topic Problems when I put a server in the dmz in Network Security

Problems when I put a server in the dmz

Rafael Jimenez — Tue, 12 Mar 2019 00:06:52 GMT

I have a asa5505, with this software:

Cisco Adaptive Security Appliance Software Version 8.4(4)1

Device Manager Version 6.4(7).

Im using vlans interface. I have the following vlan interfaces configured:

outside (called isp1),inside,dmz.

The asa is connected to a switch via trunk. There are several ESXi servers with VMs connected to the same switch.

The isp1 vlan interface is asociated with the e0/0.

I have a problem, when I start any (linux or windows) server in the dmz, all the internal networks lose the internet connection (via isp1).

There is a static nat X.X.X.61 <-> 192.168.111.61 beetwen the test server and the outside.

There are dynamic nat (pat) between the internal networks and the public ip on the outside interface x.x.x.64.

After several attempts (with whatismyip.com) I get verify that the public ip is x.x.x.61

What is wrong?...

attached the most relevant config.

Problems when I put a server in the dmz

Jouni Forss — Tue, 09 Oct 2012 22:44:10 GMT

Hi,

Have you tried to check on the ASA in realtime what happens to the connections attempts throught it when you start up a server?

Do you mean that for the LAN to work normally you wont have any servers up and running on the DMZ? Seems abit odd.

You sure there isnt somekind of loop with the server platform and switches that chokes the whole network including ASA?

- Jouni

Problems when I put a server in the dmz

Rafael Jimenez — Wed, 24 Oct 2012 15:07:16 GMT

Hello Jouni,

checking the realtime log, only nomal Build and TearDown messages, no deny msg.

Yes. in the moment the server in dmz try to access the internet , for example http, or dns all the internet goes down for all the internal networks.

I did a test putting the ASA alone. Also I assingned dmz and inside IP´s to the fisical ports, connected one pc in the inside interface, another pc in the dmz interface.

The pc in the iside interface is able to access internet until I plug the (dmz) cable in the pc. Exactly when the pc try to access the dns servers or I open the http browser.

Im stucked because I need start the dmz for several servers.

Thanks.

Problems when I put a server in the dmz

Julio Carvajal — Wed, 24 Oct 2012 20:02:28 GMT

Hello,

Please share the show run NAT

Regards,

Problems when I put a server in the dmz

Rafael Jimenez — Wed, 24 Oct 2012 20:11:04 GMT

show run nat:

object network PCoIP-host

nat (dmz,isp1) static 190.147.134.61

object network web-mail-host

nat (dmz,isp1) static 190.147.134.48

object network smtp-host

nat (dmz1,isp2) static interface service tcp smtp smtp

object network www-host

nat (dmz1,isp2) static interface service tcp www www

object network pop3s-host

nat (dmz1,isp2) static interface service tcp 995 995

object network dns-tcp-host

nat (dmz1,isp2) static interface service tcp domain domain

object network dns-udp-host

nat (dmz1,isp2) static interface service udp domain domain

object network 172.16.1.x-190.147.134.64-PAT-network

nat (inside,isp1) dynamic interface

object network 172.16.1.x-200.116.11.57-PAT-network

nat (inside,isp2) dynamic interface

object network dvr-udp-host

nat (dmz,isp3) static interface service udp 8080 8080

object network dvr-tcp-host

nat (dmz,isp3) static interface service tcp 8080 8080

object network 10.10.10.x-190.147.134.64-PAT-network

nat (inside,isp1) dynamic interface

object network 10.10.10.x-200.116.11.57-PAT-network

nat (inside,isp2) dynamic interface

object network 172.16.1.48-190.147.134.64-PAT-network

nat (inside,isp1) dynamic interface

object network 172.16.1.48-200.116.11.57-PAT-network

nat (inside,isp1) dynamic interface

object network 192.168.x.x-200.116.11.57-PAT-network

nat (inside,isp2) dynamic interface

object network 192.168.10.x-190.147.134.64-PAT-network

nat (inside,isp1) static interface

object network 192.168.100.x-190.147.134.64-PAT-network

nat (inside,isp1) static interface

object network 192.168.15.x-190.147.134.64-PAT-network

nat (inside,isp1) static interface

object network 192.168.50.x-190.147.134.64-PAT-network

nat (inside,isp1) static interface

#show run object:

object network PCoIP-host

host 192.168.111.61

....

