topic Hi, in Network Security

Not able to reach DMZ host from inside hosts

rao.anirudhk — Tue, 12 Mar 2019 08:20:05 GMT

Hi I am new to ASA configuration. I wanted to configure a web server on a DMZ. I have followed Cisco configuration guide to set this up. The DMZ is stable and has internet access. Also the inside hosts have internet access. But I am not able to ping the DMZ host from my inside host also I am not able to ping the inside host from the ASA. Surprisingly the inside host is able to reach the internet. My inside host as an IP of 192.168.5.4 and the web server on DMZ has an IP of 192.168.10.11.

My Config is is attached to this discussion.

Also I have run the packet tracer and it says the re is no drop and all flows are allowed:

Any help is greatly appreciated. I want to make sure that the inside hosts are in communication with the DMZ host and vice-versa

Hi,

Aditya Ganjoo — Thu, 29 Sep 2016 01:20:33 GMT

Hi,

Can you enable "fixup protocol icmp" command and then test this ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

I am also experiencing

dapo dimeji — Thu, 29 Sep 2016 20:33:07 GMT

I am also experiencing similar issue with my host from the inside interface of the ASA unable to communicate with a host i setup in the DMZ interface. From the Outside interface i am able to reach the host in the DMZ interface however from the inside interface i am having problems.

I also ran packet tracer and it had no drops and allowed both my access-list rule and my NAT entry.

@Aditya : i will try the "fixup protocol icmp" command you suggested.

Thanks Aditya, that solved

rao.anirudhk — Thu, 29 Sep 2016 20:38:11 GMT

Thanks Aditya, that solved the problem. Just as a note also my Windows machine firewall was blocking the pings, not sure why.

Really appreciate your help,

cheers

Hi Dapo, Sure thing.

Aditya Ganjoo — Fri, 30 Sep 2016 01:35:11 GMT

Hi Dapo,

Sure thing.

I have ran into another

rao.anirudhk — Tue, 04 Oct 2016 21:32:12 GMT

I have ran into another problem, the inside host is able to reach the DMZ but the DMZ is not able to reach the inside host. This is my config :

interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 162.17.40.167 255.255.255.240
!
interface Vlan10
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 68.87.77.130
name-server 68.87.72.130
same-security-traffic permit inter-interface
object-group network inside-subnet
object-group network inside_subnet
network-object 192.168.5.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
object-group network dmz-subnet
network-object 192.168.10.0 255.255.255.0
object-group network webserver
network-object host 162.17.40.167
object-group network webserver-internal
network-object host 192.168.10.10
access-list outside_acl extended permit tcp any host 192.168.10.10 eq www
access-list dmz_acl extended permit ip any any
access-list dmz_acl extended permit udp any eq domain any
access-list dmz_acl extended permit udp any host 68.87.72.130 eq domain
access-list dmz_acl extended permit tcp any host 192.168.5.4 eq www
access-list dmz_acl extended permit icmp any any
access-list dmz_acl extended permit tcp host 192.168.10.11 host 192.168.5.4 eq domain
access-list dmz_acl extended permit udp host 192.168.10.11 host 192.168.5.4 eq 88
access-list dmz_acl extended permit udp host 192.168.10.11 host 192.168.5.4 eq 389
access-list dmz_acl extended permit tcp host 192.168.10.11 host 192.168.5.4 eq www
access-list dmz_acl extended permit tcp any host 192.168.5.0 eq www
access-list dmz_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list dmz_acl extended permit tcp any host 192.168.10.0 eq www
access-list services extended permit tcp any host 162.17.40.167 eq www
access-list dmz-in extended permit ip any any
access-list dmz-in extended permit icmp any any
access-list inside extended permit ip any any
access-list inside extended permit tcp host 192.168.10.11 any eq www
access-list inside extended permit tcp host 192.168.10.11 any eq echo
access-list inside extended permit tcp host 192.168.10.11 any eq smtp
access-list nonat extended permit ip 192.168.5.0 255.255.255.0 host 192.168.10.11
access-list dmz_nat0 extended permit ip any 192.164.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0
static (dmz,outside) tcp 162.17.40.174 www 192.168.10.11 www netmask 255.255.255.255
static (inside,dmz) tcp 192.168.5.0 www 192.168.10.11 www netmask 255.255.255.255
static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
access-group inside in interface inside
access-group services in interface outside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 162.17.40.174 1
route inside 192.168.5.0 255.255.255.0 192.168.10.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 60

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username pridevel password BG8S.aktpfGXJmz4 encrypted
!
class-map class_http
match port tcp eq 8080
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class class_http
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e515cdfe5f34a9a5c8331d8aec89491c
: end

And If I try using packet-tracer I get a deny on access-list. This is the output from the packet tracer

ciscoasa(config)# packet-tracer input dmz tcp 192.168.10.11 12345 192.168.5.4 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc64d5650, priority=1, domain=permit, deny=false
hits=2, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
match ip inside 192.168.5.0 255.255.255.0 dmz any
static translation to 192.168.5.0
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.5.0/0 to 192.168.5.0/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype: no-forward-rule
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc64e0ea8, priority=500, domain=no forward CLI, deny=true
hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I am simply not able to solve why the trafiic is being denied from DMZ to the inside host.

