topic ASA 8.4 DMZ cannot get to internet in Network Security

ASA 8.4 DMZ cannot get to internet

kpoon — Mon, 11 Mar 2019 22:58:04 GMT

WE have a DMZ on ASA5510 8.4, it can access anything internal interface but cannot get out to internet or outside interface.

I try to ping from a host in the DMZ to 8.8.8.8 and get this in the log

Apr 25 2012

08:24:43

110003

8.8.8.8

172.10.1.150

Routing failed to locate next hop for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1

Please help.

Thanks in advance.

here's the config:

: Saved

ASA Version 8.4(2)8

hostname ciscoasa

multicast-routing

names

dns-guard

interface Ethernet0/0

description xxxx shopInternet Connection

speed 100

duplex full

nameif outside

security-level 0

ip address 99.99.99.130 255.255.255.224

ospf cost 10

interface Ethernet0/1

description xxxx internal connection from firewall to switch

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

ospf cost 10

interface Ethernet0/2

description xxxx DMZ

nameif DMZ

security-level 100

ip address 172.10.1.1 255.255.255.0

interface Ethernet0/3

description Management Service-EEEE-40

speed 100

duplex full

nameif E-40

security-level 0

ip address 10.40.86.248 255.255.255.0

interface Management0/0

description management

nameif management

security-level 100

ip address 192.168.199.1 255.255.255.0

ospf cost 10

management-only

boot system disk0:/asa842-8-k8.bin

boot system disk0:/asa824-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns domain-lookup DMZ

dns domain-lookup management

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

name-server 208.67.222.222

name-server 208.67.220.220

name-server 66.28.0.45

name-server 66.28.0.61

domain-name xxxxshop.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-172.30.1.0

