topic As Samer has said, the in Network Security

DMZ host is not accessible from outside/internet

drlbaluyut — Tue, 12 Mar 2019 07:18:05 GMT

I cannot access my trend micro mobile device manager from outside using this link to download the mdm agent.

http://outside_interface_public_ip:8080/mobile

https://outside_interface_public_ip:4343/mobile

My mdm is a DMZ host with ip 172.29.29.2 and nat rule to translate 172.29.29.2 to outside_interface_public_ip

nat (DMZ,outside) static interface service

I have access rule on outside to permit any to real ip of dmz host with service IP.

I did not permit specific port in the first place and use service IP for the meantime to allow all service.

Please help me.

Thanks

Hi,

Samer R. Saleem — Mon, 15 Feb 2016 11:25:33 GMT

Hi,

please put some packet trace from outside to DMZ ip and post in here, also test using the command

telnet public-address 8080

telnet public-addres 4343

from external machine and see if it is open or not.

regarding the packet trace try to see if the packets will be dropped somewhere on the rules

HTH

Samer.

Hi Samer.

drlbaluyut — Tue, 16 Feb 2016 01:41:24 GMT

Hi Samer.

Please see below packet trace output from random source ip. it is dropped at the end even though I have an access list on outside permitting any with service IP

**************************************************************************************************

SMMDZRA002# packet-tracer input outside tcp 192.0.2.123 12345 122.x.x.x 8080

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 122.x.x.x 255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

*****************************************************************************

SMMDZRA002# packet-tracer input outside tcp 192.0.2.123 12345 122.x.x.x 4343

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 122.x.x.x 255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