Can you please help me out

Hi,

Aditya Ganjoo — Wed, 05 Oct 2016 01:13:04 GMT

Hi,

Under the interface config of DMZ:

interface Vlan10
no forward interface Vlan1

You have no forward interface configured, please remove the same and you should be good.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi,

Aditya Ganjoo — Wed, 05 Oct 2016 01:13:58 GMT

Hi,

Under the interface config of DMZ:

interface Vlan10
no forward interface Vlan1

You have no forward interface configured, please remove the same using the no form of the command and you should be good.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

That worked!!

rao.anirudhk — Wed, 05 Oct 2016 15:42:37 GMT

That worked!!

Thanks Aditya, you're awesome!!

Cheers

Hi Aditya,

rao.anirudhk — Thu, 06 Oct 2016 17:29:18 GMT

Hi Aditya,

Thank you so much for helping me out, Really solved a lot of problems for me. So I went ahead and created a web dispatcher on my DMZ machine, but it is not accessible from the outside or the internet. This is the last step. This is my config:

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password QEYqExl1M5.wvO.b encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 162.17.40.167 255.255.255.240
!
interface Vlan10
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 68.87.77.130
name-server 68.87.72.130
same-security-traffic permit inter-interface
object-group network inside-subnet
object-group network inside_subnet
network-object 192.168.5.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
object-group network dmz-subnet
network-object 192.168.10.0 255.255.255.0
object-group network webserver
network-object host 162.17.40.167
object-group network webserver-internal
network-object host 192.168.10.10
access-list outside_acl extended permit tcp any host 192.168.10.10 eq www
access-list dmz_acl extended permit ip any any
access-list dmz_acl extended permit udp any eq domain any
access-list dmz_acl extended permit udp any host 68.87.72.130 eq domain
access-list dmz_acl extended permit tcp any host 192.168.5.4 eq www
access-list dmz_acl extended permit icmp any any
access-list dmz_acl extended permit tcp host 192.168.10.11 host 192.168.5.4 eq domain
access-list dmz_acl extended permit udp host 192.168.10.11 host 192.168.5.4 eq 88
access-list dmz_acl extended permit udp host 192.168.10.11 host 192.168.5.4 eq 389
access-list dmz_acl extended permit tcp host 192.168.10.11 host 192.168.5.4 eq www
access-list dmz_acl extended permit tcp any host 192.168.5.0 eq www
access-list dmz_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list dmz_acl extended permit tcp any host 192.168.10.0 eq www
access-list dmz_acl extended permit tcp host 192.168.10.11 host 192.168.5.0 eq 1433
access-list dmz_acl extended permit udp any host 162.17.40.167 eq www
access-list dmz_acl extended permit udp any host 162.17.40.167 eq 8000
access-list services extended permit tcp any host 162.17.40.167 eq www
access-list services extended permit tcp any host 162.17.40.167 eq 8000
access-list services extended permit tcp any host 162.17.40.167 eq 8080
access-list services extended permit tcp any host 192.168.10.11 eq www
access-list services extended permit tcp any host 192.168.10.11 eq 8000
access-list dmz-in extended permit ip any any
access-list dmz-in extended permit icmp any any
access-list inside extended permit ip any any
access-list inside extended permit tcp host 192.168.10.11 any eq www
access-list inside extended permit tcp host 192.168.10.11 any eq echo
access-list inside extended permit tcp host 192.168.10.11 any eq smtp
access-list nonat extended permit ip 192.168.5.0 255.255.255.0 host 192.168.10.11
access-list dmz_nat0 extended permit ip any 192.164.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0
static (dmz,outside) tcp 162.17.40.174 www 192.168.10.11 www netmask 255.255.255.255
static (inside,dmz) tcp 192.168.5.0 www 192.168.10.11 www netmask 255.255.255.255
static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group inside in interface inside
access-group services in interface outside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 162.17.40.174 1
route inside 192.168.5.0 255.255.255.0 192.168.10.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 60

And when I run packet-tracer on the outside interface, I keep getting packet dropped due to a configured rule. This is the output.

ciscoasa# packet-tracer input outside tcp 162.17.40.174 12345 162.17.40.167 80$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 162.17.40.167 255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Can you please help me out with this. I really appreciate your help.

Thank you