subnet 172.30.1.0 255.255.255.0

object network obj-10.40.86.0

subnet 10.40.86.0 255.255.255.0

object network obj-192.168.99.0

subnet 192.168.99.0 255.255.255.0

object network obj-192.168.1.13

host 192.168.1.13

object network obj-192.168.1.13-01

host 192.168.1.13

object network obj-192.168.1.13-02

host 192.168.1.13

object network obj-172.30.1.70

host 172.30.1.70

object network obj-192.168.106.144

host 192.168.106.144

object network obj-192.168.106.144-01

host 192.168.106.144

object network obj-192.168.106.144-02

host 192.168.106.144

object network obj-192.168.10.2

host 192.168.10.2

object network obj-172.30.1.50

host 172.30.1.50

object network obj-172.30.1.40

host 172.30.1.40

object network obj-192.168.1.10

host 192.168.1.10

object network obj-192.168.106.99

host 192.168.106.99

object network obj-172.30.1.102

host 172.30.1.102

object network obj-172.30.1.31

host 172.30.1.31

object network obj-172.30.1.40-01

host 172.30.1.40

object network obj-172.30.1.50-01

host 172.30.1.50

object network obj-172.30.1.101

host 172.30.1.101

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network obj-0.0.0.0

host 0.0.0.0

object network obj_any-02

subnet 0.0.0.0 0.0.0.0

object network obj_any-03

subnet 0.0.0.0 0.0.0.0

object network obj_any-04

subnet 0.0.0.0 0.0.0.0

object network obj_any-05

subnet 0.0.0.0 0.0.0.0

object network obj_any-06

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.0.0

subnet 192.168.0.0 255.255.0.0

object service ftp

service tcp source range ftp-data ftp destination range ftp-data ftp

object network obj-192.168.1.15

host 192.168.1.15

object network obj-192.168.1.15-01

host 192.168.1.15

object network NETWORK_OBJ_172.30.1.0_24

subnet 172.30.1.0 255.255.255.0

object network NETWORK_OBJ_172.31.2.0_24

subnet 172.31.2.0 255.255.255.0

object network obj-172.10.1.136

host 172.10.1.136

description VCS Express 01 NIC 01

object network obj-172.10.1.0

subnet 172.10.1.0 255.255.255.0

description DMZ

object network obj_any-08

subnet 0.0.0.0 0.0.0.0

object network obj-172.10.1.150

host 172.10.1.150

object-group service ExchangeOWA tcp

description Exchange Web and Mobile Access

port-object eq smtp

port-object eq https

port-object eq www

object-group network admin-ip

network-object host 192.168.1.199

network-object 172.30.1.0 255.255.255.0

network-object host 192.168.106.99

network-object host Snapstream_ott

network-object host 192.168.1.251

network-object host 192.168.1.190

network-object host 192.168.1.193

network-object host 192.168.1.10

network-object host 192.168.1.11

network-object host 192.168.1.14

network-object host 192.168.1.15

network-object host 192.168.1.6

network-object host 192.168.1.7

network-object host 192.168.1.8

network-object host 192.168.1.9

network-object host 192.168.2.199

network-object host 192.168.1.13

network-object 192.168.99.0 255.255.255.0

network-object 172.10.1.0 255.255.255.0

object-group network approved-ip

network-object host 99.99.99.141

network-object 172.30.1.0 255.255.255.0

object-group network tms-ip

object-group service VNC tcp

description VNC

port-object eq 5900

object-group network DM_INLINE_NETWORK_2

network-object 172.30.1.0 255.255.255.0

network-object 192.168.0.0 255.255.0.0

object-group service VNC-Listen tcp

description VNC-Listen Ports

port-object eq 5500

object-group service Streaming-ASF tcp-udp

description Streaming-ASF

port-object eq 1755

object-group service Streaming-ASF-TCP tcp

description Streaming-ASF-TCP

port-object eq 1755

object-group service DM_INLINE_TCP_1 tcp

group-object Streaming-ASF

port-object eq www

group-object Streaming-ASF-TCP

port-object eq rtsp

port-object eq https

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network DM_INLINE_NETWORK_5

object-group network DM_INLINE_NETWORK_4

network-object host 172.19.4.50

network-object 192.168.123.0 255.255.255.0

object-group network DM_INLINE_NETWORK_6

network-object host 172.19.4.50

network-object 192.168.123.0 255.255.255.0

object-group network DM_INLINE_NETWORK_7

network-object host 172.19.4.50

network-object 192.168.123.0 255.255.255.0

object-group network DM_INLINE_NETWORK_8

network-object host 99.99.99.141

network-object host 99.99.99.144

object-group service DM_INLINE_TCP_2 tcp

port-object eq 8129

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_9

object-group service DM_INLINE_TCP_3 tcp

port-object eq ftp

port-object eq ftp-data

object-group network BypassFacebook

network-object host 192.168.1.182

network-object host 192.168.1.183

network-object host 192.168.1.184

network-object host 192.168.1.188

network-object host 192.168.1.189

network-object host 192.168.1.190

network-object host 192.168.1.193

network-object host 192.168.1.194

network-object host 192.168.1.195

network-object host 192.168.1.196

network-object host 192.168.1.199

network-object host 192.168.1.200

object-group network Facebook

network-object 69.63.176.0 255.255.240.0

network-object 66.220.144.0 255.255.240.0

object-group network DM_INLINE_NETWORK_1

network-object host 10.40.86.102

network-object host 10.40.86.31

network-object host 10.40.86.40

network-object host 10.40.86.50

network-object host 10.40.86.101

object-group network DM_INLINE_NETWORK_3

network-object object obj-172.30.1.0

network-object object obj-192.168.0.0

object-group network DM_INLINE_NETWORK_12

network-object 10.4.86.0 255.255.255.0

network-object 10.40.86.0 255.255.255.0

network-object 10.70.86.0 255.255.255.0

network-object 10.96.86.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object tcp-udp destination eq sip

service-object tcp destination eq 1721

service-object tcp destination eq h323

service-object udp destination eq 1719

service-object tcp-udp destination eq www

service-object tcp destination eq https

service-object udp destination eq www

service-object udp destination eq ntp

object-group network DM_INLINE_NETWORK_1_2

network-object host 172.30.1.102

network-object host 172.30.1.31

network-object host 172.30.1.40

network-object host 172.30.1.50

network-object host 172.30.1.101

object-group network DM_INLINE_NETWORK_10

access-list inside_nat0_outbound_1 extended permit ip 172.30.1.0 255.255.255.0 10.40.86.0 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_3 192.168.99.0 255.255.255.0

access-list dzm extended permit ip any any

access-list dzm extended permit icmp any any

access-list ouside extended permit ip any any

access-list cont_in extended permit ip host 99.99.99.135 any

access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0

access-list Split_tunnel_ACL standard permit 172.30.1.0 255.255.255.0

access-list inside extended permit tcp host 192.168.1.13 any eq smtp

access-list inside extended permit tcp any object-group DM_INLINE_NETWORK_9 eq smtp

access-list inside extended deny tcp any any eq smtp

access-list inside extended deny tcp any any eq pop3

access-list inside extended permit tcp any object-group DM_INLINE_NETWORK_5 eq pptp

