1362 Views · 0 Helpful · 4 Replies

Cisco ASA DMZ hosts not able to connect to Internet

Paulo Colomes (Level 1)

Hi everyone,
I have a problem I haven't been able to solve:

We run an ASA with a DMZ, inside and outside interface (a very common scenario) with security levels set by default. I can access the webserver running on the DMZ from the outside with no problems, but when I try to connect to the Internet from the webserver on the DMZ, it doesn't work.

Here's the diagram:

   INTERNET
         |
         |
     (ASA) -------DMZ 172.16.0.0/24--------- WEBSERVER (172.16.0.63)
         |
         |     
   INSIDE
   
I own another Cisco router connected directly to the Internet with its own public IP address, running at a different site, and when I ping this router from the webserver it works, but the source IP address is the DMZ address (172.16.0.63) instead of the translated IP.

Here's the config from the ASA:

interface GigabitEthernet0/0
 description ****INTERNET****
 nameif outside
 security-level 0
 ip address 200.xxx.xxx.218 255.255.255.248
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/4
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
 port-channel load-balance src-dst-ip-port
 nameif inside
 security-level 100
 ip address 10.199.0.129 255.255.255.248
!
boot system disk0:/asa916-4-smp-k8.bin
ftp mode passive
clock timezone ART -3
dns domain-lookup management
dns domain-lookup DMZ
dns server-group DefaultDNS
 domain-name marinadelsol.local
object network DMZ-SUBNET
 subnet 172.16.0.0 255.255.255.0
object network WEBSERVER
 host 172.16.0.63
object network IP_PUB_MAILSERVER
 host 200.xxx.xxx.221
object service TCP-HTTP
 service tcp source eq www
object service TCP-SMTP
 service tcp source eq smtp
object service TCP-HTTPS
 service tcp source eq https
object network IP_PUB_WEBSERVER
 host 200.111.169.219
object service TCP_80
 service tcp source eq www
object service TCP_443
 service tcp source eq https
object service TCP_SSH
 service tcp source eq ssh
object service TCP_DNS
 service tcp source eq domain
object service UDP_DNS
 service udp source eq domain
object service TCP_995
 service tcp source eq 995
object service TCP_587
 service tcp source eq 587
object service TCP_8080
 service tcp source eq 8080
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq domain
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq ssh
 port-object eq https
object-group service DM_INLINE_TCP_6 tcp
 port-object eq www
 port-object eq https
 port-object eq 8080
object-group service DM_INLINE_TCP_7 tcp
 port-object eq 3306
 port-object eq 81
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq ssh
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object tcp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq smtp
 service-object tcp destination eq ssh
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 host 172.16.0.63 any log
access-list DMZ_access_in extended permit udp host 172.16.0.63 any eq domain log
access-list DMZ_access_in extended permit icmp host 172.16.0.53 any log
access-list DMZ_access_in extended permit icmp host 172.16.0.63 any log
access-list DMZ_access_in extended permit tcp host 172.16.0.63 host 10.200.5.35 eq 1433
access-list DMZ_access_in extended permit tcp host 172.16.0.63 host 10.200.5.42 eq ssh
access-list DMZ_access_in extended permit tcp host 172.16.0.53 host 10.200.5.35 eq 1433
access-list DMZ_access_in extended permit tcp host 172.16.0.63 host 10.200.5.34 object-group DM_INLINE_TCP_7
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.0.63 10.200.7.0 255.255.255.0
access-list DMZ_access_in extended permit tcp host 172.16.0.12 any eq smtp log
access-list DMZ_access_in extended permit tcp host 172.16.0.63 eq www any
access-list DMZ_access_in extended permit tcp host 172.16.0.63 eq https any
access-list DMZ_access_in extended permit tcp host 172.16.0.63 any eq https
access-list DMZ_access_in extended permit tcp host 172.16.0.63 any eq www
access-list OUTSIDE-INBOUND extended permit tcp any interface outside eq www
access-list OUTSIDE-INBOUND extended permit tcp any interface outside eq ssh
access-list OUTSIDE-INBOUND extended permit udp any object WEBSERVER eq domain
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq domain
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq https
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq ssh
access-list OUTSIDE-INBOUND extended permit icmp any any
access-list OUTSIDE-INBOUND extended permit tcp any object MDSS022 eq 995
access-list OUTSIDE-INBOUND extended permit tcp any object MDSS022 eq 587
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq www
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq smtp log
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq www
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq https
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq 995
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq 587
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.8 eq 8080
access-list OUTSIDE-INBOUND extended permit tcp any object MDSS007 eq 8080
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (any,any) source static WEBSERVER IP_PUB_WEBSERVER
nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_80 TCP_80
nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_443 TCP_443
nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_SSH TCP_SSH
nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_DNS TCP_DNS
nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service UDP_DNS UDP_DNS
nat (inside,outside) source static MDSS022 IP_PUB_MAILSERVER service TCP-HTTP TCP-HTTP
nat (inside,outside) source static MDSS022 IP_PUB_MAILSERVER service TCP-HTTPS TCP-HTTPS
nat (inside,outside) source static MDSS007 IP_PUB_MDSS007 service TCP_8080 TCP_8080
!
object network DMZ-SUBNET
 nat (DMZ,outside) dynamic interface
object network ALL_VLANS
 nat (inside,outside) dynamic interface
access-group OUTSIDE-INBOUND in interface outside
access-group DMZ_access_in in interface DMZ
!
route outside 0.0.0.0 0.0.0.0 200.111.169.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp error
  inspect icmp
!
service-policy global_policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6e91d23f5a57864e4be311cecb5f0620
: end
FWL#


If I ping from the webserver to my external router, this is the output from the debug ip icmp command:

Router_EXT#debug ip icmp
ICMP packet debugging is on
Router_EXT#
*Aug 27 23:13:28.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:29.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:30.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:31.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:32.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:33.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:34.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63


The destination IP address for the ping packet is actually the local IP of the webserver inside the DMZ (172.16.0.63) and not the public IP address. That means the packets are being sent from the ASA to the Internet but not translated.

Here's the output of show nat:

FWL#show nat
Manual NAT Policies (Section 1)
1 (any) to (any) source static WEBSERVER IP_PUB_WEBSERVER
    translate_hits = 2643, untranslate_hits = 3293
2 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER   service TCP_80 TCP_80
    translate_hits = 1969933, untranslate_hits = 2816124
3 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER   service TCP_443 TCP_443
    translate_hits = 2119, untranslate_hits = 2628
4 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER   service TCP_SSH TCP_SSH
    translate_hits = 568075, untranslate_hits = 587410
5 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER   service TCP_DNS TCP_DNS
    translate_hits = 6023, untranslate_hits = 29786
6 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER   service UDP_DNS UDP_DNS
    translate_hits = 261774, untranslate_hits = 573300

Auto NAT Policies (Section 2)
10 (DMZ) to (outside) source dynamic DMZ-SUBNET interface
    translate_hits = 0, untranslate_hits = 0


NOTE: I have hidden some info related to the traffic between the inside and outside, which is OK.

 

Thank you very much!
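As an added illustration (my own script, not part of the original post and not a Cisco tool), the following Python model walks the ASA NAT table exactly as the `show nat` output above lists it: section 1 (manual NAT) in configured order, then section 2 (auto NAT), first match wins. The network objects come from the posted config. The outside interface address is masked in the post, so a dynamic `interface` translation is reported symbolically; the inside-to-outside rules are left out because their objects are not shown on the page; and auto-NAT tie-breaking between several section-2 rules (static before dynamic, longest prefix first) is not modelled, as only one such rule exists here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network objects from the posted config. The outside interface address is
# masked in the post (200.xxx.xxx.218), so a dynamic "interface" rule is
# reported symbolically rather than with a guessed address.
OBJECTS = {
    "WEBSERVER": ipaddress.ip_network("172.16.0.63/32"),
    "IP_PUB_WEBSERVER": ipaddress.ip_network("200.111.169.219/32"),
    "DMZ-SUBNET": ipaddress.ip_network("172.16.0.0/24"),
}


@dataclass
class NatRule:
    section: int            # 1 = manual (twice) NAT, 2 = auto (object) NAT
    number: int             # rule id as printed by "show nat"
    src_if: str             # "any" or an interface nameif
    dst_if: str
    real: str               # real source object
    mapped: str             # mapped source object, or "interface" for PAT
    proto: Optional[str] = None   # service restriction: protocol
    port: Optional[int] = None    # service restriction: real source port


# The DMZ-related rules exactly as "show nat" listed them in the post.
RULES = [
    NatRule(1, 1, "any", "any", "WEBSERVER", "IP_PUB_WEBSERVER"),
    NatRule(1, 2, "DMZ", "outside", "WEBSERVER", "IP_PUB_WEBSERVER", "tcp", 80),
    NatRule(1, 3, "DMZ", "outside", "WEBSERVER", "IP_PUB_WEBSERVER", "tcp", 443),
    NatRule(1, 4, "DMZ", "outside", "WEBSERVER", "IP_PUB_WEBSERVER", "tcp", 22),
    NatRule(1, 5, "DMZ", "outside", "WEBSERVER", "IP_PUB_WEBSERVER", "tcp", 53),
    NatRule(1, 6, "DMZ", "outside", "WEBSERVER", "IP_PUB_WEBSERVER", "udp", 53),
    NatRule(2, 10, "DMZ", "outside", "DMZ-SUBNET", "interface"),
]


@dataclass
class Flow:
    src_if: str
    dst_if: str
    src_ip: str
    proto: str
    src_port: Optional[int] = None


def _matches(rule: NatRule, flow: Flow) -> bool:
    if rule.src_if not in ("any", flow.src_if):
        return False
    if rule.dst_if not in ("any", flow.dst_if):
        return False
    if ipaddress.ip_address(flow.src_ip) not in OBJECTS[rule.real]:
        return False
    # A "service" clause on a manual rule pins the real source port.
    if rule.proto is not None and (rule.proto, rule.port) != (flow.proto, flow.src_port):
        return False
    return True


def first_match(flow: Flow) -> Optional[NatRule]:
    """First rule the ASA would use: section 1 in configured order, then section 2."""
    for rule in sorted(RULES, key=lambda r: (r.section, r.number)):
        if _matches(rule, flow):
            return rule
    return None


def translated_source(flow: Flow) -> str:
    """Source address the packet should carry on the egress interface."""
    rule = first_match(flow)
    if rule is None:
        return flow.src_ip                       # no rule: leaves untranslated
    if rule.mapped == "interface":
        return "<outside interface address>"
    return str(OBJECTS[rule.mapped].network_address)


def shadowed_rules():
    """Section-1 rules that can never be reached because an earlier rule covers them."""
    shadowed = []
    for rule in RULES:
        if rule.section != 1 or rule.proto is None:
            continue
        probe = Flow(rule.src_if, rule.dst_if,
                     str(OBJECTS[rule.real].network_address), rule.proto, rule.port)
        if first_match(probe) is not rule:
            shadowed.append(rule.number)
    return shadowed


if __name__ == "__main__":
    ping = Flow("DMZ", "outside", "172.16.0.63", "icmp")
    print("ping from webserver -> rule", first_match(ping).number,
          "src", translated_source(ping))
    print("rules shadowed by an earlier rule:", shadowed_rules())
```

Run as-is, the model reports that the webserver's ping is matched by rule 1 and should leave as 200.111.169.219, that any other DMZ host (172.16.0.53, say) falls through to rule 10 and is PATed to the interface address, and that rules 2 to 6 are unreachable in the translate direction because rule 1 already covers every flow from 172.16.0.63 (the hit counters on them are cumulative, so they say nothing about the current order). The NAT table on its own therefore does not explain an untranslated echo, which is consistent with the accepted answer finding the cause outside the NAT rules.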
 

Accepted Solution

Hello, try to change the following:

no service-policy global_policy interface outside
service-policy global_policy global

4 Replies

Traian Bratescu (Level 1)

Hi,

Try this command to see what's blocking the traffic:

packet-tracer input DMZ icmp 10.0.0.1 8 0 8.8.8.8

To see the actual packets you could try a packet capture:

access-list allowICMP extended permit icmp any any
capture temp interface outside access-list allowICMP

Traian

 

Hello, try to change the following:

no service-policy global_policy interface outside

service-policy global_policy global

Hi Boris. Thanks for that, it worked perfectly. Could you perhaps explain to me why that command worked?

Hello, 

As a matter of fact, I was not 100% confident that my advice would solve the problem so simply :)
That is because all your access-lists on the ASA were configured to permit ICMP traffic. But I know that "service-policy global_policy global" is the default configuration for ASAs, and "service-policy global_policy outside" looked a bit strange to me.
I believe that if you delete "service-policy global_policy global" from your configuration, ping will still be working, because ICMP is simply permitted in all ACLs.
But if you have "service-policy global_policy" applied only to the outside interface, it seems that the ASA is trying to create connections in the conn-table and xlate-table only when the reply packets (e.g. ICMP ECHO-REPLYs) come from the Internet to the outside interface. And it seems that, despite the permissions in the ACLs, this situation breaks some of the ASA's internal logic for creating fast-paths.
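To close the loop on the accepted answer, here is an added example (my own script, not from the thread or from Cisco) that lints a constructed excerpt of the posted config for the three things a reviewer would check first on a DMZ firewall: a `service-policy` bound to a single interface with no global binding (the condition this thread turned on), `permit ip`/`permit icmp any any` entries, and tcp/udp permits with no destination port. The ACE parser handles the address and port forms that occur in the posted ACLs (`any`, `host`, `object`, `object-group`, `interface`, network/mask, a source-port operator before the destination, a trailing service group); ACEs whose protocol field is an object-group are skipped rather than expanded. The finding codes and the `FIXED_CONFIG` constant are assumptions of this example.

```python
import re

# Constructed excerpt of the ASA config posted in this thread (sample input for
# the linter, not the whole config). The last line is the one the accepted
# answer changed.
SAMPLE_CONFIG = """\
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit udp host 172.16.0.63 any eq domain log
access-list DMZ_access_in extended permit tcp host 172.16.0.63 host 10.200.5.34 object-group DM_INLINE_TCP_7
access-list DMZ_access_in extended permit tcp host 172.16.0.63 eq www any
access-list OUTSIDE-INBOUND extended permit tcp any interface outside eq www
access-list OUTSIDE-INBOUND extended permit icmp any any
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER
access-group OUTSIDE-INBOUND in interface outside
access-group DMZ_access_in in interface DMZ
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy interface outside
"""

# The same excerpt with the accepted answer's change applied (assumed name).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "service-policy global_policy interface outside",
    "service-policy global_policy global",
)

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
SP_RE = re.compile(r"^service-policy (\S+) (?:(global)|interface (\S+))$")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> operand count


def _take_addr(tokens, i):
    """Consume one ASA address spec at tokens[i] and return the next index."""
    if tokens[i] == "any":
        return i + 1
    # "host A", "object X", "object-group X", "interface X" and "A.B.C.D M.M.M.M"
    # are all two tokens wide.
    return i + 2


def _take_port(tokens, i):
    """Consume an optional port operator (eq/neq/gt/lt/range) at tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + 1 + PORT_OPS[tokens[i]], True
    return i, False


def ace_has_dst_port(rest):
    """True if a tcp/udp ACE body (everything after the protocol) restricts the destination port."""
    tokens = rest.split()
    i = _take_addr(tokens, 0)        # source address
    i, _ = _take_port(tokens, i)     # optional source port (e.g. "eq www")
    i = _take_addr(tokens, i)        # destination address
    i, has_port = _take_port(tokens, i)
    if has_port:
        return True
    # A trailing object-group after both addresses is a service group.
    return i < len(tokens) and tokens[i] == "object-group"


def lint(config):
    """Return (code, detail) findings; codes are this example's own names."""
    findings = []
    applied_global = set()
    applied_on = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = SP_RE.match(line)
        if m:
            policy, is_global, iface = m.groups()
            if is_global:
                applied_global.add(policy)
            else:
                applied_on.setdefault(policy, []).append(iface)
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        if action != "permit":
            continue
        if proto in ("ip", "icmp") and rest.split()[:2] == ["any", "any"]:
            findings.append(("any-any", "%s: %s" % (acl, line)))
        elif proto in ("tcp", "udp") and not ace_has_dst_port(rest):
            findings.append(("no-dst-port", "%s: %s" % (acl, line)))
        # ACEs whose protocol is a protocol/service object-group are not expanded.
    # Inspection policy bound to one interface only: the condition behind this thread.
    for policy, ifaces in applied_on.items():
        if policy not in applied_global:
            findings.append(("policy-not-global",
                             "%s is applied only on %s" % (policy, ", ".join(ifaces))))
    return findings


def codes(config):
    """Finding codes in order, handy for diffing a config before and after a change."""
    return [code for code, _ in lint(config)]


if __name__ == "__main__":
    for code, detail in lint(SAMPLE_CONFIG):
        print(code, "-", detail)
```

On the sample it reports the two `permit icmp any any` entries, the two tcp permits with no destination port (`permit tcp host 172.16.0.63 eq www any` and `permit tcp any object WEBSERVER`), and `global_policy` bound only to `outside`; the same run over `FIXED_CONFIG` drops the last finding, which is the check that would have pointed at the accepted fix before anyone reached for packet-tracer.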
