Firewall – ASA Firewall Can PING cannot SSH to switch on different interface

access-controlcisco-asafirewall

There are three interfaces, TRUST (security level 100), UNTRUST (security level 0), and DMZ (security level 50).

I am on a network coming into the firewall via the UNTRUST interface. The switch I am able to use ICMP with but not SSH to (timeout) is connected via the DMZ interface. There are three rules which each included the same service group (including icmp, tcp/ssh, udp/tftp, tcp/telnet, udp/syslog). These rules are applied as follows:

DMZ Interface (incoming)
    DMZ_network any IP permit

TRUST Interface (incoming)
    DMZ_switch my_laptop service_group permit

UNTRUST Interface (incoming)
    my_laptop DMZ_switch service_group permit

So I am able to ICMP, and I see increment on the rules that have been applied, but I receive connection-timeout for SSH connection attempts. I've spent too much time hitting my head on the proverbial wall to not reach out for an assist here. I appreciate anyone and everyone who takes time to read or answer this question.

Regards,
lzer

Best Answer

Considering that your ruleset is correct... Have you checked on the switch side? There might be an access-class configured on your vty.

p.s. you may want to use packet-tracer on ASA to check if traffic would be permited or just check the logbuffer via CLI/ASDM to see what is really going on.

Let me know if you need any help.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Further reading: ISR static routing

I cannot get an ip address right now from the DHCP server (Windows). Any insight into why?

Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.

From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.

You can remove the ip helper-address syntax from the SVI 100 given that the DHCP server is on the same segment and that command is used for a DHCP server(s) that is on a different segment.

interface Vlan100
ip address 172.20.100.1 255.255.255.224
ip helper-address 172.20.100.27

Vlan – Cisco ASA 8.2(5) same security routing issue

Without the use of same-security, traffic will not flow between interfaces at the same security level. That's the way it's designed, and the very purpose of those commands. No amount of ACLs can override that basic function. Once inter-interface/intra-interface is enabled -- thus allowing traffic at all -- ACLs will apply.

(You could set interfaces to different levels and use NAT/ACLs to control the traffic, but your restrictions don't allow that either. And it's a mess to maintain.)

Best Answer

Related Solutions

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Vlan – Cisco ASA 8.2(5) same security routing issue

Related Topic