access-list inside extended deny tcp any any eq pptp

access-list inside extended permit tcp object-group BypassFacebook object-group Facebook eq https

access-list inside extended deny tcp any object-group Facebook eq https

access-list inside extended permit ip any any

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.99.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 172.19.4.50

access-list E-40_access_out extended permit ip any any

access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_12 172.30.1.0 255.255.255.0

access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_4 host 192.168.1.18 inactive

access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_6 host 192.168.1.19 inactive

access-list inside-out-acl extended deny ip object-group DM_INLINE_NETWORK_7 any inactive

access-list inside-out-acl extended permit ip any any

access-list throttle_frontline extended permit ip host 74.213.162.33 any inactive

access-list throttle_frontline extended permit ip any host 74.213.162.33 inactive

access-list outside remark Migration, ACE (line 3) expanded: permit tcp any object-group DM_INLINE_NETWORK_8

access-list outside extended permit tcp any host 99.99.99.141 eq 8129

access-list outside extended permit tcp any host 172.30.1.70 eq www

access-list outside extended permit tcp any host 99.99.99.141 eq https

access-list outside extended permit tcp any host 192.168.106.144 eq 8129

access-list outside extended permit tcp any host 192.168.106.144 eq www

access-list outside extended permit tcp any host 192.168.106.144 eq https

access-list outside remark Migration: End of expansion

access-list outside remark Migration, ACE (line 4) expanded: permit tcp any host 99.99.99.133 object-group ExchangeOWA

access-list outside extended permit tcp any host 192.168.1.13 eq smtp

access-list outside extended permit tcp any host 192.168.1.13 eq https

access-list outside extended permit tcp any host 192.168.1.13 eq www

access-list outside extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.1.15 object-group DM_INLINE_TCP_3

access-list outside remark Migration: End of expansion

access-list outside extended permit ip any host 192.168.106.99

access-list outside extended permit tcp any host 192.168.1.10 eq pptp

access-list outside extended permit gre any host 192.168.1.10

access-list outside extended permit tcp any host 192.168.10.2 eq telnet inactive

access-list outside extended permit tcp any host 172.30.1.40 object-group DM_INLINE_TCP_1

access-list outside extended permit ip object-group tms-ip host 172.30.1.50

access-list outside extended permit ip any host 172.10.1.150

access-list outside extended permit icmp any any echo-reply

access-list outside_cryptomap extended permit ip 172.30.1.0 255.255.255.0 172.31.2.0 255.255.255.0

access-list DMZ_access_out extended permit ip any any

access-list DMZ_access_in extended permit ip any any

access-list DMZ_access_in_1 extended permit ip any any

pager lines 24

logging enable

logging timestamp

logging buffered informational

logging trap debugging

logging asdm informational

logging facility 19

logging host inside 192.168.1.15 format emblem

logging permit-hostdown

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu E-40 1500

mtu management 1500

ip local pool xxxx-pool 192.168.99.1-192.168.99.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

nat (inside,any) source static obj-172.30.1.0 obj-172.30.1.0 destination static obj-10.40.86.0 obj-10.40.86.0 no-proxy-arp

nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static obj-192.168.99.0 obj-192.168.99.0 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_172.30.1.0_24 NETWORK_OBJ_172.30.1.0_24 destination static NETWORK_OBJ_172.31.2.0_24 NETWORK_OBJ_172.31.2.0_24 no-proxy-arp route-lookup

