ASA inside to dmz access

allenelson (Level 1)

Hello

Could someone give me a hand with INSIDE access to the DMZ interface? I've set this up in the past, and am unsure of the problem I am running into. I think that when a host accesses a server on the DMZ, instead of a session being set up, the outbound response is being NAT'd and sent out the outside interface. Attached is the running config, and also below is a trace.

Also through debug icmp trace, I see an echo request when pinging the 172.16.0.1 DMZ interface from a host on the 172.16.72.0 INSIDE interface, but not a reply.


ASA# packet-tracer input inside icmp 172.16.72.7 1 1 172.16.0.1

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.1      255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4     
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 172.16.72.0 172.16.72.0 netmask 255.255.255.0
  match ip inside 172.16.72.0 255.255.255.0 dmz any
    static translation to 172.16.72.0
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 889825065, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity
adjacency Active
next-hop mac address 0000.0000.0000 hits 26434041

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
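The trace above ends with a route lookup of "identity" and an output interface of "NP Identity Ifc", which is what packet-tracer reports when the destination is one of the ASA's own interface addresses rather than a host behind the DMZ. The parser below, added here as an example and not part of the original thread or any Cisco tool, splits packet-tracer output into phases, lists the NAT rules that were hit, reports the first DROP phase if any, and flags traces whose destination is the firewall itself. SAMPLE_TRACE is an abridged copy of the trace in the post; DROP_TRACE is a constructed trace used only to show how a denied flow is reported.

```python
from dataclasses import dataclass, field

# Abridged from the trace in the post (phases 1, 2, 8 and the final Result block).
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.1      255.255.255.255 identity

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 172.16.72.0 172.16.72.0 netmask 255.255.255.0
  match ip inside 172.16.72.0 255.255.255.0 dmz any
    static translation to 172.16.72.0
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
output-interface: NP Identity Ifc
Action: allow
"""

# Constructed trace (not from the post) showing a flow denied by an ACL.
DROP_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group dmz_in in interface dmz
access-list dmz_in extended deny ip any any
Additional Information:

Result:
input-interface: dmz
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_trace(text):
    """Split packet-tracer output into Phase records and the final Result dict."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = Phase(number=int(line.split(":", 1)[1]))
            phases.append(cur)
            section = None
        elif line == "Result:":            # bare header: the final verdict block
            cur, section = None, "final"
        elif section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif cur is None:
            continue                       # text before the first phase (the CLI prompt)
        elif line.split(":", 1)[0] in ("Type", "Subtype", "Result"):
            key, _, value = line.partition(":")
            setattr(cur, key.lower(), value.strip())
            section = None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            getattr(cur, section).append(line.strip())
    return phases, final


def destined_to_firewall(phases, final):
    """True when the route lookup resolved to 'identity' or the egress is the
    NP Identity interface: the packet targets an ASA interface address, so the
    trace exercises the firewall's own ICMP handling, not inside-to-DMZ forwarding."""
    identity_route = any(p.type == "ROUTE-LOOKUP" and any(i.endswith(" identity") for i in p.info)
                         for p in phases)
    return identity_route or final.get("output-interface") == "NP Identity Ifc"


def summarize(text):
    phases, final = parse_trace(text)
    return {
        "action": final.get("Action"),
        "egress": final.get("output-interface"),
        "phases": [p.type for p in phases],
        "nat_rules": [p.config[0] for p in phases if p.type == "NAT" and p.config],
        "first_drop": next((p.type for p in phases if p.result == "DROP"), None),
        "drop_reason": final.get("Drop-reason"),
        "to_firewall_itself": destined_to_firewall(phases, final),
    }


if __name__ == "__main__":
    for name, trace in (("post trace", SAMPLE_TRACE), ("constructed drop", DROP_TRACE)):
        print(name, summarize(trace))
```

Feeding the post's full trace to summarize() gives action "allow" with to_firewall_itself True and zero translate_hits on the identity NAT rule, which is consistent with a packet aimed at the DMZ interface address rather than at a DMZ host; a trace that is actually being dropped on the way to a DMZ server would instead show a DROP phase and a Drop-reason line, as the constructed second sample does.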

4 Replies

allenelson (Level 1)

For ping to work, please configure the following:

policy-map global_policy
 class inspection_default
  inspect icmp

Hope it helps.

I don't see nat-control enabled within your config, but it seems like you're still trying to use nat.  I'm guessing you may either need to add nat-control, or get rid of the identity nat statements.  I'm not an "expert" though...  Good luck.

allenelson (Level 1)

Hey guys

Thanks for the input. I think the config is working out OK; the customer might have given me the wrong IP address to test with. I'll post back once confirmed, thanks again.
