ASA 8.2 DMZ on Fast Ethernet

Status
Not open for further replies.

MikeArcade

Technical User
Oct 15, 2007
97
US
I have a device plugged into a spare FastEthernet port on my ASA. I am wanting to permit ALL traffic to and from this device. However, after enabling the port and assigning IP addresses, and including the permit any any statement, I still have dropped packets. When I run the packet tracer from ASDM it says the implicit deny is dropping the packet.
I have done all I know to do, but I cannot figure this out.

Michael
"I'm working on it!"
 
What model ASA? Post a scrubbed config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
This is on an ASA 5510. Is a scrubbed config different from a running config? I am not familiar with the term, but it sounds like a running config scrubbed of important info.

Michael
"I'm working on it!"
 
Current running-config "scrubbed" of external IP addresses and most of the unneeded config (VPN tunnels, user accounts, etc.). If you think I took out too much I can repost the missing pieces.

DixonASA# sh run
: Saved
:
ASA Version 8.2(2)12
!
hostname DixonASA
domain-name default.domain.invalid
dns-guard
!
interface Ethernet0/0
speed 10
duplex full
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.2 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/3 <<<<INTERFACE IN QUESTION
description Verizon Network Extender
nameif dmz4vzw
security-level 0
ip address 192.168.60.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa822-12-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid

access-list outside extended permit ip 192.168.60.0 255.255.255.0 any
access-list outside extended permit ip any 192.168.60.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip any 10.16.0.0 255.255.255.0
access-list DMZ/VZW_access_in extended permit ip any any
access-list DMZ/VZW_access_in extended permit tcp any any
access-list DMZ/VZW_access_in extended permit udp any any
access-list dmz4vzw_access_out extended permit ip interface outside interface dmz4vzw
access-list dmz4vzw_access_out extended permit ip interface dmz4vzw interface outside
access-list dmz4vzw_access_in extended permit ip interface dmz4vzw interface outside
access-list dmz4vzw_access_in extended permit ip interface outside interface dmz4vzw
access-list dmz4vzw extended permit ip any any
pager lines 24
logging enable
logging trap errors
logging asdm notifications
logging host inside WS01_Int
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu dmz4vzw 1500

ip local pool NewPool 192.168.50.100-192.168.50.200 mask 255.255.255.0
ip local pool VPNPool 192.168.50.50-192.168.50.99 mask 255.255.255.0
ip local pool test 192.168.50.201-192.168.50.202 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (outside,dmz4vzw) udp 192.168.60.4 4500 X.X.X.X 4500 netmask 255.255.255.252
static (outside,dmz4vzw) tcp 192.168.60.4 4500 X.X.X.X 4500 netmask 255.255.255.252
static (outside,dmz4vzw) udp 192.168.60.4 isakmp X.X.X.X isakmp netmask 255.255.255.252
static (outside,dmz4vzw) tcp 192.168.60.4 500 X.X.X.X 500 netmask 255.255.255.252
static (outside,dmz4vzw) udp 192.168.60.4 52428 X.X.X.X 52428 netmask 255.255.255.252
static (outside,dmz4vzw) tcp 192.168.60.4 52428 X.X.X.X 52428 netmask 255.255.255.252
static (dmz4vzw,outside) X.X.X.X 192.168.60.4 netmask 255.255.255.252
static (dmz4vzw,outside) Y.Y.Y.Y 192.168.60.5 netmask 255.255.255.255

access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
access-group dmz4vzw_access_in in interface dmz4vzw
access-group dmz4vzw_access_out out interface dmz4vzw
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside dixon_int 255.255.0.0 192.168.10.1 1
route inside WirelessDixon 255.255.255.0 192.168.2.1 1
url-server (outside) vendor smartfilter host 208.67.222.222 port 4005 timeout 60 protocol TCP connections 50
url-server (outside) vendor smartfilter host 208.67.220.220 port 4005 timeout 60 protocol TCP connections 50
http server enable
http 10.0.0.0 255.0.0.0 inside
http 192.168.2.0 255.255.255.0 inside
http Arcade 255.240.0.0 inside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside 10.15.21.178 community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.0.0.0 255.0.0.0 inside
telnet Arcade 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.60.5-192.168.60.6 dmz4vzw
dhcpd lease 86400 interface dmz4vzw
dhcpd enable dmz4vzw
!
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
wins-server value 10.15.21.101
dns-server value 10.15.21.101 10.15.21.103
vpn-tunnel-protocol IPSec webvpn
group-policy DixonRA internal
group-policy DixonRA attributes
vpn-tunnel-protocol IPSec
!
class-map inspection_default
match default-inspection-traffic


Michael
"I'm working on it!"
 
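Added example, not from the thread: a small Python audit of interface ACL policy, run over a constructed excerpt of the running-config posted above. It checks that each access-group names an existing ACL, lists ACLs never applied to an interface, flags ACEs built from `interface` objects (on the ASA these match the firewall's own interface address, not the network behind it), and reports interfaces that share a security level when `same-security-traffic permit inter-interface` is absent.

```python
import re
from collections import defaultdict

# Constructed excerpt of the posted config (interfaces and interface ACLs only).
POSTED_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/3
 nameif dmz4vzw
 security-level 0
access-list DMZ/VZW_access_in extended permit ip any any
access-list dmz4vzw_access_in extended permit ip interface dmz4vzw interface outside
access-list dmz4vzw_access_in extended permit ip interface outside interface dmz4vzw
access-list dmz4vzw extended permit ip any any
access-group dmz4vzw_access_in in interface dmz4vzw
"""


def audit(config):
    """Return findings about interface ACL policy in an ASA-style config."""
    acls = defaultdict(list)        # ACL name -> list of ACE strings
    applied = set()                 # ACL names bound with access-group
    iface_aces = []                 # ACEs using 'interface X' objects
    sec_levels = {}                 # nameif -> security-level
    same_sec_allowed = False
    cur_nameif = None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) extended (.*)", line):
            acls[m.group(1)].append(m.group(2))
            if re.search(r"\binterface \S+", m.group(2)):
                iface_aces.append((m.group(1), m.group(2)))
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            applied.add(m.group(1))
        elif m := re.match(r"nameif (\S+)", line):
            cur_nameif = m.group(1)
        elif m := re.match(r"security-level (\d+)", line):
            sec_levels[cur_nameif] = int(m.group(1))
        elif line == "same-security-traffic permit inter-interface":
            same_sec_allowed = True
    by_level = defaultdict(list)
    for name, lvl in sec_levels.items():
        by_level[lvl].append(name)
    return {
        "dangling_groups": sorted(applied - acls.keys()),
        # ACLs used only by nat/crypto map would also appear here; the excerpt has none.
        "unapplied_acls": sorted(acls.keys() - applied),
        "interface_object_aces": iface_aces,
        "same_security_groups": [] if same_sec_allowed else
                                [n for n in by_level.values() if len(n) > 1],
    }
```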
Looks to me that what you are trying to accomplish isn't possible. You only show a single IP to the outside interface, yet you want to allow all traffic to that IP. You can allow certain ports into various devices without a problem, just not all. The fw has some ports for itself in routed mode anyway.
 
It was possible. We eventually hired another network admin who figured it out. It has been running since 10/31.

Michael
"I'm working on it!"
 