object network obj-192.168.1.13

nat (inside,outside) static 99.99.99.133 service tcp smtp smtp

object network obj-192.168.1.13-01

nat (inside,outside) static 99.99.99.133 service tcp www www

object network obj-192.168.1.13-02

nat (inside,outside) static 99.99.99.133 service tcp https https

object network obj-172.30.1.70

nat (inside,outside) static 99.99.99.141 service tcp www www

object network obj-192.168.106.144

nat (inside,outside) static 99.99.99.144 service tcp www www

object network obj-192.168.106.144-01

nat (inside,outside) static 99.99.99.144 service tcp https https

object network obj-192.168.106.144-02

nat (inside,outside) static 99.99.99.144 service tcp 8129 8129

object network obj-192.168.10.2

nat (inside,outside) static 99.99.99.132 service tcp telnet telnet

object network obj-172.30.1.50

nat (inside,outside) static 99.99.99.134

object network obj-172.30.1.40

nat (inside,outside) static 99.99.99.139

object network obj-192.168.1.10

nat (inside,outside) static 99.99.99.137

object network obj-192.168.106.99

nat (inside,outside) static 99.99.99.140

object network obj-172.30.1.102

nat (inside,E-40) static 10.40.86.102

object network obj-172.30.1.31

nat (inside,E-40) static 10.40.86.31

object network obj-172.30.1.40-01

nat (inside,E-40) static 10.40.86.40

object network obj-172.30.1.50-01

nat (inside,E-40) static 10.40.86.50

object network obj-172.30.1.101

nat (inside,E-40) static 10.40.86.101

object network obj_any

nat (inside,outside) dynamic interface

object network obj_any-01

nat (inside,outside) dynamic obj-0.0.0.0

object network obj_any-02

nat (inside,DMZ) dynamic obj-0.0.0.0

object network obj_any-03

nat (inside,E-40) dynamic obj-0.0.0.0

object network obj_any-04

nat (management,outside) dynamic obj-0.0.0.0

object network obj_any-05

nat (management,DMZ) dynamic obj-0.0.0.0

object network obj_any-06

nat (management,E-40) dynamic obj-0.0.0.0

object network obj-192.168.1.15

nat (inside,outside) static 99.99.99.138 service tcp ftp ftp

object network obj-192.168.1.15-01

nat (inside,outside) static 99.99.99.138 service tcp ftp-data ftp-data

object network obj_any-08

nat (DMZ,outside) dynamic interface

access-group outside in interface outside

access-group inside in interface inside

access-group inside-out-acl out interface inside

access-group DMZ_access_in_1 in interface DMZ control-plane

access-group DMZ_access_in in interface DMZ

access-group DMZ_access_out out interface DMZ

access-group 40_access_in in interface E-40

access-group E-40_access_out out interface E-40

route outside 0.0.0.0 0.0.0.0 99.99.99.129 1

route E-40 10.4.86.0 255.255.255.0 10.40.86.249 1

route E-40 10.70.86.0 255.255.255.0 10.40.86.249 1

route E-40 10.96.86.0 255.255.255.0 10.40.86.249 1

route inside 172.20.20.0 255.255.255.0 192.168.10.2 1

route inside 172.30.1.0 255.255.255.0 192.168.10.2 1

route inside 192.168.1.0 255.255.255.0 192.168.10.2 1

route inside 192.168.2.0 255.255.255.0 192.168.10.2 1

route inside 192.168.3.0 255.255.255.0 192.168.10.2 1

route inside 192.168.6.0 255.255.255.0 192.168.10.2 1

route inside 192.168.99.0 255.255.255.0 192.168.10.2 255

route inside 192.168.101.0 255.255.255.0 192.168.10.2 1

route inside 192.168.102.0 255.255.255.0 192.168.10.2 1

route inside 192.168.103.0 255.255.255.0 192.168.10.2 1

route inside 192.168.106.0 255.255.255.0 192.168.10.2 1

route inside 192.168.201.0 255.255.255.0 192.168.10.2 1

route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

http 172.10.1.0 255.255.255.0 DMZ

http 192.168.199.0 255.255.255.0 management

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.0.0 255.255.0.0 inside

telnet 172.10.1.0 255.255.255.0 DMZ

telnet 192.168.199.0 255.255.255.0 management

telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.0.0 255.255.0.0 inside

ssh 172.10.1.0 255.255.255.0 DMZ

ssh 192.168.199.0 255.255.255.0 management

ssh timeout 10

console timeout 0

management-access inside

vpn-sessiondb max-anyconnect-premium-or-essentials-limit 10

dhcpd address 192.168.199.101-192.168.199.109 management

dhcpd dns 192.168.1.10 192.168.1.11 interface management

dhcpd

domain

xxxxshop.com interface management

dhcpd enable management

priority-queue outside

priority-queue inside

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.168.1.10 source inside

ntp server 129.6.15.29 source outside prefer

ntp server 129.6.15.28 source outside preferEEEE

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.4.0202-k9.pkg 18

anyconnect image disk0:/anyconnect-macosx-i386-2.4.0196-k9.pkg 20 regex "Intel Mac OS X"

anyconnect image disk0:/anyconnect-linux-2.4.0202-k9.pkg 21 regex "Linux"

anyconnect enable

cache

disable

group-policy xxxxIPsec internal

group-policy xxxxIPsec attributes

dns-server value 192.168.1.13

vpn-tunnel-protocol ikev1 l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_tunnel_ACL