******************************************************************

Running config of ASA

******************************************************************

SMMDZRA002# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname SMMDZRA002
domain-name smmph.local
enable password 8T8R6XdsfHe6TaJO encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd iimrgUvTSQcRUuCl encrypted
names
ip local pool mypool 172.16.1.1-172.16.1.254
ip local pool mailpool 10.158.30.1-10.158.30.254
ip local pool 173.30POOL 172.30.30.1-172.30.30.50 mask 255.255.0.0
ip local pool 158POOL2 10.158.10.100-10.158.10.150 mask 255.255.0.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 122.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.158.2.6 255.255.0.0
!
interface GigabitEthernet0/2
shutdown
nameif intf2
security-level 0
no ip address
!
interface GigabitEthernet0/3
nameif dmz
security-level 50
ip address 172.29.29.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.193.1.250 255.255.0.0
!
ftp mode passive
clock timezone SGT 8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.193.1.1
name-server 10.193.1.6
domain-name smmph.local
same-security-traffic permit inter-interface
object network OBJ-10.158.2.25
host 10.158.2.25
object network OBJ-10.158.2.2
host 10.158.2.2
object network OBJ-10.159.1.2
host 10.159.1.2
object network obj-10.60.1.7
host 10.60.1.7
object network obj-10.60.1.60
host 10.60.1.60
object network obj-10.60.1.85
host 10.60.1.85
object network obj-10.60.1.91
host 10.60.1.91
object network obj-10.60.1.206
host 10.60.1.206
object network obj-10.60.1.241
host 10.60.1.241
object network obj-10.60.1.244
host 10.60.1.244
object network obj-10.60.1.245
host 10.60.1.245
object network obj-10.60.1.246
host 10.60.1.246
object network obj-10.60.1.247
host 10.60.1.247
object network obj-10.158.2.4
host 10.158.2.4
object network obj-10.158.2.11
host 10.158.2.11
object network obj-10.158.2.12
host 10.158.2.12
object network obj-10.158.2.28
host 10.158.2.28
object network obj-10.158.2.38
host 10.158.2.38
object network obj-10.158.2.50
host 10.158.2.50
object network obj-10.158.2.52
host 10.158.2.52
object network obj-10.158.10.6
host 10.158.10.6
object network obj-10.159.1.4
host 10.159.1.4
object network obj-10.159.1.10
host 10.159.1.10
object network obj-10.159.1.251
host 10.159.1.251
object network obj-10.159.1.253
host 10.159.1.253
object network obj-10.159.0.0_16
subnet 10.159.0.0 255.255.0.0
object network obj-172.16.1.0_24
subnet 172.16.1.0 255.255.255.0
object network obj-10.158.30.0_24
subnet 10.158.30.0 255.255.255.0
object network obj-10.158.0.0_16
subnet 10.158.0.0 255.255.0.0
object network obj-outside
host 203.177.11.5
object network obj-10.20.1.0_24
subnet 10.20.1.0 255.255.255.0
object network obj-10.30.1.0_24
subnet 10.30.1.0 255.255.255.0
object network obj-10.40.1.0_24
subnet 10.40.1.0 255.255.255.0
object network obj-10.50.1.0_24
subnet 10.50.1.0 255.255.255.0
object network obj-10.60.1.0_24
subnet 10.60.1.0 255.255.255.0
object network obj-10.70.1.0_24
subnet 10.70.1.0 255.255.255.0
object network obj-10.80.1.0_24
subnet 10.80.1.0 255.255.255.0
object network obj-10.90.1.0_24
subnet 10.90.1.0 255.255.255.0
object network obj-10.20.0.0_16
subnet 10.20.0.0 255.255.0.0
object network obj-10.30.0.0_16
subnet 10.30.0.0 255.255.0.0
object network obj-10.40.0.0_16
subnet 10.40.0.0 255.255.0.0
object network obj-10.50.0.0_16
subnet 10.50.0.0 255.255.0.0
object network obj-10.60.0.0_16
subnet 10.60.0.0 255.255.0.0
object network obj-10.70.0.0_16
subnet 10.70.0.0 255.255.0.0
object network obj-10.80.0.0_16
subnet 10.80.0.0 255.255.0.0
object network obj-10.90.0.0_16
subnet 10.90.0.0 255.255.0.0
object network obj-144.36.217.201
host 144.36.217.201
object network obj-58.137.205.2
host 58.137.205.2
object network obj-10.161.2.250
host 10.161.2.250
description Manila Proxy IP
object network SMMPH-IT_IP
range 10.161.2.96 10.161.2.102
description SMMPH-IT_IP
object network NETWORK_OBJ_10.158.0.0_16
subnet 10.158.0.0 255.255.0.0
object network NETWORK_OBJ_10.158.10.80_29
subnet 10.158.10.80 255.255.255.248
object network inside158
subnet 10.158.0.0 255.255.0.0
object network ServerSub2
subnet 10.193.1.0 255.255.255.0
object network ServerSubnet
subnet 10.193.0.0 255.255.0.0
object network IN158
subnet 10.158.0.0 255.255.0.0
object network IN161
subnet 10.161.0.0 255.255.0.0
object network IN193
subnet 10.193.1.0 255.255.255.0
object network INSIDE158
subnet 10.158.0.0 255.255.0.0
object network INSIDE161
