Cisco ASA Security Levels

Hi Rene,

Thanks for that. I still want clarification on something. If I want a subnet in the DMZ to access a subnet on the INSIDE, do I put the ACL on the DMZ interface, the INSIDE interface, or both? It’s just that in my live environment I see an ACL on the DMZ interface for the DMZ subnet to access the INSIDE subnet, so I'm not sure if it is required.

Hello Bounpasong!

Please check your configuration again, it should function correctly. If you still have problems, please share the relevant portions of your configuration.

Thanks!

Laz

Hello Zahan!

In order to allow a subnet on the DMZ to access a subnet on the INSIDE, you will require an access list on the DMZ interface. Depending on your NAT configuration, you may also be required to configure a static NAT translation.

You can find additional information at the following Cisco support community link: https://supportforums.cisco.com/discussion/11011491/asa-5520-config-dmz-inside-access.

I hope this has been helpful!

Laz

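To make the answer above concrete, here is an added example (not from the thread or the lesson) of the DMZ-to-INSIDE permit. It assumes the lesson topology used later in this thread (INSIDE 192.168.1.0/24 at security level 100, DMZ 192.168.3.0/24 at level 50); the web server 192.168.1.10, port 443 and the ACL name DMZ-IN are illustrative assumptions. The point worth checking is the second comment: binding any ACL to the DMZ interface replaces the security-level default with the ACL's implicit deny, so DMZ-to-OUTSIDE traffic that used to flow "for free" now needs its own permit line.

```cisco
! Added example (not from the thread). Assumes the lesson topology:
! INSIDE 192.168.1.0/24 (level 100), DMZ 192.168.3.0/24 (level 50).
! The host 192.168.1.10, port 443 and the name DMZ-IN are assumptions.
object network DMZ-NET
 subnet 192.168.3.0 255.255.255.0
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network INSIDE-WEB
 host 192.168.1.10
!
! The ACL goes inbound on the DMZ interface, because that is where the
! DMZ-originated packets enter the ASA. Return traffic from INSIDE is
! matched against the connection table and needs no ACL on INSIDE.
access-list DMZ-IN extended permit tcp object DMZ-NET object INSIDE-WEB eq 443
!
! Once an ACL is bound to an interface, the implicit deny at its end
! replaces the security-level default, so DMZ to OUTSIDE must now be
! permitted explicitly. Deny the rest of INSIDE first, then allow the rest.
access-list DMZ-IN extended deny ip object DMZ-NET object INSIDE-NET log
access-list DMZ-IN extended permit ip object DMZ-NET any
access-group DMZ-IN in interface DMZ
!
! Only needed if a broader NAT rule (for example one written with "any"
! as an interface) would otherwise translate DMZ-to-INSIDE traffic: an
! identity twice-NAT rule keeps both addresses unchanged.
nat (DMZ,INSIDE) source static DMZ-NET DMZ-NET destination static INSIDE-NET INSIDE-NET
!
! Verify without sending real traffic. Expect an ACCESS-LIST phase that
! names DMZ-IN and a final "Action: allow".
packet-tracer input DMZ tcp 192.168.3.3 40000 192.168.1.10 443
```

A plain object NAT such as `nat (INSIDE,OUTSIDE) dynamic interface` on INSIDE-NET does not touch DMZ-to-INSIDE traffic, because the interface pair does not match; the identity rule is only there for the case where a broader rule would. Run the same packet-tracer with a destination of 192.168.2.2 to confirm the last permit line still lets the DMZ reach OUTSIDE.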

Question about the ICMP inspect. Does that automatically allow ping from OUTSIDE to INSIDE or OUTSIDE to DMZ? Because typically, when I would enable this, it is only to allow ping between DMZ and INSIDE.

Hi Ryan,

It won’t. You still have to explicitly permit the (ICMP) traffic if you want to go from a lower to a higher security level.

Rene


Hey Rene,

Is there another protocol/command to allow HTTP traffic through a Cisco ASA other than an ACL?

Hi @iniguezjuan,

For traffic from INSIDE to OUTSIDE (and the return traffic), the default security levels will permit this. No need to add ACLs. You only need to use ACLs if you want to permit traffic that originated in the OUTSIDE and that goes to the INSIDE (or DMZ).

Rene



Hi, quick question regarding the service policy placement on the ASA, not including global because that’s pretty self-explanatory. I created just a simple topology where the ASA was in the middle and had 2 routers, one on either side; the outside interface had a security level of 0 and inside 100, and the outside interface was also blocking all traffic coming in. I implemented NAT on the ASA as well to change the inside network IPs to the outside interface.

My policy map inspects ICMP and I applied it to a service policy that was placed on the inside interface. I tested it and everything worked as it should: NAT worked and allowed the traffic back into the inside network, and the outside router could not ping the outside ASA interface IP or any inside network addresses. So everything is fine there. The same was done for the outside interface and the same behaviour was present.

My main question is then: how does the traffic get back through when the service policy is placed on the inside interface? When the class map matches ICMP, the inspection is applied in the policy map and the service policy is assigned to the inside interface, so the source IP would be the private IP of the host on the inside network. It then goes through NAT, where NAT changes the source IP to the outside IP. When the return traffic comes back, it comes back with a destination address of the ASA outside IP, but the dynamic ACL return traffic is for the destination address of the private IP, so how does it get through when there is no ACL for the traffic coming into the outside interface?

This is different from assigning the service policy on the outside, where the dynamic ACL has the outside IP as the destination, which can then be allowed, and then the NAT binding table can direct traffic along its merry way.

Does anyone know the answer to this?

Hi, thanks for the post.
I have done everything and it worked fine; unfortunately my firewall does not allow DNS resolution from the outside interface to the inside.
Should I apply another ACL, or inspect DNS traffic from outside to inside and vice versa?
----------------------------------------------------------------------------------------------------------------------------

ASA3/SRV-A(config)# packet-tracer input TO-OUT tcp 0.0.0.0 53 6.6.6.6  53

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   6.6.6.6         255.255.255.255 inside

Result:
input-interface: TO-OUT
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

ASA3/SRV-A(config)# show run
: Saved
:
: Serial Number: 123456789AB
: Hardware:   ASA5520, 512 MB RAM, CPU Pentium II 1000 MHz
:
ASA Version 9.1(5)16 <context>
!
hostname SRV-A
domain-name mod.gov.af
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 172.16.3.1 255.255.255.0
 hold-time eigrp 100 60
!
interface Ethernet2
 nameif TO-OUT
 security-level 0
 ip address 172.16.8.2 255.255.255.0
 hold-time eigrp 100 60
!
dns server-group DefaultDNS
 domain-name mod.gov.af
access-list icmp extended permit icmp any any
pager lines 24
mtu inside 1500
mtu TO-OUT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group icmp in interface TO-OUT
!
router eigrp 100
 eigrp router-id 33.33.33.33
 network 172.16.3.0 255.255.255.0
 network 172.16.5.0 255.255.255.0
 network 172.16.8.0 255.255.255.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  message-length maximum server auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:bc0fd5f01c98ca935e7632181d832257
: end

Hello John.

First of all, when you apply a global service policy as you have done here (service-policy global_policy global), it is applied as an ingress policy on all interfaces. So, for all inspections, including DNS, the inspection occurs on the inside interface for all outgoing DNS traffic and on the outside interface for all incoming DNS traffic. So inspection does indeed occur for both outside to inside and inside to outside directions for DNS.

Now I can’t see off hand why your DNS resolution requests are not being allowed through. Are you sure it’s just DNS traffic that is being blocked or all traffic? Can you try to apply an ACL for the specific DNS server you are using to see if that does allow it through? Let us know your results so we can further help you in the troubleshooting process.

I hope this has been helpful!

Laz

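Following up on Laz's suggestion to try an ACL for the specific DNS server, here is an added example (not part of John's post or Laz's reply) of how that ACL and the verification would look against the configuration John posted. It assumes his interface names (inside and TO-OUT) and that 6.6.6.6 is the inside DNS server, which is taken from the route lookup in his packet-tracer output; the outside client address 172.16.8.10 is an illustrative assumption. Two things his packet-tracer did not do are worth noting: it simulated TCP from a source of 0.0.0.0 with source port 53, which is not what a resolver sends, and his existing ACL on TO-OUT only permits ICMP, so a DNS query from outside falls to the implicit deny.

```cisco
! Added example (not from the thread). Assumes John's interface names
! (inside, TO-OUT), that 6.6.6.6 is the inside DNS server, and an
! illustrative outside client at 172.16.8.10.
!
! Only one ACL can be bound per interface and direction, and a new
! access-group replaces the previous binding. Extend the existing "icmp"
! ACL (already applied "in" on TO-OUT) rather than creating a second one,
! so the ICMP permit is kept.
access-list icmp extended permit udp any host 6.6.6.6 eq domain
access-list icmp extended permit tcp any host 6.6.6.6 eq domain
!
! Resolvers send UDP 53 first and fall back to TCP 53 for large answers.
! A realistic simulation uses a real client address and an ephemeral
! source port, not 0.0.0.0 and source port 53.
packet-tracer input TO-OUT udp 172.16.8.10 51234 6.6.6.6 53
!
! If it is still dropped, enable buffered logging so ACL denies
! (syslog 106023) are visible, then check the inspection and connections.
logging enable
logging buffered warnings
show logging | include 106023
show service-policy inspect dns
show conn protocol udp port 53
```

Inside-to-outside DNS needs nothing extra: it goes from level 100 to level 0 and is permitted by default, with the reply matched by the connection the global policy's DNS inspection creates. The ACL is only required for queries that originate on the lower-security TO-OUT side.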

Hello Rene, my name is Peter and I am new to this forum.
Please can you post the syntax to permit ICMP from OUTSIDE?

Hello Peter

Take a look at this lesson which describes how to apply an access list to allow traffic from OUTSIDE to INSIDE. In the example, it is Telnet traffic that is allowed, but instead of Telnet you can apply it to ICMP.

I hope this has been helpful!

Laz
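As an added example (not from the lesson Laz refers to, nor from Rene's earlier reply about `inspect icmp`), here is the ICMP variant of that access list, assuming the lesson topology (INSIDE 192.168.1.0/24 at level 100, OUTSIDE at level 0); the ACL name OUTSIDE-IN is an assumption. It also shows the distinction practitioners most often trip over: the `access-list` permits pings through the ASA, while the separate `icmp` command governs pings to the ASA's own interface address.

```cisco
! Added example (not from the lesson). Assumes INSIDE 192.168.1.0/24
! (level 100), OUTSIDE (level 0) and the ACL name OUTSIDE-IN.
!
! Permit only echo requests, not every ICMP type. Echo replies come back
! through the connection that "inspect icmp" creates and need no entry.
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo
access-group OUTSIDE-IN in interface OUTSIDE
!
! "inspect icmp" is what makes ICMP stateful (echo and echo-reply tracked
! as one connection). Without it, a reply arriving on OUTSIDE is judged
! as a new packet and would need its own permit.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Different feature: this controls ICMP addressed TO the ASA's own
! interface (e.g. R2 pinging 192.168.2.254), not traffic through it.
! Note that the first "icmp" rule on an interface adds an implicit deny
! for all other ICMP to that interface.
icmp permit any echo OUTSIDE
!
! Check: an echo request (type 8, code 0) from R2 towards R1.
packet-tracer input OUTSIDE icmp 192.168.2.2 8 0 192.168.1.1
```

The same pattern applies to the DMZ: a ping from OUTSIDE to a DMZ host needs a matching line in the ACL bound inbound on OUTSIDE, whereas INSIDE-to-DMZ and INSIDE-to-OUTSIDE pings are already permitted by the security levels.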

Hello Rene,

There is something magical in my Lab that I cannot figure out.

The topology is the same as in this lesson. I cannot ping from High security level to low security level. I can only ping Peer routers. I did this Lab on physical equipment and it was not working. I now did it on EVE-NG and still having same issue.

Here is my topology:
image

And here is my configuration:

R1#show run
Building configuration...

Current configuration : 2905 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
ip cef    
no ipv6 cef
!         
multilink bundle-name authenticated
!         
!         
!         
!         
!         
redundancy
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!         
interface GigabitEthernet0/1
 no ip address
 shutdown 
 duplex auto
 speed auto
 media-type rj45
!         
interface GigabitEthernet0/2
 no ip address
 shutdown 
 duplex auto
 speed auto
 media-type rj45
!         
interface GigabitEthernet0/3
 no ip address
 shutdown 
 duplex auto
 speed auto
 media-type rj45
!         
ip default-gateway 192.168.1.254
ip forward-protocol nd
!         
!         
no ip http server
no ip http secure-server
!         
!         
!         
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

/////////////////////////////////////////////////////////////////////////////////////////////////////

ASA# show run
: Saved
: 
: Serial Number: JMX1203L0NN
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium II 1000 MHz
:
ASA Version 9.1(5)16 
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface Ethernet1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.2.254 255.255.255.0 
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.3.254 255.255.255.0 
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:57778cb62f3fd7b1b912f6b3e6d00a12
: end

////////////////////////////////////////////////////////////////////////////////////////////////////

R2#show run
Building configuration...

Current configuration : 2909 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!         
! 
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 192.168.2.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

///////////////////////////////////////////////////////////////////////////////////////////

 R3#show run
Building configuration...

Current configuration : 1225 bytes
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
! 
!
!
!
!
!
!
!         
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.3.3 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 no ip address
 shutdown
 duplex auto
!
interface Ethernet0/2
 no ip address
 shutdown
 duplex auto
!
interface Ethernet0/3
 no ip address
 shutdown
 duplex auto
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex auto
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex auto
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex auto
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex auto
!
ip default-gateway 192.168.3.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login    
 transport input none
!
!
end

Hello Ayong

At first glance, there doesn’t seem to be anything wrong with your configs. I’m not sure what you mean when you say that you can only ping “peer routers”. I assume you mean you can ping from the ASA to each individual router?

If you are unable to ping, then there may be something else configured in the ASA that is blocking this. I believe the easiest way to find it is to use the packet tracer feature of the ASA. This will tell you how and why a particular packet is dropped. You can find out more about it at the following lesson:


Let us know how your troubleshooting efforts are going.

I hope this has been helpful!

Laz


Thank you so much Laz.
I fixed it. All I needed was a vacation.

I forgot to enter the no ip routing command on R1, R2, and R3.

It's so strange that I made the same error on a real router and repeatedly when I tried on EVE-NG. :smile: Don't laugh at me. :smile:


Hello Ayong

No worries, we’ve all been there!! :crazy_face: Sometimes it really just is a matter of needing a vacation… Thanks for sharing that the problem has been resolved!

Laz

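Since the fix Ayong found (`no ip routing`) is the kind of thing that is easy to miss in the posted router configs, here is an added example (not from the thread) showing why it mattered and the alternative. It assumes R1's addressing from the posted configuration (192.168.1.1/24 with the ASA INSIDE interface 192.168.1.254 as gateway).

```cisco
! Added example (not from the thread). Assumes R1 = 192.168.1.1/24 and
! the ASA INSIDE interface 192.168.1.254 as its gateway.
!
! Option A: treat the router as a plain host. "ip default-gateway" is only
! consulted while IP routing is disabled; with routing on it is ignored
! and the router has no route off its own subnet, which is what the
! posted configs were doing.
no ip routing
ip default-gateway 192.168.1.254
!
! Option B: leave routing enabled and install a real default route.
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
! Either way, INSIDE (level 100) to OUTSIDE (level 0) needs no ACL on the
! ASA, so a ping to R2 should now succeed from R1.
ping 192.168.2.2
```

Pick one of the two options, not both; the second `ip routing` line in the block would undo Option A. The same change is needed on R2 and R3 with their own gateways (192.168.2.254 and 192.168.3.254).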

Hello Rene,

I have set up a lab exactly like the one you have set up.

I cannot ping the other side of OUTSIDE and DMZ from the firewall, but I can ping the other side of INSIDE from the firewall.

Can you help please?

Hello Star

This is the normal default behavior for an ASA for security reasons. Take a look at this NetworkLessons note about this particular behavior.

I hope this has been helpful!

Laz


How stupid of me. I also had the problem that ICMP didn’t come through. During my coffee break I discovered my own mistake.

I didn’t specify, for R1-R3, what the exit interface is when they want to reach another subnet.

sometimes it’s the little things you don’t see.
