Allow access from DMZ to Inside using a Cisco ASA 5505

I've been working on this problem for about 2 weeks now and for the life of me cannot figure out how to allow traffic to pass from my DMZ to my Inside network. I'm trying to allow ssh and icmp echo and echo-reply. I've searched the web and even followed the commands in Cisco's own documentation. I've created the static nat and the access-list. Traffic just will not reach the destination. The DMZ host is 172.16.20.3 and the Inside host is 192.168.2.52. Please help. I'm pulling my hair out here. My config is below and thanks in advance.


homeasa> enable
Password: ********

homeasa# sh run  
: Saved
:
ASA Version 7.2(3) 
!
hostname homeasa
domain-name 
names
ddns update method OpenDNS
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.34 255.255.255.224 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan12
 nameif DMZ
 security-level 50
 ip address 172.16.20.2 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport monitor Ethernet0/0 
 switchport monitor Ethernet0/1 
 switchport monitor Ethernet0/2 
 switchport monitor Ethernet0/3 
 switchport monitor Ethernet0/4 
 switchport monitor Ethernet0/5 
!
interface Ethernet0/7
 switchport access vlan 12
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.220.220
 name-server 208.67.222.222
 domain-name 
access-list inside_nat0_outbound extended permit ip 192.168.2.32 255.255.255.224 10.50.1.0 255.255.255.0 
access-list vpnusers_splitTunnelAcl standard permit 192.168.2.32 255.255.255.224 
access-list vpnusers_splitTunnelAcl standard permit any 
access-list vpnusers_splitTunnelAcl_1 standard permit 192.168.2.32 255.255.255.224 
access-list vpnusers_splitTunnelAcl_1 standard permit any 
access-list egress extended deny tcp host 192.168.2.52 any log 
access-list outside_access_in extended permit tcp any interface outside eq ssh log 
access-list outside_access_in extended permit tcp any interface outside eq ftp log 
access-list outside_access_in extended permit tcp any interface outside eq ftp-data log 
access-list DMZtoInside extended permit tcp host 172.16.20.3 host 172.16.20.99 eq ssh 
access-list DMZtoInside extended permit icmp host 172.16.20.3 host 172.16.20.99 echo 
access-list DMZtoInside extended permit icmp host 172.16.20.3 host 172.16.20.99 echo-reply 
pager lines 24
logging enable
logging timestamp
logging standby
logging monitor informational
logging trap informational
logging asdm informational
logging facility 22
logging host inside 192.168.2.52
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN_Pool 10.50.1.0-10.50.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.2.32 255.255.255.224
nat (inside) 1 10.196.10.0 255.255.255.0
nat (DMZ) 1 172.16.20.0 255.255.255.0
static (DMZ,outside) tcp interface ssh 172.16.20.3 ssh netmask 255.255.255.255 
static (DMZ,outside) tcp interface ftp 172.16.20.3 ftp netmask 255.255.255.255 
static (DMZ,outside) tcp interface ftp-data 172.16.20.3 ftp-data netmask 255.255.255.255 
static (inside,DMZ) 172.16.20.99 192.168.2.52 netmask 255.255.255.255  
access-group outside_access_in in interface outside
access-group DMZtoInside in interface DMZ
!
router ospf 1
 network 192.168.2.32 255.255.255.224 area 0
 log-adj-changes
 redistribute static subnets
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 192.168.2.32 255.255.255.224 inside
snmp-server host inside 192.168.2.52 poll community 
no snmp-server location
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 192.168.2.32 255.255.255.224 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.2.40-192.168.2.50 inside
dhcpd dns 208.67.220.220 208.67.222.222 interface inside
dhcpd enable inside
!
dhcpd address 172.16.20.3-172.16.20.10 DMZ
dhcpd enable DMZ
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 192.43.244.18
group-policy vpnusers internal
group-policy vpnusers attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnusers_splitTunnelAcl
 default-domain value 
tunnel-group vpnusers type ipsec-ra
tunnel-group vpnusers general-attributes
 address-pool VPN_Pool
 default-group-policy vpnusers
tunnel-group vpnusers ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:62e763e01b248e36518046755469a8cb
: end

homeasa# exit

Asked by Compushare
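An added example, not part of the original post and not Cisco's code, showing how a pre-8.3 ASA evaluates the DMZtoInside ACL and the static from the config above: the inbound ACL on the DMZ interface is matched against the mapped destination (172.16.20.99), and only then does the static resolve it to the real inside host (192.168.2.52). The config excerpt is constructed from the lines on this page; `check_flow` and its result keys are this example's own names.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the pasted config (pre-8.3 syntax): the ACL bound inbound on
# DMZ and the static that publishes inside host 192.168.2.52 as 172.16.20.99 on DMZ.
CONFIG = """\
access-list DMZtoInside extended permit tcp host 172.16.20.3 host 172.16.20.99 eq ssh
access-list DMZtoInside extended permit icmp host 172.16.20.3 host 172.16.20.99 echo
access-list DMZtoInside extended permit icmp host 172.16.20.3 host 172.16.20.99 echo-reply
static (inside,DMZ) 172.16.20.99 192.168.2.52 netmask 255.255.255.255
access-group DMZtoInside in interface DMZ
"""

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (host \S+|any) (host \S+|any)(?: (?:eq )?(\S+))?$")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")  # (real_if,mapped_if) mapped real
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def addr_matches(spec, ip):
    """'any' matches everything; 'host X' matches exactly X."""
    return spec == "any" or ip_address(spec.split()[1]) == ip_address(ip)

def check_flow(config, ingress_if, src, dst, proto, service=None):
    """Evaluate a packet arriving on ingress_if the way a pre-8.3 ASA does:
    match the inbound ACL against the *mapped* destination, first match wins,
    implicit deny at the end; then resolve the mapped address via a static
    whose mapped interface is ingress_if to get the real host and egress interface."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = {m.group(2): m.group(1) for m in map(GROUP_RE.match, lines) if m}
    acl = bound.get(ingress_if)
    result = {"acl": acl, "action": "deny", "ace": None, "real_dst": dst, "egress_if": None}
    if acl is None:
        return result                      # no ACL bound on this interface: treat as deny
    for line in lines:
        m = ACE_RE.match(line)
        if not m or m.group(1) != acl:
            continue
        _, action, aproto, asrc, adst, asvc = m.groups()
        if aproto not in ("ip", proto):
            continue
        if not (addr_matches(asrc, src) and addr_matches(adst, dst)):
            continue
        if asvc is not None and asvc != service:   # port or ICMP type must match
            continue
        result.update(action=action, ace=line)    # first matching ACE wins
        break
    else:
        return result                              # nothing matched: implicit deny
    if result["action"] == "permit":
        for m in map(STATIC_RE.match, lines):
            if m and m.group(2) == ingress_if and m.group(3) == dst:
                result.update(real_dst=m.group(4), egress_if=m.group(1))
    return result
```

Running it for ssh from 172.16.20.3 to 172.16.20.99 reports a permit and a real destination of 192.168.2.52, while the same flow addressed directly to 192.168.2.52 hits the implicit deny, which is why the ACL in the question names the mapped address.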

sidetracked commented:
Have you added the statement in the ASA to allow traffic through the firewall without address translation?

You can find it under NAT in ASDM.

If so, then you won't need to NAT between LAN and DMZ; basic routing should occur.

If you want NAT between DMZ and LAN then you have to add policy NAT instead.
Compushare (author) commented:
I added the no nat-control command. I'm not sure how to configure policy NAT.

Compushare (author) commented:
Policy nat didn't work for me. I may have configured it wrong.

I added a static nat statement...

static (inside,dmz) 192.168.2.52 192.168.2.52 netmask 255.255.255.255

and the traffic started to pass from my DMZ to the Internal network.
sidetracked commented:
You should be able to use basic routing without having to use NAT from LAN to DMZ and vice versa, but this will work too. A bit more to configure, but still manageable.