subnet 10.161.0.0 255.255.0.0
object network INSIDE193
subnet 10.193.0.0 255.255.0.0
object network obj10.158.2.50
host 10.158.2.50
object network 203.177.11.3
host 203.177.11.3
object network obj10.158.2.25
host 10.158.2.25
object network 203.177.11.3(S)
host 203.177.11.3
object network obj-10.60.1.242
host 10.60.1.242
object network obj-10.60.1.243
host 10.60.1.243
object network 173.30POOL
subnet 172.30.0.0 255.255.0.0
object network IN173
subnet 10.173.0.0 255.255.0.0
object network NETWORK_OBJ_172.30.30.0_28
subnet 172.30.30.0 255.255.255.240
object network INSIDE159
subnet 10.159.0.0 255.255.0.0
object network VPNPOOL158
subnet 10.158.0.0 255.255.0.0
object network INSIDE173
subnet 10.173.0.0 255.255.0.0
object network VPN161POOL
subnet 10.161.0.0 255.255.0.0
object network NETWORK_OBJ_172.30.30.0_26
subnet 172.30.30.0 255.255.255.192
object network NETWORK_OBJ_10.158.10.0_24
subnet 10.158.10.0 255.255.255.0
object network dmz-subnet
subnet 172.29.29.0 255.255.255.0
object network mdmserver
host 172.29.29.2
object network dns-server
host 10.193.1.6
access-list dmz_acl extended permit ip any object dns-server
access-list dmz_acl extended deny ip any interface inside
access-list dmz_acl extended permit ip any any
access-list 101 extended permit ip 10.159.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list 101 extended permit ip 10.159.0.0 255.255.0.0 10.158.30.0 255.255.255.0
access-list 101 extended permit ip 10.158.0.0 255.255.0.0 10.158.30.0 255.255.255.0
access-list ftp.jgc.co.jp extended permit tcp host 10.158.10.130 host 150.5.65.99 eq ftp
access-list acl-outside extended deny tcp host 60.254.0.0 any eq www
access-list 102 extended permit ip 10.158.0.0 255.255.0.0 host 144.36.217.201
access-list 103 extended permit ip 10.159.0.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.20.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.30.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.40.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.50.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.60.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.70.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.80.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.90.1.0 255.255.255.0 host 144.36.217.201
access-list 104 extended permit ip 10.158.0.0 255.255.0.0 host 58.137.205.2
access-list 105 extended permit ip 10.159.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.20.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.30.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.40.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.50.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.60.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.70.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.80.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.90.0.0 255.255.255.0 host 58.137.205.2
access-list inside_access_in remark Cisco IronPort C170
access-list inside_access_in extended permit ip object OBJ-10.158.2.25 any inactive
access-list inside_access_in remark Manila Mail Server
access-list inside_access_in extended permit ip object OBJ-10.158.2.2 any inactive
access-list inside_access_in remark Manila Proxy
access-list inside_access_in remark Blue Coat 300
access-list inside_access_in extended permit ip object obj-10.161.2.250 any
access-list inside_access_in remark Manila Proxy
access-list inside_access_in extended permit ip object obj-10.158.2.50 any
access-list inside_access_in extended permit ip host 10.158.2.103 any
access-list inside_access_in extended permit ip object dns-server 172.29.29.0 255.255.255.0 inactive
access-list inside_access_in extended permit ip object dns-server object 173.30POOL inactive
access-list SMMPH standard permit 10.193.0.0 255.255.0.0
access-list outside_access_in extended permit ip any object mdmserver
no pager
logging enable
logging buffered debugging
logging trap notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu management 1500
mtu dmz 1500
ip verify reverse-path interface outside
ip audit attack action alarm drop reset
no failover
icmp unreachable rate-limit 10 burst-size 5
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static INSIDE193 INSIDE193 destination static 173.30POOL 173.30POOL no-proxy-arp route-lookup
nat (inside,any) source static INSIDE158 INSIDE158 destination static 173.30POOL 173.30POOL no-proxy-arp route-lookup
nat (inside,any) source static INSIDE159 INSIDE159 destination static 173.30POOL 173.30POOL no-proxy-arp route-lookup