default-domain value xxxxshop.com

group-policy DfltGrpPolicy attributes

dns-server value 192.168.1.10 192.168.1.11

vpn-idle-timeout 10

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_tunnel_ACL

default-domain value xxxxshop.com

webvpn

url-list value xxxxApps

anyconnect ask enable default webvpn

hidden-shares visible

group-policy GroupPolicy_198.103.180.120 internal

group-policy GroupPolicy_198.103.180.120 attributes

vpn-tunnel-protocol ikev1

tunnel-groupppp DefaultRAGroup general-attributes

address-pool xxxx-pool

authentication-server-group radius LOCAL

tunnel-group DefaultRAGroup webvpn-attributes

group-alias DefaultRA enable

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool xxxx-pool

authentication-server-group radius LOCAL

tunnel-group DefaultWEBVPNGroup webvpn-attributes

group-alias DefaultWeb enable

tunnel-group xxxxIPsec type remote-access

tunnel-group xxxxIPsec general-attributes

address-pool xxxx-pool

authentication-server-group radius LOCAL

default-group-policy xxxxIPsec

tunnel-group xxxxIPsec webvpn-attributes

group-alias xxxxIPSec enable

group-alias IPSec disable

tunnel-group xxxxIPsec ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group xxxxSSL type remote-access

tunnel-group xxxxSSL general-attributes

address-pool xxxx-pool

authentication-server-group radius LOCAL

tunnel-group xxxxSSL webvpn-attributes

group-alias xxxxSSL enable

group-url

https://99.99.99.130/xxxxSSL

enable

tunnel-group 1.1.1.120 type ipsec-l2l

tunnel-group 1.1.1.120 general-attributes

default-group-policy GroupPolicy_1.1.1.120

tunnel-group 1.1.1.120 ipsec-attributes

ikev1 pre-shared-key *****

class-map global-class

match default-inspection-traffic

class-map csc-class

match access-list cscTraffic

class-map throttle_frontline

match access-list throttle_frontline

policy-map type inspect sip DefaultSIP

parameters

max-forwards-validation action drop log

policy-map throttle-policy

class throttle_frontline

police input 600000 2000

police output 600000 2000

policy-map global-policy

class global-class

inspect pptp

inspect ftp

inspect ipsec-pass-thru

inspect xdmcp

inspect h323 h225

inspect h323 ras

inspect sip

class csc-class

csc fail-open

policy-map type inspect h323 DefaultH323

parameters

service-policy global-policy global

service-policy throttle-policy interface outside

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

: end

asdm image disk0:/asdm-645-206.bin

asdm location 192.168.100.0 255.255.255.192 outside

asdm location 192.168.0.0 255.255.0.0 inside

asdm location 192.168.123.0 255.255.255.0 inside

asdm location 192.168.123.0 255.255.255.0 outside

asdm location 192.168.111.0 255.255.255.0 inside

asdm location 192.168.10.0 255.255.255.0 outside

asdm location 192.168.10.254 255.255.255.255 outside

asdm location 99.99.99.133 255.255.255.255 outside

asdm location 192.168.1.16 255.255.255.255 inside

asdm location 172.30.1.0 255.255.255.0 inside

asdm location 172.30.1.50 255.255.255.255 inside

asdm location 192.168.1.13 255.255.255.255 insideEEEE

no asdm history enable

Re: ASA 8.4 DMZ cannot get to internet

Jouni Forss — Wed, 25 Apr 2012 12:49:04 GMT

Hi,

Seems the traffic gets forwarded to totally wrong interface.

The destination network for the ICMP reply is directly connected to the ASA.

Still it gets forwarded to INSIDE instead of DMZ

So i guess you have some NAT configuration wrong. It also seems you have alot of strange NAT configurations. (0.0.0.0 objects)

- Jouni

ASA 8.4 DMZ cannot get to internet

kpoon — Wed, 25 Apr 2012 12:54:16 GMT

Hi,

Shouldn't this statement work?

object network obj_any-08

nat (DMZ,outside) dynamic interface

I can't seem to pinpoint the problem.

Ken

ASA 8.4 DMZ cannot get to internet

Jouni Forss — Wed, 25 Apr 2012 13:00:21 GMT

Hi,

I guess that should handle it.

Another configuration that you seem to have is

object network obj_any-02

nat (inside,DMZ) dynamic obj-0.0.0.0

Though I'm not sure why you have it configured or what its supposed to do?

Have you used the "packet-tracer" command on the ASA to see what happens for example to a TCP/80/http connection taken from DMZ to some random public IP address?

