eq smtp
access-list capin extended permit ip any host 170.30.108.138
access-list capin extended permit ip host 170.30.108.138 any
access-list capin extended permit icmp any any
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 170.30.0.0 255.255.0.0
access-list capout2 extended permit ip any host 63.138.90.180
access-list capout2 extended permit ip host 63.138.90.180 any
access-list capout2 extended permit icmp any any
access-list capin5 extended permit ip host 10.0.0.252 any
access-list capin5 extended permit ip any host 10.0.0.252
access-list capout5 extended permit ip any host 63.138.90.180
access-list capout5 extended permit ip host 63.138.90.180 any
access-list DMZ_access_in extended permit tcp any host 172.16.0.20 eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp any host 172.16.0.20 eq 3389
access-list DMZ_access_in extended permit tcp host 172.16.0.20 any eq https
access-list DMZ_access_in extended permit tcp host 172.16.0.20 any eq 3389
access-list DMZ_access_in extended permit icmp host 172.16.0.20 any
access-list Inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging asdm informational
logging from-address
logging recipient-address level errors
logging recipient-address level errors
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
icmp permit any DMZ
asdm image disk0:/pdm
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (Inside) 1 interface
nat (Inside) 1 10.0.0.0 255.255.255.0
static (Inside,Outside) tcp www 10.0.0.6 www netmask 255.255.255.255
static (Inside,Outside) tcp domain 10.0.0.6 domain netmask
255.255.255.255
static (Inside,Outside) udp domain 10.0.0.6 domain netmask
255.255.255.255
static (Inside,Outside) tcp 2703 10.0.0.6 2703 netmask 255.255.255.255
static (Inside,Outside) tcp 6277 10.0.0.6 6277 netmask 255.255.255.255
static (Inside,Outside) udp ntp 10.0.0.6 ntp netmask 255.255.255.255
static (Inside,Outside) tcp ftp 10.0.0.4 ftp netmask 255.255.255.255
static (Inside,Outside) tcp ftp 10.0.0.201 ftp netmask 255.255.255.255
static (Inside,Outside) tcp smtp 10.0.0.6 smtp netmask 255.255.255.255
static (Inside,Outside) tcp 3389 10.0.0.252 3389 netmask 255.255.255.255
static (DMZ,Outside) tcp https 172.16.0.20 https netmask 255.255.255.255
static (Inside,Inside) 10.10.108.138 netmask 255.255.255.255
Static (Inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 192.168.1.0 255.255.255.0 management
http 10.0.0.19 255.255.255.255 Inside
http 10.0.0.77 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
telnet 0.0.0.0 0.0.0.0 Outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 20
console timeout 0
management-access Outside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server 192.5.41.41 source Outside prefer
username root password encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 10.0.0.6
prompt hostname context
Cryptochecksum:
: end
PmutASA#
:
ASA Version 7.2(4)
!