...

Problems when I put a server in the dmz

Julio Carvajal — Wed, 24 Oct 2012 20:33:47 GMT

Hello Rafael,

do the following:

packet-tracer input inside tcp 172.16.1.100 1025 4.2.2.2 80

Regards,

Problems when I put a server in the dmz

Rafael Jimenez — Wed, 24 Oct 2012 20:40:19 GMT

packet-tracer input inside tcp 172.16.1.100 1025 4.2.2.2 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 isp1

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 172.16.1.x-190.147.134.64-PAT-network
nat (inside,isp1) dynamic interface
Additional Information:
Dynamic translate 172.16.1.100/1025 to 190.147.134.64/1025

Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 61570, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: isp1
output-status: up
output-line-status: up
Action: allow

Problems when I put a server in the dmz

Julio Carvajal — Wed, 24 Oct 2012 20:43:56 GMT

Hello Rafael,

Okay so the packet-tracer shows the inside network gets Natted to the ISP1 interface. Configuration looks good.

Basically what you are saying is as soon as you have the DMZ servers all of the internal users are unable to go to the internet correct?

I would say the best way to handle this would be creating captures at the time you have the DMZ server on, what do you think?

Regards,

Problems when I put a server in the dmz

Rafael Jimenez — Wed, 07 Nov 2012 04:32:21 GMT

My friends,

I think that is a proxy arp issue. But I don't have a solution yet.

I need some help with this.

Thank.s

Problems when I put a server in the dmz

Julio Carvajal — Wed, 07 Nov 2012 05:13:59 GMT

Hello Rafael,

Can you do some captures when the server is in place?

From an inside host, so we can determine if there is a problem with the ASA,

Regards,

Problems when I put a server in the dmz

Rafael Jimenez — Wed, 07 Nov 2012 12:04:21 GMT

Hello Julio,

I did some changes to test. I just put the e0/0 and e0/1 in the outside vlan (isp).

The e0/2 is in the dmz vlan and the e0/3 is in the inside vlan.

internet in the isp vlan interface (E0/0) works fine alone. When I plug another pc in the E0/1 port, or if I plug a pc in the E0/2, all the traffic goin from the inside to internet (isp) goes down.

Also I just take off the ASA and put back a Cisco RV042 that was working before the ASA, I have the same problem.

the internet on the isp is ok. a Pc connecte alone in the modem works fine.

Problems when I put a server in the dmz

Julio Carvajal — Wed, 07 Nov 2012 17:40:57 GMT

Hello Rafael,

Okay here is what I want you to do:

put the e0/0 and e0/1 in the outside vlan (isp).

The e0/2 is in the dmz vlan and the e0/3 is in the inside vlan.

Then connect a PC to the inside vlan

capture capin interface inside match icmp any host 4.2.2.2

capture capout interface outside match icmp any host 4.2.2.2

Then try to ping from the inside host to 4.2.2.2 and afterwards provide

show cap capin

show cap capout

Regards

Re: Problems when I put a server in the dmz

Rafael Jimenez — Fri, 09 Nov 2012 11:34:57 GMT

Hi Julio,

After try everything, I decided do a wireshark capture. Everything looks fine, I just was curiously about a "IP checksum offload" message, doing some research with google, I saw the light. All the problems starts when the virtual machines migrated (due to drs) to one of the servers that have Gigabits NIC with TOE (Broadcom NetXtreme II 5709 Dual Port Ethernet PCIe Card with TOE and iSCSI Offload).

I just disabled the tso (tcp segmentation offload) for the affected OS. Now everything is fine.

Regards.

Re: Problems when I put a server in the dmz

Julio Carvajal — Fri, 09 Nov 2012 17:37:40 GMT

Rafael,

Great to hear that,

Some kudos for you,

Please mark the question as answered,

Regards