- Jouni

ASA 8.4 DMZ cannot get to internet

Jouni Forss — Wed, 25 Apr 2012 13:02:34 GMT

Hi,

I just noticed you have the DMZ network routed towards an IP address on your INSIDE interface? Why is that?

interface Ethernet0/1

description xxxx internal connection from firewall to switch

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

ospf cost 10

interface Ethernet0/2

description xxxx DMZ

nameif DMZ

security-level 100

ip address 172.10.1.1 255.255.255.0

route DMZ 172.10.1.0 255.255.255.0 192.168.10.2 1

- Jouni

ASA 8.4 DMZ cannot get to internet

kpoon — Wed, 25 Apr 2012 13:05:20 GMT

That route was removed last night., we were trying different things to figure out the problem. Sorry forgot to update the config txt file.

ASA 8.4 DMZ cannot get to internet

kpoon — Wed, 25 Apr 2012 13:07:09 GMT

object network obj_any-02

nat (inside,DMZ) dynamic obj-0.0.0.0

This was auto translated when we upgrade from 8.2 to 8.4. We hadn't touched anything since we started to deploy a DMZ. Should we remove it?

We've also done packet tracer and everything shows ok without problem.

ASA 8.4 DMZ cannot get to internet

Jouni Forss — Wed, 25 Apr 2012 13:10:39 GMT

Ah ok,

I dont usually let ASA generate the new 8.4 version configuration so I just write the configurations to my liking.

I just havent done a similiar configuration yet.

Could you post the output of the packet-tracer here when you issue it from the command line interface?

- Jouni

ASA 8.4 DMZ cannot get to internet

kpoon — Wed, 25 Apr 2012 13:17:53 GMT

Sure, here it is.

ciscoasa# packet-tracer input DMZ tcp 172.10.1.150 80 8.8.8.8 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group DMZ_access_in in interface DMZ

access-list DMZ_access_in extended permit ip any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: SSM-DIVERT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: SSM_SERVICE

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj_any-09

nat (DMZ,outside) dynamic interface

Additional Information:

Dynamic translate 172.10.1.150/80 to 38.103.153.130/434

Phase: 7

Type: SSM_SERVICE

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 73578100, packet dispatched to next module

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

ASA 8.4 DMZ cannot get to internet

kpoon — Wed, 25 Apr 2012 13:20:04 GMT

Also this:

ciscoasa# packet-tracer input outside tcp 172.10.1.150 80 8.8.8.8 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ASA 8.4 DMZ cannot get to internet

Jouni Forss — Wed, 25 Apr 2012 13:58:30 GMT

Hi,

I don't really know why the ASA is saying the network would be behind the inside interface.

The first packet-tracer shows all working normally. The second one will naturally fail as you have source interface outside and the DMZ host isnt located behind it.

For ICMP to go through in a normal situation without opening the outside access-lsit for the echo-replys you would need the following configuration

policy-map global-policy

class global-class

inspect icmp

Though in this situation it wont help.

I'm not sure what the tunnel default route is as I havent used it ever myself.

- Jouni

ASA 8.4 DMZ cannot get to internet

kpoon — Wed, 25 Apr 2012 14:02:54 GMT

Thanks Jouni, appreciate your help. Hopefully someone can figure it out.

Re: ASA 8.4 DMZ cannot get to internet

Rick Rowe — Wed, 25 Apr 2012 17:48:59 GMT

If your still getting the same error msg:

"Routing failed to locate next hop for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1"

Try the route DMZ xxxx xxxx xxxx 2

as the "2" for metric if routing failed.

Usually you get an error for a route, if you already had a route with a "1" listed.

ASA 8.4 DMZ cannot get to internet

Julio Carvajal — Wed, 25 Apr 2012 17:51:20 GMT

Hello,

I can see on the first packet tracer:

packet-tracer input DMZ tcp 172.10.1.150 80 8.8.8.8 80

That everything is good related to the ASA configuration.

