04-14-2012 02:22 PM - edited 03-11-2019 03:54 PM
I have an ASA 5510 with sub-interfaces configured for multiple VLANs traversing a trunk on Interface 0/2; these interfaces are all DMZs - they all must reach a fellow DMZ VLAN that contains a domain controller:
interface Ethernet0/2.184
description VLAN-184-DMZdomaincontroller
vlan 184
nameif dmz184
security-level 49
ip address 10.10.184.1 255.255.255.0
The VLAN 190 represents a typical DMZ sub-interface; note that the security level is not the same, so that communication is allowed:
interface Ethernet0/2.190
description VLAN-190
vlan 190
nameif dmz190
security-level 50
ip address 10.10.190.1 255.255.255.0
Since all the DMZ VLANs are connected networks, no explicit routes are necessary; access-lists are currently wide-open for troubleshooting:
access-list dmz184_out extended permit ip any any
access-list dmz190_out extended permit ip any any
access-group dmz184_out in interface dmz184
access-group dmz190_out in interface dmz190
Both DMZs have Internet access:
nat (dmz184) 1 10.10.184.0 255.255.255.0
nat (dmz190) 1 10.10.190.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
Both DMZs have a static NAT to each other:
static (dmz184,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0
Problem: Packet tracer shows different results for flow sourced from each VLAN and I cannot ping from a host in VLAN 190 to a host in VLAN 184:
OK - packet-tracer input dmz184 icmp 10.10.184.100 8 8 10.10.190.155
Result:
input-interface: dmz184
input-status: up
input-line-status: up
output-interface: dmz190
output-status: up
output-line-status: up
Action: allow
NOT OK - packet-tracer input dmz190 icmp 10.10.190.155 8 8 10.10.184.100
Result:
input-interface: dmz190
input-status: up
input-line-status: up
output-interface: transit
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
I don't have access to the VLAN 184 host and can only ping one-way. I'm running version 8.0(5).
Suggestions? Troubleshooting ideas?
Thanks in advance,
Marc
04-14-2012 04:58 PM
Hi,
The following configuration line in the "packet-tracer" output seems a bit off:
static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
What's the purpose of this command? It seems it's a nat command for a network that has nothing to do with either of the interfaces in the configuration?
And as you can see at the very end of the "packet-tracer" output, the output interface is way off. The same as in the configuration above.
It seems like the test traffic incoming from the dmz190 interface gets sent through the transit interface because there's a NAT configuration in place from the transit to the dmz190 interface.
- Jouni
04-14-2012 05:05 PM
Hello,
As Jouni said.
This is not properly configured, you have some problems with the nat...
Please provide the show run static.
Also do remove this for now:
(transit,dmz190) 10.10.184.0 10.10.184.0
And then do a packet tracer and provide us the output!
04-14-2012 03:19 PM
Hello,
From the ASA are you able to ping both hosts?
Can you provide the full Packet tracer input for the failed one.
Also I would like to see a sh route from the ASA
Regards,
Julio
04-14-2012 04:32 PM
Hi Julio;
Yes, I can ping hosts in both VLANs from the ASA; partial 'sh route' output is:
Gateway of last resort is 64.xx.xx.1 to network 0.0.0.0
C 64.xx.xx.0 255.255.255.0 is directly connected, outside
S 10.10.0.0 255.255.128.0 [1/0] via 10.10.250.12, transit
C 10.10.184.0 255.255.255.0 is directly connected, dmz184
C 10.10.190.0 255.255.255.0 is directly connected, dmz190
S* 0.0.0.0 0.0.0.0 [1/0] via 64.xx.xx.1, outside
ASA1#
Full failed packet-tracer output:
ASA1# packet-tracer input dmz190 icmp 10.10.190.155 8 8 10.10.184.$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
nat-control
match ip transit 10.10.184.0 255.255.255.0 dmz190 any
static translation to 10.10.184.0
translate_hits = 0, untranslate_hits = 153
Additional Information:
NAT divert to egress interface transit
Untranslate 10.10.184.0/0 to 10.10.184.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz190_out in interface dmz190
access-list dmz190_out extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0
nat-control
match ip dmz190 10.10.190.0 255.255.255.0 dmz184 any
static translation to 10.10.190.0
translate_hits = 0, untranslate_hits = 2
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
nat-control
match ip transit 10.10.184.0 255.255.255.0 dmz190 any
static translation to 10.10.184.0
translate_hits = 0, untranslate_hits = 153
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3374152, packet dispatched to next module
Result:
input-interface: dmz190
input-status: up
input-line-status: up
output-interface: transit
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
ASA1#
I hope this helps,
Marc
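A small check that automates what the replies spot in the trace above: it takes the egress interface the routing table would choose for the destination, compares it with the interface a NAT phase diverts to, and names the static line in that phase. This is added example code, not part of the thread or of any Cisco tool; the route list and the trimmed trace excerpt are copied from the posts above, and the function names are my own.

```python
import ipaddress
import re

# Routes as printed by 'sh route' in this thread (outside next hop masked by the poster).
ROUTES = [("10.10.0.0", "255.255.128.0", "transit"),
          ("10.10.184.0", "255.255.255.0", "dmz184"),
          ("10.10.190.0", "255.255.255.0", "dmz190"),
          ("0.0.0.0", "0.0.0.0", "outside")]

# Trimmed excerpt of the failed trace posted above (phases 2 and 7 plus the Result block).
FAILED_TRACE = """\
Phase: 2
Type: UN-NAT
Config:
static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
Additional Information:
NAT divert to egress interface transit
Phase: 7
Type: NAT
Config:
static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0
Result:
input-interface: dmz190
output-interface: transit
Drop-reason: (no-adjacency) No valid adjacency
"""

def routed_egress(dest, routes=ROUTES):
    """Longest-prefix match: the interface the routing table would pick for dest."""
    best = None
    for net, mask, iface in routes:
        n = ipaddress.ip_network(f"{net}/{mask}")
        if ipaddress.ip_address(dest) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface)
    return best[1] if best else None

def check_trace(text, dest):
    """Finding when a NAT phase diverts away from the routed interface, else None."""
    expected = routed_egress(dest)
    divert = re.search(r"NAT divert to egress interface (\S+)", text)
    if not divert or divert.group(1) == expected:
        return None
    # The static line in the phase that announced the divert is the one to question.
    phase = text[:divert.start()].rsplit("Phase:", 1)[-1]
    culprit = next((l for l in phase.splitlines() if l.startswith("static (")), None)
    final = re.search(r"output-interface: (\S+)", text)
    return {"expected_egress": expected, "divert_egress": divert.group(1),
            "final_egress": final.group(1) if final else None, "culprit": culprit}
```

Running `check_trace(FAILED_TRACE, "10.10.184.100")` reports dmz184 as the routed egress, transit as the diverted one, and the `static (transit,dmz190)` line as the culprit.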
04-14-2012 05:14 PM
You caught it, Jouni!
I was confident that the issue was simply a typo in my configuration and you caught it...
Once I removed that incorrect command and performed a 'clear xlate' on the ASA, I immediately began moving pings between the DMZ190 and DMZ184 hosts, as well as from internal networks to the DMZ184.
Thanks to both you and Julio for your time,
Marc