nat (dmz,outside) source static dmz-subnet dmz-subnet destination static 173.30POOL 173.30POOL no-proxy-arp route-lookup
nat (inside,outside) source static INSIDE159 INSIDE159 destination static NETWORK_OBJ_10.158.10.0_24 NETWORK_OBJ_10.158.10.0_24 no-proxy-arp route-lookup
nat (inside,dmz) source static INSIDE193 INSIDE193 destination static dmz-subnet dmz-subnet no-proxy-arp route-lookup inactive
nat (inside,outside) source static obj-10.159.0.0_16 obj-10.159.0.0_16 destination static obj-172.16.1.0_24 obj-172.16.1.0_24 inactive
nat (inside,outside) source static obj-10.159.0.0_16 obj-10.159.0.0_16 destination static obj-10.158.30.0_24 obj-10.158.30.0_24
nat (inside,outside) source static obj-10.158.0.0_16 obj-10.158.0.0_16 destination static obj-10.158.30.0_24 obj-10.158.30.0_24
nat (inside,outside) source dynamic obj-10.158.0.0_16 interface
nat (inside,outside) source dynamic obj-10.20.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.30.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.40.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.50.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.60.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.70.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.80.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.90.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.158.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.159.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.20.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.30.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.40.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.50.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.60.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.70.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.80.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.90.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source static NETWORK_OBJ_10.158.0.0_16 NETWORK_OBJ_10.158.0.0_16 destination static NETWORK_OBJ_10.158.10.80_29 NETWORK_OBJ_10.158.10.80_29 no-proxy-arp route-lookup inactive
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.158.10.80_29 NETWORK_OBJ_10.158.10.80_29 no-proxy-arp route-lookup inactive
!
object network OBJ-10.159.1.2
nat (inside,outside) static 203.177.11.2 net-to-net
object network obj-10.60.1.7
nat (inside,outside) dynamic interface
object network obj-10.60.1.60
nat (inside,outside) dynamic interface
object network obj-10.60.1.85
nat (inside,outside) dynamic interface
object network obj-10.60.1.91
nat (inside,outside) dynamic interface
object network obj-10.60.1.206
nat (inside,outside) dynamic interface
object network obj-10.60.1.241
nat (inside,outside) dynamic interface
object network obj-10.60.1.244
nat (inside,outside) dynamic interface
object network obj-10.60.1.245
nat (inside,outside) dynamic interface
object network obj-10.60.1.246
nat (inside,outside) dynamic interface
object network obj-10.60.1.247
nat (inside,outside) dynamic interface
object network obj-10.158.2.4
nat (inside,outside) dynamic interface
object network obj-10.158.2.28
nat (inside,outside) dynamic interface
object network obj-10.158.2.38
nat (inside,outside) dynamic interface
object network obj-10.158.2.50
nat (inside,outside) dynamic interface
object network obj-10.158.2.52
nat (inside,outside) dynamic interface
object network obj-10.158.10.6
nat (inside,outside) dynamic interface
object network obj-10.159.1.4
nat (inside,outside) dynamic interface
object network obj-10.159.1.10
nat (inside,outside) dynamic interface
object network obj-10.159.1.251
nat (inside,outside) dynamic interface
object network obj-10.159.1.253
nat (inside,outside) dynamic interface
object network obj-10.60.1.242
nat (inside,outside) dynamic interface
object network obj-10.60.1.243
nat (inside,outside) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
object network mdmserver
nat (dmz,outside) static interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 122.x.x.x 1
route inside 10.0.0.0 255.0.0.0 10.158.1.1 1
route inside 10.159.0.0 255.255.0.0 10.158.2.100 1
route management 10.161.2.0 255.255.255.0 10.193.255.254 1
route inside 192.168.10.0 255.255.255.252 10.158.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record DAP-GP-VPNAC-TEST3
dynamic-access-policy-record DAP-GP-VPNCL-TEST
webvpn
url-list value MNL-FS
dynamic-access-policy-record DAP-GP-VPNAC-MNL
dynamic-access-policy-record DAP-GP-VPNAC-PAL