I want the following outputs:

-Sh run nat

-Sh run route

Also create the following captures

capture capdmz interface dmz circular-buffer

capture capdmz match ip host 172.10.1.150 host 8.8.8.8

capture capout interface outside circular-buffer

capture capout match ip host 38.103.153.130 host 8.8.8.8

Then generate real traffic ( Not packet tracer) from 172.10.1.150 to 8.8.8.8 ( A ping would do it)

and post the show cap capout and show cap capin

Regards,

Do rate all the helpful posts,

Julio

Re: ASA 8.4 DMZ cannot get to internet

kpoon — Wed, 25 Apr 2012 18:08:43 GMT

Here's sh run nat:

ciscoasa# sh run nat

nat (inside,any) source static obj-172.30.1.0 obj-172.30.1.0 destination static obj-10.40.86.0 obj-10.40.86.0 no-proxy-arp

nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static obj-192.168.99.0 obj-192.168.99.0 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_172.30.1.0_24 NETWORK_OBJ_172.30.1.0_24 destination static NETWORK_OBJ_172.31.2.0_24 NETWORK_OBJ_172.31.2.0_24 no-proxy-arp route-lookup

object network obj-192.168.1.13

nat (inside,outside) static 99.99.99.133 service tcp smtp smtp

object network obj-192.168.1.13-01

nat (inside,outside) static 99.99.99.133 service tcp www www

object network obj-192.168.1.13-02

nat (inside,outside) static 99.99.99.133 service tcp https https

object network obj-172.30.1.70

nat (inside,outside) static 99.99.99.141 service tcp www www

object network obj-192.168.106.144

nat (inside,outside) static 99.99.99.144 service tcp www www

object network obj-192.168.106.144-01

nat (inside,outside) static 99.99.99.144 service tcp https https

object network obj-192.168.106.144-02

nat (inside,outside) static 99.99.99.144 service tcp 8129 8129

object network obj-192.168.10.2

nat (inside,outside) static 99.99.99.132 service tcp telnet telnet

object network obj-172.30.1.50

nat (inside,outside) static 99.99.99.134

object network obj-172.30.1.40

nat (inside,outside) static 99.99.99.139

object network obj-192.168.1.10

nat (inside,outside) static 99.99.99.137

object network obj-192.168.106.99

nat (inside,outside) static 99.99.99.140

object network obj-172.30.1.102

nat (inside,E-40) static 10.40.86.102

object network obj-172.30.1.31

nat (inside,E-40) static 10.40.86.31

object network obj-172.30.1.40-01

nat (inside,E-40) static 10.40.86.40

object network obj-172.30.1.50-01

nat (inside,E-40) static 10.40.86.50

object network obj-172.30.1.101

nat (inside,E-40) static 10.40.86.101

object network obj_any

nat (inside,outside) dynamic interface

object network obj_any-01

nat (inside,outside) dynamic obj-0.0.0.0

object network obj_any-03

nat (inside,E-40) dynamic obj-0.0.0.0

object network obj_any-04

nat (management,outside) dynamic obj-0.0.0.0

object network obj_any-05

nat (management,DMZ) dynamic obj-0.0.0.0

object network obj_any-06

nat (management,E-40) dynamic obj-0.0.0.0

object network obj-192.168.1.15

nat (inside,outside) static 99.99.99.138 service tcp ftp ftp

object network obj-192.168.1.15-01

nat (inside,outside) static 99.99.99.138 service tcp ftp-data ftp-data

object network obj_any-09

nat (DMZ,outside) dynamic obj-0.0.0.0

here's sh run route:

ciscoasa# sh run route

route outside 0.0.0.0 0.0.0.0 38.103.153.129 1

route E-40 10.4.86.0 255.255.255.0 10.40.86.249 1

route E-40 10.70.86.0 255.255.255.0 10.40.86.249 1

route E-40 10.96.86.0 255.255.255.0 10.40.86.249 1

route inside 172.20.20.0 255.255.255.0 192.168.10.2 1

route inside 172.30.1.0 255.255.255.0 192.168.10.2 1

route inside 192.168.1.0 255.255.255.0 192.168.10.2 1

route inside 192.168.2.0 255.255.255.0 192.168.10.2 1

route inside 192.168.3.0 255.255.255.0 192.168.10.2 1

route inside 192.168.6.0 255.255.255.0 192.168.10.2 1

route inside 192.168.99.0 255.255.255.0 192.168.10.2 255

route inside 192.168.101.0 255.255.255.0 192.168.10.2 1

route inside 192.168.102.0 255.255.255.0 192.168.10.2 1

route inside 192.168.103.0 255.255.255.0 192.168.10.2 1

route inside 192.168.106.0 255.255.255.0 192.168.10.2 1

route inside 192.168.201.0 255.255.255.0 192.168.10.2 1

route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled

here's sh cap capout:

