ASA 5506X with FirePower and SecPlus (Route between two Interfaces)

Droese (Level 1)

Hello everybody,
I am now at a loss and have spent the past 48 hours trying to find a solution. Unsuccessful.

We exchanged our old Netgear FVS336 firewall for the Cisco ASA because the Netgear is EOL.

Now I have tried to map the existing configuration on the Cisco.

LAN with IP 192.168.5.0 (inside) and a subnet with 10.10.5.0 (dmz), which are connected to different interfaces.

With both networks I can access the Internet, everything is fine so far.

But I want to access the dmz from inside. I not only fail at it, but despair.

My configuration:
: Saved

: 
: Serial Number: JAD241800FJ
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 23:46:23.154 CEDT Wed Jul 1 2020
!
ASA Version 9.8(2) 
!
hostname HQCFW1ASA
domain-name XXXXXXbox
enable password XXXXXX
names
dns-guard

!
interface GigabitEthernet1/1
 description Port to WAN
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 description Port to LAN
 bridge-group 1
 nameif inside
 security-level 100
!
interface GigabitEthernet1/3
 description Port to DMZ
 bridge-group 2
 nameif dmz
 security-level 50
!
interface GigabitEthernet1/4
 description Not in use
 shutdown
 nameif not_in_use_1
 security-level 0
 no ip address
!
interface GigabitEthernet1/5
 description Not in use
 shutdown
 nameif not_in_use_2
 security-level 0
 no ip address
!
interface GigabitEthernet1/6
 description Not in use
 shutdown
 nameif not_in_use_3
 security-level 0
 no ip address
!
interface GigabitEthernet1/7
 description Not in use
 shutdown
 nameif not_in_use_4
 security-level 0
 no ip address
!
interface GigabitEthernet1/8
 description Port to Unified Communication (UC)
 management-only
 nameif unified_communication
 security-level 75
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet1/8.90
 description VLAN for Cisco CUE
 vlan 90
 nameif cisco-cue
 security-level 75
 ip address 10.1.10.1 255.255.255.252 
!
interface GigabitEthernet1/8.100
 description VLAN for Cisco Voice
 vlan 100
 nameif cisco-voice
 security-level 75
 ip address 10.1.1.1 255.255.255.0 
!
interface Management1/1
 description Port for Management
 management-only
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface BVI1
 description Bridge Group for LAN
 nameif inside_grp
 security-level 100
 ip address 192.168.5.1 255.255.255.0 
!
interface BVI2
 description Bridge Group for DMZ
 nameif dmz_grp
 security-level 50
 ip address 10.10.5.1 255.255.255.0 
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.178.1 outside
 name-server 8.8.8.8 outside
 domain-name fritz.box
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network WAN-Gateway
 host 192.168.178.1
 description Gateway to WAN
object network DMZ-Gateway
 host 10.10.5.1
 description Gateway to DMZ
object network Management-Gateway
 host 192.168.0.1
 description Gateway to Management Port
object network LAN-Network
 subnet 192.168.5.0 255.255.255.0
 description IP-Range of LAN
object network DMZ-Network
 subnet 10.10.5.0 255.255.255.0
 description IP Range of DMZ-Network
object network PAT-Adress1
 host 10.10.5.254
 description PAT-Adress
object network Netgear-Router
 host 192.168.5.253
object network Route
 subnet 10.10.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object DMZ-Gateway
 network-object object PAT-Adress1
object-group network Internal-Subnets
 description Interne Subnetzte
 network-object 10.10.5.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object object DMZ-Gateway
 network-object object Netgear-Router
access-list Erlaube-DMZ extended permit ip 192.168.5.0 255.255.255.0 10.10.5.0 255.255.255.0 log 
pager lines 24
logging enable
logging asdm informational
mtu outside 9000
mtu inside 9000
mtu dmz 9000
mtu not_in_use_1 1500
mtu not_in_use_2 1500
mtu not_in_use_3 1500
mtu not_in_use_4 1500
mtu unified_communication 1500
mtu management 1500
mtu cisco-cue 1500
mtu cisco-voice 1500
no failover
no monitor-interface inside_grp
no monitor-interface dmz_grp
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,dmz) source dynamic any interface destination static DMZ-Network DMZ-Gateway
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
route outside 0.0.0.0 255.255.255.255 192.168.178.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
aaa authentication login-history
http server enable
http 192.168.0.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 9216
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca trustpoint Inv_ASA_Trustpoint
 enrollment self
 email admin@Inv.de
 subject-name CN=HQCFW1ASA
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.1.1,CN=HQCFW1ASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca server 
 keysize 4096
 keysize server 4096
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 513fb9743870b73440418d30930699ff
    30820538 30820420 a0030201 02021051 3fb97438 70b73440 418d3093 0699ff30 
    0d06092a 864886f7 0d01010b 05003081 ca310b30 09060355 04061302 55533117 
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b 
    13165665 XXXXXXXX 676e2054 72757374 204e6574 776f726b 313a3038 06035504 
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72 
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56 
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043 
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31 
    33313033 31303030 3030305a 170d3233 31303330 32333539 35395a30 7e310b30 
    09060355 04061302 5553311d 301b0603 55040a13 1453796d 616e7465 6320436f 
    72706f72 6174696f 6e311f30 1d060355 040b1316 53796d61 6e746563 20547275 
    7374204e 6574776f 726b312f 302d0603 55040313 2653796d 616e7465 6320436c 
    61737320 33205365 63757265 20536572 76657220 4341202d 20473430 82012230 
    0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b2d805ca 
    1c742db5 175639c5 4a520996 e84bd80c f1689f9a 422862c3 a530537e 5511825b 
    037a0d2f e17904c9 b4967719 81019459 f9bcf77a 9927822d b783dd5a 277fb203 
    7a9c5325 e9481f46 4fc89d29 f8be7956 f6f7fdd9 3a68da8b 4b823341 12c3c83c 
    ccd6967a 84211a22 04032717 8b1c6861 930f0e51 80331db4 b5ceeb7e d062acee 
    b37b0174 ef6935eb cad53da9 ee9798ca 8daa440e 25994a15 96a4ce6d 02541f2a 
    6a26e206 3a6348ac b44cd175 9350ff13 2fd6dae1 c618f59f c9255df3 003ade26 
    4db42909 cd0f3d23 6f164a81 16fbf283 10c3b8d6 d855323d f1bd0fbd 8c52954a 
    16977a52 2163752f 16f9c466 bef5b509 d8ff2700 cd447c6f 4b3fb0f7 02030100 
    01a38201 63308201 5f301206 03551d13 0101ff04 08300601 01ff0201 00303006 
    03551d1f 04293027 3025a023 a021861f 68747470 3a2f2f73 312e7379 6d63622e 
    636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630 
    2f06082b 06010505 07010104 23302130 1f06082b 06010505 07300186 13687474 
    703a2f2f 73322e73 796d6362 2e636f6d 306b0603 551d2004 64306230 60060a60 
    86480186 f8450107 36305230 2606082b 06010505 07020116 1a687474 703a2f2f 
    7777772e 73796d61 7574682e 636f6d2f 63707330 2806082b 06010505 07020230 
    1c1a1a68 7474703a 2f2f7777 772e7379 6d617574 682e636f 6d2f7270 61302906 
    03551d11 04223020 a41e301c 311a3018 06035504 03131153 796d616e 74656350 
    4b492d31 2d353334 301d0603 551d0e04 1604145f 60cf6190 55df8443 148a602a 
    b2f57af4 4318ef30 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3 
    4339fa02 af333133 300d0609 2a864886 f70d0101 0b050003 82010100 5e945649 
    dd8e2d65 f5c13651 b603e3da 9e7319f2 1f59ab58 7e6c2605 2cfa81d7 5c231722 
    2c3793f7 86ec85e6 b0a3fd1f e232a845 6fe1d9fb b9afd270 a0324265 bf84fe16 
    2a8f3fc5 a6d6a393 7d43e974 21913528 f463e92e edf7f55c 7f4b9ab5 20e90abd 
    e045100c 14949a5d a5e34b91 e8249b46 4065f422 72cd99f8 8811f5f3 7fe63382 
    e6a8c57e fed008e2 25580871 68e6cda2 e614de4e 52242dfd e5791353 e75e2f2d 
    4d1b6d40 15522bf7 87897812 816ed94d aa2d78d4 c22c3d08 5f87919e 1f0eb0de 
    30526486 89aa9d66 9c0e760c 80f274d8 2af8b83a ced7d60f 11be6bab 14f5bd41 
    a0226389 f1ba0f6f 2963662d 3fac8c72 c5fbc7e4 d40ff23b 4f8c29c7
  quit
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
    3082051a 30820302 a0030201 02020101 300d0609 2a864886 f70d0101 05050030 
    1e311c30 1a060355 04031313 48514346 57314153 412e6672 69747a2e 626f7830 
    1e170d32 30303632 39313730 3035325a 170d3233 30363239 31373030 35325a30 
    1e311c30 1a060355 04031313 48514346 57314153 412e6672 69747a2e 626f7830 
    82022230 0d06092a 864886f7 0d010101 05000382 020f0030 82020a02 82020100 
    b9a9ab9a 49ab29bf 8ebeaec7 61b3d81a 6de15924 6d527167 cbfbf80f a41ed5da 
    cc6dea8c 863d58e9 a8dffc73 ef77309b 75c324dd 676f2eba 19dfea5e 2afb7578 
    5050f964 54506a82 6a5b6908 ccbba795 fb96ff9c 462c706d e6feff9b c35058ba 
    d706512b 0c5365cd ed743e3e c6248016 7ba6c21c 25009beb 98b7bc4d 1e44d048 
    0a9f768b e45135e2 9463d935 52ac08b5 a0c89ad6 4a87ed3c 058081d9 c03ce9ec 
    51442e07 8b944ff6 5e41e3f8 f1530264 092b6e83 91a027f6 12d619e9 a387194c 
    d9f20ad9 18855cbb 17f314ba b238bbb9 353e1cca e18c4516 800be00b 1e8b7ee2 
    ff60d22f 6c0de9f3 bb45d5b3 4df88661 6530c8a9 e381005b 6b43df36 15948f7c 
    971b1221 bcc8d8ad bdc9b974 1669dfe2 af484e17 53782e0f 7d0b9aca 78106f2b 
    e657334a ec8ad261 8fc7d871 06601372 bf131811 19235e71 d337fdca 5c898051 
    18cb4503 31728037 a9991249 229eaa90 6ae8b5a7 ceb955b2 ea7390ba 6f6af2e4 
    bdcb3db2 a89e7ed1 5de5946a 1cde4088 92418488 d3ebc72b fe2fda60 279dbd0b 
    018a2779 029ba393 f4f56ab4 2ad39f09 c10d14eb f6fe3dca c7c28095 2c895b52 
    4905366a b217e09c 5353b3b6 2f551722 d2cb907e d2957f98 5f6e5c93 c8b45de5 
    8ce6bdaf 96837c32 9e6de2ab e41fc155 6f6976eb 8d05011b c4589176 d788281b 
    2044059b a00a29fe 6811088f 1eb6eb14 7d845786 5b666fb9 e738c3e6 5f19e1fd 
    02030100 01a36330 61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 
    0f0101ff 04040302 0186301f 0603551d 23041830 168014fb eaa53ae7 9572cfe6 
    f80a9335 75ff33d1 df7ff230 1d060355 1d0e0416 0414fbea a53ae795 72cfe6f8 
    0a933575 ff33d1df 7ff2300d 06092a86 4886f70d 01010505 00038202 01006647 
    d828f283 1a821cf5 fa9760e7 1145b850 c25defaa 71a943df f3769c13 31591275 
    3a8dc759 e0431580 b1d2baaf da63bbce 955bedf3 88e6100a 13d919a0 2c3ccf35 
    c2581e19 c8ea7ae7 9ec22ef7 8314ccf6 1ff88f84 fe4aa1ce 149eb1f3 f86e9e22 
    572b4c70 cd215114 84281fe0 2bb9d1e7 9e27455f 4fd7dc86 03ace604 5925d485 
    fd34b2d9 1c2f9767 e7c1fe4e 1571e09b 54749bb3 250e4f17 89f2212d 46e1ebe8 
    a5df1128 f3d082fe 01355987 a6008e39 5d17121f 6812c7d8 338a4174 d1b9b7bc 
    45bb23fb f3ad7912 89552f26 926b8bee ebe62e9c 2d9f1dbc b8c50d06 3296ceb1 
    18cc0106 f9b293ed ceab9121 891b64ff 2521ff12 c3f13a90 a15b14fa 84ae4d82 
    fae2c2e6 c4caf71f 4765d15a f2dbb1f2 f5adf8de 62480451 6730bb54 2c018a23 
    656e1d5b eaf20c95 f951a540 f32a1b7f bdf3f160 a4f482d2 0b68d70b 7baf1278 
    4a37a99a c388d4f3 79df16ae 74dcc0a9 0ea98529 0d7fbd56 26a410d4 59bac927 
    c8c4592c 3a82d6f1 1c9f69ff 786131bb 45aa432e bb182cfe 71ada4fc 8a64ed6b 
    ef3bf499 ddca8a65 4aafd8ae 64ec7295 efe9a41b b8249f83 68828458 42eb9d7d 
    70a1f3fe 19ad815c cef18178 b3334316 5a3e036f 05880cd9 4092f044 e54f0f99 
    32ccd8dc 21832255 494f09aa 915d843e 62a0b261 530bfb85 258c245f 3fab38b8 
    6e5a9a95 e52ab5bf 3cbc5ac1 7101a100 75e33cfb 2bb4631e d812535a 768c
  quit
crypto ca certificate chain Inv_ASA_Trustpoint
 certificate e317fa5e
    30820551 30820339 a0030201 020204e3 17fa5e30 0d06092a 864886f7 0d01010b 
    05003038 31123010 06035504 03130948 51434657 31415341 31223020 06092a86 
    4886f70d 01090216 13485143 46573141 53412e66 7269747a 2e626f78 301e170d 
    32303036 32393137 30393430 5a170d33 30303632 37313730 3934305a 30383112 
    30100603 55040313 09485143 46573141 53413122 30200609 2a864886 f70d0109 
    02161348 51434657 31415341 2e667269 747a2e62 6f783082 0222300d 06092a86 
    4886f70d 01010105 00038202 0f003082 020a0282 020100b6 a098a993 7cbc4a47 
    c5b69150 ef8b23e1 55504170 92f184f8 fc87a1df a3add194 38060a91 25976e90 
    52a85cb5 9316b965 24eea48a 1e2b81a8 e41f3e16 aef472df e0962385 81756550 
    c7bb2931 542c1847 208e7237 a804c2da e6fe2108 d6e5bce1 857e7eed cb661925 
    2c9093bc dad7bf82 7d96022a 60ddc762 f092b004 3c2094ec 6903cfda 74b7356e 
    dc905ca9 aa4fdc0e 957a83a7 f37e2ea9 0d5a895a 90d3d266 97112c3d cb7f494f 
    057cdaa2 bc1b5d3e 54f1f69d 4962abdb 4d9069f9 b9fe4150 de8b118e f31e059f 
    2031d29d 2e8cd39b 4c0a7483 c42fb06c 976888e4 0f66c2db 2529649b 0b688d4d 
    724791a7 4f140a05 47392aba e61e12ba 427e786e b6038695 4112e1c6 1762d5fd 
    50d305f0 392269ae 27a39bc2 859c9ced 00ca89d5 8613c6ba 5b798df1 29d68b94 
    7af9f5ba 8fa5d9c2 831be153 edfe8a5f 2a4251a2 7fd9cff6 d62f072c 1bdded5c 
    932d8c10 570ddb88 8173ce78 cb1b7a57 25926a58 df64673a c57290e6 8de31833 
    73e02986 5588a4a3 840a5a1a 54139ff6 f215d087 f45d125a 22982f83 4e0bdf05 
    b69f614c 2653b766 d8db57b1 779de8c9 7a3771de 6cc5f7b0 3424c1c3 6c4019b6 
    9cb91dab 046101cd 33a671ae 25a4ac0b 81cf1570 0cbe7043 dbd6d8d3 5f105abd 
    d7ddeed1 a7aa7c9d 457d545e d120f8e8 386143f2 ae57096d f7b7a9c6 d4351499 
    da28471f 00cebe7b cc3bdddf 08f78ca9 6d8b2bda 00e25302 03010001 a3633061 
    300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 
    86301f06 03551d23 04183016 801491cc 487f60d1 bd2ae9bb 64f38aae 59d99c9a 
    32f6301d 0603551d 0e041604 1491cc48 7f60d1bd 2ae9bb64 f38aae59 d99c9a32 
    f6300d06 092a8648 86f70d01 010b0500 03820201 004efc3b 14f5eaa7 02df3027 
    159959cf 40b6881b 9c7003e1 93f78710 04bd6743 6b742a91 48e66991 f03f5eca 
    c2d800d7 964d7a2f a764e7d1 d04e3e3f 0b185247 5678720c 65f86620 d42c0542 
    15b938eb f1e8db14 250e688a 4ce75130 fb1ba0df 56e04be0 472fde1e bf64b1f0 
    916383a7 87102818 df63aa92 2863a4fa 49df8e66 9162156b f02a4c80 6822dc8e 
    5001c97e 989270e5 9a1afe04 e6af6323 4d8100d9 9c0305f2 ee677bee 5133a741 
    11d6dcde b48df470 8b2fbcda fa4eb6fb 150845d5 f0723e22 94a77b44 1282b09f 
    2e4b9d7b 918efc5a aa193df1 e189c68a 296598ef 2fd1be3f 0707a6cc c71f708a 
    677c5740 805ea39e c1757412 abe07d01 779799c2 39d099d2 85784e0a 10370a5a 
    3458a6a9 6dadabfa 9abe0bb7 f9b6bc7f 1230100a aa9e6f02 35df422e 1409ea12 
    e51a3d4f e6eeffd9 75fd59be 2c61ab63 fd94f293 3a3c9ef5 61f5aa5c 06394401 
    1e86cefe d5dbd74f a974b4f1 d38ce379 1ce129f2 3f8dba51 fb715dbb dea7eac6 
    e782c7c7 a7c93fec eec3e7d4 d61a3c1d 1c33e2e3 219d95ed 68510641 a6390e7f 
    de26edac 17a84374 0aac2b9a c6df9c07 b9dc5bb0 c002e67b 2c351e00 4ac2262a 
    355e7391 02ec1992 66b590f4 9cb305f0 0ceb5f65 0ba9628e 33c8228e 0a51d0e9 
    aa323dfa 911d6660 80891c1a e02a759b 7f094718 8ea3c2ab 7b7fda21 39285722 
    6ad9564c 3cd18c6d e6b6ac0a b5df651e 77eb7a1d 54
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate e417fa5e
    308202d0 308201b8 a0030201 020204e4 17fa5e30 0d06092a 864886f7 0d01010b 
    0500302a 31123010 06035504 03130948 51434657 31415341 31143012 06035504 
    03130b31 39322e31 36382e31 2e31301e 170d3230 30363239 31373039 35335a17 
    0d333030 36323731 37303935 335a302a 31123010 06035504 03130948 51434657 
    31415341 31143012 06035504 03130b31 39322e31 36382e31 2e313082 0122300d 
    06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100a5 688a694f 
    000dc1be f0bc1f21 6e7253d8 1b926e3d 4b4894b3 5760f7b7 b1ea4dd8 e9b0dc5a 
    89503334 bfd66227 61bf304d 0a9c00c3 a2240653 9cd49fc2 6e67780b 2123b042 
    cabbabf7 4a74b532 09e69771 c6fe2e42 78f582de 76a76f39 59838788 12d17942 
    9bb93e13 50a8fef3 60c8124a 8dadbe7c 5c788370 4204419d a8a5a630 e41220c2 
    367d042b b900abc7 c4cdcd0f 3eaa8ffe 2b0cfaa6 091fd159 9dff71dc a9f40701 
    796a8485 4862b089 d4218eff 2ad616c1 73051177 df435d9f adaa26d3 13d4867c 
    10a238b9 0ed48881 8d8fc364 cd9e55f4 1c2fb940 43b1d161 70158416 e0042497 
    271a278a 2f35bb1b 5bb6a292 5c5e3551 d3292342 0b35f6e1 e4f97302 03010001 
    300d0609 2a864886 f70d0101 0b050003 82010100 3a2e2e06 f1a9c008 7575566a 
    6568c10b 301a2aca c2c23a9c 304a2bae d509eefc 44300bde e485c01a 2eca36f2 
    c70e091c 3b291a13 c97e0b27 1b94f7f5 7782137b ec995962 f0bb8d52 2b6343bb 
    a4aa6584 a8c35c6a 518f30c5 81c55be7 19067438 77f94764 1917d3fa 90c002b1 
    1493f89c 5a3d3f9a c1c159be 63ed7536 7f45e7d1 d87423e4 15e8826a bdd4808c 
    d0f1fe27 dc048891 9a9955a0 1e924980 2033fe2e b3d78aa8 010cf831 4fde4be5 
    e2ad31ae 161ca909 10efd6dd 396db2a2 d3eb8fa5 01c1ddc6 76f4f606 7a142a2c 
    1d90c1ae b75cf142 ec61881f 2e5a6cd7 049f7c9c 249bf983 0f109548 b3680ca3 
    af3091db 66603896 21899cb3 d917296d b201d310
  quit
crypto ikev2 remote-access trustpoint Inv_ASA_Trustpoint
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.255.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access management

dhcpd dns 192.178.168.1 8.8.8.8
dhcpd ping_timeout 1000
dhcpd auto_config outside
dhcpd option 42 ascii de.pool.ntp.org
!
dhcpd address 192.168.5.50-192.168.5.130 inside_grp
dhcpd domain Inv-internal interface inside_grp
dhcpd enable inside_grp
!
dhcpd address 10.10.5.50-10.10.5.130 dmz_grp
dhcpd domain Inv-dmz interface dmz_grp
dhcpd enable dmz_grp
!
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.178.1 source outside
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default fips
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group21
ssl trust-point Inv_ASA_Trustpoint outside
ssl trust-point Inv_ASA_Trustpoint not_in_use_1
ssl trust-point Inv_ASA_Trustpoint not_in_use_2
ssl trust-point Inv_ASA_Trustpoint not_in_use_3
ssl trust-point Inv_ASA_Trustpoint not_in_use_4
ssl trust-point Inv_ASA_Trustpoint unified_communication
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-linux64-4.8.03052-webdeploy-k9.pkg 3 regex "Linux"
 anyconnect enable
 cache
  disable
 error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username admin password $XXXX= pbkdf2 privilege 15
username admin attributes
 service-type nas-prompt
!
!
!
policy-map global_policy
!
prompt hostname context 
!
jumbo-frame reservation
!
service call-home
call-home reporting anonymous
call-home
 contact-email-addr XYZ
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b5ab217532de29a59377d1291c65df5a
: end

6 Replies

Francesco Molino (VIP Alumni)
Hi

Can you first try removing the following NAT:
nat (inside,dmz) source dynamic any interface destination static DMZ-Network DMZ-Gateway

Add the following one:
nat (inside,dmz) source static LAN-Network LAN-Network destination static DMZ-Network DMZ-Gateway

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello,
I just gave it a try. This is the result:

HQCFW1ASA# packet-trace in inside tcp 192.168.5.1 80 10.10.5.140 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz) source static LAN-Network LAN-Network destination static DMZ-Network DMZ-Gateway
Additional Information:
NAT divert to egress interface dmz
Untranslate 10.10.5.140/443 to 10.10.5.1/443

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Don't source the packet-tracer traffic from the inside BVI address. That's because traffic originating on an ASA interface is never allowed to egress a different interface - no matter what ACL or NAT is in place.

Instead source the traffic from another address in the subnet.

Okay. The packet is allowed.
But there is still no traffic. If I try to open https://10.10.5.150 (NAS) from 192.168.5.53 there is a timeout error. Within the dmz network it's working fine. Where is my problem?!

In the meantime I am able to ping the server; that works without any problems.
I also pulled the network cable out of the NAS to make sure that the ping really gets there. It does.
But I still can't access the web interface. Why?

IT WORKS :-).

I changed the NAT statement to:

nat source dynamic LAN-Network interface destination static DMZ-Network DMZ-Network

This is it.

Thanks to all for your time and help
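An added example, not part of the thread and not Cisco tooling: a small Python lint over the posted network objects and manual NAT statements. It flags the shape shared by the original rule (`... destination static DMZ-Network DMZ-Gateway`) and by the first suggested replacement: the real destination is the whole DMZ /24 while the mapped destination is the single host DMZ-Gateway, which is the ASA's own BVI2 address, so every DMZ host is "untranslated" to 10.10.5.1 exactly as the packet-tracer output showed. It prints the identity-destination form that the accepted answer ended up with, and separately warns about the `any` source that the accepted answer narrowed to LAN-Network. The config excerpt is constructed from the lines quoted in the thread; `parse_config`, `lint_nat`, `audit` and the finding texts are names chosen for this example.

```python
"""ASA manual-NAT lint (added example; not from the thread or from Cisco).

Flags a twice-NAT rule whose mapped destination is one host while the real
destination is a whole subnet (DMZ-Network -> DMZ-Gateway in the posted
config) and prints the identity-destination form of the same rule.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of the running-config quoted in the thread: the BVIs,
# the objects the NAT rules reference, and the two relevant NAT lines.
ASA_CONFIG = """\
interface BVI1
 nameif inside_grp
 ip address 192.168.5.1 255.255.255.0
interface BVI2
 nameif dmz_grp
 ip address 10.10.5.1 255.255.255.0
object network DMZ-Gateway
 host 10.10.5.1
object network LAN-Network
 subnet 192.168.5.0 255.255.255.0
object network DMZ-Network
 subnet 10.10.5.0 255.255.255.0
nat (inside,dmz) source dynamic any interface destination static DMZ-Network DMZ-Gateway
nat (inside,outside) after-auto source dynamic any interface
"""

# Manual ("twice") NAT: nat (in,out) [after-auto] source static|dynamic R M
#                       [destination static R M] ...
NAT_RE = re.compile(
    r"^nat \((?P<ingress>[\w-]+),(?P<egress>[\w-]+)\)(?: after-auto)? source "
    r"(?:static|dynamic) (?P<sreal>\S+) (?P<smapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
)


@dataclass
class NatRule:
    line: str
    ingress: str
    egress: str
    src_real: str
    src_mapped: str
    dst_real: Optional[str]
    dst_mapped: Optional[str]


@dataclass
class Finding:
    severity: str                    # "error" or "warning"
    message: str
    suggested: Optional[str] = None  # corrected NAT line, when one is known


def parse_config(text: str):
    """Return (network objects, interface address by nameif, NAT rules)."""
    objects: Dict[str, ipaddress.IPv4Network] = {}
    iface_addrs: Dict[str, ipaddress.IPv4Address] = {}
    rules: List[NatRule] = []
    section, name = None, None       # the 'object'/'interface' block we are in
    for line in text.splitlines():
        if line.startswith("object network "):
            section, name = "object", line.split()[2]
        elif line.startswith("interface "):
            section, name = "interface", None   # nameif comes on a later line
        elif line.startswith("nat "):
            m = NAT_RE.match(line)
            if m:
                rules.append(NatRule(line, m["ingress"], m["egress"], m["sreal"],
                                     m["smapped"], m["dreal"], m["dmapped"]))
            section = None
        elif line.startswith(" ") and section:
            tok = line.split()
            if section == "object" and tok[0] == "host":
                objects[name] = ipaddress.ip_network(tok[1])
            elif section == "object" and tok[0] == "subnet":
                objects[name] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
            elif section == "interface" and tok[0] == "nameif":
                name = tok[1]
            elif section == "interface" and tok[:2] == ["ip", "address"] and name:
                try:                             # 'ip address dhcp ...' has no literal
                    iface_addrs[name] = ipaddress.ip_address(tok[2])
                except ValueError:
                    pass
    return objects, iface_addrs, rules


def lint_nat(rules, objects, iface_addrs) -> List[Finding]:
    findings: List[Finding] = []
    for r in rules:
        if r.dst_real is None:
            continue                             # source-only NAT: not this check
        try:
            real, mapped = objects[r.dst_real], objects[r.dst_mapped]
        except KeyError as e:
            findings.append(Finding("error", f"{r.line}: unknown object {e}"))
            continue
        # A subnet whose mapped destination is one address is almost never
        # intended; the usual inside->dmz shape is an identity destination.
        if real != mapped and mapped.num_addresses == 1 and real.num_addresses > 1:
            owner = [n for n, a in iface_addrs.items() if a == mapped.network_address]
            msg = (f"({r.ingress},{r.egress}): {r.dst_real} {real} is translated to the "
                   f"single address {mapped.network_address} ({r.dst_mapped}); every "
                   f"host in {real} is collapsed onto it")
            if owner:
                msg += f", and that is the firewall's own '{owner[0]}' address"
            fixed = r.line.replace(f"destination static {r.dst_real} {r.dst_mapped}",
                                   f"destination static {r.dst_real} {r.dst_real}")
            findings.append(Finding("error", msg, fixed))
        if r.src_real == "any":
            findings.append(Finding("warning", f"({r.ingress},{r.egress}): source 'any' "
                            f"matches more than the {r.ingress} subnet; use its object"))
    return findings


def audit(text: str = ASA_CONFIG) -> List[Finding]:
    objects, iface_addrs, rules = parse_config(text)
    return lint_nat(rules, objects, iface_addrs)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.severity}] {f.message}")
        if f.suggested:
            print(f"  suggested: {f.suggested}")
```

Run it against a saved `show running-config` to get the findings; the suggested line for the posted rule is the identity-destination form, which still carries the `any` source that the accepted answer replaced with LAN-Network. After changing a rule, verify it with `packet-tracer` sourced from a host address in the inside subnet rather than from the BVI address, for the reason given in the reply above.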