topic Re: Host in DMZ cannot get outside (ASA 5505) in Network Security

Host in DMZ cannot get outside (ASA 5505)

ralf.rottmann — Mon, 11 Mar 2019 23:06:46 GMT

Hi there,

Based on the configuration pasted below, we believe the host (10.0.2.200 / 255.255.255.0 GW: 10.0.2.1 with external DNS servers configured) should have access to the web. However, it cannot resolve any names nor can it connect outside. Any idea why? Your help is greatly appreciated.

Here is the config:

ciscoasa# show running-configuration

ERROR: % Invalid input detected at '^' marker.

ciscoasa# show runn

ciscoasa# show running-config

: Saved

ASA Version 8.4(3)

hostname ciscoasa

enable password *** encrypted

passwd *** encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

switchport access vlan 12

interface Vlan1

nameif inside

security-level 100

ip address 10.0.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 195.14.245.70 255.255.255.224

interface Vlan12

nameif dmz

security-level 50

ip address 10.0.2.1 255.255.255.0

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 194.8.194.60

name-server 213.168.112.60

object network obj_any

subnet 0.0.0.0 0.0.0.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 195.14.245.65 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.0.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

***

quit

telnet timeout 5

ssh 10.0.1.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd dns 194.8.194.60 213.168.112.60

dhcpd auto_config inside

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username *** password *** encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

class class-default

user-statistics accounting

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

hpm topN enable

Cryptochecksum:***

: end

Host in DMZ cannot get outside (ASA 5505)

Kevin P Sheahan — Mon, 14 May 2012 19:04:56 GMT

Hi,

You are currently nat'ing inside traffic to go outside, you need to do the same to allow your DMZ to get out.

nat (dmz,outside) dynamic interface

Kind Regards,

Kevin

**Please rate helpful posts and remember to mark your question as answered once resolved!

Host in DMZ cannot get outside (ASA 5505)

ralf.rottmann — Mon, 14 May 2012 19:12:47 GMT

Wow, that was a speedy response. Thanks!

Could you explain how I do that on a) CLI and b) ASDM? That would be just fantastic!

Re: Host in DMZ cannot get outside (ASA 5505)

Kevin P Sheahan — Mon, 14 May 2012 19:17:29 GMT

Copy and paste the line below in your CLI.

nat (dmz,outside) dynamic interface

Sent from Cisco Technical Support iPhone App

Re: Host in DMZ cannot get outside (ASA 5505)

ralf.rottmann — Mon, 14 May 2012 19:20:11 GMT

Getting an error:

gcxfw(config)# nat (dmz,outside) dynamic interface

ERROR: % Invalid input detected at '^' marker.

Re: Host in DMZ cannot get outside (ASA 5505)

Kevin P Sheahan — Mon, 14 May 2012 19:25:28 GMT

Ok,

Try this...

nat (dmz,outside) 2 source dynamic any interface

Make sure you copy and paste or type it verbatim.. there is a in between "nat" and "(dmz,outside)".

Re: Host in DMZ cannot get outside (ASA 5505)

ralf.rottmann — Mon, 14 May 2012 19:27:42 GMT

The command did work but the host stil seems to be unable to go outside...

Host in DMZ cannot get outside (ASA 5505)

varrao — Mon, 14 May 2012 19:28:26 GMT

You need to add:

object network obj_any_dmz

subnet 0.0.0.0 0.0.0.0

nat (dmz,outside) dynamic interface.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Host in DMZ cannot get outside (ASA 5505)

ralf.rottmann — Mon, 14 May 2012 19:29:58 GMT

Varun, thanks for checking back in. 🙂

I'll add that in a moment. How can I rewoke this one before:

nat (dmz,outside) 2 source dynamic any interface

Best,

-Ralf

Host in DMZ cannot get outside (ASA 5505)

varrao — Mon, 14 May 2012 19:43:02 GMT

Just put a "no" in front of it in the config mode.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Re: Host in DMZ cannot get outside (ASA 5505)

ralf.rottmann — Mon, 14 May 2012 19:52:43 GMT

And repeat the exact command?

Sent from Cisco Technical Support iPhone App

Host in DMZ cannot get outside (ASA 5505)

varrao — Mon, 14 May 2012 21:37:20 GMT

Yes, once you delete it, you need to add this:

object network obj_any_dmz

subnet 0.0.0.0 0.0.0.0

nat (dmz,outside) dynamic interface.

Re: Host in DMZ cannot get outside (ASA 5505)

ralf.rottmann — Mon, 14 May 2012 21:41:20 GMT

Worked like a charm. Could you briefly explain what the command does?