1988: 14:11:01.895659 38.103.153.130 > 8.8.8.8: icmp: echo request

1989: 14:11:01.921567 8.8.8.8.53 > 38.103.153.130.23510: udp 183

1990: 14:11:01.922117 38.103.153.130.29404 > 8.8.8.8.53: udp 46

1991: 14:11:01.922971 8.8.8.8.53 > 38.103.153.130.42987: udp 183

1992: 14:11:01.923551 38.103.153.130.4473 > 8.8.8.8.53: udp 46

1993: 14:11:01.932141 8.8.8.8 > 38.103.153.130: icmp: echo reply

1994: 14:11:01.952129 8.8.8.8.53 > 38.103.153.130.29404: udp 157

1995: 14:11:01.963084 38.103.153.130.8335 > 8.8.8.8.53: udp 46

1996: 14:11:01.963634 8.8.8.8.53 > 38.103.153.130.4473: udp 157

1997: 14:11:01.965236 38.103.153.130.58306 > 8.8.8.8.53: udp 46

1998: 14:11:01.966334 38.103.153.130.48999 > 8.8.8.8.53: udp 46

1999: 14:11:01.992578 8.8.8.8.53 > 38.103.153.130.8335: udp 183

2000: 14:11:01.993463 38.103.153.130.64168 > 8.8.8.8.53: udp 46

2001: 14:11:01.995615 8.8.8.8.53 > 38.103.153.130.58306: udp 183

2002: 14:11:01.995981 8.8.8.8.53 > 38.103.153.130.48999: udp 183

2003: 14:11:01.996271 38.103.153.130.26453 > 8.8.8.8.53: udp 46

2004: 14:11:01.996576 38.103.153.130.45822 > 8.8.8.8.53: udp 46

2005: 14:11:02.026777 8.8.8.8.53 > 38.103.153.130.26453: udp 157

2006: 14:11:02.035978 8.8.8.8.53 > 38.103.153.130.64168: udp 157

2007: 14:11:02.044370 8.8.8.8.53 > 38.103.153.130.45822: udp 157

2008: 14:11:02.443595 38.103.153.130.2912 > 8.8.8.8.53: udp 59

2009: 14:11:02.505634 8.8.8.8.53 > 38.103.153.130.2912: udp 123

2010: 14:11:02.517536 38.103.153.130.5549 > 8.8.8.8.53: udp 57

2011: 14:11:02.546923 8.8.8.8.53 > 38.103.153.130.5549: udp 104

2012: 14:11:02.548372 38.103.153.130.23158 > 8.8.8.8.53: udp 65

2013: 14:11:02.612334 8.8.8.8.53 > 38.103.153.130.23158: udp 65

2014: 14:11:02.624143 38.103.153.130.38857 > 8.8.8.8.53: udp 57

2015: 14:11:02.761099 8.8.8.8.53 > 38.103.153.130.38857: udp 110

2016: 14:11:02.762518 38.103.153.130.5218 > 8.8.8.8.53: udp 59

2017: 14:11:02.844911 8.8.8.8.53 > 38.103.153.130.5218: udp 108

2018: 14:11:02.846910 38.103.153.130.16398 > 8.8.8.8.53: udp 80

2019: 14:11:02.899321 8.8.8.8.53 > 38.103.153.130.16398: udp 143

2020: 14:11:03.353405 38.103.153.130.22221 > 8.8.8.8.53: udp 44

2021: 14:11:03.392191 8.8.8.8.53 > 38.103.153.130.22221: udp 77

2022: 14:11:03.393656 38.103.153.130.43410 > 8.8.8.8.53: udp 44

2023: 14:11:03.429985 8.8.8.8.53 > 38.103.153.130.43410: udp 60

2024: 14:11:05.213291 38.103.153.130.16398 > 8.8.8.8.53: udp 79

2025: 14:11:05.257310 8.8.8.8.53 > 38.103.153.130.16398: udp 95

2026: 14:11:06.903212 38.103.153.130 > 8.8.8.8: icmp: echo request

2027: 14:11:06.932126 8.8.8.8 > 38.103.153.130: icmp: echo reply

here's sh cap capdmz:

ciscoasa# sh cap capdmz

8 packets captured

1: 14:06:02.022352 802.3 encap packet

2: 14:06:03.163001 802.3 encap packet

3: 14:06:03.163077 802.3 encap packet

4: 14:06:04.027143 802.3 encap packet

5: 14:06:06.032133 802.3 encap packet

6: 14:06:08.038755 802.3 encap packet

7: 14:06:10.042127 802.3 encap packet

8: 14:06:12.046719 802.3 encap packet

8 packets shown