topic Re: ASA DMZ server Access problem in Network Security

ASA DMZ server Access problem

CSCO12361421 — Fri, 21 Feb 2020 14:17:47 GMT

Dear Expert

I hava an issue with cisco ASA. In my ASA have three zone. like Inside, dmz, Outside. All DMZ server ip NATtranslation configure on Router which is connect with ASA outside zone. So when i wnat to ping from inside user pc to DMZ server public ip, i unable to ping. Same as DMZ server (DMZ zone one server want to ping other DMZ server Public ip )

Some log

--Inside user ip 192.168.0.10 want to ping DMZ server ip 200.200.200.4 local ip 192.168.10.53---

ASA(config)# %ASA-7-609001: Built local-host INSIDE:192.168.0.10
%ASA-7-609001: Built local-host OUTSIDE:200.200.200.4
%ASA-6-302020: Built outbound ICMP connection for faddr 200.200.200.4/0 gaddr 192.168.0.10/64447 laddr 192.168.0.10/64447
%ASA-7-609001: Built local-host OUTSIDE:192.168.0.10
%ASA-7-609001: Built local-host DMZ:192.168.10.53
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.0.10/64447 gaddr 192.168.10.53/0 laddr 192.168.10.53/0
%ASA-6-302020: Built outbound ICMP connection for faddr 200.200.200.4/0 gaddr 192.168.0.10/64959 laddr 192.168.0.10/64959
%ASA-6-302021: Teardown ICMP connection for faddr 200.200.200.4/0 gaddr 192.168.0.10/64447 laddr 192.168.0.10/64447
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.0.10/64447 gaddr 192.168.10.53/0 laddr 192.168.10.53/0
%ASA-7-609002: Teardown local-host OUTSIDE:192.168.0.10 duration 0:00:02
%ASA-7-609002: Teardown local-host DMZ:192.168.10.53 duration 0:00:02
%ASA-7-609001: Built local-host OUTSIDE:192.168.0.10
%ASA-7-609001: Built local-host DMZ:192.168.10.53
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.0.10/64959 gaddr 192.168.10.53/0 laddr 192.168.10.53/0
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.10.53/0 gaddr 192.168.0.10/64447 laddr 192.168.0.10/64447
%ASA-4-313004: Denied ICMP type=0, from laddr 192.168.10.53 on interface DMZ to 192.168.0.10: no matching session
%ASA-7-609001: Built local-host OUTSIDE:192.168.10.53
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.10.53/0 gaddr 192.168.0.10/64959 laddr 192.168.0.10/64959
%ASA-4-313004: Denied ICMP type=0, from laddr 192.168.10.53 on interface OUTSIDE to 192.168.0.10: no matching session
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.0.10/64959 gaddr 192.168.10.53/0 laddr 192.168.10.53/0
%ASA-7-609002: Teardown local-host OUTSIDE:192.168.0.10 duration 0:00:01
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.10.53/0 gaddr 192.168.0.10/64447 laddr 192.168.0.10/64447
%ASA-7-609002: Teardown local-host DMZ:192.168.10.53 duration 0:00:01
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.10.53/0 gaddr 192.168.0.10/64959 laddr 192.168.0.10/64959
%ASA-7-609002: Teardown local-host OUTSIDE:192.168.10.53 duration 0:00:00
%ASA-6-302021: Teardown ICMP connection for faddr 200.200.200.4/0 gaddr 192.168.0.10/64959 laddr 192.168.0.10/64959
%ASA-7-609002: Teardown local-host INSIDE:192.168.0.10 duration 0:00:04
%ASA-7-609002: Teardown local-host OUTSIDE:200.200.200.4 duration 0:00:04

---DMZ user ip 192.168.10.54 want to ping DMZ server ip 200.200.200.4 local ip 192.168.10.53---