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server SG-GP-VPNAC-TEST protocol ldap
aaa-server SG-GP-VPNAC-TEST (inside) host 10.193.1.1
ldap-base-dn dc=smmph, dc=local
ldap-scope subtree
ldap-naming-attribute SamAccountName
ldap-login-password *****
ldap-login-dn cn=administrator, cn=users, dc=smmph, dc=local
server-type microsoft
aaa-server SG-GP-VPNCL-TEST protocol ldap
aaa-server SG-GP-VPNCL-TEST (inside) host 10.193.1.1
ldap-base-dn dc=smmph, dc=local
ldap-scope subtree
ldap-naming-attribute samaccountname
ldap-login-password *****
ldap-login-dn cn=administrator, cn=users, dc=smmph, dc=local
server-type microsoft
aaa-server SG-GP-VPNAC-MNL protocol ldap
aaa-server SG-GP-VPNAC-MNL (inside) host 10.193.1.1
timeout 5
ldap-base-dn dc=smmph, dc=local
ldap-scope subtree
ldap-naming-attribute samaccountname
ldap-login-password *****
ldap-login-dn cn=administrator, cn=users, dc=smmph, dc=local
server-type microsoft
aaa-server SG-GP-VPNAC-PAL protocol ldap
aaa-server SG-GP-VPNAC-PAL (inside) host 10.193.1.1
ldap-base-dn dc=smmph, dc=local
ldap-scope subtree
ldap-naming-attribute samaccountname
ldap-login-password *****
ldap-login-dn cn=administrator, cn=users, dc=smmph, dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 10.158.0.0 255.255.0.0 inside
http 10.159.1.16 255.255.255.255 inside
http 10.161.2.0 255.255.255.0 inside
http 10.161.2.99 255.255.255.255 management
http 10.161.2.101 255.255.255.255 management
http 10.161.2.102 255.255.255.255 management
http 10.161.2.98 255.255.255.255 management
http 10.161.2.96 255.255.255.255 management
http 10.161.2.97 255.255.255.255 management
http 10.193.1.0 255.255.255.0 inside
snmp-server host inside 10.158.254.254 poll community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto dynamic-map dynmap 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto ca trustpoint SMMDZRA002_TrustPoint0
enrollment self
subject-name CN=SMMDZRA002
keypair SMMDZRA002KP
crl configure
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpool policy
crypto ca server
lifetime ca-certificate 3650
lifetime certificate 3650
subject-name-default cn=SMMDZRA002, o=smmph
issuer-name cn=SMMDZRA002, o=smmph
crypto ca certificate chain SMMDZRA002_TrustPoint0
certificate d9ac7656
    308201fb 30820164 a0030201 020204d9 ac765630 0d06092a 864886f7 0d010105
    05003042 31133011 06035504 03130a53 4d4d445a 52413030 32312b30 2906092a
    864886f7 0d010902 161c534d 4d445a52 41303032 2e436973 636f4153 412d3535
    34352e63 6f6d301e 170d3136 30313231 30373236 33345a17 0d323630 31313830
    37323633 345a3042 31133011 06035504 03130a53 4d4d445a 52413030 32312b30
    2906092a 864886f7 0d010902 161c534d 4d445a52 41303032 2e436973 636f4153
    412d3535 34352e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00
    30818902 818100b8 4eb35cdb f45b2a35 aeee5a0c 8ff0b915 04a71205 7eea4f1d
    4f8416a4 23f44f0a 34745bfb 188b25a2 fc4ce95a 7c434084 bc553439 518d52e2
    68f41793 58b40c17 254c3854 c05708be ce28597b a6e4174a 78d5bcda 926dfec2
    a1a187d0 6237fff8 dc19814a ea902e02 a0c4cb79 75ead721 f48a2bd4 27212348
    151657fc b9909502 03010001 300d0609 2a864886 f70d0101 05050003 81810047
    6ae1e858 25a8c692 4f1efbfc 31ad9c00 bb24285c 6a6d6b20 ce24ba54 2f45347b
    d4852c07 5445fd63 291e7a56 72804cbf aa23bb9f 40775a46 785efcd1 4cf28531
    3562e30e d1b27787 86f46c66 80807934 5b115e56 14c29d88 3df5870a 4d708763
    2c442855 701da13f 5574ee6e 3e74f342 72742440 cfcefc37 eb7ee98b 0dfcb3
quit
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
    30820223 3082018c a0030201 02020101 300d0609 2a864886 f70d0101 05050030
    25310e30 0c060355 040a1305 736d6d70 68311330 11060355 0403130a 534d4d44
    5a524130 3032301e 170d3136 30323032 30383530 30395a17 0d313930 32303130
    38353030 395a3025 310e300c 06035504 0a130573 6d6d7068 31133011 06035504
    03130a53 4d4d445a 52413030 3230819f 300d0609 2a864886 f70d0101 01050003
    818d0030 81890281 8100c50d d6782f24 4d1bd8ae 6ece49b9 fe3937b6 ec69b668
    e7ad49bb 6c7ebf71 31fc0721 fe4f79ee abdd6dd8 90f024a6 38883756 93255e8c
    b404a9dc 420f2d25 b091a005 b1c6eb7a d8a9c26f f3b84a5d 3b422c12 d19aa382
    9f7c4929 30729af2 420960de ba2d9194 fc6ca772 ea636f3b 8140ad98 f3ce36fd
    8dba140f 0a05c519 11fb0203 010001a3 63306130 0f060355 1d130101 ff040530
    030101ff 300e0603 551d0f01 01ff0404 03020186 301f0603 551d2304 18301680
    142a8ebe e5671138 288ca6a1 55fb326b 367bfbbe fd301d06 03551d0e 04160414
    2a8ebee5 67113828 8ca6a155 fb326b36 7bfbbefd 300d0609 2a864886 f70d0101
