01-04-2019 10:37 AM - edited 02-21-2020 08:37 AM
I'm running into a problem with a couple of my 5545-X ASAs. Servers in the DMZ cannot contact each other over their public interfaces. All other operations seem to be normal. They can contact each other on their private interfaces no problem. I have a 5508-X ASA with pretty much similar configs where this doesn't happen. I think I'm overlooking something, or perhaps there was a change in version 9.8 vs 9.6. I have attached a scaled-down config that has not worked either.
Thanks,
Jeremy
: Saved
:
:
: Serial Number:
: Hardware:   ASA5545, 12288 MB RAM, CPU Lynnfield 2659 MHz, 1 CPU (8 cores)
: Written by enable_15 at 07:14:08.509 PST Thu Dec 27 2018
!
ASA Version 9.8(2)
!
hostname ciscoasa
enable password encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 nameif DMZ
 security-level 50
 ip address 192.168.253.1 255.255.255.0
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.4.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network DMZ-subnet
 subnet 192.168.253.0 255.255.255.0
object network DMZ-Host-mail
 host 10.0.0.10
object network DMZ-Host-mail-int
 host 192.168.253.10
object network DMZ-Host-mail2
 host 10.0.0.9
object network DMZ-Host-mail2-int
 host 192.168.253.9
object-group service MAIL-SERVER
 service-object tcp destination eq https
 service-object tcp destination eq ssh
 service-object tcp destination eq imap4
 service-object tcp destination eq 993
 service-object tcp destination eq 995
 service-object tcp destination eq pop3
 service-object tcp destination eq 587
 service-object tcp destination eq 465
 service-object tcp destination eq smtp
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail-int
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2-int
access-list snmp extended permit udp any eq snmptrap any
access-list snmp extended permit udp any any eq snmp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
object network DMZ-subnet
 nat (DMZ,outside) dynamic interface
object network DMZ-Host-mail-int
 nat (DMZ,outside) static DMZ-Host-mail
object network DMZ-Host-mail2-int
 nat (DMZ,outside) static DMZ-Host-mail2
!
nat (DMZ,outside) after-auto source dynamic any interface
access-group inbound in interface outside
access-group dmz_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.8 255.255.255.255 outside
http 10.1.1.5 255.255.255.255 outside
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
username admin password encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:ad1e99a516d407b900e961264812b211
: end
01-04-2019 04:48 PM
Can you be more specific, please? Is the whole DMZ unable to be reached from outside, and can the hosts not communicate with each other within their own subnet?
Can you do a packet trace and put the output here so we can take it from there, as you have already shown us your config?
01-05-2019 02:48 AM
I have simplified your config to the part that is relevant to your question.
===============================================================
Servers in the DMZ cannot contact each other over their public interfaces; they can contact each other on their private interfaces no problem.
Serial Number:
: Hardware: ASA5545, 12288 MB RAM, CPU Lynnfield 2659 MHz, 1 CPU (8 cores)
: Written by enable_15 at 07:14:08.509 PST Thu Dec 27 2018
!
ASA Version 9.8(2)
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.0.0.254 255.255.255.0
!
!
interface GigabitEthernet0/7
nameif DMZ
security-level 50
ip address 192.168.253.1 255.255.255.0
!
!
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.4.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network DMZ-subnet
subnet 192.168.253.0 255.255.255.0
object network DMZ-Host-mail
host 10.0.0.10
object network DMZ-Host-mail-int
host 192.168.253.10
object network DMZ-Host-mail2
host 10.0.0.9
object network DMZ-Host-mail2-int
host 192.168.253.9
object-group service MAIL-SERVER
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object tcp destination eq imap4
service-object tcp destination eq 993
service-object tcp destination eq 995
service-object tcp destination eq pop3
service-object tcp destination eq 587
service-object tcp destination eq 465
service-object tcp destination eq smtp
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail-int
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2-int
access-list snmp extended permit udp any eq snmptrap any
access-list snmp extended permit udp any any eq snmp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended deny ip any any
!
object network obj_any
nat (any,outside) dynamic interface
object network DMZ-subnet
nat (DMZ,outside) dynamic interface
!
object network DMZ-Host-mail-int
nat (DMZ,outside) static DMZ-Host-mail
object network DMZ-Host-mail2-int
nat (DMZ,outside) static DMZ-Host-mail2
!
nat (DMZ,outside) after-auto source dynamic any interface
access-group inbound in interface outside
access-group dmz_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
!
==================================================
Your configuration looks OK, but my question is: as long as your servers in the DMZ can communicate on the DMZ interface, why do you want them to communicate with each other on their public interfaces? According to your config, DMZ-Host-mail and DMZ-Host-mail2 are static NATs bound to your outside addresses.
What do you want to achieve here? What is your goal?
01-07-2019 09:36 AM
Thanks for the replies. The servers can communicate with each other on the DMZ subnet. When the mail server software wants to contact the other mail server, it does so by the public IP. It's at that point that they can no longer communicate. DNS lookups work fine from each machine. In short, something seems to be blocking 10.0.0.9 from talking to 10.0.0.10 on allowed ports.
01-07-2019 11:57 AM - edited 01-07-2019 12:29 PM
Oh, I see. After looking carefully into your config, you have an issue with your NAT order. Your static NAT for the DMZ servers should be in section 1. At the moment they are in section 2, and again in section 2 you are doing a dynamic PAT for the DMZ servers; that is why they cannot talk to the other server(s) on the public server address.
I have put one example; the rest you can do yourself.
nat (DMZ,outside) source static DMZ-Host-mail-int DMZ-Host-mail
==========================================================
object network DMZ-subnet
nat (DMZ,outside) dynamic interface
!
nat (DMZ,outside) after-auto source dynamic any interface
And why do you define these rules again in two different NAT sections? They do the same thing, but you put them in two sections; any reason?
============================================================
Let us know how it goes.
01-07-2019 01:17 PM
I changed it so that I only have these NATs:
nat (DMZ,outside) source static DMZ-Host-mail-int DMZ-Host-mail
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
!
object network DMZ-subnet
 nat (DMZ,outside) dynamic interface
That second NAT, "nat (DMZ,outside) after-auto source dynamic any interface", was not necessary, and I have removed it. The two servers still won't talk to each other via their public IPs, though. Everything else is working correctly.
01-07-2019 01:19 PM - edited 01-07-2019 01:23 PM
Run a packet tracer:
packet-tracer input outside tcp 8.8.8.8 12345 192.168.253.9 ssh detailed
or
packet-tracer input outside tcp 10.0.0.85 12345 192.168.253.9 ssh detailed
01-07-2019 03:07 PM
Here are some packet-tracer examples.
8.8.8.8 to 192.168.253.9:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.253.0   255.255.255.0   DMZ

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2-int
object-group service MAIL-SERVER
 service-object tcp destination eq https
 service-object tcp destination eq ssh
 service-object tcp destination eq imap4
 service-object tcp destination eq 993
 service-object tcp destination eq 995
 service-object tcp destination eq pop3
 service-object tcp destination eq 587
 service-object tcp destination eq 465
 service-object tcp destination eq smtp
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35a1f5f0, priority=13, domain=permit, deny=false
        hits=7, user_data=0x7fff2e3a8780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.253.9, mask=255.255.255.255, port=22, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff34e77390, priority=0, domain=nat-per-session, deny=false
        hits=2021, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35962530, priority=0, domain=inspect-ip-options, deny=true
        hits=1506, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2b0c8900, priority=6, domain=nat-reverse, deny=false
        hits=15, user_data=0x7fff355d6320, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.253.9, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=DMZ

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is 8.8.8.8 to 10.0.0.9 (public IP):
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
NAT divert to egress interface DMZ
Untranslate 10.0.0.9/22 to 192.168.253.9/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2-int
object-group service MAIL-SERVER
 service-object tcp destination eq https
 service-object tcp destination eq ssh
 service-object tcp destination eq imap4
 service-object tcp destination eq 993
 service-object tcp destination eq 995
 service-object tcp destination eq pop3
 service-object tcp destination eq 587
 service-object tcp destination eq 465
 service-object tcp destination eq smtp
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35a1f5f0, priority=13, domain=permit, deny=false
        hits=6, user_data=0x7fff2e3a8780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.253.9, mask=255.255.255.255, port=22, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
Static translate 8.8.8.8/12345 to 8.8.8.8/12345
 Forward Flow based lookup yields rule:
 in  id=0x7fff2be46be0, priority=6, domain=nat, deny=false
        hits=12, user_data=0x7fff345800d0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.0.0.9, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=DMZ

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff34e77390, priority=0, domain=nat-per-session, deny=false
        hits=2004, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35962530, priority=0, domain=inspect-ip-options, deny=true
        hits=1496, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2b0c8900, priority=6, domain=nat-reverse, deny=false
        hits=14, user_data=0x7fff355d6320, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.253.9, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=DMZ

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff363bb7e0, priority=0, domain=user-statistics, deny=false
        hits=1440, user_data=0x7fff36385400, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff34e77390, priority=0, domain=nat-per-session, deny=false
        hits=2006, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff359bf8a0, priority=0, domain=inspect-ip-options, deny=true
        hits=1497, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x7fff363ba920, priority=0, domain=user-statistics, deny=false
        hits=1494, user_data=0x7fff36385400, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1496, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
01-07-2019 03:51 PM - edited 01-08-2019 12:20 AM
Hi, sorry, I mixed up the IP addresses. I see the second result, which is a success; now NAT is working perfectly. Is 10.0.0.9 a real IP address, or did you make it up? You should be able to connect, as we did a packet tracer where the example address (8.8.8.8, a Google server) can reach your address 10.0.0.9.
I understand your X server in the DMZ needs to go out to the internet and then come back so it can speak to the software on another Y server in the DMZ. As long as the X server and the Y server have the static NAT, they should be OK to talk to each other.
====================================================================
Here is 8.8.8.8 to 10.0.0.9 (public IP)
[the successful trace, quoted verbatim from the previous post]
====================================================================
01-08-2019 07:48 AM
@swits0181 I am sure your NAT is in the right order now. Could you kindly check the server side: does your server have more than one NIC?
Could you run Wireshark on your server(s)? Please let us know how it goes.
01-09-2019 03:19 PM
All the NATing from the outside world seems to be working just fine. I still can't get 10.0.0.10 to connect to 10.0.0.9. Here is a trace of that.
packet-tracer input outside tcp 10.0.0.10 1234 10.0.0.9 ssh deailed Phase: 1 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2 Additional Information: NAT divert to egress interface DMZ Untranslate 10.0.0.9/22 to 192.168.253.9/22 Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inbound in interface outside access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2-int object-group service MAIL-SERVER service-object tcp destination eq https service-object tcp destination eq ssh service-object tcp destination eq imap4 service-object tcp destination eq 993 service-object tcp destination eq 995 service-object tcp destination eq pop3 service-object tcp destination eq 587 service-object tcp destination eq 465 service-object tcp destination eq smtp Additional Information: Forward Flow based lookup yields rule: in id=0x7fff35a42620, priority=13, domain=permit, deny=false hits=6, user_data=0x7fff2e3a8780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dst ip/id=192.168.253.9, mask=255.255.255.255, port=22, tag=0, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 3 Type: NAT Subtype: Result: ALLOW Config: nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2 Additional Information: Static translate 10.0.0.10/1234 to 10.0.0.10/1234 Forward Flow based lookup yields rule: in id=0x7fff3535f840, priority=6, domain=nat, deny=false hits=0, user_data=0x7fff34c06a60, cs_id=0x0, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dst ip/id=10.0.0.9, mask=255.255.255.255, port=0, tag=0, dscp=0x0 input_ifc=outside, output_ifc=DMZ Phase: 4 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fff34e76cd0, priority=0, domain=nat-per-session, deny=false hits=553, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, 
protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0 input_ifc=any, output_ifc=any Phase: 5 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fff35980df0, priority=0, domain=inspect-ip-options, deny=true hits=503, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 6 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fff3633b690, priority=13, domain=ipsec-tunnel-flow, deny=true hits=28, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 7 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2 Additional Information: Forward Flow based lookup yields rule: out id=0x7fff2be47210, priority=6, domain=nat-reverse, deny=false hits=1, user_data=0x7fff34c32b90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dst ip/id=192.168.253.9, mask=255.255.255.255, port=0, tag=0, dscp=0x0 input_ifc=outside, output_ifc=DMZ Phase: 8 Type: USER-STATISTICS Subtype: user-statistics Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0x7fff363f92d0, priority=0, domain=user-statistics, deny=false hits=470, user_data=0x7fff363c2ef0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0 input_ifc=any, output_ifc=DMZ Phase: 9 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7fff34e76cd0, 
priority=0, domain=nat-per-session, deny=false
hits=555, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff359de120, priority=0, domain=inspect-ip-options, deny=true
hits=487, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fff363f8410, priority=0, domain=user-statistics, deny=false
hits=485, user_data=0x7fff363c2ef0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 493, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

packet-tracer input DMZ tcp 192.168.253.9 1234 10.0.0.10 ssh detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface DMZ
access-list dmz_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff35a47840, priority=13, domain=permit, deny=false
hits=565, user_data=0x7fff2e3a7f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
Static translate 192.168.253.9/1234 to 10.0.0.9/1234
Forward Flow based lookup yields rule:
in id=0x7fff3595fb10, priority=6, domain=nat, deny=false
hits=27, user_data=0x7fff34c32b90, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.253.9, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=DMZ, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff34e76cd0, priority=0, domain=nat-per-session, deny=false
hits=695, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff359de120, priority=0, domain=inspect-ip-options, deny=true
hits=575, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2bf59f50, priority=6, domain=nat-reverse, deny=false
hits=27, user_data=0x7fff34c06a60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.253.9, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=DMZ, output_ifc=outside

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff363f8410, priority=0, domain=user-statistics, deny=false
hits=574, user_data=0x7fff363c2ef0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff34e76cd0, priority=0, domain=nat-per-session, deny=false
hits=697, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff35980df0, priority=0, domain=inspect-ip-options, deny=true
hits=593, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fff363f92d0, priority=0, domain=user-statistics, deny=false
hits=559, user_data=0x7fff363c2ef0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=DMZ

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 582, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
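A small parser for ASA packet-tracer output like the traces posted above, added here as an example and not part of the original thread or of any Cisco tooling. It assumes only the "Phase: N" / "Result:" layout seen in these traces and runs against a constructed, trimmed sample; the summary pulls out ingress and egress interfaces, static translations and any non-ALLOW phase, which is what to compare between the outside-to-DMZ and DMZ-to-outside traces.

```python
import re

# Constructed sample, trimmed from the DMZ -> 10.0.0.10 trace in this thread (not a verbatim copy).
SAMPLE_TRACE = """\
packet-tracer input DMZ tcp 192.168.253.9 1234 10.0.0.10 ssh detail
Phase: 1
Type: NAT
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
Static translate 192.168.253.9/1234 to 10.0.0.9/1234
Result:
input-interface: DMZ
output-interface: outside
Action: allow
"""

def parse_packet_tracer(text):
    """One dict per 'Phase: N' block, plus the final verdict block as a dict."""
    phases, final, cur, section = [], {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:  # new phase: reset the current block and section
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final verdict block
            cur, section = None, "final"
        elif section == "final":
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
        elif cur is not None:
            head, _, rest = line.partition(":")
            if head in ("Type", "Subtype", "Result"):
                cur[head.lower()] = rest.strip()
            elif head in ("Config", "Additional Information"):
                section = "config" if head == "Config" else "info"
            elif section:  # free-form line belonging to the open section
                cur[section].append(line)
    return phases, final

def summarize(text):
    """What to compare between two traces: path, NAT rewrites, and any non-ALLOW phase."""
    phases, final = parse_packet_tracer(text)
    ingress, egress = final.get("input-interface"), final.get("output-interface")
    return {"action": final.get("Action"), "ingress": ingress, "egress": egress,
            "hairpin": ingress is not None and ingress == egress,  # did the flow U-turn on its ingress interface?
            "translations": [ln for p in phases if p["type"] == "NAT" for ln in p["info"] if ln.startswith("Static translate")],
            "drop_phases": [p["phase"] for p in phases if p["result"] != "ALLOW"]}
```

Paste a full trace into `summarize()` to get the same fields for the real output; a flow that should turn around on the DMZ interface will show `hairpin` as `False` when it is instead being sent out another interface.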
01-10-2019 12:57 AM - edited 01-10-2019 12:59 AM
Hi.
Can you remove this command from your config and test whether you can reach these servers in the DMZ zone?
no access-list dmz_access_in extended deny ip any any
Up to now we have made some good progress. A few things: we have fixed the static NAT issue, so now your servers are reachable from the outside to the DMZ, where in the beginning you were having issues with them.
After applying the above command, if it is still not working then run the following commands and share the output please.
capture DMZ-IN interface DMZ match ip host 192.168.253.9 192.168.253.10
capture DMZ-OUT interface DMZ match ip host 192.168.253.10 192.168.253.9
!
show capture DMZ-IN
show capture DMZ-OUT
!
no capture DMZ-IN interface DMZ match ip host 192.168.253.9 192.168.253.10
no capture DMZ-OUT interface DMZ match ip host 192.168.253.10 192.168.253.9
Generate some traffic for example try to ping/ssh from one server to another and show us the result.
Regards,
Radio_City
01-11-2019 11:06 AM
@swits0181 Kindly please update: were you able to perform these tests?
01-16-2019 03:14 PM
01-16-2019 03:29 PM
Kindly please run these commands:
capture DMZ-IN interface DMZ match ip host 10.0.0.9 10.10.10.10
capture DMZ-OUT interface DMZ match ip host 10.0.0.10 10.0.0.9
!
show capture DMZ-IN
show capture DMZ-OUT
!
no capture DMZ-IN interface DMZ match ip host 10.0.0.9 10.10.10.10
no capture DMZ-OUT interface DMZ match ip host 10.0.0.10 10.0.0.9
Or unless you are not bothered to look into this, as I have spent a good amount of time to understand them and wanted to get this fixed for you. Happy to help, as we already fixed the NAT rule.
If you are not interested, then kindly mark this post as the answer so it will help others like you and me fix the issue.