1559 Views, 0 Helpful, 15 Replies

ASA 5545-x server to server communication in DMZ

swits0181
Level 1

I'm running into a problem with a couple of my 5545-X ASAs. Servers in the DMZ cannot contact each other over their public interfaces. All other operations seem to be normal. They can contact each other on their private interfaces, no problem. I have a 5508-X ASA with pretty much similar configs where this doesn't happen. I think I'm overlooking something, or perhaps there was a change in version 9.8 vs 9.6. I have attached a scaled-down config that has not worked either.

 

Thanks,

Jeremy

 

: Saved
: 
: 
: Serial Number: 
: Hardware:   ASA5545, 12288 MB RAM, CPU Lynnfield 2659 MHz, 1 CPU (8 cores)
: Written by enable_15 at 07:14:08.509 PST Thu Dec 27 2018
!
ASA Version 9.8(2) 
!
hostname ciscoasa
enable password  encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.254 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 nameif DMZ
 security-level 50
 ip address 192.168.253.1 255.255.255.0 
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.4.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network DMZ-subnet
 subnet 192.168.253.0 255.255.255.0
object network DMZ-Host-mail
 host 10.0.0.10
object network DMZ-Host-mail-int
 host 192.168.253.10
object network DMZ-Host-mail2
 host 10.0.0.9
object network DMZ-Host-mail2-int
 host 192.168.253.9
object-group service MAIL-SERVER
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 service-object tcp destination eq imap4 
 service-object tcp destination eq 993 
 service-object tcp destination eq 995 
 service-object tcp destination eq pop3 
 service-object tcp destination eq 587 
 service-object tcp destination eq 465 
 service-object tcp destination eq smtp 
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail 
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail-int 
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2 
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2-int 
access-list snmp extended permit udp any eq snmptrap any 
access-list snmp extended permit udp any any eq snmp 
access-list dmz_access_in extended permit ip any any 
access-list dmz_access_in extended deny ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
object network DMZ-subnet
 nat (DMZ,outside) dynamic interface
object network DMZ-Host-mail-int
 nat (DMZ,outside) static DMZ-Host-mail
object network DMZ-Host-mail2-int
 nat (DMZ,outside) static DMZ-Host-mail2
!
nat (DMZ,outside) after-auto source dynamic any interface
access-group inbound in interface outside
access-group dmz_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 10.1.1.8 255.255.255.255 outside
http 10.1.1.5 255.255.255.255 outside
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
username admin password  encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:ad1e99a516d407b900e961264812b211
: end
15 Replies

Can you be more specific, please? Is the whole DMZ unable to be reached from outside, and can the servers not communicate with each other in their own subnet?

Can you do a packet trace and post the output here, so we can take it from there, as you have already shown us your config.

please do not forget to rate.

I have simplified your config to the part that is relevant to your question.

===============================================================

Servers in the DMZ cannot contact each other over their public interfaces. They can contact each other on their private interfaces, no problem.


Serial Number:
: Hardware:   ASA5545, 12288 MB RAM, CPU Lynnfield 2659 MHz, 1 CPU (8 cores)
: Written by enable_15 at 07:14:08.509 PST Thu Dec 27 2018
!
ASA Version 9.8(2)
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.254 255.255.255.0
!
!
interface GigabitEthernet0/7
 nameif DMZ
 security-level 50
 ip address 192.168.253.1 255.255.255.0
!
!
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.4.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network DMZ-subnet
 subnet 192.168.253.0 255.255.255.0
object network DMZ-Host-mail
 host 10.0.0.10
object network DMZ-Host-mail-int
 host 192.168.253.10
object network DMZ-Host-mail2
 host 10.0.0.9
object network DMZ-Host-mail2-int
 host 192.168.253.9
object-group service MAIL-SERVER
 service-object tcp destination eq https
 service-object tcp destination eq ssh
 service-object tcp destination eq imap4
 service-object tcp destination eq 993
 service-object tcp destination eq 995
 service-object tcp destination eq pop3
 service-object tcp destination eq 587
 service-object tcp destination eq 465
 service-object tcp destination eq smtp
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail-int
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2-int
access-list snmp extended permit udp any eq snmptrap any
access-list snmp extended permit udp any any eq snmp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended deny ip any any
!
object network obj_any
 nat (any,outside) dynamic interface
object network DMZ-subnet
 nat (DMZ,outside) dynamic interface
!
object network DMZ-Host-mail-int
 nat (DMZ,outside) static DMZ-Host-mail
object network DMZ-Host-mail2-int
 nat (DMZ,outside) static DMZ-Host-mail2
!
nat (DMZ,outside) after-auto source dynamic any interface
access-group inbound in interface outside
access-group dmz_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
!

================================================== 

Your configuration looks OK, but my question is: as long as your servers in the DMZ can communicate on the DMZ interface, why do you want them to communicate with each other on their public interface? According to your config, DMZ-Host-mail and DMZ-Host-mail2 are static NATs bound to your outside addresses.

 

What do you want to achieve here? What is your goal?

please do not forget to rate.

Thanks for the replies. The servers can communicate with each other on the DMZ subnet. When the mail server software wants to contact the other mail server, it does so by the public IP. It's at that point that they can no longer communicate. DNS lookups work fine from each machine. In short, something seems to be blocking 10.0.0.9 from talking to 10.0.0.10 on allowed ports.

Oh, I see. After looking carefully into your config, you have an issue with your NAT order. Your static NAT for the DMZ servers should be in section 1. At the moment they are in section 2, and again in section 2 you are doing a dynamic PAT for the DMZ servers; that is why they cannot talk to the other server(s) at their public server address.

 

I have put one example; the rest you can do yourself.

 

nat (DMZ,outside) source static DMZ-Host-mail-int DMZ-Host-mail

 

 

 

==========================================================

object network DMZ-subnet
 nat (DMZ,outside) dynamic interface
!
nat (DMZ,outside) after-auto source dynamic any interface

And why do you define these rules again in two different NAT sections? They do the same thing, but you put them in two sections. Any reason?

 ============================================================

 

let us know how it goes.

 

please do not forget to rate.

I changed it so that I only have these NATs:

 

nat (DMZ,outside) source static DMZ-Host-mail-int DMZ-Host-mail
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
!
object network DMZ-subnet
 nat (DMZ,outside) dynamic interface

That second NAT, "nat (DMZ,outside) after-auto source dynamic any interface", was not necessary and I have removed it. The two servers still won't talk to each other via their public IPs, though. Everything else is working correctly.

 

Run a packet tracer:

 

packet-tracer input outside tcp 8.8.8.8 12345 192.168.253.9 ssh detailed

 

or

packet-tracer input outside tcp 10.0.0.85 12345 192.168.253.9 ssh detailed

please do not forget to rate.

Here are some packet-tracer examples.

 

8.8.8.8 to 192.168.253.9

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.253.0   255.255.255.0   DMZ

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2-int 
object-group service MAIL-SERVER
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 service-object tcp destination eq imap4 
 service-object tcp destination eq 993 
 service-object tcp destination eq 995 
 service-object tcp destination eq pop3 
 service-object tcp destination eq 587 
 service-object tcp destination eq 465 
 service-object tcp destination eq smtp 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35a1f5f0, priority=13, domain=permit, deny=false
        hits=7, user_data=0x7fff2e3a8780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.253.9, mask=255.255.255.255, port=22, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff34e77390, priority=0, domain=nat-per-session, deny=false
        hits=2021, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:      
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35962530, priority=0, domain=inspect-ip-options, deny=true
        hits=1506, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2b0c8900, priority=6, domain=nat-reverse, deny=false
        hits=15, user_data=0x7fff355d6320, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.253.9, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=DMZ
              
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is 8.8.8.8 to 10.0.0.9 (public IP):

 

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
NAT divert to egress interface DMZ
Untranslate 10.0.0.9/22 to 192.168.253.9/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2-int 
object-group service MAIL-SERVER
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 service-object tcp destination eq imap4 
 service-object tcp destination eq 993 
 service-object tcp destination eq 995 
 service-object tcp destination eq pop3 
 service-object tcp destination eq 587 
 service-object tcp destination eq 465 
 service-object tcp destination eq smtp 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35a1f5f0, priority=13, domain=permit, deny=false
        hits=6, user_data=0x7fff2e3a8780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.253.9, mask=255.255.255.255, port=22, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
Static translate 8.8.8.8/12345 to 8.8.8.8/12345
 Forward Flow based lookup yields rule:
 in  id=0x7fff2be46be0, priority=6, domain=nat, deny=false
        hits=12, user_data=0x7fff345800d0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.0.0.9, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=DMZ

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff34e77390, priority=0, domain=nat-per-session, deny=false
        hits=2004, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35962530, priority=0, domain=inspect-ip-options, deny=true
        hits=1496, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2b0c8900, priority=6, domain=nat-reverse, deny=false
        hits=14, user_data=0x7fff355d6320, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.253.9, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=DMZ

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff363bb7e0, priority=0, domain=user-statistics, deny=false
        hits=1440, user_data=0x7fff36385400, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff34e77390, priority=0, domain=nat-per-session, deny=false
        hits=2006, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:       
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff359bf8a0, priority=0, domain=inspect-ip-options, deny=true
        hits=1497, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x7fff363ba920, priority=0, domain=user-statistics, deny=false
        hits=1494, user_data=0x7fff36385400, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 11
Type: FLOW-CREATION
Subtype:      
Result: ALLOW
Config:
Additional Information:
New flow created with id 1496, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
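
The two traces in this post show the same kind of flow evaluated against the real DMZ address (dropped at the NAT rpf-check phase) and against the mapped public address (allowed). Reading long traces by eye is error-prone, so the following added script, which is not part of the original post and not a Cisco tool, parses packet-tracer output into phases and reports the first DROP phase together with the config line it matched. The `Trace`/`Phase` classes and the `explain` helper are the example's own names; the sample traces are constructed, shortened copies of the ones above.

```python
"""Summarise Cisco ASA packet-tracer output: which phase dropped a flow and why.

Added example for this thread (not from the original post). It parses the text
layout shown above; the SAMPLE traces are constructed, abbreviated copies of it.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""                                 # ALLOW or DROP
    config: List[str] = field(default_factory=list)  # lines under "Config:"

@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: str = ""       # "allow" / "drop" from the final Result block
    drop_reason: str = ""  # "" when the flow is allowed

    @property
    def drop_phase(self) -> Optional[Phase]:
        """First phase whose Result is DROP, if any."""
        return next((p for p in self.phases if p.result == "DROP"), None)

def parse_packet_tracer(text: str) -> Trace:
    trace, current, section = Trace(), None, None
    for raw in text.splitlines():
        line = raw.rstrip()  # the ASA pads some fields with trailing spaces
        if m := PHASE_RE.match(line):
            current = Phase(int(m.group(1)))
            trace.phases.append(current)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            current = section = None
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "additional"
        elif kv := KV_RE.match(line):
            key, value = kv.groups()
            if key == "Action":
                trace.action = value
            elif key == "Drop-reason":
                trace.drop_reason = value
            elif current is not None:
                setattr(current, key.lower(), value)
        elif current is not None and section == "config" and line:
            current.config.append(line)  # the NAT or ACL rule the phase matched
    return trace

def explain(trace: Trace) -> str:
    """One-line verdict for a change ticket or a log line."""
    p = trace.drop_phase
    if p is None:
        return f"allow: all {len(trace.phases)} phases passed"
    cfg = p.config[0] if p.config else "(no config line shown)"
    return f"drop at phase {p.number} {p.type}/{p.subtype}: {trace.drop_reason}; matched: {cfg}"

# Constructed sample: outside -> real DMZ address, as in the first trace above.
SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside

Phase: 2
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: outside -> mapped public address, as in the second trace.
SAMPLE_ALLOW = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
Untranslate 10.0.0.9/22 to 192.168.253.9/22

Result:
Action: allow
"""

if __name__ == "__main__":
    for label, sample in (("to 192.168.253.9", SAMPLE_DROP), ("to 10.0.0.9", SAMPLE_ALLOW)):
        print(label, "=>", explain(parse_packet_tracer(sample)))
```

Paste a full trace into `parse_packet_tracer` and `explain` names the phase that dropped it; for the first trace above that is the NAT rpf-check phase, whose config line is the static rule for DMZ-Host-mail2, which is what you expect when the tracer is pointed at the real address rather than the mapped one.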

Hi, sorry, I mixed up the IP addresses. I see the second result, which is a success; now NAT is working perfectly. Is 10.0.0.9 a real IP address, or did you make it up? You should be able to connect, as we did a packet tracer where an example address (8.8.8.8, a Google server) can reach your address 10.0.0.9.

 

 

I understand your X server in the DMZ needs to go to the internet and then come back so it can speak to software on another DMZ server, Y. As long as the X server and the Y server have the static NAT, they should be OK to talk to each other.

====================================================================

Here is 8.8.8.8 to 10.0.0.9 (public IP)

please do not forget to rate.

@swits0181 I am sure your NAT is in the right order now. Kindly, could you please check the server side? Does your server have more than one NIC card?

 

Could you run Wireshark on your server(s)? Please let us know how it goes.

please do not forget to rate.

All the NATing from the outside world seems to be working just fine. I still can't get 10.0.0.10 to connect to 10.0.0.9. Here is a trace of that.

 

packet-tracer input outside tcp 10.0.0.10 1234 10.0.0.9 ssh detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
NAT divert to egress interface DMZ
Untranslate 10.0.0.9/22 to 192.168.253.9/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit object-group MAIL-SERVER any object DMZ-Host-mail2-int 
object-group service MAIL-SERVER
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 service-object tcp destination eq imap4 
 service-object tcp destination eq 993 
 service-object tcp destination eq 995 
 service-object tcp destination eq pop3 
 service-object tcp destination eq 587 
 service-object tcp destination eq 465 
 service-object tcp destination eq smtp 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35a42620, priority=13, domain=permit, deny=false
	hits=6, user_data=0x7fff2e3a8780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=192.168.253.9, mask=255.255.255.255, port=22, tag=0, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
Static translate 10.0.0.10/1234 to 10.0.0.10/1234
 Forward Flow based lookup yields rule:
 in  id=0x7fff3535f840, priority=6, domain=nat, deny=false
	hits=0, user_data=0x7fff34c06a60, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=10.0.0.9, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=DMZ

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff34e76cd0, priority=0, domain=nat-per-session, deny=false
	hits=553, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35980df0, priority=0, domain=inspect-ip-options, deny=true
	hits=503, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff3633b690, priority=13, domain=ipsec-tunnel-flow, deny=true
	hits=28, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2be47210, priority=6, domain=nat-reverse, deny=false
	hits=1, user_data=0x7fff34c32b90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=192.168.253.9, mask=255.255.255.255, port=0, tag=0, dscp=0x0
	input_ifc=outside, output_ifc=DMZ

Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff363f92d0, priority=0, domain=user-statistics, deny=false
	hits=470, user_data=0x7fff363c2ef0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=DMZ

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:       
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff34e76cd0, priority=0, domain=nat-per-session, deny=false
	hits=555, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff359de120, priority=0, domain=inspect-ip-options, deny=true
	hits=487, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=DMZ, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x7fff363f8410, priority=0, domain=user-statistics, deny=false
	hits=485, user_data=0x7fff363c2ef0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=outside

Phase: 12
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 493, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

packet-tracer input DMZ tcp 192.168.253.9 1234 10.0.0.10 ssh detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0     255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface DMZ
access-list dmz_access_in extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff35a47840, priority=13, domain=permit, deny=false
	hits=565, user_data=0x7fff2e3a7f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=DMZ, output_ifc=any

Phase: 3
Type: NAT     
Subtype: 
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
Static translate 192.168.253.9/1234 to 10.0.0.9/1234
 Forward Flow based lookup yields rule:
 in  id=0x7fff3595fb10, priority=6, domain=nat, deny=false
	hits=27, user_data=0x7fff34c32b90, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=192.168.253.9, mask=255.255.255.255, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=DMZ, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff34e76cd0, priority=0, domain=nat-per-session, deny=false
	hits=695, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff359de120, priority=0, domain=inspect-ip-options, deny=true
	hits=575, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=DMZ, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2bf59f50, priority=6, domain=nat-reverse, deny=false
	hits=27, user_data=0x7fff34c06a60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=192.168.253.9, mask=255.255.255.255, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=DMZ, output_ifc=outside

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff363f8410, priority=0, domain=user-statistics, deny=false
	hits=574, user_data=0x7fff363c2ef0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=outside

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff34e76cd0, priority=0, domain=nat-per-session, deny=false
	hits=697, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff35980df0, priority=0, domain=inspect-ip-options, deny=true
	hits=593, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW 
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x7fff363f92d0, priority=0, domain=user-statistics, deny=false
	hits=559, user_data=0x7fff363c2ef0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=DMZ

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 582, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat  

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Hi.

Can you remove this command from your config and test whether you can reach these servers in the DMZ zone?

      no access-list dmz_access_in extended deny ip any any

Up to now we have made some good progress; one thing we have fixed is the static NAT issue. Now your servers are reachable from the outside to the DMZ, whereas in the beginning you were having an issue with them.

After applying the above command, if it is still not working, then run the following commands and share the output please.

capture DMZ-IN interface DMZ match ip host 192.168.253.9 host 192.168.253.10

capture DMZ-OUT interface DMZ match ip host 192.168.253.10 host 192.168.253.9

!

show capture DMZ-IN

show capture DMZ-OUT

!

no capture DMZ-IN

no capture DMZ-OUT

Generate some traffic, for example try to ping/SSH from one server to another, and show us the result.

Regards,

Radio_City

please do not forget to rate.

@swits0181 Kindly please update: were you able to perform these tests?

please do not forget to rate.

Inside the DMZ all servers are able to ping each other. 192.168.253.9 can ping .10 without a problem. It's when you try to have them SSH (no ping on the public interfaces) from 10.0.0.9 to 10.0.0.10 that the traffic gets stopped.
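The second packet-tracer output above is the useful clue: a packet from 192.168.253.9 to 10.0.0.10 entering DMZ has its source translated to 10.0.0.9 and is dispatched out the outside interface, so the ASA never untranslates 10.0.0.10 back to the DMZ host behind it. The usual way to let DMZ hosts reach each other on their mapped addresses is a hairpin (U-turn) twice-NAT rule on the (DMZ,DMZ) interface pair. The configuration below is an added example written for this thread, not a config posted by the author or suggested in any reply; the DMZ-Host-mail2 objects and the (DMZ,outside) rule are taken from the trace, while the object names for the second host (DMZ-Host-10-int / DMZ-Host-10) and the assumption that 10.0.0.10 maps to 192.168.253.10 are mine.

```text
! Added example (not from the thread): hairpin NAT so DMZ hosts can reach each
! other on their mapped 10.0.0.x addresses. Object names for the second host are
! assumed; the mail2 objects and the (DMZ,outside) rule come from the trace above.
object network DMZ-Host-mail2-int
 host 192.168.253.9
object network DMZ-Host-mail2
 host 10.0.0.9
object network DMZ-Host-10-int
 host 192.168.253.10
object network DMZ-Host-10
 host 10.0.0.10
!
! Required for a flow to enter and leave the same interface (already present
! in the posted config, repeated here because the hairpin depends on it).
same-security-traffic permit intra-interface
!
! Twice NAT at line 1 so it is evaluated before the (DMZ,outside) rules.
! Source: real -> mapped; destination: mapped -> real; both sides on DMZ.
! A static twice-NAT rule is bidirectional, so .10 -> 10.0.0.9 also matches it.
nat (DMZ,DMZ) 1 source static DMZ-Host-mail2-int DMZ-Host-mail2 destination static DMZ-Host-10 DMZ-Host-10-int
!
! Existing rules for traffic to and from the outside stay as they are.
nat (DMZ,outside) source static DMZ-Host-mail2-int DMZ-Host-mail2
nat (DMZ,outside) source static DMZ-Host-10-int DMZ-Host-10
```

To verify, rerun the same trace the thread already uses, `packet-tracer input DMZ tcp 192.168.253.9 1234 10.0.0.10 22 detailed`: with the hairpin rule in place the NAT phase should cite the (DMZ,DMZ) rule, the destination should be untranslated to 192.168.253.10, and the Result block should show output-interface DMZ instead of outside. Two caveats a practitioner will want: the inbound ACL on DMZ is evaluated against real addresses, so `permit ip any any` covers this but a tighter ACL must reference 192.168.253.10, not 10.0.0.10; and two DMZ hosts talking directly on 192.168.253.0/24 never cross the ASA, so a capture on DMZ matching the real addresses will stay empty, whereas the hairpinned flows do cross it and can be captured on the mapped 10.0.0.x addresses.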

Kindly please run these commands:

capture DMZ-IN interface DMZ match ip host 10.0.0.9 host 10.0.0.10

capture DMZ-OUT interface DMZ match ip host 10.0.0.10 host 10.0.0.9

!

show capture DMZ-IN

show capture DMZ-OUT

!

no capture DMZ-IN

no capture DMZ-OUT

Or, unless you are not bothered to look into this further: I have spent a good amount of time understanding it and wanted to get this fixed for you. Happy to help, as we have already fixed the NAT rule.

If you are not interested, then kindly mark this post as the answer so it will help others like you and me to fix the issue.

please do not forget to rate.