Access server within the DMZ using its public IP/hostname

rodito
Level 1

Hello,

I have implemented ASA 5516-x with inside, dmz, outside network.

Inside can connect to dmz (both local hostname and public IP/hostname)

outside can connect to dmz (public IP/hostname)

Any dmz server that tries to connect to the Public Server (Public IP) times out.

For example:

We have a SharePoint server and an OWA server in the DMZ

I try to connect to https://owa.publichost.ca from the SharePoint server and it times out

I try to connect to SharePoint https://sharepoint.publichost.ca from within the server and it times out

This is what shows on the packet-tracer. Maybe I'm just missing a simple NAT entry here.

acdfw01/pri/act# packet-tracer input dmz tcp 172.16.1.59 https 204.x.x.59 $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 204.x.x.59 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in_2 in interface DMZ
access-list DMZ_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any any
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object tcp destination eq https
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad8a9b910, priority=13, domain=permit, deny=false
hits=6333303, user_data=0x2aaacdb91b40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 172.16.1.59
nat (DMZ,outside) static 204.x.x.59
Additional Information:
Static translate 172.16.1.59/443 to 204.x.x.59/443
Forward Flow based lookup yields rule:
in id=0x2aaada9c3c50, priority=6, domain=nat, deny=false
hits=66691, user_data=0x2aaad94fa9f0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.1.59, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=DMZ, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad743f9a0, priority=0, domain=nat-per-session, deny=false
hits=27614153, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad7fe9290, priority=0, domain=inspect-ip-options, deny=true
hits=15977519, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr-class
match any
policy-map global_policy
class sfr-class
sfr fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad8cdb490, priority=71, domain=sfr, deny=false
hits=12165863, user_data=0x2aaad8cd8af0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad8217180, priority=20, domain=lu, deny=false
hits=7703373, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=DMZ, output_ifc=any

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

acdfw01/pri/act#

Thanks
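The packet-tracer above shows the DMZ-to-public-IP flow being routed out the outside interface with its source translated to 204.x.x.59, i.e. to the same address as the destination, and then failing the slowpath security check. The standard ASA answer for a host that needs to reach its own (or a neighbour's) public address through the firewall is a hairpin twice-NAT rule on the DMZ interface. The configuration below is an added example, not the original poster's configuration or Cisco's; it assumes the DMZ subnet is 172.16.1.0/24 (not stated in the thread), keeps 204.x.x.59 masked exactly as the post does, and uses illustrative object names (OWA-REAL, OWA-PUBLIC, DMZ-NET). Apply the same pattern once per published server.

```cisco
! Added example (not from the original post). Assumes the DMZ subnet is
! 172.16.1.0/24 and that 204.x.x.59 stands for the real public address
! (masked as in the thread). Object names are illustrative.

! 1. Allow a flow to enter and leave the same interface (required for hairpinning).
same-security-traffic permit intra-interface

! 2. Objects for the OWA server: its real DMZ address and its public address,
!    plus the DMZ subnet used as the source of hairpinned connections.
object network OWA-REAL
 host 172.16.1.59
object network OWA-PUBLIC
 host 204.x.x.59
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0

! 3. Hairpin (twice) NAT: a DMZ host that connects to the public address is
!    redirected to the real server. The source is PAT'd to the DMZ interface IP
!    so the server's replies return through the ASA instead of going directly
!    to the other DMZ host (which would leave the ASA with half a connection).
nat (DMZ,DMZ) source dynamic DMZ-NET interface destination static OWA-PUBLIC OWA-REAL

! 4. The existing object NAT for users on the outside stays unchanged.
object network 172.16.1.59
 nat (DMZ,outside) static 204.x.x.59

! 5. Verify with an ephemeral source port, as a real client would use.
!    The NAT phase should now report the (DMZ,DMZ) rule and the result should
!    be ALLOW with output-interface DMZ.
packet-tracer input DMZ tcp 172.16.1.59 12345 204.x.x.59 443
```

Twice NAT rules sit in NAT section 1 and are evaluated before object NAT (section 2), so the (DMZ,DMZ) rule is matched before the existing (DMZ,outside) static translation for DMZ-sourced traffic to the public address. The DMZ access-list already permits tcp/https to any destination, so no ACL change is implied by the packet-tracer output; after the change, `show nat detail` and `show conn` for 172.16.1.59 confirm that the hairpinned connection is built on the DMZ interface in both directions.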


MANI .P
Level 1

Hi,

Can you share

#cap test type asp-drop all

That captures tons of traffic, wow. Here's just a snippet of where I tried to connect to the OWA from within itself in the DMZ.

Note: 172.16.1.59.443 > 204.x.x.59.443

106: 23:34:55.505619 172.16.1.59.443 > 204.x.x.59.443: S 174851317:174851317(0) win 8192

82: 23:34:53.615217 001e.c992.c718 0180.c200.000e 0x88cc Length: 60

0207 0400 1ec9 92c6 ed04 0405 6734 3306
0200 7800 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 Drop-reason: (l2_acl) FP L2 rule drop
83: 23:34:53.671535 802.1Q vlan#20 P0 172.21.1.238.137 > 172.21.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
84: 23:34:53.720498 802.1Q vlan#20 P0 172.21.1.59.137 > 172.21.1.255.137: udp 50
85: 23:34:53.847383 802.1Q vlan#10 P7 802.3 encap packet
86: 23:34:53.919462 802.1Q vlan#40 P0 192.168.11.36.137 > 192.168.11.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
87: 23:34:54.027540 802.1Q vlan#40 P0 192.168.11.36.138 > 192.168.11.255.138: udp 233 Drop-reason: (sp-security-failed) Slowpath security checks failed
88: 23:34:54.218021 802.1Q vlan#20 P0 172.21.1.35.137 > 172.21.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
89: 23:34:54.242129 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
90: 23:34:54.294876 802.1Q vlan#20 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
91: 23:34:54.352398 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
92: 23:34:54.421959 802.1Q vlan#20 P0 172.21.1.238.54449 > 224.0.0.252.5355: udp 33 Drop-reason: (acl-drop) Flow is denied by configured rule
93: 23:34:54.454337 10.10.135.116.51705 > 255.255.255.255.1947: udp 40 Drop-reason: (acl-drop) Flow is denied by configured rule
94: 23:34:54.504078 802.1Q vlan#40 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
95: 23:34:54.555848 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
96: 23:34:54.863282 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
97: 23:34:54.864075 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
98: 23:34:55.039808 10.10.210.170.54982 > 178.172.218.2.53: udp 35 Drop-reason: (acl-drop) Flow is denied by configured rule
99: 23:34:55.186574 10.10.135.30.137 > 10.10.135.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
100: 23:34:55.274003 172.16.1.195.80 > 54.241.32.68.51792: . 3781897620:3781898988(1368) ack 1229956461 win 256 <nop,nop,timestamp 87242999 213157405>
101: 23:34:55.274064 172.16.1.195.80 > 54.241.32.68.51792: . 3781898988:3781900356(1368) ack 1229956461 win 256 <nop,nop,timestamp 87242999 213157405> Drop-reason: (tcp-not-syn) First TCP packet not SYN
102: 23:34:55.274094 172.16.1.195.80 > 54.241.32.68.51792: . 3781900356:3781901724(1368) ack 1229956461 win 256 <nop,nop,timestamp 87242999 213157405> Drop-reason: (tcp-not-syn) First TCP packet not SYN
103: 23:34:55.274125 172.16.1.195.80 > 54.241.32.68.51792: . 3781901724:3781903092(1368) ack 1229956461 win 256 <nop,nop,timestamp 87242999 213157405> Drop-reason: (tcp-not-syn) First TCP packet not SYN
104: 23:34:55.308654 802.1Q vlan#30 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
105: 23:34:55.356457 802.1Q vlan#20 P0 172.21.1.61.60269 > 172.21.1.1.53: udp 43 Drop-reason: (acl-drop) Flow is denied by configured rule
106: 23:34:55.505619 172.16.1.59.443 > 204.x.x.59.443: S 174851317:174851317(0) win 8192
107: 23:34:55.846880 802.1Q vlan#10 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
108: 23:34:55.936169 10.10.135.30.137 > 10.10.135.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
109: 23:34:56.039655 10.10.210.170.54982 > 178.172.218.1.53: udp 35 Drop-reason: (acl-drop) Flow is denied by configured rule
110: 23:34:56.194890 58.35.198.47.52220 > 204.x.x.41.13000: FP 1386110995:1386111185(190) ack 3201601570 win 32768 Drop-reason: (tcp-not-syn) First TCP packet not SYN
111: 23:34:56.219593 10.10.210.170.54847 > 40.122.162.208.443: S 2195485422:2195485422(0) win 8192 <mss 1327,nop,wscale 8,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is denied by configured rule
112: 23:34:56.245089 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
113: 23:34:56.304030 802.1Q vlan#20 P7 802.3 encap packet
114: 23:34:56.355068 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
115: 23:34:56.504063 802.1Q vlan#40 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
116: 23:34:56.555223 802.3 encap packet
117: 23:34:56.686274 10.10.135.30.137 > 10.10.135.255.137: udp 50
118: 23:34:56.740714 802.1Q vlan#20 P0 172.21.1.60.137 > 172.21.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
119: 23:34:56.749259 802.1Q vlan#20 P0 172.21.1.60.138 > 172.21.1.255.138: udp 174 Drop-reason: (sp-security-failed) Slowpath security checks failed
120: 23:34:56.749762 802.1Q vlan#20 P0 172.21.1.60.137 > 172.21.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
121: 23:34:56.750678 802.1Q vlan#20 P0 172.21.1.9.137 > 172.21.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
122: 23:34:56.887161 802.1Q vlan#20 P0 172.21.1.107.137 > 172.21.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
123: 23:34:57.039869 10.10.210.170.54982 > 8.8.8.8.53: udp 35 Drop-reason: (acl-drop) Flow is denied by configured rule
124: 23:34:57.308196 802.1Q vlan#30 P7 802.3 encap packet
125: 23:34:57.498951 802.1Q vlan#20 P0 172.21.1.60.137 > 172.21.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
126: 23:34:57.650204 802.1Q vlan#20 P0 172.21.1.107.137 > 172.21.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
127: 23:34:57.849763 802.1Q vlan#10 P7 802.3 encap packet
128: 23:34:58.082500 10.10.210.170.54848 > 162.220.223.28.5938: S 504477158:504477158(0) win 8192 <mss 1327,nop,wscale 8,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is denied by configured rule
129: 23:34:58.103662 62.194.78.119.58145 > 204.x.x.6.4500: udp 1
130: 23:34:58.244585 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