ASA(config)# %ASA-7-609001: Built local-host DMZ:192.168.10.54
%ASA-7-609001: Built local-host OUTSIDE:200.200.200.4
%ASA-6-302020: Built outbound ICMP connection for faddr 200.200.200.4/0 gaddr 192.168.10.54/51648 laddr 192.168.10.54/51648
%ASA-7-609001: Built local-host OUTSIDE:192.168.10.54
%ASA-7-609001: Built local-host DMZ:192.168.10.53
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.10.54/51648 gaddr 192.168.10.53/0 laddr 192.168.10.53/0
%ASA-7-609001: Built local-host OUTSIDE:192.168.10.53
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.10.53/0 gaddr 192.168.10.54/51648 laddr 192.168.10.54/51648
%ASA-4-313004: Denied ICMP type=0, from laddr 192.168.10.53 on interface OUTSIDE to 192.168.10.54: no matching session
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.10.54/51648 gaddr 192.168.10.53/0 laddr 192.168.10.53/0
%ASA-7-609002: Teardown local-host OUTSIDE:192.168.10.54 duration 0:00:00
%ASA-7-609002: Teardown local-host DMZ:192.168.10.53 duration 0:00:00
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.10.53/0 gaddr 192.168.10.54/51648 laddr 192.168.10.54/51648
%ASA-7-609002: Teardown local-host OUTSIDE:192.168.10.53 duration 0:00:00
%ASA-6-302020: Built outbound ICMP connection for faddr 200.200.200.4/0 gaddr 192.168.10.54/52160 laddr 192.168.10.54/52160
%ASA-6-302021: Teardown ICMP connection for faddr 200.200.200.4/0 gaddr 192.168.10.54/51648 laddr 192.168.10.54/51648
%ASA-7-609001: Built local-host OUTSIDE:192.168.10.54
%ASA-7-609001: Built local-host DMZ:192.168.10.53
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.10.54/52160 gaddr 192.168.10.53/0 laddr 192.168.10.53/0
%ASA-7-609001: Built local-host OUTSIDE:192.168.10.53
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.10.53/0 gaddr 192.168.10.54/52160 laddr 192.168.10.54/52160
%ASA-4-313004: Denied ICMP type=0, from laddr 192.168.10.53 on interface OUTSIDE to 192.168.10.54: no matching session
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.10.54/52160 gaddr 192.168.10.53/0 laddr 192.168.10.53/0
%ASA-7-609002: Teardown local-host OUTSIDE:192.168.10.54 duration 0:00:00
%ASA-7-609002: Teardown local-host DMZ:192.168.10.53 duration 0:00:00
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.10.53/0 gaddr 192.168.10.54/52160 laddr 192.168.10.54/52160
%ASA-7-609002: Teardown local-host OUTSIDE:192.168.10.53 duration 0:00:00
%ASA-6-302021: Teardown ICMP connection for faddr 200.200.200.4/0 gaddr 192.168.10.54/52160 laddr 192.168.10.54/52160
%ASA-7-609002: Teardown local-host DMZ:192.168.10.54 duration 0:00:04
%ASA-7-609002: Teardown local-host OUTSIDE:200.200.200.4 duration 0:00:04

Re: ASA DMZ server Access problem

LJ Gabrillo — Tue, 12 Sep 2017 11:23:02 GMT

Can you attach the running-configuration on your device?
You might be missing firewall policies or misconfigured NAT statements

I'd advise to check the policies again.

Also, by default, ASA does NOT allow ping i.e., ICMP traffic to passthrough, even if you have firewall policies that allow it. You need to check and enable ICMP inspection in your service policy default rule. Additionally, the 'traceroute' commands has additional considerations as well

To allow traceroute you need to create a 'global' service policy set to use 'use class-default' and enable decrement ttl. Once that's done enable an inbound policy that allows ICMP ID 11

Re: ASA DMZ server Access problem

jumora1 — Tue, 12 Sep 2017 12:03:50 GMT

So if you have a NAT statement that goes from dmz to outside and you want to reach out to it on the inside you can configure the next

nat (dmz,outside) source static Dmz_IP Outside_ip_dmz

nat (inside,dmz) source dynamic any interface destination static Outside_ip_dmz Dmz_IP

nat (inside,dmz) source dynamic any interface destination static Dmz_IP Dmz_IP

Re: ASA DMZ server Access problem

LJ Gabrillo — Tue, 12 Sep 2017 12:27:51 GMT

Did you check your Service Profile inspection settings?

Also, considering your LAN and DMZ are controlled by you/IT admins. I'd advise not to NAT that. Just do normal routing. NAT is often executed on traffic going to and fro the internet

Additionally, please check your routing, please verify if you have routes going to your internal users/servers.

Re: ASA DMZ server Access problem

jumora1 — Tue, 12 Sep 2017 12:31:29 GMT

In most cases that I have seen is that you don't have local DNS server or entries for the servers that you host and also need to reach thus you end up using NAT since you see no sense on adding local records.

NAT is just a solution to save money or efforts in configuration.

Re: ASA DMZ server Access problem

CSCO12361421 — Wed, 13 Sep 2017 08:17:48 GMT

Hi jumora
Thanks for ur replay. I NAT DMZ server on router. You can find it topology. If i configure NAT on ASA its work fine.

Re: ASA DMZ server Access problem

CSCO12361421 — Wed, 13 Sep 2017 08:42:03 GMT

Thanks For Reolay..

-------ASA Configuration ----------

ASA(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif DMZ
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1
nameif OUTSIDE
security-level 0
ip address 10.10.0.1 255.255.255.252
!
interface GigabitEthernet2
nameif INSIDE
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DNS-53-Global
network-object host 200.200.200.4
object-group network DNS-53-Local
network-object host 192.168.10.53
access-list 100 extended permit ip any any
pager lines 24
logging enable
mtu DMZ 1500
mtu OUTSIDE 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group 100 global
route OUTSIDE 0.0.0.0 0.0.0.0 10.10.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:547ba03f7d17fc22af36495f7104d72a
: end

------Router Configuration (R1)------------

R1#sh run
Building configuration...

Current configuration : 1400 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
description ### Connect To ASA Eth1 ###
ip address 10.10.0.2 255.255.255.252
ip nat inside
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
description ### Connect To Internet ###
ip address 200.200.200.1 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip nat inside source static 192.168.10.53 200.200.200.4 extendable
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.200.200.2
ip route 192.168.0.0 255.255.255.0 10.10.0.1
ip route 192.168.10.0 255.255.255.0 10.10.0.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

Re: ASA DMZ server Access problem

jumora1 — Thu, 14 Sep 2017 12:03:00 GMT

great so is everything resolved.