03-25-2010 08:34 AM - last edited on 03-25-2019 05:44 PM by ciscomoderator
Hello
Could someone give me a hand with INSIDE access to the DMZ interface? I've set this up in the past, and am unsure of the problem I am running into. I think that when a host accesses a server on the DMZ, instead of a session being set up the outbound response is being NAT'd and sent out the outside interface. Attached is the running config, and also below is a trace.
Also through debug icmp trace, I see an echo request when pinging the 172.16.0.1 DMZ interface from a host on the 172.16.72.0 INSIDE interface, but not a reply.
ASA# packet-tracer input inside icmp 172.16.72.7 1 1 172.16.0.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.1 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 172.16.72.0 172.16.72.0 netmask 255.255.255.0
match ip inside 172.16.72.0 255.255.255.0 dmz any
static translation to 172.16.72.0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 889825065, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity
adjacency Active
next-hop mac address 0000.0000.0000 hits 26434041
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
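A small parser for the packet-tracer output above, added here as an example (it is not Cisco tooling and not the poster's own code). It assumes the plain-text "Phase: / Type: / Subtype: / Result: / Config: / Additional Information:" layout shown in the post, embeds an abridged copy of the poster's trace so it runs offline, and reports what the trace itself states: the matched static rule's hit counters and the fact that the egress interface is NP Identity Ifc, i.e. the ICMP was addressed to the ASA's own 172.16.0.1 address rather than to a host on the DMZ.

```python
"""Parse Cisco ASA packet-tracer output and flag what a trace says about a flow.
Added example for this thread: not Cisco code and not the poster's own tooling.
It assumes the plain-text layout shown in the post; SAMPLE_TRACE is an abridged
copy of the poster's trace (phases 2, 8 and 10 plus the final Result block)."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_TRACE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.1 255.255.255.255 identity
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 172.16.72.0 172.16.72.0 netmask 255.255.255.0
match ip inside 172.16.72.0 255.255.255.0 dmz any
static translation to 172.16.72.0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity
Result:
input-interface: inside
output-interface: NP Identity Ifc
Action: allow
"""

# "Key: value" lines; keys may contain spaces or hyphens (Additional Information, input-interface)
_KEY = re.compile(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$")


def parse_packet_tracer(text: str) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (phases, summary). A phase dict holds number/type/subtype/result
    plus the free-text lines listed under Config: and Additional Information:."""
    phases: List[Dict] = []
    summary: Dict[str, str] = {}
    current: Optional[Dict] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (None, line)
        if key == "Phase":
            current = {"number": int(value), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif key == "Result" and value == "" and current is not None:
            current, section = None, None  # bare "Result:" opens the final block
        elif current is None:
            if key:
                summary[key] = value
        elif key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value
        elif key in ("Config", "Additional Information"):
            section = "config" if key == "Config" else "info"
        elif section:
            current[section].append(line)
    return phases, summary


def nat_hits(phases: List[Dict]) -> Optional[Tuple[int, int]]:
    """(translate_hits, untranslate_hits) from the NAT phase's counters, or None."""
    for p in phases:
        if p["type"] == "NAT":
            for line in p["config"]:
                m = re.match(r"translate_hits = (\d+), untranslate_hits = (\d+)", line)
                if m:
                    return int(m.group(1)), int(m.group(2))
    return None


def diagnose(text: str) -> List[str]:
    """Findings that follow directly from what the trace states."""
    phases, summary = parse_packet_tracer(text)
    findings = [f"phase {p['number']} ({p['type']}) result {p['result']}"
                for p in phases if p["result"] != "ALLOW"]
    if summary.get("output-interface") == "NP Identity Ifc":
        findings.append("egress is NP Identity Ifc: the destination is one of the ASA's "
                        "own interface addresses, so the packet terminates on the "
                        "firewall rather than being forwarded out the dmz interface")
    if nat_hits(phases) == (0, 0):
        findings.append("matched static rule shows translate_hits = 0 and "
                        "untranslate_hits = 0: no traffic has used it yet")
    findings.append(f"final action: {summary.get('Action', 'unknown')}")
    return findings
```

Calling `diagnose(SAMPLE_TRACE)` on the poster's trace reports the identity egress and the zero hit counters on the `static (inside,dmz)` rule, which is why a test aimed at the firewall's own interface address says nothing about whether inside hosts can reach a server behind the DMZ interface; repeating packet-tracer with a DMZ host address as the destination is what exercises that path.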
03-25-2010 08:35 AM
03-25-2010 02:57 PM
For ping to work, please configure the following:
policy-map global_policy
class inspection_default
inspect icmp
Hope it helps.
03-25-2010 06:03 PM
I don't see nat-control enabled within your config, but it seems like you're still trying to use nat. I'm guessing you may either need to add nat-control, or get rid of the identity nat statements. I'm not an "expert" though... Good luck.
03-26-2010 06:05 AM
Hey guys
Thanks for the input. I think the config is working out ok; the customer might have given me the wrong IP address to test with. I'll post back once confirmed, thanks again.