Sent from Cisco Technical Support iPad App

Host in DMZ cannot get outside (ASA 5505)

varrao — Mon, 14 May 2012 21:48:55 GMT

Hi,

The command just nats all your traffic from the DMZ interface to the outside interface of the ASA, glad it helped.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Host in DMZ cannot get outside (ASA 5505)

ralf.rottmann — Tue, 15 May 2012 06:49:34 GMT

Thanks again. I thought NAT is only required for inbound traffic. Why do I have to NAT outgoing connections?

Host in DMZ cannot get outside (ASA 5505)

Amos Kafwembe — Tue, 18 Dec 2012 10:18:27 GMT

hello.

I dont mean to highjack this thread but I have a similar situation as this one, only that i would like to NAT only my webserver which is the DMZ to the outside on a specified IP address and not PAT. my firewall wont allow the command

nat (dmz,outside) dynamic interface.

unless, nat (dmz) 1......................................(am not certain how the command shoule end.

how can i do this translation so that my webserver can be seen? also, i need it to be seen only on ports 80,443 and 20.

thanks.

Re: Host in DMZ cannot get outside (ASA 5505)

Jouni Forss — Tue, 18 Dec 2012 10:47:52 GMT

Hi,

With ASA software 8.3 and above the configuration format is the following

Port Forward Configuration using the "outside" interface public IP address

object network STATIC-TCP20

host 10.10.10.10

nat (dmz,outside) static interface service tcp 20 20

object network STATIC-TCP80

host 10.10.10.10

nat (dmz,outside) static interface service tcp 80 80

object network STATIC-TCP443

host 10.10.10.10

nat (dmz,outside) static interface service tcp 443 443

access-list OUTSIDE-IN permit tcp any object STATIC-TCP20 eq 20

access-list OUTSIDE-IN permit tcp any object STATIC-TCP80 eq 80

access-list OUTSIDE-IN permit tcp any object STATIC-TCP443 eq 443

access-group OUTSIDE-IN in interface outside

Where

10.10.10.10 = example DMZ host IP address
STATIC-TCPxx = object name for each translation/portforward
OUTSIDE-IN = example outside interface ACL name
access-group = attach the ACL to outside interface (unless you already have an ACL attached)

IF you have a dedicated public IP address for the server -> REPLACE "interface" with the public IP address.

object network STATIC-DMZ

host 10.10.10.10

nat (dmz,outside) static 1.2.3.4

access-list OUTSIDE-IN permit tcp any object STATIC-DMZ eq 20

access-list OUTSIDE-IN permit tcp any object STATIC-DMZ eq 80

access-list OUTSIDE-IN permit tcp any object STATIC-DMZ eq 443

access-group OUTSIDE-IN in interface outside

Where

10.10.10.10 = example DMZ host IP address
STATIC-DMZ = object name for the 1:1 Static NAT (in other words 10.10.10.10 owns this public IP address)
1.2.3.4 = example public IP address

If this solves your question please rate. Otherwise make another thread asking about this (copy/paste content there perhaps) and we will look furhter.

- Jouni

Host in DMZ cannot get outside (ASA 5505)

Amos Kafwembe — Tue, 18 Dec 2012 17:51:15 GMT

Hi,

thanks for taking time to respond. my ASA version is pasted below. The command line is quite different.

ciscoasa# sh run

: Saved

ASA Version 7.2(4)

hostname ciscoasa

domain-name default.domain.invalid

enable password Cxy6Egno9r1.xcqd encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

Re: Host in DMZ cannot get outside (ASA 5505)

Jouni Forss — Tue, 18 Dec 2012 17:57:05 GMT

Ah,

Missunderstood/missread your post then.

With the above software level the NAT command format is the following (unless I typo something or remember wrong)

Port Forward (Using "outside" interface IP address)

static (dmz,outside) tcp interface 20 10.10.10.10 20 netmask 255.255.255.255

static (dmz,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255

static (dmz,outside) tcp interface 443 10.10.10.10 443 netmask 255.255.255.255

access-list OUTSIDE-IN permit tcp any host eq 20

access-list OUTSIDE-IN permit tcp any host eq 80

access-list OUTSIDE-IN permit tcp any host eq 443

Static NAT (Using own public IP address for server)

static (dmz,outside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255

access-list OUTSIDE-IN permit tcp any host 1.2.3.4 eq 20

access-list OUTSIDE-IN permit tcp any host 1.2.3.4 eq 80

access-list OUTSIDE-IN permit tcp any host 1.2.3.4 eq 443

- Jouni

Host in DMZ cannot get outside (ASA 5505)

Amos Kafwembe — Tue, 18 Dec 2012 19:22:20 GMT

thanks for this......but now i need my webserver to be accessible form the inside as well. because i cant even ping it from inside. how do i enable communication between the web server and the inside network?