  • DMZ can't ping/telnet to INSIDE client.

    I am new to security and I'm having a problem here with my setup.
    This is the equipment I used:
    Cisco 2960G
    Cisco 3560G
    ASA 5510.

    I am setting up a test lab.
    Just a quick wrap-up: I'm having this issue with my remote access setup.
    There are 2 major things I'm concerned about here. First and foremost is the ICA connection to the Citrix server, and the other is RDP into the HIS/TS (inside client) from the Citrix server.
    For now, my primary objective is to have the Citrix server in the DMZ (ping, remote) into HIS/TS.
    Other things, like all clients on the inside, are supposed to be accessing HTTP unless it's being ruled out.
    Once we settle this, I will look into the Citrix ICA problem, as we believe it could be related to other matters in Citrix.
    I attached a simplified diagram and some configurations of the switches and the firewall.
    I really appreciate your help, as this could be a major breakthrough for me and for all of us.
    Please tell me if you need more information apart from the attachments I have provided.


    PS: The in-sw is not supposed to be there. I was having problems connecting the link from Inside to the FW initially.
    After putting it in, it solved the problem. I thought of taking it out. Not too sure if this could be the issue.

  • #2
    Re: DMZ can't ping/telnet to INSIDE client.

    I can only see a diagram here, no configs etc?

    What do you have setup to allow traffic between DMZ and inside?
    cheers
    Andy


    Quis custodiet ipsos custodes?



    • #3
      Re: DMZ can't ping/telnet to INSIDE client.

      Hi Sir,

      Sorry, I forgot about the configurations.
      This is my ACL for my 5510:
      http://i280.photobucket.com/albums/k.../acl190309.jpg
      http://i280.photobucket.com/albums/k...acl1903092.jpg

      As mentioned earlier, I just need to get the Citrix to remote into the inside client called HIS/TS.
      But still I'm not able to ping or whatever.
      I'm able to ping everywhere from the firewall.
      Not too sure if there's anything wrong with my configuration in the 5510.


      This is the config for the 5510:
      sh run
      : Saved
      :
      ASA Version 8.0(4)
      !
      hostname ciscoasa
      enable password 8Ry2YjIyt7RRXU24 encrypted
      passwd 2KFQnbNIdI.2KYOU encrypted
      names
      name 10.131.27.3 OFF_10.131.27.3
      name 172.22.1.11 DMZ_172.22.1.11
      name 10.131.27.5 OFF_10.131.27.5
      name 10.131.26.106 OFF_10.131.26.106
      name 10.131.27.8 OFF_10.131.27.8
      name 10.131.27.4 OFF_10.131.27.4
      name 172.21.1.100 INS_172.21.1.100
      name 172.21.1.17 INS_172.21.1.17
      !
      interface Ethernet0/0
      shutdown
      no nameif
      no security-level
      no ip address
      !
      interface Ethernet0/1
      description outside
      nameif outside
      security-level 0
      ip address 10.131.27.1 255.255.255.0
      !
      interface Ethernet0/2
      nameif dmz
      security-level 50
      ip address 172.22.1.1 255.255.255.0
      !
      interface Ethernet0/3
      nameif inside
      security-level 100
      ip address 172.21.3.2 255.255.255.0
      !
      interface Management0/0
      shutdown
      no nameif
      no security-level
      no ip address
      !
      ftp mode passive
      object-group protocol TCPUDP
      protocol-object udp
      protocol-object tcp
      object-group service DM_INLINE_SERVICE_1
      service-object icmp
      service-object tcp eq 3389
      service-object tcp eq citrix-ica
      service-object tcp eq www
      service-object tcp eq https
      service-object tcp eq telnet
      service-object tcp eq 2598
      service-object udp eq 1604
      object-group network DM_INLINE_NETWORK_2
      network-object host OFF_10.131.26.106
      network-object host OFF_10.131.27.5
      object-group service DM_INLINE_SERVICE_3
      service-object icmp
      service-object tcp eq citrix-ica
      service-object tcp eq www
      service-object tcp eq https
      service-object tcp eq telnet
      service-object tcp eq 3389
      service-object tcp eq 2598
      service-object udp
      service-object tcp
      object-group service DM_INLINE_TCP_2 tcp
      port-object eq www
      port-object eq https
      object-group service DM_INLINE_SERVICE_4
      service-object icmp
      service-object tcp eq 3389
      service-object tcp eq www
      service-object tcp eq https
      object-group network DM_INLINE_NETWORK_3
      network-object 172.22.1.0 255.255.255.0
      network-object host DMZ_172.22.1.11
      object-group service DM_INLINE_SERVICE_2
      service-object icmp
      service-object udp
      service-object tcp-udp eq www
      service-object tcp eq 3389
      service-object tcp eq citrix-ica
      service-object tcp eq www
      service-object tcp eq https
      service-object tcp eq telnet
      object-group service DM_INLINE_SERVICE_5
      service-object icmp
      service-object udp
      service-object tcp-udp eq www
      service-object tcp eq 3389
      service-object tcp eq citrix-ica
      service-object tcp eq www
      service-object tcp eq https
      service-object tcp eq telnet
      access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_2 host OFF_10.131.27.3
      access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host OFF_10.131.27.3
      access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host 10.130.30.38 172.21.3.0 255.255.255.0
      access-list dmz_access_in extended permit icmp host DMZ_172.22.1.11 host OFF_10.131.27.5
      access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 10.130.30.38 eq www
      access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_3 host OFF_10.131.27.3 any
      access-list dmz_access_in extended permit ip host DMZ_172.22.1.11 any
      access-list dmz_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 172.21.3.0 255.255.255.0
      access-list dmz_int extended permit tcp host DMZ_172.22.1.11 eq 3389 any
      access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 host INS_172.21.1.17 host DMZ_172.22.1.11
      access-list dmz_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 host DMZ_172.22.1.11 host INS_172.21.1.17
      pager lines 24
      logging enable
      logging asdm informational
      mtu outside 1500
      mtu dmz 1500
      mtu inside 1500
      no failover
      icmp unreachable rate-limit 1 burst-size 1
      icmp permit any outside
      icmp permit any dmz
      icmp permit any inside
      asdm image disk0:/asdm-615.bin
      no asdm history enable
      arp timeout 14400
      nat (dmz) 0 access-list dmz_nat0_outbound
      static (dmz,outside) OFF_10.131.27.3 DMZ_172.22.1.11 netmask 255.255.255.255
      static (inside,dmz) 172.21.0.0 172.21.0.0 netmask 255.255.0.0
      access-group outside_access_in in interface outside
      access-group dmz_access_in_1 in interface dmz
      access-group inside_access_in in interface inside
      route outside 0.0.0.0 0.0.0.0 10.131.27.254 1
      route inside 172.21.0.0 255.255.0.0 172.21.3.1 1
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
      dynamic-access-policy-record DfltAccessPolicy
      http server enable
      http 10.131.27.10 255.255.255.255 outside
      http 10.131.100.119 255.255.255.255 outside
      http OFF_10.131.27.5 255.255.255.255 outside
      no snmp-server location
      no snmp-server contact
      snmp-server enable traps snmp authentication linkup linkdown coldstart
      crypto ipsec security-association lifetime seconds 28800
      crypto ipsec security-association lifetime kilobytes 4608000
      telnet timeout 5
      ssh timeout 5
      console timeout 0
      threat-detection basic-threat
      threat-detection statistics access-list
      no threat-detection statistics tcp-intercept
      username admin password GFmFcTo82NyxIt1I encrypted privilege 15
      !
      class-map inspection_default
      match default-inspection-traffic
      !
      !
      policy-map type inspect dns preset_dns_map
      parameters
      message-length maximum 512
      policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      !
      service-policy global_policy global
      prompt hostname context
      Cryptochecksum:fdd8e452f3f2211d8a586c6762faddb9
      : end
      ciscoasa#

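As an added example (not code from the thread or from Cisco), here is a small Python evaluator for the subset of ASA syntax in the config above: it resolves `name` aliases and service object-groups, finds the ACL that `access-group` actually binds to the dmz interface, and asks whether that ACL permits a given flow. CONFIG is an excerpt of the posted config; the `PORTS` keyword table and the omission of network object-groups are my simplifications.

```python
# Added example (not from the thread): evaluate the ACL the ASA actually binds to
# an interface against one flow. Handles only the ASA 8.0 syntax the posted config
# uses; CONFIG is an excerpt of that config (network object-groups omitted).
import ipaddress

CONFIG = """\
name 172.22.1.11 DMZ_172.22.1.11
name 172.21.1.17 INS_172.21.1.17
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp-udp eq www
service-object tcp eq 3389
access-list dmz_access_in extended permit ip host DMZ_172.22.1.11 any
access-list dmz_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 host DMZ_172.22.1.11 host INS_172.21.1.17
access-group dmz_access_in_1 in interface dmz
"""
PORTS = {"telnet": 23, "www": 80, "https": 443, "citrix-ica": 1494}  # ASA port keywords

def parse(text):  # -> (names, service groups, ACLs, interface->ACL bindings)
    names, groups, acls, bound, cur = {}, {}, {}, {}, None
    for t in (l.split() for l in text.splitlines() if l.strip()):
        if t[0] == "name": names[t[2]] = t[1]                           # alias -> address
        elif t[:2] == ["object-group", "service"]: cur = groups.setdefault(t[2], [])
        elif t[0] == "service-object":                                   # (proto, port|None)
            cur.append((t[1], int(PORTS.get(t[3], t[3])) if len(t) > 2 else None))
        elif t[0] == "access-list": acls.setdefault(t[1], []).append(t[3:])  # drop 'extended'
        elif t[0] == "access-group": bound[t[-1]] = t[1]                # interface -> ACL
    return names, groups, acls, bound

def addr(tok, names):  # consume one address spec (any | host X | net mask) -> (network, rest)
    if tok[0] == "any": return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host": return ipaddress.ip_network(names.get(tok[1], tok[1])), tok[2:]
    return ipaddress.ip_network(f"{names.get(tok[0], tok[0])}/{tok[1]}"), tok[2:]

def permits(cfg, iface, proto, src, dst, dport=None):  # first match in the inbound ACL of iface
    names, groups, acls, bound = cfg
    acl = bound.get(iface)
    if acl is None: return False, None       # no access-group: lower->higher security is denied
    for action, *rest in acls.get(acl, []):
        if rest[0] == "object-group": svcs, rest = groups[rest[1]], rest[2:]
        else: svcs, rest = [(rest[0], None)], rest[1:]
        s, rest = addr(rest, names)
        d, rest = addr(rest, names)
        line_port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        if ipaddress.ip_address(src) not in s or ipaddress.ip_address(dst) not in d: continue
        for sp, p in svcs:                    # any matching service entry decides the ACE
            p = line_port if p is None else p
            if (sp in ("ip", proto) or (sp == "tcp-udp" and proto in ("tcp", "udp"))) \
                    and (p is None or p == dport): return action == "permit", acl
    return False, acl                         # implicit deny at the end of the bound ACL
```

Against this excerpt, RDP and ping from 172.22.1.11 to 172.21.1.17 are permitted by dmz_access_in_1, while the same RDP flow to 172.21.1.16 (the address given in post #4) is not: the broader dmz_access_in list is defined but never bound to the interface, so it plays no part.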


      • #4
        Re: DMZ can't ping/telnet to INSIDE client.

        Hi folks

        Just wanna update that now I'm able to ICA into my Citrix server. So now I just need to RDP from my Citrix to my inside client (172.21.1.16).
        And I need all my hosts in the DMZ and inside to have web access from the outside LAN. Is there anything wrong or missing in my configurations?

        thanks



        • #5
          Re: DMZ can't ping/telnet to INSIDE client.

          I've taken a quick look at your ACLs. You've mentioned RDP, so are you using an AD domain-based user account? Since you have mentioned that your Citrix server needs RDP access to your Inside LAN, I think you would need Active Directory ports open from the DMZ to your Inside LAN.

          Now I know that when I say opening AD ports to the INSIDE LAN, it would give some administrators the chills, and there are a lot of discussions about this; however, it's out of the scope of this thread. The above suggestion is just a "quick fix" to your question.



          • #6
            Re: DMZ can't ping/telnet to INSIDE client.

            Don't forget to turn on your logging for dropped packets. This way you know what ports/protocols are being blocked.

