ASA - Cannot Communicate from Inside to DMZ

Josh Edwards
Level 4

Hello - I have an existing ASA Firewall that is configured with an inside interface and an outside interface - communication is working fine in this configuration.

I am trying to add a DMZ interface that will be connected to a 3560x switch - the new ASA and switch configurations are below.

ASA Configuration:

!
interface Ethernet0/3
 description DMZ physical interface
 nameif DMZ_PHYSICAL
 security-level 50
 no ip address
!
interface Ethernet0/3.510
 vlan 510
 nameif DMZ_TEST
 security-level 50
 ip address 10.50.10.254 255.255.255.0
!
! I've added this ACL line for testing purposes only
access-list DMZ_TEST_access_in extended permit ip any any
!
route FW_TRANSIT 10.10.10.0 255.255.255.0 10.100.0.254 1
!

DMZ Switch Configuration:

!
interface GigabitEthernet0/3
 description DMZ TRUNK - TOWER-FW-01 E0/3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,510,540
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Vlan510
 ip address 10.50.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
ip route 10.10.10.0 255.255.255.0 10.50.10.254
!

I cannot ping from a computer on the LAN (10.10.10.3) to the IP address of the DMZ Switch on VLAN 510 (10.50.10.1).

I can, however, ping from the DMZ Switch (10.50.10.1) to the workstation on the LAN (10.10.10.3)

Any suggestions?


11 Replies

Jennifer Halim
Cisco Employee

Can you also share the configuration of the interface on the ASA where the host 10.10.10.3 is connected? I assume it's FW_TRANSIT, as you have a route configured on it? If it's FW_TRANSIT, please share the interface configuration on the ASA.

What is the DMZ switch default gateway?

Here is the interface configuration for the FW_TRANSIT interface - the 10.10.10.0/24 subnet is connected via an L3 switch on a separate VLAN:

!
interface Ethernet0/1
 description Internal Tower Networks
 nameif FW_TRANSIT
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!

The DMZ Switch has a static route for the 10.10.10.0/24 subnet via the ASA IP Address (10.50.10.254):

!
ip route 10.10.10.0 255.255.255.0 10.50.10.254
!

You would need to configure NAT exemption for that network as follows:

ASA version 8.2 or lower:

static (FW_TRANSIT,DMZ_TEST) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

ASA version 8.3 or higher:

object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network obj-10.50.10.0
 subnet 10.50.10.0 255.255.255.0
nat (FW_TRANSIT,DMZ_TEST) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-10.50.10.0 obj-10.50.10.0

Then "clear xlate" after the above configuration.

I've added the following configuration; however, I am still not able to initiate the connection...

!
object network NET-TOWER-CORP-DATA_SERVER-10.10.10.0-24
 subnet 10.10.10.0 255.255.255.0
!
object network NET-DMZ-Test-10.50.10.0-24
 subnet 10.50.10.0 255.255.255.0
!
nat (FW_TRANSIT,DMZ_TEST) source static NET-TOWER-CORP-DATA_SERVER-10.10.10.0-24 NET-TOWER-CORP-DATA_SERVER-10.10.10.0-24 destination static NET-DMZ-Test-10.50.10.0-24 NET-DMZ-Test-10.50.10.0-24
!
clear xlate

Your 10.10.10.0/24 network has a route for the DMZ subnet towards the FW_TRANSIT interface of the ASA, right?

Also, there is no access-list on the FW_TRANSIT interface that might block the traffic, right?

Can you please share your full config?

Yes, the 10.10.10.0/24 network has the appropriate routing configured towards the FW_TRANSIT interface of the ASA - in fact, I am able to ping from the VLAN interface of the DMZ switch to 10.10.10.3 successfully - the return traffic routes as expected.

No, there is no ACL on the FW_TRANSIT interface...

I'd rather not post the full config here.

There is also no "out" ACL on the DMZ_TEST interface?

Do you have "inspect icmp" configured?

There is no "out" ACL on DMZ_TEST.

I believe "inspect icmp" is configured correctly:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect http
  inspect icmp

Can't think of anything else on the ASA that might be blocking it.

What does packet tracer say?

If packet tracer passes the traffic OK, then issue is not on the ASA.

The Packet Tracer looks like it completes successfully - however, the Input and Output interfaces are both FW_TRANSIT...

Josh Edwards
Level 4

The issue is resolved - I had to update all of the nat statements...

Update "nat (FW_TRANSIT,any)" removing the "any" and adding the specific destination interface - also adding no-proxy-arp route-lookup to the end of each statement
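The two changes that the thread ends on, the manual NAT exemption from the accepted reply and the poster's final move from "nat (FW_TRANSIT,any)" to an explicit destination interface with "no-proxy-arp route-lookup", written out side by side as an added configuration fragment. This is not configuration from the thread: the object names, the shape of the "before" rule, and the verification commands are assumptions for illustration; only the subnets (10.10.10.0/24, 10.50.10.0/24), the interface names and the test hosts come from the posts above. ASA 8.3 or later syntax.

```text
! Objects (names assumed; subnets are the ones from the thread)
object network NET-CORP-10.10.10.0-24
 subnet 10.10.10.0 255.255.255.0
object network NET-DMZ-10.50.10.0-24
 subnet 10.50.10.0 255.255.255.0

! --- Before: the rule shape the poster reported having ---
! An identity rule with "any" as the destination interface and no
! destination object matches every flow sourced from 10.10.10.0/24,
! whatever interface it should leave on. Manual (section 1) NAT rules
! are evaluated top-down, so a rule like this placed above the DMZ
! exemption is the one that gets applied to LAN -> DMZ traffic.
! (Assumed example, not the poster's actual rule.)
nat (FW_TRANSIT,any) source static NET-CORP-10.10.10.0-24 NET-CORP-10.10.10.0-24

! --- After: explicit interface pair plus the two keywords ---
! no-proxy-arp : the ASA stops answering ARP for the mapped addresses
!                on the mapped interface.
! route-lookup : egress interface is taken from the routing table
!                instead of being derived from the NAT rule.
nat (FW_TRANSIT,DMZ_TEST) source static NET-CORP-10.10.10.0-24 NET-CORP-10.10.10.0-24 destination static NET-DMZ-10.50.10.0-24 NET-DMZ-10.50.10.0-24 no-proxy-arp route-lookup
clear xlate

! --- Verify from the ASA CLI ---
! Simulates the failing ping (ICMP echo, type 8 code 0) from the LAN
! host to the DMZ switch SVI. The output-interface line should now read
! DMZ_TEST rather than FW_TRANSIT, and the final result should be
! "allow". "show nat detail" shows which rule the flow hit and its
! translate/untranslate hit counters.
packet-tracer input FW_TRANSIT icmp 10.10.10.3 8 0 10.50.10.1 detailed
show nat detail
```

The packet-tracer check is the one worth keeping: the poster's earlier run reported the flow as permitted but with FW_TRANSIT as both input and output interface, which is the symptom of the ASA picking an egress interface from a NAT rule rather than from the route table. A packet-tracer result that says "allow" is only meaningful if the reported output interface is the one the routing table would choose.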