    05050003 81810097 bf94ed09 8f4bd0c2 d0a62ac4 6712b8e1 3503c904 bfd5b6e0
    6e408455 15521b21 eab1234b 9607257f 3c73c572 66b3b9c8 43d1e0cf d63e256f
    54040347 acb8b7df 9245a872 84bb52bb 4e27473f ad6c5aed 7c23a1b7 e1d311be
    9b332ade 103c2349 148f473e 1edd3b40 5a7d9ffd 8f0b6f0e 9f00203d f6b70031
    e9cf0d3b 6bf222
quit
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint SMMDZRA002_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 10.158.0.0 255.255.0.0 inside
telnet 10.159.0.0 255.255.0.0 inside
telnet 10.60.1.0 255.255.255.0 inside
telnet 10.158.0.0 255.255.0.0 intf2
telnet 10.159.0.0 255.255.0.0 intf2
telnet 10.60.1.0 255.255.255.0 intf2
telnet timeout 5
ssh 10.161.2.98 255.255.255.255 inside
ssh 10.161.2.99 255.255.255.255 inside
ssh 10.161.2.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access inside
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point SMMDZRA002_TrustPoint0 inside
ssl trust-point SMMDZRA002_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.2.01035-k9.pkg 2
anyconnect profiles CP-GP-VPNAC-MNL_client_profile disk0:/CP-GP-VPNAC-MNL_client_profile.xml
anyconnect profiles CP-GP-VPNAC-PAL_client_profile disk0:/CP-GP-VPNAC-PAL_client_profile.xml
anyconnect profiles CP-GP-VPNAC-TEST_client_profile disk0:/CP-GP-VPNAC-TEST_client_profile.xml
anyconnect profiles CP-VPNAC-TEST2_client_profile disk0:/CP-VPNAC-TEST2_client_profile.xml
anyconnect profiles CP-VPNAC-TEST3_client_profile disk0:/CP-VPNAC-TEST3_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_CP-GP-VPNAC-MNL internal
group-policy GroupPolicy_CP-GP-VPNAC-MNL attributes
wins-server none
dns-server value 10.193.1.1 10.193.1.6
vpn-tunnel-protocol ikev2 ssl-client
default-domain value smmph.local
webvpn
anyconnect profiles value CP-GP-VPNAC-MNL_client_profile type user
group-policy GroupPolicy_CP-GP-VPNAC-PAL internal
group-policy GroupPolicy_CP-GP-VPNAC-PAL attributes
wins-server none
dns-server value 10.193.1.1 10.193.1.6
vpn-tunnel-protocol ikev2 ssl-client
default-domain value smmph.local
webvpn
anyconnect profiles value CP-GP-VPNAC-PAL_client_profile type user
group-policy GrpPolicy-GP-VPNCL-TEST internal
group-policy GrpPolicy-GP-VPNCL-TEST attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value MNL-FS
group-policy GroupPolicy_CP-VPNAC-TEST3 internal
group-policy GroupPolicy_CP-VPNAC-TEST3 attributes
wins-server none
dns-server value 10.193.1.1 10.193.1.6
vpn-tunnel-protocol ikev2 ssl-client
default-domain value smmph.local
webvpn
anyconnect profiles value CP-VPNAC-TEST3_client_profile type user
username danb password DgJTLLr60YlCc/qa encrypted privilege 15
username sumitomoph password 2HHy4WoREOxqpVos encrypted privilege 15
username trends password /A/vfSkRhckIGmQX encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
username ryant password VkL8b6LC.2VB9B9S encrypted privilege 15
username mailserver password gohYQXFN3/pIjNMt encrypted
tunnel-group CP-GP-VPNAC-MNL type remote-access
tunnel-group CP-GP-VPNAC-MNL general-attributes
address-pool 173.30POOL
authentication-server-group SG-GP-VPNAC-MNL
default-group-policy GroupPolicy_CP-GP-VPNAC-MNL
tunnel-group CP-GP-VPNAC-MNL webvpn-attributes
authentication aaa certificate
group-alias CP-GP-VPNAC-MNL enable
tunnel-group CP-GP-VPNAC-PAL type remote-access
tunnel-group CP-GP-VPNAC-PAL general-attributes
address-pool 158POOL2
authentication-server-group SG-GP-VPNAC-PAL
default-group-policy GroupPolicy_CP-GP-VPNAC-PAL
tunnel-group CP-GP-VPNAC-PAL webvpn-attributes
authentication aaa certificate
group-alias CP-GP-VPNAC-PAL enable
tunnel-group CP-VPNAC-TEST3 type remote-access
tunnel-group CP-VPNAC-TEST3 general-attributes
address-pool 173.30POOL
authentication-server-group SG-GP-VPNAC-TEST
default-group-policy GroupPolicy_CP-VPNAC-TEST3
tunnel-group CP-VPNAC-TEST3 webvpn-attributes
authentication aaa certificate
group-alias CP-VPNAC-TEST3 enable
tunnel-group CP-GP-VPNCL-TEST type remote-access
tunnel-group CP-GP-VPNCL-TEST general-attributes
authentication-server-group SG-GP-VPNCL-TEST
default-group-policy GrpPolicy-GP-VPNCL-TEST
tunnel-group CP-GP-VPNCL-TEST webvpn-attributes
group-alias CP-GP-VPNCL-TEST enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect http
inspect icmp
class class-default
set connection decrement-ttl
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 23
subscribe-to-alert-group configuration periodic monthly 23
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:035c8fa008ba5587e044c2beb7782ac3
: end

