4914 Views | 0 Helpful | 14 Replies

ASA 8.4 DMZ cannot get to internet

kpoon
Level 1

We have a DMZ on an ASA5510 running 8.4; it can access anything on the internal interface but cannot get out to the internet or the outside interface.

I tried to ping from a host in the DMZ to 8.8.8.8 and got this in the log:

Severity 6 | Apr 25 2012 08:24:43 | Syslog ID 110003 | Source 8.8.8.8/0 | Destination 172.10.1.150/1 | Routing failed to locate next hop for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1

Please help.

Thanks in advance.

here's the config:

: Saved

:

ASA Version 8.4(2)8

!

hostname ciscoasa

multicast-routing

names

dns-guard

!

interface Ethernet0/0

description xxxx shopInternet Connection

speed 100

duplex full

nameif outside

security-level 0

ip address 99.99.99.130 255.255.255.224

ospf cost 10

!

interface Ethernet0/1

description xxxx internal connection from firewall to switch

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

ospf cost 10

!

interface Ethernet0/2

description xxxx DMZ

nameif DMZ

security-level 100

ip address 172.10.1.1 255.255.255.0

!

interface Ethernet0/3

description Management Service-EEEE-40

speed 100

duplex full

nameif E-40

security-level 0

ip address 10.40.86.248 255.255.255.0

!

interface Management0/0

description management

nameif management

security-level 100

ip address 192.168.199.1 255.255.255.0

ospf cost 10

management-only

!

boot system disk0:/asa842-8-k8.bin

boot system disk0:/asa824-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns domain-lookup DMZ

dns domain-lookup management

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

name-server 208.67.222.222

name-server 208.67.220.220

name-server 66.28.0.45

name-server 66.28.0.61

domain-name xxxxshop.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-172.30.1.0

subnet 172.30.1.0 255.255.255.0

object network obj-10.40.86.0

subnet 10.40.86.0 255.255.255.0

object network obj-192.168.99.0

subnet 192.168.99.0 255.255.255.0

object network obj-192.168.1.13

host 192.168.1.13

object network obj-192.168.1.13-01

host 192.168.1.13

object network obj-192.168.1.13-02

host 192.168.1.13

object network obj-172.30.1.70

host 172.30.1.70

object network obj-192.168.106.144

host 192.168.106.144

object network obj-192.168.106.144-01

host 192.168.106.144

object network obj-192.168.106.144-02

host 192.168.106.144

object network obj-192.168.10.2

host 192.168.10.2

object network obj-172.30.1.50

host 172.30.1.50

object network obj-172.30.1.40

host 172.30.1.40

object network obj-192.168.1.10

host 192.168.1.10

object network obj-192.168.106.99

host 192.168.106.99

object network obj-172.30.1.102

host 172.30.1.102

object network obj-172.30.1.31

host 172.30.1.31

object network obj-172.30.1.40-01

host 172.30.1.40

object network obj-172.30.1.50-01

host 172.30.1.50

object network obj-172.30.1.101

host 172.30.1.101

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network obj-0.0.0.0

host 0.0.0.0

object network obj_any-02

subnet 0.0.0.0 0.0.0.0

object network obj_any-03

subnet 0.0.0.0 0.0.0.0

object network obj_any-04

subnet 0.0.0.0 0.0.0.0

object network obj_any-05

subnet 0.0.0.0 0.0.0.0

object network obj_any-06

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.0.0

subnet 192.168.0.0 255.255.0.0

object service ftp

service tcp source range ftp-data ftp destination range ftp-data ftp

object network obj-192.168.1.15

host 192.168.1.15

object network obj-192.168.1.15-01

host 192.168.1.15

object network NETWORK_OBJ_172.30.1.0_24

subnet 172.30.1.0 255.255.255.0

object network NETWORK_OBJ_172.31.2.0_24

subnet 172.31.2.0 255.255.255.0

object network obj-172.10.1.136

host 172.10.1.136

description VCS Express 01 NIC 01

object network obj-172.10.1.0

subnet 172.10.1.0 255.255.255.0

description DMZ

object network obj_any-08

subnet 0.0.0.0 0.0.0.0

object network obj-172.10.1.150

host 172.10.1.150

object-group service ExchangeOWA tcp

description Exchange Web and Mobile Access

port-object eq smtp

port-object eq https

port-object eq www

object-group network admin-ip

network-object host 192.168.1.199

network-object 172.30.1.0 255.255.255.0

network-object host 192.168.106.99

network-object host Snapstream_ott

network-object host 192.168.1.251

network-object host 192.168.1.190

network-object host 192.168.1.193

network-object host 192.168.1.10

network-object host 192.168.1.11

network-object host 192.168.1.14

network-object host 192.168.1.15

network-object host 192.168.1.6

network-object host 192.168.1.7

network-object host 192.168.1.8

network-object host 192.168.1.9

network-object host 192.168.2.199

network-object host 192.168.1.13

network-object 192.168.99.0 255.255.255.0

network-object 172.10.1.0 255.255.255.0

object-group network approved-ip

network-object host 99.99.99.141

network-object 172.30.1.0 255.255.255.0

object-group network tms-ip

object-group service VNC tcp

description VNC

port-object eq 5900

object-group network DM_INLINE_NETWORK_2

network-object 172.30.1.0 255.255.255.0

network-object 192.168.0.0 255.255.0.0

object-group service VNC-Listen tcp

description VNC-Listen Ports

port-object eq 5500

object-group service Streaming-ASF tcp-udp

description Streaming-ASF

port-object eq 1755

object-group service Streaming-ASF-TCP tcp

description Streaming-ASF-TCP

port-object eq 1755

object-group service DM_INLINE_TCP_1 tcp

group-object Streaming-ASF

port-object eq www

group-object Streaming-ASF-TCP

port-object eq rtsp

port-object eq https

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network DM_INLINE_NETWORK_5

object-group network DM_INLINE_NETWORK_4

network-object host 172.19.4.50

network-object 192.168.123.0 255.255.255.0

object-group network DM_INLINE_NETWORK_6

network-object host 172.19.4.50

network-object 192.168.123.0 255.255.255.0

object-group network DM_INLINE_NETWORK_7

network-object host 172.19.4.50

network-object 192.168.123.0 255.255.255.0

object-group network DM_INLINE_NETWORK_8

network-object host 99.99.99.141

network-object host 99.99.99.144

object-group service DM_INLINE_TCP_2 tcp

port-object eq 8129

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_9

object-group service DM_INLINE_TCP_3 tcp

port-object eq ftp

port-object eq ftp-data

object-group network BypassFacebook

network-object host 192.168.1.182

network-object host 192.168.1.183

network-object host 192.168.1.184

network-object host 192.168.1.188

network-object host 192.168.1.189

network-object host 192.168.1.190

network-object host 192.168.1.193

network-object host 192.168.1.194

network-object host 192.168.1.195

network-object host 192.168.1.196

network-object host 192.168.1.199

network-object host 192.168.1.200

object-group network Facebook

network-object 69.63.176.0 255.255.240.0

network-object 66.220.144.0 255.255.240.0

object-group network DM_INLINE_NETWORK_1

network-object host 10.40.86.102

network-object host 10.40.86.31

network-object host 10.40.86.40

network-object host 10.40.86.50

network-object host 10.40.86.101

object-group network DM_INLINE_NETWORK_3

network-object object obj-172.30.1.0

network-object object obj-192.168.0.0

object-group network DM_INLINE_NETWORK_12

network-object 10.4.86.0 255.255.255.0

network-object 10.40.86.0 255.255.255.0

network-object 10.70.86.0 255.255.255.0

network-object 10.96.86.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object tcp-udp destination eq sip

service-object tcp destination eq 1721

service-object tcp destination eq h323

service-object udp destination eq 1719

service-object tcp-udp destination eq www

service-object tcp destination eq https

service-object udp destination eq www

service-object udp destination eq ntp

object-group network DM_INLINE_NETWORK_1_2

network-object host 172.30.1.102

network-object host 172.30.1.31

network-object host 172.30.1.40

network-object host 172.30.1.50

network-object host 172.30.1.101

object-group network DM_INLINE_NETWORK_10

access-list inside_nat0_outbound_1 extended permit ip 172.30.1.0 255.255.255.0 10.40.86.0 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_3 192.168.99.0 255.255.255.0

access-list dzm extended permit ip any any

access-list dzm extended permit icmp any any

access-list ouside extended permit ip any any

access-list cont_in extended permit ip host 99.99.99.135 any

access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0

access-list Split_tunnel_ACL standard permit 172.30.1.0 255.255.255.0

access-list inside extended permit tcp host 192.168.1.13 any eq smtp

access-list inside extended permit tcp any object-group DM_INLINE_NETWORK_9 eq smtp

access-list inside extended deny tcp any any eq smtp

access-list inside extended deny tcp any any eq pop3

access-list inside extended permit tcp any object-group DM_INLINE_NETWORK_5 eq pptp

access-list inside extended deny tcp any any eq pptp

access-list inside extended permit tcp object-group BypassFacebook object-group Facebook eq https

access-list inside extended deny tcp any object-group Facebook eq https

access-list inside extended permit ip any any

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.99.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 172.19.4.50

access-list E-40_access_out extended permit ip any any

access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_12 172.30.1.0 255.255.255.0

access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_4 host 192.168.1.18 inactive

access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_6 host 192.168.1.19 inactive

access-list inside-out-acl extended deny ip object-group DM_INLINE_NETWORK_7 any inactive

access-list inside-out-acl extended permit ip any any

access-list throttle_frontline extended permit ip host 74.213.162.33 any inactive

access-list throttle_frontline extended permit ip any host 74.213.162.33 inactive

access-list outside remark Migration, ACE (line 3) expanded: permit tcp any object-group DM_INLINE_NETWORK_8

access-list outside extended permit tcp any host 99.99.99.141 eq 8129

access-list outside extended permit tcp any host 172.30.1.70 eq www

access-list outside extended permit tcp any host 99.99.99.141 eq https

access-list outside extended permit tcp any host 192.168.106.144 eq 8129

access-list outside extended permit tcp any host 192.168.106.144 eq www

access-list outside extended permit tcp any host 192.168.106.144 eq https

access-list outside remark Migration: End of expansion

access-list outside remark Migration, ACE (line 4) expanded: permit tcp any host 99.99.99.133 object-group ExchangeOWA

access-list outside extended permit tcp any host 192.168.1.13 eq smtp

access-list outside extended permit tcp any host 192.168.1.13 eq https

access-list outside extended permit tcp any host 192.168.1.13 eq www

access-list outside extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.1.15 object-group DM_INLINE_TCP_3

access-list outside remark Migration: End of expansion

access-list outside extended permit ip any host 192.168.106.99

access-list outside extended permit tcp any host 192.168.1.10 eq pptp

access-list outside extended permit gre any host 192.168.1.10

access-list outside extended permit tcp any host 192.168.10.2 eq telnet inactive

access-list outside extended permit tcp any host 172.30.1.40 object-group DM_INLINE_TCP_1

access-list outside extended permit ip object-group tms-ip host 172.30.1.50

access-list outside extended permit ip any host 172.10.1.150

access-list outside extended permit icmp any any echo-reply

access-list outside_cryptomap extended permit ip 172.30.1.0 255.255.255.0 172.31.2.0 255.255.255.0

access-list DMZ_access_out extended permit ip any any

access-list DMZ_access_in extended permit ip any any

access-list DMZ_access_in_1 extended permit ip any any

pager lines 24

logging enable

logging timestamp

logging buffered informational

logging trap debugging

logging asdm informational

logging facility 19

logging host inside 192.168.1.15 format emblem

logging permit-hostdown

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu E-40 1500

mtu management 1500

ip local pool xxxx-pool 192.168.99.1-192.168.99.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

nat (inside,any) source static obj-172.30.1.0 obj-172.30.1.0 destination static obj-10.40.86.0 obj-10.40.86.0 no-proxy-arp

nat  (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3  destination static obj-192.168.99.0 obj-192.168.99.0 no-proxy-arp  route-lookup

nat (inside,outside) source static  NETWORK_OBJ_172.30.1.0_24 NETWORK_OBJ_172.30.1.0_24 destination static  NETWORK_OBJ_172.31.2.0_24 NETWORK_OBJ_172.31.2.0_24 no-proxy-arp  route-lookup

!

object network obj-192.168.1.13

nat (inside,outside) static 99.99.99.133 service tcp smtp smtp

object network obj-192.168.1.13-01

nat (inside,outside) static 99.99.99.133 service tcp www www

object network obj-192.168.1.13-02

nat (inside,outside) static 99.99.99.133 service tcp https https

object network obj-172.30.1.70

nat (inside,outside) static 99.99.99.141 service tcp www www

object network obj-192.168.106.144

nat (inside,outside) static 99.99.99.144 service tcp www www

object network obj-192.168.106.144-01

nat (inside,outside) static 99.99.99.144 service tcp https https

object network obj-192.168.106.144-02

nat (inside,outside) static 99.99.99.144 service tcp 8129 8129

object network obj-192.168.10.2

nat (inside,outside) static 99.99.99.132 service tcp telnet telnet

object network obj-172.30.1.50

nat (inside,outside) static 99.99.99.134

object network obj-172.30.1.40

nat (inside,outside) static 99.99.99.139

object network obj-192.168.1.10

nat (inside,outside) static 99.99.99.137

object network obj-192.168.106.99

nat (inside,outside) static 99.99.99.140

object network obj-172.30.1.102

nat (inside,E-40) static 10.40.86.102

object network obj-172.30.1.31

nat (inside,E-40) static 10.40.86.31

object network obj-172.30.1.40-01

nat (inside,E-40) static 10.40.86.40

object network obj-172.30.1.50-01

nat (inside,E-40) static 10.40.86.50

object network obj-172.30.1.101

nat (inside,E-40) static 10.40.86.101

object network obj_any

nat (inside,outside) dynamic interface

object network obj_any-01

nat (inside,outside) dynamic obj-0.0.0.0

object network obj_any-02

nat (inside,DMZ) dynamic obj-0.0.0.0

object network obj_any-03

nat (inside,E-40) dynamic obj-0.0.0.0

object network obj_any-04

nat (management,outside) dynamic obj-0.0.0.0

object network obj_any-05

nat (management,DMZ) dynamic obj-0.0.0.0

object network obj_any-06

nat (management,E-40) dynamic obj-0.0.0.0

object network obj-192.168.1.15

nat (inside,outside) static 99.99.99.138 service tcp ftp ftp

object network obj-192.168.1.15-01

nat (inside,outside) static 99.99.99.138 service tcp ftp-data ftp-data

object network obj_any-08

nat (DMZ,outside) dynamic interface

access-group outside in interface outside

access-group inside in interface inside

access-group inside-out-acl out interface inside

access-group DMZ_access_in_1 in interface DMZ control-plane

access-group DMZ_access_in in interface DMZ

access-group DMZ_access_out out interface DMZ

access-group 40_access_in in interface E-40

access-group E-40_access_out out interface E-40

route outside 0.0.0.0 0.0.0.0 99.99.99.129 1

route E-40 10.4.86.0 255.255.255.0 10.40.86.249 1

route E-40 10.70.86.0 255.255.255.0 10.40.86.249 1

route E-40 10.96.86.0 255.255.255.0 10.40.86.249 1

route inside 172.20.20.0 255.255.255.0 192.168.10.2 1

route inside 172.30.1.0 255.255.255.0 192.168.10.2 1

route inside 192.168.1.0 255.255.255.0 192.168.10.2 1

route inside 192.168.2.0 255.255.255.0 192.168.10.2 1

route inside 192.168.3.0 255.255.255.0 192.168.10.2 1

route inside 192.168.6.0 255.255.255.0 192.168.10.2 1

route inside 192.168.99.0 255.255.255.0 192.168.10.2 255

route inside 192.168.101.0 255.255.255.0 192.168.10.2 1

route inside 192.168.102.0 255.255.255.0 192.168.10.2 1

route inside 192.168.103.0 255.255.255.0 192.168.10.2 1

route inside 192.168.106.0 255.255.255.0 192.168.10.2 1

route inside 192.168.201.0 255.255.255.0 192.168.10.2 1

route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

http 172.10.1.0 255.255.255.0 DMZ

http 192.168.199.0 255.255.255.0 management

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.0.0 255.255.0.0 inside

telnet 172.10.1.0 255.255.255.0 DMZ

telnet 192.168.199.0 255.255.255.0 management

telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.0.0 255.255.0.0 inside

ssh 172.10.1.0 255.255.255.0 DMZ

ssh 192.168.199.0 255.255.255.0 management

ssh timeout 10

console timeout 0

management-access inside

vpn-sessiondb max-anyconnect-premium-or-essentials-limit 10

dhcpd address 192.168.199.101-192.168.199.109 management

dhcpd dns 192.168.1.10 192.168.1.11 interface management

dhcpd domain xxxxshop.com interface management

dhcpd enable management

!

priority-queue outside

priority-queue inside

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.168.1.10 source inside

ntp server 129.6.15.29 source outside prefer

ntp server 129.6.15.28 source outside prefer

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.4.0202-k9.pkg 18

anyconnect image disk0:/anyconnect-macosx-i386-2.4.0196-k9.pkg 20 regex "Intel Mac OS X"

anyconnect image disk0:/anyconnect-linux-2.4.0202-k9.pkg 21 regex "Linux"

anyconnect enable

cache

  disable

group-policy xxxxIPsec internal

group-policy xxxxIPsec attributes

dns-server value 192.168.1.13

vpn-tunnel-protocol ikev1 l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_tunnel_ACL

default-domain value xxxxshop.com

group-policy DfltGrpPolicy attributes

dns-server value 192.168.1.10 192.168.1.11

vpn-idle-timeout 10

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_tunnel_ACL

default-domain value xxxxshop.com

webvpn

  url-list value xxxxApps

  anyconnect ask enable default webvpn

  hidden-shares visible

group-policy GroupPolicy_198.103.180.120 internal

group-policy GroupPolicy_198.103.180.120 attributes

vpn-tunnel-protocol ikev1

tunnel-group DefaultRAGroup general-attributes

address-pool xxxx-pool

authentication-server-group radius LOCAL

tunnel-group DefaultRAGroup webvpn-attributes

group-alias DefaultRA enable

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool xxxx-pool

authentication-server-group radius LOCAL

tunnel-group DefaultWEBVPNGroup webvpn-attributes

group-alias DefaultWeb enable

tunnel-group xxxxIPsec type remote-access

tunnel-group xxxxIPsec general-attributes

address-pool xxxx-pool

authentication-server-group radius LOCAL

default-group-policy xxxxIPsec

tunnel-group xxxxIPsec webvpn-attributes

group-alias xxxxIPSec enable

group-alias IPSec disable

tunnel-group xxxxIPsec ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group xxxxSSL type remote-access

tunnel-group xxxxSSL general-attributes

address-pool xxxx-pool

authentication-server-group radius LOCAL

tunnel-group xxxxSSL webvpn-attributes

group-alias xxxxSSL enable

group-url https://99.99.99.130/xxxxSSL enable

tunnel-group 1.1.1.120 type ipsec-l2l

tunnel-group 1.1.1.120 general-attributes

default-group-policy GroupPolicy_1.1.1.120

tunnel-group 1.1.1.120 ipsec-attributes

ikev1 pre-shared-key *****

!

class-map global-class

match default-inspection-traffic

class-map csc-class

match access-list cscTraffic

class-map throttle_frontline

match access-list throttle_frontline

!

!

policy-map type inspect sip DefaultSIP

parameters

  max-forwards-validation action drop log

policy-map throttle-policy

class throttle_frontline

  police input 600000 2000

  police output 600000 2000

policy-map global-policy

class global-class

  inspect pptp

  inspect ftp

  inspect ipsec-pass-thru

  inspect xdmcp

  inspect h323 h225

  inspect h323 ras

  inspect sip 

class csc-class

  csc fail-open

policy-map type inspect h323 DefaultH323

parameters

!

service-policy global-policy global

service-policy throttle-policy interface outside

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

: end

asdm image disk0:/asdm-645-206.bin

asdm location 192.168.100.0 255.255.255.192 outside

asdm location 192.168.0.0 255.255.0.0 inside

asdm location 192.168.123.0 255.255.255.0 inside

asdm location 192.168.123.0 255.255.255.0 outside

asdm location 192.168.111.0 255.255.255.0 inside

asdm location 192.168.10.0 255.255.255.0 outside

asdm location 192.168.10.254 255.255.255.255 outside

asdm location 99.99.99.133 255.255.255.255 outside

asdm location 192.168.1.16 255.255.255.255 inside

asdm location 172.30.1.0 255.255.255.0 inside

asdm location 172.30.1.50 255.255.255.255 inside

asdm location 192.168.1.13 255.255.255.255 inside

no asdm history enable

14 Replies

Jouni Forss
VIP Alumni

Hi,

It seems the traffic gets forwarded to a totally wrong interface.

The destination network for the ICMP reply is directly connected to the ASA.

Still it gets forwarded to INSIDE instead of DMZ.

So I guess you have some NAT configuration wrong. It also seems you have a lot of strange NAT configurations (0.0.0.0 objects).

- Jouni
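As an added example (not code from the post or from Cisco), the following Python reconstructs what the reply above describes, namely that 172.10.1.150 sits on a subnet directly connected to the DMZ interface yet the 110003 message names inside, and also runs a few posture checks a reviewer would raise on the posted config: the DMZ interface carries security-level 100, the same as inside, while same-security-traffic permit inter-interface is set, so the DMZ is not actually isolated from the internal network; ssh is open to any source on outside; telnet is enabled; and the outside ACL permits ip any to a single host. SAMPLE_CONFIG is a constructed subset of the posted running config (it includes the route DMZ line that is quoted later in the thread and was then removed), and SAMPLE_110003 is the ASDM log entry rewritten in its raw %ASA-6-110003 syslog form, which is an assumption about how it appears in syslog.

```python
"""Added triage helpers for this thread (not code from the post or from Cisco):
rebuild the interface and static-route table from the posted config, check a
%ASA-6-110003 message against it, and run a few posture checks on the same text.
SAMPLE_CONFIG is a constructed subset of the posted running config."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 99.99.99.130 255.255.255.224
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 100
 ip address 172.10.1.1 255.255.255.0
same-security-traffic permit inter-interface
access-list outside extended permit ip any host 172.10.1.150
route outside 0.0.0.0 0.0.0.0 99.99.99.129 1
route inside 192.168.1.0 255.255.255.0 192.168.10.2 1
route DMZ 172.10.1.0 255.255.255.0 192.168.10.2 1
ssh 0.0.0.0 0.0.0.0 outside
telnet 172.10.1.0 255.255.255.0 DMZ
"""
# The ASDM entry from the question, rewritten in raw syslog form (assumed).
SAMPLE_110003 = ("%ASA-6-110003: Routing failed to locate next hop for ICMP "
                 "from outside:8.8.8.8/0 to inside:172.10.1.150/1")


def parse_config(text):
    """Return (interfaces by nameif, static routes) from 'show run' style text."""
    ifaces, routes, cur = {}, [], None
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "interface":
            cur = {"net": None, "level": None}
        elif tok[0] == "nameif" and cur is not None:
            ifaces[tok[1]] = cur
        elif tok[0] == "security-level" and cur is not None:
            cur["level"] = int(tok[1])
        elif tok[:2] == ["ip", "address"] and cur is not None:
            cur["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[0] == "route":
            routes.append({"iface": tok[1], "nexthop": ipaddress.ip_address(tok[4]),
                           "net": ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)})
    return ifaces, routes


def connected_interface(ifaces, ip):
    """Interface whose own subnet contains ip; a connected route wins over a static one."""
    ip = ipaddress.ip_address(ip)
    return next((n for n, i in ifaces.items() if i["net"] and ip in i["net"]), None)


def check_110003(msg, ifaces, routes):
    """Did the ASA pick the interface the destination is actually connected to?"""
    m = re.search(r"from (\S+?):(\S+?)/\d+ to (\S+?):(\S+?)/\d+", msg)
    if not m:
        return None
    src_if, src, dst_if, dst = m.groups()
    expected = connected_interface(ifaces, dst)
    # Static routes for that destination whose next hop is not on the egress subnet
    # can never resolve a next hop, which is what 110003 literally reports.
    bad = [r for r in routes
           if ipaddress.ip_address(dst) in r["net"] and r["iface"] in ifaces
           and r["nexthop"] not in ifaces[r["iface"]]["net"]]
    return {"src": (src_if, src), "dst": (dst_if, dst), "expected_iface": expected,
            "mismatch": expected is not None and expected != dst_if,
            "bad_routes": [f"route {r['iface']} {r['net']} via {r['nexthop']}" for r in bad]}


def audit(text, ifaces):
    """Posture findings a reviewer would raise on the posted config."""
    found = []
    inside = ifaces.get("inside", {}).get("level")
    if "same-security-traffic permit inter-interface" in text:
        for name, i in ifaces.items():
            if name != "inside" and i["level"] == inside:
                found.append(f"{name} shares security-level {inside} with inside and "
                             "inter-interface traffic is permitted: not a real DMZ")
    for line in text.splitlines():
        if re.match(r"(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 ", line):
            found.append(f"management open to any source: {line}")
        elif line.startswith("telnet "):
            found.append(f"cleartext management protocol enabled: {line}")
        elif re.match(r"access-list \S+ .*permit ip any host ", line):
            found.append(f"permit ip any to a single host: {line}")
    return found
```

The connected-interface check is the one to run first on any 110003: if it disagrees with the interface named in the message, the egress interface was chosen by something other than the connected route (a NAT rule or a static route), which is where to look next, and bad_routes lists any static route for that destination whose next hop is not on the egress interface's own subnet.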

Hi,

Shouldn't this statement work?

object network obj_any-08

nat (DMZ,outside) dynamic interface

I can't seem to pinpoint the problem.

Ken

Hi,

I guess that should handle it.

Another configuration that you seem to have is

object network obj_any-02

nat (inside,DMZ) dynamic obj-0.0.0.0

Though I'm not sure why you have it configured or what it's supposed to do.

Have you used the "packet-tracer" command on the ASA to see what happens for example to a TCP/80/http connection taken from DMZ to some random public IP address?

- Jouni

Hi,

I just noticed you have the DMZ network routed towards an IP address on your INSIDE interface? Why is that?

interface Ethernet0/1

description xxxx internal connection from firewall to switch

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

ospf cost 10

!

interface Ethernet0/2

description xxxx DMZ

nameif DMZ

security-level 100

ip address 172.10.1.1 255.255.255.0

route DMZ 172.10.1.0 255.255.255.0 192.168.10.2 1

- Jouni

That route was removed last night; we were trying different things to figure out the problem. Sorry, I forgot to update the config text file.

object network obj_any-02

nat (inside,DMZ) dynamic obj-0.0.0.0

This was auto-translated when we upgraded from 8.2 to 8.4. We hadn't touched anything since we started to deploy a DMZ. Should we remove it?

We've also run packet-tracer and everything shows OK without a problem.

Ah ok,

I don't usually let the ASA generate the new 8.4 version configuration, so I just write the configurations to my liking.

I just haven't done a similar configuration yet.

Could you post the output of the packet-tracer here when you issue it from the command line interface?

- Jouni

Sure, here it is.

ciscoasa# packet-tracer input DMZ tcp 172.10.1.150 80 8.8.8.8 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group DMZ_access_in in interface DMZ

access-list DMZ_access_in extended permit ip any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4     

Type: SSM-DIVERT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: SSM_SERVICE

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj_any-09

nat (DMZ,outside) dynamic interface

Additional Information:

Dynamic translate 172.10.1.150/80 to 38.103.153.130/434

Phase: 7     

Type: SSM_SERVICE

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 73578100, packet dispatched to next module

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Also this:

ciscoasa# packet-tracer input outside tcp 172.10.1.150 80 8.8.8.8 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

I don't really know why the ASA is saying the network would be behind the inside interface.

The first packet-tracer shows all working normally. The second one will naturally fail as you have source interface outside and the DMZ host isn't located behind it.

For ICMP to go through in a normal situation without opening the outside access-list for the echo replies you would need the following configuration:

policy-map global-policy

class global-class

  inspect icmp

Though in this situation it won't help.

I'm not sure what the tunneled default route is, as I haven't ever used it myself.

- Jouni

Thanks Jouni, appreciate your help. Hopefully someone can figure it out.

Hello,

I can see on the first packet tracer:

packet-tracer input DMZ tcp 172.10.1.150 80 8.8.8.8 80  

That everything is good related to the ASA configuration.

I want the following outputs:

-Sh run nat

-Sh run route

Also create the following captures

capture capdmz interface dmz circular-buffer

capture capdmz match ip host 172.10.1.150 host 8.8.8.8

capture capout interface outside circular-buffer

capture capout match ip host  38.103.153.130 host 8.8.8.8

Then generate real traffic ( Not packet tracer) from 172.10.1.150 to 8.8.8.8 ( A ping would do it)

and post the show cap capout and show cap capin

Regards,

Do rate all the helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here's sh run nat:

ciscoasa# sh run nat

nat (inside,any) source static obj-172.30.1.0 obj-172.30.1.0 destination static obj-10.40.86.0 obj-10.40.86.0 no-proxy-arp

nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static obj-192.168.99.0 obj-192.168.99.0 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_172.30.1.0_24 NETWORK_OBJ_172.30.1.0_24 destination static NETWORK_OBJ_172.31.2.0_24 NETWORK_OBJ_172.31.2.0_24 no-proxy-arp route-lookup

!

object network obj-192.168.1.13

nat (inside,outside) static 99.99.99.133 service tcp smtp smtp

object network obj-192.168.1.13-01

nat (inside,outside) static 99.99.99.133 service tcp www www

object network obj-192.168.1.13-02

nat (inside,outside) static 99.99.99.133 service tcp https https

object network obj-172.30.1.70

nat (inside,outside) static 99.99.99.141 service tcp www www

object network obj-192.168.106.144

nat (inside,outside) static 99.99.99.144 service tcp www www

object network obj-192.168.106.144-01

nat (inside,outside) static 99.99.99.144 service tcp https https

object network obj-192.168.106.144-02

nat (inside,outside) static 99.99.99.144 service tcp 8129 8129

object network obj-192.168.10.2

nat (inside,outside) static 99.99.99.132 service tcp telnet telnet

object network obj-172.30.1.50

nat (inside,outside) static 99.99.99.134

object network obj-172.30.1.40

nat (inside,outside) static 99.99.99.139

object network obj-192.168.1.10

nat (inside,outside) static 99.99.99.137

object network obj-192.168.106.99

nat (inside,outside) static 99.99.99.140

object network obj-172.30.1.102

nat (inside,E-40) static 10.40.86.102

object network obj-172.30.1.31

nat (inside,E-40) static 10.40.86.31

object network obj-172.30.1.40-01

nat (inside,E-40) static 10.40.86.40

object network obj-172.30.1.50-01

nat (inside,E-40) static 10.40.86.50

object network obj-172.30.1.101

nat (inside,E-40) static 10.40.86.101

object network obj_any

nat (inside,outside) dynamic interface

object network obj_any-01

nat (inside,outside) dynamic obj-0.0.0.0

object network obj_any-03

nat (inside,E-40) dynamic obj-0.0.0.0

object network obj_any-04

nat (management,outside) dynamic obj-0.0.0.0

object network obj_any-05

nat (management,DMZ) dynamic obj-0.0.0.0

object network obj_any-06

nat (management,E-40) dynamic obj-0.0.0.0

object network obj-192.168.1.15

nat (inside,outside) static 99.99.99.138 service tcp ftp ftp

object network obj-192.168.1.15-01

nat (inside,outside) static 99.99.99.138 service tcp ftp-data ftp-data

object network obj_any-09

nat (DMZ,outside) dynamic obj-0.0.0.0

here's sh run route:

ciscoasa# sh run route

route outside 0.0.0.0 0.0.0.0 38.103.153.129 1

route E-40 10.4.86.0 255.255.255.0 10.40.86.249 1

route E-40 10.70.86.0 255.255.255.0 10.40.86.249 1

route E-40 10.96.86.0 255.255.255.0 10.40.86.249 1

route inside 172.20.20.0 255.255.255.0 192.168.10.2 1

route inside 172.30.1.0 255.255.255.0 192.168.10.2 1

route inside 192.168.1.0 255.255.255.0 192.168.10.2 1

route inside 192.168.2.0 255.255.255.0 192.168.10.2 1

route inside 192.168.3.0 255.255.255.0 192.168.10.2 1

route inside 192.168.6.0 255.255.255.0 192.168.10.2 1

route inside 192.168.99.0 255.255.255.0 192.168.10.2 255

route inside 192.168.101.0 255.255.255.0 192.168.10.2 1

route inside 192.168.102.0 255.255.255.0 192.168.10.2 1

route inside 192.168.103.0 255.255.255.0 192.168.10.2 1

route inside 192.168.106.0 255.255.255.0 192.168.10.2 1

route inside 192.168.201.0 255.255.255.0 192.168.10.2 1

route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled

here's sh cap capout:

1988: 14:11:01.895659 38.103.153.130 > 8.8.8.8: icmp: echo request

1989: 14:11:01.921567 8.8.8.8.53 > 38.103.153.130.23510:  udp 183

1990: 14:11:01.922117 38.103.153.130.29404 > 8.8.8.8.53:  udp 46

1991: 14:11:01.922971 8.8.8.8.53 > 38.103.153.130.42987:  udp 183

1992: 14:11:01.923551 38.103.153.130.4473 > 8.8.8.8.53:  udp 46

1993: 14:11:01.932141 8.8.8.8 > 38.103.153.130: icmp: echo reply

1994: 14:11:01.952129 8.8.8.8.53 > 38.103.153.130.29404:  udp 157

1995: 14:11:01.963084 38.103.153.130.8335 > 8.8.8.8.53:  udp 46

1996: 14:11:01.963634 8.8.8.8.53 > 38.103.153.130.4473:  udp 157

1997: 14:11:01.965236 38.103.153.130.58306 > 8.8.8.8.53:  udp 46

1998: 14:11:01.966334 38.103.153.130.48999 > 8.8.8.8.53:  udp 46

1999: 14:11:01.992578 8.8.8.8.53 > 38.103.153.130.8335:  udp 183

2000: 14:11:01.993463 38.103.153.130.64168 > 8.8.8.8.53:  udp 46

2001: 14:11:01.995615 8.8.8.8.53 > 38.103.153.130.58306:  udp 183

2002: 14:11:01.995981 8.8.8.8.53 > 38.103.153.130.48999:  udp 183

2003: 14:11:01.996271 38.103.153.130.26453 > 8.8.8.8.53:  udp 46

2004: 14:11:01.996576 38.103.153.130.45822 > 8.8.8.8.53:  udp 46

2005: 14:11:02.026777 8.8.8.8.53 > 38.103.153.130.26453:  udp 157

2006: 14:11:02.035978 8.8.8.8.53 > 38.103.153.130.64168:  udp 157

2007: 14:11:02.044370 8.8.8.8.53 > 38.103.153.130.45822:  udp 157

2008: 14:11:02.443595 38.103.153.130.2912 > 8.8.8.8.53:  udp 59

2009: 14:11:02.505634 8.8.8.8.53 > 38.103.153.130.2912:  udp 123

2010: 14:11:02.517536 38.103.153.130.5549 > 8.8.8.8.53:  udp 57

2011: 14:11:02.546923 8.8.8.8.53 > 38.103.153.130.5549:  udp 104

2012: 14:11:02.548372 38.103.153.130.23158 > 8.8.8.8.53:  udp 65

2013: 14:11:02.612334 8.8.8.8.53 > 38.103.153.130.23158:  udp 65

2014: 14:11:02.624143 38.103.153.130.38857 > 8.8.8.8.53:  udp 57

2015: 14:11:02.761099 8.8.8.8.53 > 38.103.153.130.38857:  udp 110

2016: 14:11:02.762518 38.103.153.130.5218 > 8.8.8.8.53:  udp 59

2017: 14:11:02.844911 8.8.8.8.53 > 38.103.153.130.5218:  udp 108

2018: 14:11:02.846910 38.103.153.130.16398 > 8.8.8.8.53:  udp 80

2019: 14:11:02.899321 8.8.8.8.53 > 38.103.153.130.16398:  udp 143

2020: 14:11:03.353405 38.103.153.130.22221 > 8.8.8.8.53:  udp 44

2021: 14:11:03.392191 8.8.8.8.53 > 38.103.153.130.22221:  udp 77

2022: 14:11:03.393656 38.103.153.130.43410 > 8.8.8.8.53:  udp 44

2023: 14:11:03.429985 8.8.8.8.53 > 38.103.153.130.43410:  udp 60

2024: 14:11:05.213291 38.103.153.130.16398 > 8.8.8.8.53:  udp 79

2025: 14:11:05.257310 8.8.8.8.53 > 38.103.153.130.16398:  udp 95

2026: 14:11:06.903212 38.103.153.130 > 8.8.8.8: icmp: echo request

2027: 14:11:06.932126 8.8.8.8 > 38.103.153.130: icmp: echo reply

here's sh cap capdmz:

ciscoasa# sh cap capdmz                              

8 packets captured

   1: 14:06:02.022352 802.3 encap packet

   2: 14:06:03.163001 802.3 encap packet

   3: 14:06:03.163077 802.3 encap packet

   4: 14:06:04.027143 802.3 encap packet

   5: 14:06:06.032133 802.3 encap packet

   6: 14:06:08.038755 802.3 encap packet

   7: 14:06:10.042127 802.3 encap packet

   8: 14:06:12.046719 802.3 encap packet

8 packets shown
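As an added example, not part of the post: the two captures above can be compared mechanically rather than by eye. The code parses show capture output, counts the echo request and reply on each side, and refuses to conclude "dropped in the ASA" unless both captures cover the same time window; in the posted output the DMZ capture is stamped 14:06 while the outside one is stamped 14:11, and the DMZ capture holds only non-IP frames, so on this evidence it reports inconclusive. CAPOUT and CAPDMZ are trimmed, constructed copies of the posted lines; 172.10.1.150 as the real DMZ host and 38.103.153.130 as the PAT address are taken from the thread.

```python
"""Added example for correlating the two 'show capture' outputs posted above
(not code from the post or from Cisco).  CAPOUT and CAPDMZ are constructed,
trimmed copies of the posted capture lines."""
import re

CAPOUT = """\
1988: 14:11:01.895659 38.103.153.130 > 8.8.8.8: icmp: echo request
1989: 14:11:01.921567 8.8.8.8.53 > 38.103.153.130.23510:  udp 183
1993: 14:11:01.932141 8.8.8.8 > 38.103.153.130: icmp: echo reply
2026: 14:11:06.903212 38.103.153.130 > 8.8.8.8: icmp: echo request
2027: 14:11:06.932126 8.8.8.8 > 38.103.153.130: icmp: echo reply
"""
CAPDMZ = """\
8 packets captured
   1: 14:06:02.022352 802.3 encap packet
   8: 14:06:12.046719 802.3 encap packet
8 packets shown
"""
LINE = re.compile(r"^\s*(\d+): (\d\d:\d\d:\d\d\.\d+) (.*)$")   # "N: HH:MM:SS.us rest"
IPHDR = re.compile(r"^(\S+) > (\S+): (.*)$")                   # "src > dst: info"


def split_addr(a):
    """'8.8.8.8.53' -> ('8.8.8.8', 53); a bare address gets port None."""
    parts = a.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (a, None)


def parse_capture(text):
    """Parse 'show capture' lines into dicts; non-IP frames keep only a timestamp."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # header/footer such as '8 packets shown'
        n, ts, rest = m.groups()
        ip = IPHDR.match(rest)
        if ip:
            src, dst, info = ip.groups()
            (sip, sport), (dip, dport) = split_addr(src), split_addr(dst)
        else:                             # e.g. '802.3 encap packet'
            sip = sport = dip = dport = None
            info = rest
        pkts.append({"n": int(n), "ts": ts, "src": sip, "sport": sport,
                     "dst": dip, "dport": dport, "info": info.strip()})
    return pkts


def window(pkts):
    """(first, last) timestamp strings; same-format strings compare correctly."""
    ts = [p["ts"] for p in pkts]
    return (min(ts), max(ts)) if ts else (None, None)


def icmp_echo_summary(cap_outside, cap_dmz, mapped_ip, real_ip, target):
    """Count echo request/reply on each side and say what the captures prove."""
    out, dmz = parse_capture(cap_outside), parse_capture(cap_dmz)

    def hits(pkts, src, dst, kind):
        return sum(1 for p in pkts if p["src"] == src and p["dst"] == dst and kind in p["info"])

    s = {"requests_outside": hits(out, mapped_ip, target, "echo request"),
         "replies_outside": hits(out, target, mapped_ip, "echo reply"),
         "replies_dmz": hits(dmz, target, real_ip, "echo reply"),
         "window_outside": window(out), "window_dmz": window(dmz)}
    (o1, o2), (d1, d2) = s["window_outside"], s["window_dmz"]
    s["windows_overlap"] = None not in (o1, d1) and max(o1, d1) <= min(o2, d2)
    if s["replies_outside"] and not s["replies_dmz"]:
        # The reply reached outside; only if both captures cover the same moment and
        # nothing egressed on DMZ can we say the ASA itself dropped it.
        s["verdict"] = "dropped in ASA" if s["windows_overlap"] else "inconclusive"
    else:
        s["verdict"] = "reply forwarded to DMZ" if s["replies_dmz"] else "no reply seen"
    return s
```

Run both captures over the same ping (start them, ping once, then show both) before reading anything into the DMZ side; a capture taken at a different time, or one whose filter only collected non-IP frames, cannot show whether the echo reply ever left the DMZ interface.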

Rick Rowe
Level 1

If you're still getting the same error message:

"Routing failed to locate next hop for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1"

Try route DMZ xxxx xxxx xxxx 2, with "2" as the metric, if routing failed.

Usually you get an error for a route if you already had a route with a "1" listed.
