No traffic from networks attached to Outside1 (security level 100) to DMZ and vice versa

edumatico
I have an ASA5510; I configured an Outside, one DMZ and two interfaces at security level 100 (Outside1 and Inside). I can ping and have fluid traffic between the DMZ and the Inside interface, but I don't have any kind of traffic between the DMZ and Outside1. I wrote the same configuration for both security level 100 interfaces. I also have a Cisco 892 router connected to Outside1. When I attached a computer instead of the 892, traffic between Outside1 and the DMZ was fluid. I need to have fluid traffic between the networks connected to the 892.

Can someone help me? Here are the two configs:

ASA5510:

: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name a.b.c
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.y.z.162 255.255.255.248
!
interface Ethernet0/1
 nameif Outside1
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host x.y.z.163 eq smtp
access-list 100 extended permit udp any host x.y.z.163 eq domain
access-list 100 extended permit tcp any host x.y.z.163 eq https
access-list 100 extended permit tcp any host x.y.z.163 eq www
access-list 100 extended permit tcp any host x.y.z.163 eq 3000
access-list 100 extended permit tcp any host x.y.z.163 eq 1000
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.0.22 Outside
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 172.16.31.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 DMZ
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.31.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) x.y.z.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
static (DMZ,Outside1) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.2.0 172.1.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.3.0 172.1.3.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Outside1,DMZ) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 x.y.z.161 20
route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.2.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.3.0 255.255.255.0 192.168.2.2 1
route Outside1 192.1.0.0 255.255.192.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7441424d1fcf87c3eb837b569e84aa9e
: end

Cisco 892:

Current configuration : 3296 bytes
!
! Last configuration change at 01:15:13 UTC Tue Apr 29 2014 by eguerra
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterHQFCH
!
boot-start-marker
boot-end-marker
!
!
enable secret 4
!
no aaa new-model
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1580540949
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1580540949
 revocation-check none
 rsakeypair TP-self-signed-1580540949
!
!
crypto pki certificate chain TP-self-signed-1580540949
 certificate self-signed 01
license udi pid C892FSP-K9 sn FTX180484TB
!
!
username servicios privilege 15 password 7
username eguerra privilege 15 password 7
!
!
!
!
!
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address 172.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet9
 ip address 172.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
 ip address 192.168.100.200 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip route 172.16.31.0 255.255.255.0 192.168.2.1
ip route 192.168.0.0 255.255.255.0 192.168.2.1
!
!
!
control-plane
!
!
!
line con 0
 password 7
 login
 no modem enable
line aux 0
line vty 0 4
 password 7
 login local
 transport input all
!
scheduler allocate 20000 1000
!
end

Thanks in advance
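One thing worth checking in the ASA config above is that the identity statics are not symmetric: 172.1.1.0/24 has a static toward both Inside and DMZ, while 172.1.2.0/24, 172.1.3.0/24 and 192.168.3.0/24 only have one toward Inside. On 8.2, a flow with no matching static falls through to the dynamic `nat (Outside1) 101` rule, which only has a `global` on Outside, and that is the classic cause of a "No translation group found" (syslog 305005) drop. The following Python script is an added consistency check, not part of the original thread; it parses the `static` and `route Outside1` lines copied from the config in the question and lists every network routed behind the 892 that lacks an identity static toward a given interface.

```python
import re

# Excerpt copied from the ASA 8.2 config in the question: the identity
# static NATs involving Outside1 and the routes pointing at the 892.
ASA_CONFIG = """
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
static (DMZ,Outside1) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.2.0 172.1.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.3.0 172.1.3.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Outside1,DMZ) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.2.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.3.0 255.255.255.0 192.168.2.2 1
route Outside1 192.1.0.0 255.255.192.0 192.168.2.2 1
"""

# static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# route <interface> <network> <mask> <gateway> [metric]
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) \S+")


def parse(config):
    """Return (identity statics, routes) found in an 8.2-style config."""
    statics, routes = [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
            if mapped_ip == real_ip:  # identity (no-translation) static
                statics.append((real_if, mapped_if, real_ip, mask))
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append(m.groups())  # (interface, network, mask)
    return statics, routes


def missing_identity_statics(config, real_if, mapped_if):
    """Networks routed out real_if that have no identity static
    (real_if,mapped_if) with exactly the same network and mask."""
    statics, routes = parse(config)
    covered = {(net, mask) for r, mp, net, mask in statics
               if r == real_if and mp == mapped_if}
    return [f"{net}/{mask}" for iface, net, mask in routes
            if iface == real_if and (net, mask) not in covered]
```

Running `missing_identity_statics(ASA_CONFIG, "Outside1", "DMZ")` lists the three 892-side networks with no static toward DMZ, which is the direction the question says is broken; the same call with "Inside" only flags 192.1.0.0/18, which has no static at all.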
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
Question: which of the router's interfaces is connected to the ASA?

Author

Commented:
Vlan2 (192.168.2.2)

Author

Commented:
Sorry, correct interface is Vlan1
Senior Network Security / Senior System Engineer
Commented:
Hi,

Can you make changes to the ASA configuration by adding an access-list as below:

ASA# configure terminal
ASA(config)# access-list 101 in interface DMZ

(and moreover configure policy mapping on the ASA as below):

ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp

Once you have made the configuration changes on the ASA, try to ping from outside to DMZ; this should work.
