4220 Views | 5 Helpful | 10 Replies

Allowing ping from outside to DMZ host of ASA

mahesh18 (Level 6)

Hi Everyone,

For learning purposes I need to allow ping to a host in the DMZ from a switch which is connected to the outside interface of the ASA.

The ASA has a direct connection to this switch.

I have tried this ACL, but ping to the DMZ host does not work.

access-list ACL extended permit icmp any host 192.168.69.4 echo

access-group ACL in interface outside

Thanks

Mahesh

10 Replies

Jouni Forss (VIP Alumni)

Hi Mahesh,

I guess you are talking about the same ASA5505 as yesterday? Can you share the current configuration?

I think you will probably require either a NAT0 or Static Identity NAT configuration for the DMZ if you want to ping hosts on the DMZ from the OUTSIDE.

Can you mention also what is the IP address of the device from which you try to ping the DMZ host?

What type of switch do you have in front of the ASA?

- Jouni

Hi Jouni,

The switch is a 3550 running OSPF.

Yes, the ASA is a 5505 in my home lab.

The switch interface connected to the ASA outside interface has the IP 192.168.11.1.

ciscoasa# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list facebook; 2 elements; name hash: 0x3b7b2306

access-list facebook line 1 extended deny tcp host 192.168.69.4 any eq www log informational interval 300 (hitcnt=28) 0x8d983222

access-list facebook line 2 extended permit tcp any any eq www log informational interval 300 (hitcnt=1641) 0x667cad07

access-list ACL; 1 elements; name hash: 0xdd71d952

access-list ACL line 1 extended permit icmp any host 192.168.69.4 echo (hitcnt=0) 0xa4ac9e3a

ciscoasa#

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 11

!

interface Ethernet0/1

switchport access vlan 12

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 12

!

interface Ethernet0/5

switchport access vlan 12

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.52.1 255.255.255.0

!

interface Vlan11

nameif outside

security-level 0

ip address 192.168.11.2 255.255.255.0

!

interface Vlan12

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 192.168.69.2 255.255.255.0

!

regex facebook "\.facebook\.com"

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MST recurring

access-list facebook extended deny tcp host 192.168.69.4 any eq www log

access-list facebook extended permit tcp any any eq www log

access-list ACL extended permit icmp any host 192.168.69.4 echo

pager lines 24

logging enable

logging timestamp

logging buffered debugging

logging asdm debugging

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (DMZ) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 192.168.69.0 255.255.255.0

access-group ACL in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.11.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

http 192.168.0.0 255.255.0.0 DMZ

http 192.168.0.0 255.255.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate cda15b51

  quit

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

ssh 192.168.0.0 255.255.0.0 outside

ssh 192.168.0.0 255.255.0.0 DMZ

ssh timeout 60

ssh version 2

console timeout 0

dhcpd dns 64.59.144.19

!

dhcpd address 192.168.52.5-192.168.52.15 inside

dhcpd enable inside

!

dhcpd address 192.168.69.3-192.168.69.20 DMZ

dhcpd enable DMZ

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.11.1

webvpn

username mintoo password AILiHuRWFGgkbsI5 encrypted privilege 15

!

class-map facebook

match access-list facebook

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map type inspect http test

parameters

match request header host regex facebook

  reset log

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect icmp error

class facebook

  inspect http test

class class-default

  set connection decrement-ttl

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:2583356a780418d5fb8a4cc9f7053826

: end

Here is the full config of the ASA.

Thanks

Mahesh

Hi,

You will probably need, for example, a NAT0 / NAT Exempt configuration on the DMZ interface for these networks:

access-list DMZ-NAT0 permit ip 192.168.69.0 255.255.255.0 192.168.11.0 255.255.255.0

nat (DMZ) 0 access-list DMZ-NAT0

This should make it so that the DMZ network can reach the OUTSIDE network with its original IP addresses. OUTSIDE should also be able to connect to DMZ.

- Jouni

Hi Jouni,

I configured the ASA with the above two commands, but I am still unable to ping 192.168.69.4 from the switch.

Do I need to do anything else on the ASA?

Thanks

Mahesh

Hi,

You said that the 3550 was running OSPF. So you are using it as a L3 switch.

Does the L3 Switch have a route for the network 192.168.69.0/24 pointing towards the ASA OUTSIDE IP address of 192.168.11.2?

- Jouni

Hi Jouni,

I added a static route on the 3550.

Here is the output:

3550SMIB(config)#ip route 192.168.69.0 255.255.255.0  192.168.11.2

3550SMIB(config)#end

3550SMIB#ping 192.168.69.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.69.4, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

It worked now.

Can you please explain to me what the ACL you told me to configure earlier did?

I did sh xlate on the ASA and it shows:

PAT Global 192.168.11.2(59578) Local 192.168.69.4(55245)

PAT Global 192.168.11.2(4161) Local 192.168.69.4(49848)

PAT Global 192.168.11.2(5316) Local 192.168.69.5(54904)

ciscoasa#

It seems the ACL you told me to configure has changed the PAT Global IP from 192.168.69.2 to 192.168.11.2, right?

Thanks

Mahesh

Hi,

The ACL is part of the NAT0 configuration. By itself it doesn't do anything. Notice that it's used in the "nat" configuration line.

So the whole configuration I suggested was this:

access-list DMZ-NAT0 permit ip 192.168.69.0 255.255.255.0 192.168.11.0 255.255.255.0

nat (DMZ) 0 access-list DMZ-NAT0

First we configured the NAT0 ACL and then attached it to a NAT0 configuration command.

The ACL basically tells the ASA what traffic it should NOT NAT. When we look at the ACL, it defines the source network as 192.168.69.0/24 (DMZ) and the destination network as 192.168.11.0/24 (OUTSIDE). The same operation works in the OUTSIDE -> DMZ direction, which you were actually testing. There are some situations where you might actually need to add a NAT0 configuration on the OUTSIDE interface too, but at the moment it's not needed.

The "xlate" you listed shouldn't be related to the ICMP you were testing at all. This is because we specifically told the ASA not to NAT traffic between these networks. Furthermore, we were testing traffic from OUTSIDE to DMZ and there is no PAT configuration for that direction.

- Jouni

Hi Jouni,

When I do sh access-list on the ASA it shows:

access-list ACL; 1 elements; name hash: 0xdd71d952

access-list ACL line 1 extended permit icmp any host 192.168.69.4 echo (hitcnt=37) 0xa4ac9e3a

access-list DMZ-NAT0 line 1 extended permit ip 192.168.69.0 255.255.255.0 192.168.11.0 255.255.255.0 log informational interval 300 (hitcnt=0) 0x6b886366

So when I ping from outside the hit count increases, which is right.

Will the hit count for the DMZ ACL ever increase, or will it remain at zero?

Also, when I do sh nat on the ASA:

NAT policies on Interface DMZ:

  match ip DMZ 192.168.69.0 255.255.255.0 outside 192.168.11.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip DMZ 192.168.69.0 255.255.255.0 DMZ 192.168.11.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip DMZ 192.168.69.0 255.255.255.0 outside any

    dynamic translation to pool 1 (192.168.11.2 [Interface PAT])

    translate_hits = 251, untranslate_hits = 23

  match ip DMZ 192.168.69.0 255.255.255.0 DMZ any

    dynamic translation to pool 1 (192.168.69.2 [Interface PAT])

    translate_hits = 0, untranslate_hits = 0

Here we see translate hits of 251; does this say that NAT from DMZ to outside is working or not?

Thanks

Mahesh

Hi,

To my understanding, ACLs that are used in NAT configuration will never get hit counts. So that "0" will most likely stay at "0" all the time.

Notice that the NAT rule that you are looking at, the one with 251 translate_hits, is for Dynamic PAT.

It basically refers to this configuration:

global (outside) 1 interface

nat (DMZ) 1 192.168.69.0 255.255.255.0

And yes, this rule is still working.

What you should also notice is that the NAT0 configuration will only apply to traffic between DMZ 192.168.69.0/24 and OUTSIDE 192.168.11.0/24.

So when, for example, DMZ 192.168.69.0/24 contacts some other network behind the OUTSIDE, for example some other network on the 3550, then the traffic will hit the above Dynamic PAT rule.

- Jouni
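As an added illustration (not code from the thread, from Cisco, or from either poster), the following Python model reproduces the order in which Jouni's two NAT configurations are evaluated for DMZ-sourced traffic: the NAT0 exemption for DMZ <-> OUTSIDE is consulted first, and anything else from the DMZ falls through to the interface PAT, which is why the xlate table shows 192.168.11.2 and why a host on another network behind the 3550 hits the rule with 251 translate_hits. The routes and NAT rules are transcribed from the posted config; 10.10.10.10 is a constructed host standing in for "some other network on the 3550".

```python
import ipaddress

# Constructed model (not ASA code) of how the ASA 8.2 config in this thread
# handles traffic sourced from the DMZ. Evaluation order mirrors the ASA:
# NAT exemption ("nat (DMZ) 0 access-list DMZ-NAT0") is consulted before the
# dynamic interface PAT ("nat (DMZ) 1 ..." + "global (outside) 1 interface").

# Connected interfaces plus "route outside 0.0.0.0 0.0.0.0 192.168.11.1 1"
ROUTES = [
    ("192.168.52.0/24", "inside"),
    ("192.168.11.0/24", "outside"),
    ("192.168.69.0/24", "DMZ"),
    ("0.0.0.0/0", "outside"),
]
# access-list DMZ-NAT0 permit ip 192.168.69.0/24 192.168.11.0/24
NAT0_ACL = [("192.168.69.0/24", "192.168.11.0/24")]
# nat (DMZ) 1 192.168.69.0/24 with "global (outside|DMZ) 1 interface"
DYNAMIC_PAT = {
    "source": "192.168.69.0/24",
    "interface_ip": {"outside": "192.168.11.2", "DMZ": "192.168.69.2"},
}


def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def egress_interface(dst):
    """Longest-prefix match over ROUTES; the /0 default catches the rest."""
    candidates = [(ipaddress.ip_network(n).prefixlen, i) for n, i in ROUTES if _in(dst, n)]
    return max(candidates)[1]


def translate_from_dmz(src, dst):
    """Return (kind, global_ip, egress) for a packet leaving the DMZ."""
    egress = egress_interface(dst)
    for s_net, d_net in NAT0_ACL:                 # nat 0: checked first
        if _in(src, s_net) and _in(dst, d_net):
            return ("exempt", src, egress)         # real IP kept, no xlate built
    if _in(src, DYNAMIC_PAT["source"]):           # falls through to interface PAT
        pool_ip = DYNAMIC_PAT["interface_ip"].get(egress)  # no global on inside
        if pool_ip:
            return ("pat", pool_ip, egress)
    return ("untranslated", src, egress)


def inbound_to_dmz_reachable(outside_src, dmz_host):
    """OUTSIDE -> DMZ: a host covered by dynamic PAT can only be reached at
    its real IP when an exemption (or static) covers the reverse flow."""
    return translate_from_dmz(dmz_host, outside_src)[0] == "exempt"


if __name__ == "__main__":
    # 192.168.11.1 is the 3550 from the thread; 10.10.10.10 is constructed.
    for dst in ("192.168.11.1", "10.10.10.10"):
        print(dst, translate_from_dmz("192.168.69.4", dst))
```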

Hi Jouni,

Many thanks again.

Learning slowly slowly about ASA config with your help.

Best Regards

Mahesh
