Cisco ASA 5506 DMZ setup

Hello,

I am trying to set up a DMZ for an ASA 5506. At the moment we have 3 interfaces active on the ASA, which are:

gi1/1 outside

gi1/2 inside

gi1/3 Voice

Voice has an internal ip with a pat on the outside interface with a public ip address from our range.

Now I want to setup the DMZ on gi1/4 also with a pat on the outside interface with a public ip address.

I have set up the interface with an internal IP address and connected a test PC on that interface with an IP address in the same range and the gi1/4 interface on the ASA as gateway. That should at least give me internet access, but that is not the case. I have followed a lot of configuration examples on the internet via Google, but all have failed to give me even internet access.

Hope you guys can help me out.

Accepted Solution

Ok, let us know if you are able to perform a reload of the ASA. I have seen similar issues where traffic isn't passing, clear conn did nothing, but reload solved the issue.


38 Replies

balaji.bandi
Hall of Fame

These 2 example threads may help you here:

https://community.cisco.com/t5/firewalls/asa-nat-for-dmz-public-ip/m-p/3875511

https://community.cisco.com/t5/firewalls/cisco-asa-5505-dmz-setup/m-p/2202705

If you still have the issue, we would like to see your configuration to assist better.

 

BB


I totally agree with expert BB.
I would like to know a few things.
Have you configured the interface with the necessary nameif and security level?
Have you configured a NAT rule to allow DMZ internet access?
Have you configured PAT to allow server access from outside?

HTH

Thanks for the links BB, I did follow those links but still not working.

I included our config in this post.

The configuration looks good to allow internet for the DMZ host. A few points:

  • Please double check your DMZ host configuration (IP, subnet, default gateway, DNS).
  • Run packet-tracer to see if the ASA is dropping the packet, and for what reason (ref: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html).
  • packet-tracer input Dmz tcp 192.168.17.10 80 8.8.8.8 80 detailed (you can run it from ASDM).
  • If packet-tracer is fine, check that the request from the DMZ host is reaching the ASA by looking at the logging (ASDM Monitor Live Logs).
  • If you see requests coming in and the ASA allowing the traffic, also look for the return traffic hitting the ASA.
  • Try the NAT rule for the DMZ on the OUTSIDE interface rather than a particular IP. This is just to test, as sometimes ARP can cause an issue (ARP for your DMZ mapped IP 188.202.95.227).

Please revert with the output of the above, which will help us visualise it better.

HTH

Hello bhargavdesia,

Here is the output for your questions:

- DMZ host configuration is:
   IP: 192.168.17.1 255.255.255.0
   GW: 192.168.17.254 (interface Gi1/4 on the ASA)
   DNS: 8.8.8.8

- output from ASA packet-tracer:

fw01# packet-tracer input Dmz tcp 192.168.17.10 80 8.8.8.8 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 188.202.95.225 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-dmz in interface Dmz
access-list ACL-dmz extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac36d7220, priority=13, domain=permit, deny=false
hits=0, user_data=0x2aaabb803580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Dmz,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.17.10/80 to 188.202.95.230/80
Forward Flow based lookup yields rule:
in id=0x2aaac36d9e60, priority=6, domain=nat, deny=false
hits=0, user_data=0x2aaac34df320, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1c94360, priority=0, domain=nat-per-session, deny=false
hits=63322227, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac31ba780, priority=0, domain=inspect-ip-options, deny=true
hits=590, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=any

Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map global-traffic-shaping-class
description *** Default KPN traffic-shaping policy (90% of the capacity)
match any
policy-map global_policy
class global-traffic-shaping-class
police input 28311500 15728
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac36d3090, priority=70, domain=qos-per-class, deny=false
hits=591, user_data=0x2aaac36d2be0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Dmz,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac33cf0e0, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x2aaac18a38d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=outside

Phase: 8
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map global-traffic-shaping-class
description *** Default KPN traffic-shaping policy (90% of the capacity)
match any
policy-map global_policy
class global-traffic-shaping-class
police input 28311500 15728
service-policy global_policy global
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac3413be0, priority=70, domain=qos-per-class, deny=false
hits=52095847, user_data=0x2aaac33d0560, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac1c94360, priority=0, domain=nat-per-session, deny=false
hits=63322229, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac2676330, priority=0, domain=inspect-ip-options, deny=true
hits=40789894, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 43812321, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

- Request from host is not reaching the ASA, link is up and the DMZ host is directly connected to the ASA on interface 1/4, also checked all cables and these are fine.

This means that we have an issue at layer 1 or 2.
Packet-tracer shows the packet is allowed, so internet will be available once we solve the issue at the lower layers.
Can you check that the ASA can ping the host and the host can ping the ASA?
You can check the ARP entry as well.
Sometimes the ARP cache can also be a problem.
See if proxy ARP is not creating the problem.

I would say you should get reachability to the ASA first and then think about issues with the ASA NAT and ACL configuration.

Can you look at all this and confirm?
HTH

Host cannot ping the ASA and the ASA cannot ping the host. In the ARP table there is no entry for the host. Checked the cables and the host with a connection on an L2 switch and that is working: the host could ping the switch and the switch could ping the host. Proxy ARP is enabled on the interface, but after setting it to no proxy-arp it still did not show up in the ARP table and the host still could not ping the ASA. I am a little stumped at this. Normally, putting a device directly on an interface, it shows up in the ARP table of the ASA. The routing table on the ASA is showing the interface as a connected route.

Are the other interfaces (voice) and (INTERNAL) linked to this same switch?

Can a host on those ^^ networks ping the ASA interface?

Is there a Default-gateway set on the switch?

 

No, the inside is on an L3 switch and has its GW on vlan1, which is 192.168.16.200; that switch has a default route to its interface on the ASA, which is 192.168.16.254. The voice network is connected on an unmanaged 1 GB switch and all devices have their GW on the ASA, which is 192.168.15.254. On the L3 switch I can ping the interface on the ASA for the inside network. The voice network has only VoIP devices which connect to the cloud phone solution, and they are all working normally. For the DMZ I was planning to connect the inside switch with a separate VLAN, but from that VLAN I cannot ping the ASA interface which is on 192.168.17.254, so for troubleshooting I put the server straight on the ASA interface and had the server GW point to 192.168.17.254, but that is not working either.

OK, set up a constant ping to the ASA from the host.

On the ASA run debug icmp trace 7 and see if you see the host listed.

Also check the following:

sho logging asdm

show conn address <host IP>

See if any of this can help you pinpoint it.

Host is not coming up on debug icmp trace 7. Also in the logging it is not showing up. show conn address 192.168.17.1 gives no response. Seems like there is no network connection at all.

I'm no expert, but I do have several ASAs in production, and looking at your config it looks to me like your NAT statement is incomplete.

You're missing

object network DMZ
 subnet 192.168.17.0 255.255.255.0
 nat (dmz,outside) dynamic interface

or wherever you're trying to PAT the DMZ traffic to.

Hope that helps.
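As an added example (not the poster's configuration and not taken from this thread), here is a complete ASA 9.x DMZ configuration in the object NAT form suggested above that also covers the three items asked earlier in the thread: nameif and security-level, outbound NAT, and inbound PAT for server access. Addresses are the ones quoted in the thread; the /24 masks for the inside and Voice segments, the ACL-outside name and the object names are assumptions, and ACL-outside assumes no ACL is already applied to the outside interface (if one is, add the permit line to it instead).

```cisco
! Added example, not the poster's configuration or Cisco reference text.
! ASA 9.x object NAT for a DMZ on Gi1/4 using the addresses quoted in this thread
! (192.168.17.0/24 behind Dmz, 188.202.95.227 as the public mapped IP).
! Object names, ACL-outside and the inside/Voice masks are assumptions.
interface GigabitEthernet1/4
 nameif Dmz
 security-level 50
 ip address 192.168.17.254 255.255.255.0
 no shutdown
!
! Outbound PAT for the whole DMZ subnet to the dedicated public IP. Remove any
! twice-NAT line such as "nat (Dmz,outside) source dynamic any interface":
! section 1 (twice NAT) is evaluated before section 2 (object NAT) and would win.
object network DMZ-SUBNET
 subnet 192.168.17.0 255.255.255.0
 nat (Dmz,outside) dynamic 188.202.95.227
!
! Inbound: publish only TCP/443 of one host (static PAT), not the whole host.
! The ASA must answer ARP on outside for 188.202.95.227, so do not add the
! no-proxy-arp keyword to this rule or the mapped IP becomes unreachable.
object network DMZ-WEB
 host 192.168.17.1
 nat (Dmz,outside) static 188.202.95.227 service tcp 443 443
!
! DMZ egress policy: Internet only. Explicitly deny the inside (192.168.16.0/24)
! and Voice (192.168.15.0/24) segments so a compromised DMZ host cannot pivot.
object-group network INTERNAL-NETS
 network-object 192.168.16.0 255.255.255.0
 network-object 192.168.15.0 255.255.255.0
access-list ACL-dmz extended deny ip 192.168.17.0 255.255.255.0 object-group INTERNAL-NETS
access-list ACL-dmz extended permit ip 192.168.17.0 255.255.255.0 any
access-group ACL-dmz in interface Dmz
!
! Outside-in: post-8.3 ACLs reference the real (untranslated) address, so the
! rule points at the object, not the public IP. Everything else is implicitly denied.
access-list ACL-outside extended permit tcp any object DMZ-WEB eq 443
access-group ACL-outside in interface outside
!
! Verify both directions from the CLI before touching cables:
! packet-tracer input Dmz tcp 192.168.17.1 40000 8.8.8.8 443 detailed
! packet-tracer input outside tcp 203.0.113.5 40000 188.202.95.227 443 detailed
! show nat detail
! show arp | include 192.168.17
```

If packet-tracer allows the flow in both directions but show arp still has no entry for the host, the problem is below NAT and ACLs, which matches where this thread ended up.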

Cleaned up the config a bit and have made some changes.

Network Keith
Level 1

I may have overlooked it, but I did not see an access-group for DMZ, can you confirm? 
