
Problem configuring DMZ with CAT3750 & ASA5520


colinrmgt (Programmer), GB, Jul 9, 2008
Forgive me if I'm posting this in the wrong forum as I'm not sure whether it's a switch config problem or an ASA config problem.

I have configured the DMZ shown below with one 5520 controlling access from devices on a 3750.

[attached diagram: wireless-dmz.bmp]


On the ASA I have an any any access-list (see config below). When I telnet onto the switch I can ping devices on the inside of the ASA, and see the ACL incrementing.

When I put a device (laptop with IP 10.1.10.50/24) on the switch I can ping the switch 10.1.10.2 and the outside interface of the ASA; however, when I try to ping a destination on the inside of the ASA it is unreachable, and the ASA monitoring shows nothing. I've also tried telnetting through to ensure I'm not blocking ICMP somewhere.

Can anyone suggest why I am able to hit devices on the inside from the switch, but unable to do so from a device on the switch?

Code:
: Saved
: Written by enable_15 at 05:40:20.599 bst Wed Sep 24 2008
!
ASA Version 7.0(4) 
!
hostname HayfieldDMZASA
domain-name default.domain.invalid
enable password xxx encrypted
names
!
interface GigabitEthernet0/0
 nameif Hayfield_DMZ
 security-level 50
 ip address 10.1.10.5 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif internal_network
 security-level 100
 ip address 192.168.9.9 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxxx encrypted
ftp mode passive
clock timezone bst 0
clock summer-time bst recurring
access-list Hayfield_DMZ_access_in extended permit ip any any 
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging asdm informational
logging device-id hostname
mtu Hayfield_DMZ 1500
mtu internal_network 1500
no failover
monitor-interface Hayfield_DMZ
monitor-interface internal_network
icmp permit any Hayfield_DMZ
icmp permit any internal_network
asdm image disk0:/asdm-504.bin
asdm location 192.168.2.2 255.255.255.255 internal_network
no asdm history enable
arp timeout 14400
access-group Hayfield_DMZ_access_in in interface Hayfield_DMZ
route Hayfield_DMZ 0.0.0.0 0.0.0.0 10.1.10.2 1
route internal_network 192.168.0.0 255.255.0.0 192.168.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxxx password xxxx encrypted privilege 15
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
http server enable
http xxxx 255.255.255.0 internal_network
snmp-server host internal_network xxxx
no snmp-server location
snmp-server contact xxxx
snmp-server community xxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh xxxx 255.255.255.0 internal_network
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
Cryptochecksum:5675ad1f2707c49e9e4d719f6d79d3c9
: end

Code:
!
! Last configuration change at 05:48:45 UTC Thu Jul 24 2008
! NVRAM config last updated at 11:12:36 UTC Wed Mar 12 2008
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Hayfield_DMZ_SW
!
enable secret 5 xxxx
!
no aaa new-model
vtp mode transparent
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description Connection to Hayfield DMZ ASA
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 ip address 10.1.10.2 255.255.255.0
!
ip default-gateway 10.1.10.5
ip classless
ip http server
!
snmp-server community xxxx
snmp-server contact xxxx
snmp-server host xxxx
!
control-plane
!
!
line con 0
 password 7 xxxx
 login
line vty 0 4
 password 7 xxxx
 login
line vty 5 15
 no login
!
end
 
Hi,

Thanks for your reply.

Default gateway on the laptop is 10.1.10.2.

Thanks,
Colin
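As an added example from the editor (not code from the thread or from any of its participants), the Python script below parses the parts of the two posted configurations that matter for this question and reports what a reviewer would check first: the inbound `permit ip any any` on the DMZ interface, which lets every DMZ host initiate any IP traffic towards the higher-security internal_network, and whether the laptop's gateway address (10.1.10.2 per the reply above) belongs to a device that has `ip routing` enabled. The ASA and switch excerpts are constructed from the posted configs with only the routing and access-control lines kept; the function names and the wording of the findings are my own.

```python
import re

# Constructed excerpts of the ASA 5520 and Catalyst 3750 configs posted above;
# only the lines relevant to routing and access control are kept.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif Hayfield_DMZ
 security-level 50
 ip address 10.1.10.5 255.255.255.0
!
interface GigabitEthernet0/1
 nameif internal_network
 security-level 100
 ip address 192.168.9.9 255.255.255.0
!
access-list Hayfield_DMZ_access_in extended permit ip any any
access-group Hayfield_DMZ_access_in in interface Hayfield_DMZ
route Hayfield_DMZ 0.0.0.0 0.0.0.0 10.1.10.2 1
route internal_network 192.168.0.0 255.255.0.0 192.168.9.1 1
"""

SWITCH_CONFIG = """\
hostname Hayfield_DMZ_SW
interface Vlan1
 ip address 10.1.10.2 255.255.255.0
!
ip default-gateway 10.1.10.5
ip classless
"""


def parse_asa(text):
    """Return (interfaces by nameif, ACL entries by name, access-groups by interface)."""
    interfaces, acls, groups = {}, {}, {}
    block = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("interface "):
            block = {}                      # start of an interface sub-block
            continue
        if block is not None and line.startswith(" "):
            s = line.strip()
            if s.startswith("nameif "):
                block["nameif"] = s.split()[1]
                interfaces[block["nameif"]] = block
            elif s.startswith("security-level "):
                block["level"] = int(s.split()[1])
            elif s.startswith("ip address "):
                block["ip"] = s.split()[2]
            continue
        block = None                        # any unindented line ends the sub-block
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
        if m:
            groups[m.group(3)] = (m.group(1), m.group(2))
    return interfaces, acls, groups


def parse_switch(text):
    """Return the SVI addresses, the ip default-gateway and whether 'ip routing' is set."""
    result = {"svis": [], "default_gateway": None, "ip_routing": False}
    for line in text.splitlines():
        s = line.strip()
        if line.startswith(" ") and s.startswith("ip address "):
            result["svis"].append(s.split()[2])
        elif s == "ip routing":
            result["ip_routing"] = True
        elif s.startswith("ip default-gateway "):
            result["default_gateway"] = s.split()[2]
    return result


def audit(asa_text, switch_text, host_gateway):
    """Return a list of human-readable findings for a host on the DMZ segment."""
    interfaces, acls, groups = parse_asa(asa_text)
    sw = parse_switch(switch_text)
    findings = []

    # Least privilege: an inbound 'permit ip any any' on a lower-security interface
    # lets every DMZ host initiate any IP traffic towards every higher-security interface.
    for ifname, (acl, direction) in groups.items():
        if direction != "in":
            continue
        wide_open = ("permit", "ip", "any any") in acls.get(acl, [])
        own_level = interfaces.get(ifname, {}).get("level", 0)
        higher = [n for n, i in interfaces.items() if i.get("level", 0) > own_level]
        if wide_open and higher:
            findings.append(f"{ifname}: inbound ACL {acl} contains 'permit ip any any', "
                            f"so any DMZ host can initiate traffic to {', '.join(higher)}")

    # Gateway sanity: a Catalyst SVI without 'ip routing' is a management address only;
    # the switch does not forward transit packets, it only sources its own traffic
    # via ip default-gateway.
    if host_gateway in sw["svis"] and not sw["ip_routing"]:
        findings.append(f"host gateway {host_gateway} is a switch SVI but 'ip routing' is off; "
                        f"the switch does not forward for hosts and itself uses "
                        f"ip default-gateway {sw['default_gateway']}")
    return findings


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG, SWITCH_CONFIG, host_gateway="10.1.10.2"):
        print("-", finding)
```

Run against the posted values it reports both findings; run with the laptop's gateway set to the ASA's DMZ address (10.1.10.5) only the ACL finding remains. The ACL check is the one worth keeping after the connectivity problem is solved: a DMZ ACL that permits `ip any any` inbound gives every DMZ host the same reach into 192.168.0.0/16 that the switch currently enjoys, and the usual practice is to replace it with entries that name the specific inside hosts and ports the DMZ devices actually need.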
 