I also cannot telnet to the

drlbaluyut — Tue, 16 Feb 2016 01:49:22 GMT

I also cannot telnet to the public-address

Looks like the traffic is not

Marius Gunnerud — Tue, 16 Feb 2016 04:36:29 GMT

Looks like the traffic is not matching your NAT statement and therefore not matching your ACL. I would suggest trying to place the NAT statement in manual NAT.

object service tcp_8080

nat (dmz,outside) static mdmserver interface service tcp_8080 tcp_8080

Please remember to select a correct answer and rate helpful posts

Hi

drlbaluyut — Tue, 16 Feb 2016 05:21:48 GMT

The traffic is still blocked.

But I changed the public ip to my ISP default gateway and the packet trace result is now allowed.

So I cannot use the ip of outside interface as a translated IP of dmz host?

SMMDZRA002# packet-tracer input outside tcp 192.0.2.123 12345 122.x.x.x 8080

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network mdmserver
nat (dmz,outside) static 122.x.x.x
Additional Information:
NAT divert to egress interface dmz
Untranslate 122.x.x.x/8080 to 172.29.29.2/8080

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any object mdmserver
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network mdmserver
nat (dmz,outside) static 122.x.x.x
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5211034, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Is that the ideal output?

**********************

Still I cannot access the mdm host from outside using the links below

http://ISP_defaultgateway:8080/mobile

https://ISP_defaultgateway:4343/mobile

Hi,

Samer R. Saleem — Tue, 16 Feb 2016 10:37:42 GMT

Hi,

this is the right output for your configuration, you dont have any drop at any point.

if you can scan your device you trying to access if there is firewall settings on it that prevents you accessing, also make scan port for it to see which port is open on it.

regards,

Hi,

Shivapramod M — Tue, 16 Feb 2016 13:15:23 GMT

Hi,

Packet tracer usually used to verify whether the configuration on the ASA is correct or not. Since the firewall is not dropping the packet we have to take the packet capture on the ASA with the real traffic. you can take capture on the outside and dmz interface using he correct IP. Please note that when we set the capture on dmz interface the destination host IP will the private or translated IP.

cap capin interface outside match tcp host <sourceip> host 122.x.x.x eq 8080

cap capout interface dmz match tcp host <sourceip> host 172.29.29.2 eq 8080

to view the capture--show cap capin / show cap capout

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi

drlbaluyut — Wed, 17 Feb 2016 04:43:46 GMT

The source ip is s public ip?

Hi,

Shivapramod M — Wed, 17 Feb 2016 08:14:51 GMT

Hi,

Yes, Source IP is the device IP address from where you are initiating the traffic. So if you are testing from a PC in internet then the public IP address of the PC.