hostname
domain-name
enable password encrypted
passwd encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner exec
boot system disk0:/asa724-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 64.80.223.226
name-server 10.0.0.6
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SMB tcp
description SMB TCP
port-object eq 445
port-object eq netbios-ssn
object-group service SMBUDP udp
description SMB UDP
port-object eq netbios-dgm
port-object eq netbios-ns
port-object eq 445
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Outside_access_in remark NTP UDP
access-list Outside_access_in remark NTP TCP
access-list Outside_access_in remark Ping
access-list Outside_access_in remark SMB TCP
access-list Outside_access_in extended permit tcp any object-group SMB any object-
group SMB
access-list Outside_access_in remark SMB UDP
access-list Outside_access_in extended permit udp any object-group SMBUDP any object-
group SMBUDP
access-list Outside_access_in remark SMTP
access-list Outside_access_in remark Terminal Services
access-list Outside_access_in extended permit tcp any host eq www
access-list Outside_access_in extended permit tcp any host eq domain
access-list Outside_access_in extended permit tcp any host eq 8800
access-list Outside_access_in extended permit tcp any host eq 2703
access-list Outside_access_in extended permit tcp any host eq 6277
access-list Outside_access_in extended permit tcp any host eq ftp
access-list Outside_access_in extended permit udp any host eq domain
access-list Outside_access_in extended permit udp any host eq ntp
access-list Outside_access_in extended permit tcp any host eq ftp
access-list Outside_access_in extended permit tcp any host eq 3389
access-list Outside_access_in extended permit ip 170.0.0.0 255.0.0.0 10.0.0.0
255.255.255.0
access-list capin extended permit tcp any any eq smtp
access-list capin extended permit ip any host 170.30.108.138
access-list capin extended permit ip host 170.30.108.138 any
access-list capin extended permit icmp any any
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 170.30.0.0 255.255.0.0
access-list capout2 extended permit ip any host 63.138.90.180
access-list capout2 extended permit ip host 63.138.90.180 any
access-list capout2 extended permit icmp any any
access-list capin5 extended permit ip host 10.0.0.252 any
access-list capin5 extended permit ip any host 10.0.0.252
access-list capout5 extended permit ip any host 63.138.90.180
access-list capout5 extended permit ip host 63.138.90.180 any
access-list DMZ_access_in extended permit tcp any host 172.16.0.20 eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp any host 172.16.0.20 eq 3389
access-list DMZ_access_in extended permit tcp host 172.16.0.20 any eq https
access-list DMZ_access_in extended permit tcp host 172.16.0.20 any eq 3389
access-list DMZ_access_in extended permit icmp host 172.16.0.20 any
access-list Inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging asdm informational
logging from-address
logging recipient-address level errors
logging recipient-address level errors
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
icmp permit any DMZ
asdm image disk0:/pdm
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (Inside) 1 interface
nat (Inside) 1 10.0.0.0 255.255.255.0
static (Inside,Outside) tcp www 10.0.0.6 www netmask 255.255.255.255
static (Inside,Outside) tcp domain 10.0.0.6 domain netmask
255.255.255.255
static (Inside,Outside) udp domain 10.0.0.6 domain netmask
255.255.255.255
static (Inside,Outside) tcp 2703 10.0.0.6 2703 netmask 255.255.255.255
static (Inside,Outside) tcp 6277 10.0.0.6 6277 netmask 255.255.255.255
static (Inside,Outside) udp ntp 10.0.0.6 ntp netmask 255.255.255.255
static (Inside,Outside) tcp ftp 10.0.0.4 ftp netmask 255.255.255.255
static (Inside,Outside) tcp ftp 10.0.0.201 ftp netmask 255.255.255.255
static (Inside,Outside) tcp smtp 10.0.0.6 smtp netmask 255.255.255.255
static (Inside,Outside) tcp 3389 10.0.0.252 3389 netmask 255.255.255.255
static (DMZ,Outside) tcp https 172.16.0.20 https netmask 255.255.255.255
static (Inside,Inside) 10.10.108.138 netmask 255.255.255.255
Static (Inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 192.168.1.0 255.255.255.0 management
http 10.0.0.19 255.255.255.255 Inside
http 10.0.0.77 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
telnet 0.0.0.0 0.0.0.0 Outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 20
console timeout 0
management-access Outside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server 192.5.41.41 source Outside prefer
username root password encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 10.0.0.6
prompt hostname context
Cryptochecksum:
: end
PmutASA#
What are you using as a test of the traffic flow?
ASKER
I was trying to ping from the inside interface to the DMZ interface.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
You were correct it was the access-group entry.
Also that was a mistake adding the ip any any to the inside.
Thanks!!!
Also that was a mistake adding the ip any any to the inside.
Thanks!!!
That's what I got from Packet Tracer
ciscoasa# packet-tracer input DMZ icmp 20.20.20.45 0 8 30.30.30.45 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc122630, priority=1, domain=permit, deny=false
hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=DMZ, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 30.30.30.0 255.255.255.0 DMZ
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc1235f8, priority=111, domain=permit, deny=true
hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=DMZ
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#