topic thanks Jon for the info... in Network Security

unable to access internet from DMZ server

mudasir05 — Tue, 12 Mar 2019 05:43:04 GMT

Hello All,

I have a Server connected to the Vlan on 2960 switch which is connected to the ASA 5545.

The Server is accessed from outside as iam able to ping its public ip as well as able to ssh it,however the problem is iam not able to access the Internet from the Server.

I am using ASA version 9.1,also i created access-list and Nat rule through Public Server feature of the ASDM.

kindly help where iam wrong.

Thanks

Hi,If you check the NAT for

Vibhor Amrodia — Mon, 30 Mar 2015 10:19:04 GMT

Hi,

If you check the NAT for the Server , Is this a Static PAT/Port Forward or One-one Static NAT ?

If it is port Forward/Static PAT , Outbound ping would need a Dynamic NAT for the ping to be allowed to the internet.

Also , other than this , check these things:-

1) ICMP inspection is no ACL is applied on the Private Interface

2) Allow ICMP ACE on the ACL is applied on the private interface

Thanks and Regards,

Vibhor Amrodia

thanks Vibhor,I have a static

mudasir05 — Mon, 30 Mar 2015 10:47:01 GMT

thanks Vibhor,

I have a static one to one Nat applied,no port forwarding is done.

Kindly let me know how to allow icmp inspect for a particular interface.

Thanks

Hi,You just need to run this

Vibhor Amrodia — Mon, 30 Mar 2015 11:29:57 GMT

Hi,

You just need to run this command:- fixup protocol icmp

This is a global feature and will be enabled for the complete device.

Also , run a packet trace to find out what policies are being hit on the ASA device for this traffic ?

Refer:-

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia

i have a ubunto server which

mudasir05 — Mon, 30 Mar 2015 14:51:33 GMT

i have a ubunto server which i am not able to update or upgrade as its not able to access the internet...

not sure where the problem is....i ran the packet tracer it shows the implicit configured rule is the problem for the configured dmz and when i checked that rule its there by default as iam unable to edit or delete it.

How are you trying to access

Jon Marshall — Mon, 30 Mar 2015 15:04:09 GMT

How are you trying to access the internet from the server ie. what port are you testing on ?

Can you post the ASA configuration.

Jon

I have a Ubuntu Server which

mudasir05 — Mon, 30 Mar 2015 15:59:57 GMT

I have a Ubuntu Server which is connected to the dmz port of the ASA and from there i try to ping google dns which iam not,also iam not able to update and upgrade my server.

object network water_private

nat (dmz5,Jeraisy) static waterlevel_public

access-group Jeraisy_access in interface Jeraisy

access-list Jeraisy_access extended permit object-group DM_INLINE_SERVICE_6 any4 object water_private

route Jeraisy 0.0.0.0 0.0.0.0 83.101.xx.xx 2

Hi,I see that you mentioned

Vibhor Amrodia — Tue, 31 Mar 2015 00:45:08 GMT

Hi,

I see that you mentioned the packet tracer drops this traffic ? Can you post the trace output ?

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,I tried with the

mudasir05 — Tue, 31 Mar 2015 14:45:56 GMT

Hi Vibhor,

I tried with the fixup protocol icmp but didn't worked.

kindly find the attached packet tracer from my outside interface to google dns..

I thought "Jeraisy" was your

Jon Marshall — Tue, 31 Mar 2015 15:17:42 GMT

I thought "Jeraisy" was your outside interface but that's not what your packet tracer is saying.

Can you just post the configuration of the firewall.

Jon

Hi Jon, yes Jeraisy is our

mudasir05 — Tue, 31 Mar 2015 15:42:17 GMT

Hi Jon,

yes Jeraisy is our another outside interface facing another ISP.

plz find attached config

route outside 0.0.0.0 0.0.0.0

Jon Marshall — Tue, 31 Mar 2015 16:02:27 GMT

Can you post "sh route"

Jon

Okay I think the problem is

Jon Marshall — Tue, 31 Mar 2015 16:14:12 GMT

Okay I think the problem is you have two outside interfaces.

Your default route is pointing to the outside interface.

So when the server initiates the connection you have setup a static to the Jeraisy interface IP but the ASA routes the traffic to the outside interface and there is no translation for your server.

You cannot have multiple default routes via different interfaces.

So what you may have to do is -

1) setup static PAT translations for the ports you want using the Jeraisy interface

2) then setup up a dynamic NAT for the server to the outside interface for traffic it initiates.

You won't, unless Vibhor knows a way, be able to use the Jeraisy ISP for traffic initiated from the server.

Unless of course you wanted to use contexts in which case you could have the server DMZ and the Jeraisy outside interface in their own context.

Jon

thanks Jon,if somehow I setup

mudasir05 — Wed, 01 Apr 2015 06:15:11 GMT

thanks Jon,

if somehow I setup the static PAT translations and Dynamic NAT then in that case also I have to configure the static route.....am I right?

Hi,I agree with Jon on this

Vibhor Amrodia — Wed, 01 Apr 2015 11:07:53 GMT

Hi,

I agree with Jon on this issue that because you have two ISP and the one which is secondary , would never be used for routing the traffic outbound to the internet.

There is a Workaround that can be used but that should only be used cautiously:-

If you are okay to route all the outbound traffic for a specific destination port out through the ISP 2 (Jeraisy ) For ex:-

If you want all the outbound traffic destined to port 80 to go out through this interface , you can create a statement like this:-

static (Jeraisy ,DMZ5) tcp 0.0.0.0 80 0.0.0.0 80

You can refer to these articles for all the possible options in this scenario:-

https://supportforums.cisco.com/document/49756/asapix-load-balancing-between-two-isp-options

https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa

Thanks and Regards,

Vibhor Amrodia

thanks Vibhor,Do i need to

mudasir05 — Wed, 01 Apr 2015 14:10:16 GMT

thanks Vibhor,

Do i need to add router also in my topology?

A router in front of your

Jon Marshall — Wed, 01 Apr 2015 17:05:26 GMT

A router in front of your firewall would allow you to connect both ISPs to the router and only have one outside interface on the ASA.

Then you can use PBR on the router to direct traffic via whichever ISP you wanted based on the source IP address of the device i.e you would translate your server to a specific IP and then send it down the Jeraisy link.

PBR can also distinguish with ports as well which gives you more flexibility.

That said I believe there is a release of code for the ASA due soon that will support PBR and that would also solve your issue.

Perhaps Vibhor could provide some more details on that.

Jon

thanks Jon for the info...

mudasir05 — Thu, 02 Apr 2015 06:25:17 GMT

thanks Jon for the info....

will try this definitely on my router and will let u know..

Hi,Yes , I think we already

Vibhor Amrodia — Thu, 02 Apr 2015 10:13:57 GMT

Hi,

Yes , I think we already have the ASA code 9.4.1 which supports PBR. SO , an upgrade should help you out with this issue 🙂

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html

Thanks and Regards,

Vibhor Amrodia