Thanks,

Shiva

Ah ok...here is the problem

Marius Gunnerud — Sat, 20 Feb 2016 07:15:12 GMT

Ah ok...here is the problem "Untranslate 122.x.x.x/8080 to 172.29.29.2/8080"

The server is only listening for port 80 so the command I gave you earlier is incorrect.

Please change it to the following

nat (dmz,outside) static mdmserver interface service tcp 80 8080

For the sake of cleaing up the configuration you might also want to remove the previous NAT command before applying this new one.

Please remember to select a correct answer and rate helpful posts

Hi all

drlbaluyut — Tue, 23 Feb 2016 01:51:02 GMT

Hi all

My dmz mdm server is now accessible from outside.

It was resolved when i assigned a different public ip for translation.

However, i cannot ping this public IP from outside, inside and dmz.

how can i ping the public IP from inside and outside? is it ISP related?

Thanks

Hi,

Samer R. Saleem — Tue, 23 Feb 2016 05:07:50 GMT

Hi,

good to hear that, regarding ping you need to check icmp inspection or if you allowing icmp packets from outside to your firewall

regarding pinging the public IP from inside interface, you will not be able to do that and its not related to ISP, its firewall default behavior

good luck.

As Samer has said, the

Marius Gunnerud — Wed, 24 Feb 2016 07:04:04 GMT

As Samer has said, the default behavior is to drop packets that the ASA expects to see on another interface other than the ingress interface. so since the ASA expects to see packets for the public IP of the server on the outside interface, all other packets entering other interfaces will be dropped....by default.

There are ways to get around this. You can do hairpinning on the inside interface so that traffic going to the public IP of the server will be translated to the private IP of the server and sendt back out the inside interface (please forgive me but I can not be bothered to scroll up and find exact IPs, so I will use my own made up IPs for this example). For example:

object network SERVER-PRIVATE

host 192.168.1.10

object network SERVER-PUBLIC

host 62.192.76.80

object network INSIDE-LAN

subnet 172.16.1.0 255.255.255.0

nat (inside,inside) source static INSIDE-LAN INSIDE-LAN destination static SERVER-PUBLIC SERVER-PRIVATE

same-security-traffic permit intra-interface

Please remember to select a correct answer and rate helpful posts

Hi

drlbaluyut — Wed, 24 Feb 2016 09:09:13 GMT

unfortunately the mdm is unaccessible from outside again. Damn. I just removed the lan cables from the switch that connects to dmz host yesterday afternoon. Putting it back again in the morning. Suddenly it is not working and it is not a faulty cable. How weird could that be! Can it be a problem to the public ip?

I could be a problem with the

Marius Gunnerud — Wed, 24 Feb 2016 22:09:35 GMT

I could be a problem with the routing of the public IP...but that is very unlikely.

in the ASDM realtime log viewer do you see any drops or asynchronous NAT...

Please remember to select a correct answer and rate helpful posts

No async nat on viewer when

drlbaluyut — Wed, 24 Feb 2016 23:07:38 GMT

No async nat on viewer when pinging 8.8.8.8 from dmz host. But i can see the permit hit count increase on dmz access rules permit any any. Also. On the real time viewer, teardown icmp can be seen and no drop. It worked one day then the next morning it became intermittent up to not working at all.

I suggest setting up a packet

Marius Gunnerud — Thu, 25 Feb 2016 11:32:35 GMT

I suggest setting up a packet capture between the interfaces for the specific server

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

And see if you see traffic flow in both directions.

Please remember to select a correct answer and rate helpful posts

Hi

drlbaluyut — Tue, 01 Mar 2016 01:00:05 GMT

It is working again now. It cannot work when I set a specific TCP port 4343 in access-list for outside going in. After I changed to IP it worked. But I wonder why it cannot work after permitting only specific ports.

Hi,

Samer R. Saleem — Tue, 01 Mar 2016 07:23:54 GMT

Hi,

1.check the inspection list on firewall

2. if it is working on [ IP ] check the ports that is in listening on both ends to see which port is in use and then check if its permitted on your firewall or not.

try capture traffic between the two hosts on firewall and analyze the traffic.

HTH

Samer.