Wait, wait...
same-security-traffic permit inter-interface ??
But he does have an explicit ACL permit on DMZ, so what's the sense in this command?
I agree that the security level on DMZ is most probably 0 (because the ASA logs inbound drops), but my understanding was that the "same-security" command permitted inter-interface communication _without ACLs_ (and without NAT even with nat-control enabled).
True or false?
=====================================
------------ Original message -------------------
Date: Tue, 27 Apr 2010 11:07:49 -0400
From: "Tyson Scott" <[email protected]>
Subject: Re: [OSL | CCIE_Security] problem pinging thru asa from DMZ in WB2 Lab 12.
To: "'Willians Barboza'" <[email protected]>, "'Jimmy Larsson'" <[email protected]>
Cc: 'OSL Security' <[email protected]>
Message-ID: <004e01cae61b$67f845f0$37e8d1...@com>
Content-Type: text/plain; charset="iso-8859-1"
Default security levels are 0 for both unless you changed it. If so you need to allow
same-security-traffic permit inter-interface
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Willians Barboza
Sent: Tuesday, April 27, 2010 8:48 AM
To: Jimmy Larsson
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] problem pinging thru asa from DMZ in WB2 Lab 12.
Also, what are the security levels in each interface?
2010/4/27 Willians Barboza <[email protected]>:
> Did you allow the return of echo-replies on the outside interface? Or
> did you put the ICMP as an inspected protocol on the global inspection
> rule?
>
> 2010/4/27 Jimmy Larsson <[email protected]>:
>> What am I doing wrong here? Working with WB 2 lab 12, trying to ping
>> 6.6.4.32 (BB2) from R9 (on ASA DMZ) without success.
>> Error message in ASA:
>> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
>> (type 8, code 0)
>> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
>> (type 8, code 0)
>> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
>> (type 8, code 0)
>>
>> There is a translation:
>> ASA(config)# sh run static | incl DMZ
>> static (DMZ,outside) 6.6.146.9 10.17.17.9 netmask 255.255.255.255
>> There is a hole in acl:
>> ASA(config)# sh run access-group
>> access-group OUTSIDE in interface outside
>> access-group DMZ in interface DMZ
>> ASA(config)# sh run access-list DMZ
>> access-list DMZ extended permit udp host 10.17.17.9 host 6.6.99.1 eq ntp
>> access-list DMZ extended permit icmp any any echo
>> There is an inspect for icmp:
>> ASA(config)# sh service-policy global | incl icmp
>>       Inspect: icmp, packet 0, drop 0, reset-drop 0
>>
>> This is what packet-tracer say:
>> ASA(config)# packet-tracer input DMZ icmp 10.17.17.9 8 0 6.6.4.32 detailed
>> Phase: 1
>> Type: ACCESS-LIST
>> Subtype:
>> Result: ALLOW
>> Config:
>> Implicit Rule
>> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
>> (type 8, code 0)
>> Additional Information:
>>  Forward Flow based lookup yields rule:
>>  in  id=0xd7c6a3d8, priority=1, domain=permit, deny=false
>>         hits=2640, user_data=0x0, cs_id=0x0, l3_type=0x8
>>         src mac=0000.0000.0000, mask=0000.0000.0000
>>         dst mac=0000.0000.0000, mask=0000.0000.0000
>> Phase: 2
>> Type: FLOW-LOOKUP
>> Subtype:
>> Result: ALLOW
>> Config:
>> Additional Information:
>> Found no matching flow, creating a new flow
>> Phase: 3
>> Type: ROUTE-LOOKUP
>> Subtype: input
>> Result: ALLOW
>> Config:
>> Additional Information:
>> in   6.6.4.0         255.255.255.0   outside
>> Phase: 4
>> Type: ACCESS-LIST
>> Subtype:
>> Result: DROP
>> Config:
>> Implicit Rule
>> Additional Information:
>>  Forward Flow based lookup yields rule:
>>  in  id=0xd7c6aa98, priority=110, domain=permit, deny=true
>>         hits=31, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
>>         src ip=0.0.0.0, mask=0.0.0.0, port=0
>>         dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>> Result:
>> input-interface: DMZ
>> input-status: up
>> input-line-status: up
>> output-interface: outside
>> output-status: up
>> output-line-status: up
>> Action: drop
>> Drop-reason: (acl-drop) Flow is denied by configured rule
>>
>> ASA(config)#
>>
>> Anyone?
>> Br Jimmy
>>
>>
>> --
>> -------
>> Jimmy Larsson
>> Ryavagen 173
>> s-26030 Vallakra
>> Sweden
>> http://blogg.kvistofta.nu
>> -------
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
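The thread's diagnosis turns on reading the packet-tracer output correctly: Phase 4 is an ACCESS-LIST drop on an "Implicit Rule" whose lookup entry is a catch-all (src/dst 0.0.0.0/0.0.0.0, deny=true), even though the DMZ ACL has an explicit `permit icmp any any echo`. The script below is an added example, not code from the thread or from Cisco. It parses `packet-tracer ... detailed` output into phases plus the final result block, parses the %ASA-3-106014 syslog line, and flags the implicit catch-all deny. The interface security levels are passed in by the caller as an assumption (the thread never shows `show nameif`), since that is what decides whether the hint should be "add same-security-traffic permit inter-interface" or "the named ACL has no matching permit". The embedded trace is the one posted above, trimmed of the interleaved syslog line.

```python
import re

# Constructed sample: the packet-tracer output posted in the thread, trimmed of the
# stray syslog line that was interleaved into Phase 1. Not a live capture.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7c6a3d8, priority=1, domain=permit, deny=false
        hits=2640, user_data=0x0, cs_id=0x0, l3_type=0x8
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   6.6.4.0         255.255.255.0   outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7c6aa98, priority=110, domain=permit, deny=true
        hits=31, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# %ASA-3-106014 carries the ingress/egress nameif and the ICMP type/code of the denied packet.
SYSLOG_106014 = re.compile(
    r"%ASA-\d-106014: Deny inbound (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>\S+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)


def parse_106014(line):
    """Return the fields of a 106014 deny message as a dict, or None if the line is not one."""
    m = SYSLOG_106014.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["type"], d["code"] = int(d["type"]), int(d["code"])
    return d


def parse_packet_tracer(text):
    """Split 'packet-tracer ... detailed' output into (phases, final_result).

    Each phase is a dict with type/subtype/result plus the raw 'Config:' and
    'Additional Information:' lines; final_result holds the summary block that
    follows the bare 'Result:' line (interfaces, Action, Drop-reason).
    """
    phases, result, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":  # bare 'Result:' opens the final summary block
            cur, section = None, "final"
            continue
        if section == "final":
            key, _, val = line.partition(":")
            result[key.strip()] = val.strip()
            continue
        if cur is None:
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        if section is None:  # Type:/Subtype:/Result: header fields of the phase
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
            continue
        cur[section].append(line)
    return phases, result


def diagnose(phases, result, security_levels):
    """Explain the first DROP phase. security_levels maps nameif -> level (assumed input)."""
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop is None:
        return {"verdict": "allowed"}
    info = " ".join(drop["info"])
    implicit = drop["type"] == "ACCESS-LIST" and "Implicit Rule" in drop["config"]
    catch_all = ("src ip=0.0.0.0, mask=0.0.0.0" in info
                 and "dst ip=0.0.0.0, mask=0.0.0.0" in info)
    in_if, out_if = result.get("input-interface"), result.get("output-interface")
    verdict = {"verdict": "dropped", "phase": drop["phase"], "type": drop["type"],
               "drop_reason": result.get("Drop-reason", "")}
    if implicit and catch_all:
        if security_levels.get(in_if) == security_levels.get(out_if):
            verdict["hint"] = ("%s and %s share a security level; besides the ACL, "
                               "'same-security-traffic permit inter-interface' is required"
                               % (in_if, out_if))
        else:
            verdict["hint"] = ("named ACL on %s has no permit matching this flow "
                               "(implicit deny hit)" % in_if)
    return verdict


if __name__ == "__main__":
    ph, res = parse_packet_tracer(SAMPLE_TRACE)
    print(diagnose(ph, res, {"DMZ": 0, "outside": 0}))
```

Run as-is it reports the Phase 4 drop and points at the missing same-security command for two level-0 interfaces; pass `{"DMZ": 50, "outside": 0}` instead and the same trace is explained as the named ACL's implicit deny, which is the question the thread circles around.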