Solved: ASA nat between interfaces

tholmes · ‎09-09-2009

Hello,

Can someone please help me solve this weird problem?

when I ping from a device on DMZ2 192.168.100.1 to a device on DMZ1 192.168.12.112

the ASA thinks the reply is coming from the inside network and so doesn't translate the response!

I've had to sub-interface g0/2 as I'd run out of interfaces.

interface GigabitEthernet0/2

no nameif

security-level 50

no ip address

!

interface GigabitEthernet0/2.1

vlan 3

nameif dmz1

security-level 50

ip address 192.168.12.1 255.255.255.0

!

interface GigabitEthernet0/2.2

vlan 2

nameif dmz2

security-level 40

ip address 192.168.100.254 255.255.255.0

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz1 extended permit icmp any any

access-list dmz2 extended permit ip any any

access-list dmz1_dmz2 extended permit ip 192.168.12.0 255.255.255.0 192.168.100.0 255.255.252.0

access-list dmz2_dmz1 extended permit ip 192.168.100.0 255.255.252.0 192.168.12.0 255.255.255.0

nat (dmz1) 0 access-list dmz1_dmz2

nat (dmz2) 0 access-list dmz2_dmz1

access-group dmz1 in interface dmz1

access-group dmz2 in interface dmz2

static (dmz,outside) XX.YYY.XXX.112 192.168.12.112 netmask 255.255.255.255

Stange though, if I ping the Public IP address is works, but I need to use the real IP address

Syslog = 305006 192.168.100.1 regular translation creation failed for icmp src inside:192.168.12.112 dst dmz2:192.168.100.1 (type 0, code 0)

This is a cutdown version, everything else works fine, devices on the Inside and both DMZs can get to the Internet ok

Any help or advice would be much appreciated

Regards Tony

acomiskey · ‎09-09-2009

no access-list dmz1_dmz2 extended permit ip 192.168.12.0 255.255.255.0 192.168.100.0 255.255.252.0

no access-list dmz2_dmz1 extended permit ip 192.168.100.0 255.255.252.0 192.168.12.0 255.255.255.0

no nat (dmz1) 0 access-list dmz1_dmz2

no nat (dmz2) 0 access-list dmz2_dmz1

static (dmz1,dmz2) 192.168.12.0 192.168.12.0 netmask 255.255.255.0

View solution in original post

acomiskey · ‎09-09-2009

no access-list dmz1_dmz2 extended permit ip 192.168.12.0 255.255.255.0 192.168.100.0 255.255.252.0

no access-list dmz2_dmz1 extended permit ip 192.168.100.0 255.255.252.0 192.168.12.0 255.255.255.0

no nat (dmz1) 0 access-list dmz1_dmz2

no nat (dmz2) 0 access-list dmz2_dmz1

static (dmz1,dmz2) 192.168.12.0 192.168.12.0 netmask 255.255.255.0

tholmes · ‎09-10-2009

Hello, there Acomiskey

Thanks for the reply, I'll give it a go and let you know

Cheers Tony

tholmes · ‎09-10-2009

Hi,

I made those changes but no difference, the ASA still thinks the return packet is coming from the Inside and not the DMZ so it drops it.

Thanks anyhow

Cheers Tony

acomiskey · ‎09-10-2009

What does the rest of your interface

config look like?

tholmes · ‎09-10-2009

Hi,

Its pretty standard, I've used sub interfaces on another firewall recently, same code too, without problems

interface GigabitEthernet0/0

speed 1000

duplex full

nameif outside

security-level 0

ip address XXX.YYY.ZZZ.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.1.253 255.255.255.0

!

interface GigabitEthernet0/2

no nameif

security-level 50

no ip address

!

interface GigabitEthernet0/2.1

description *** Link for SQL Server VLAN 3 ***

vlan 3

nameif dmz1

security-level 50

ip address 192.168.12.1 255.255.255.0

!

interface GigabitEthernet0/2.2

description *** Link for VIP DMZ ***

vlan 2

nameif dmz2

security-level 50

ip address 192.168.100.254 255.255.255.0

!

I added a line to the inside ACL to allow 192.168.12.0 through to 192.168.100.0 just to see what happens, the FW then rejected the reply with the following syslog message.

305006 192.168.100.1 regular translation creation failed for icmp src inside:192.168.12.112 dst dmz2:192.168.100.1 (type 0, code 0)

Makes no sense

Cheers Tony

tholmes · ‎09-14-2009

It makes sense now.

The end user has 2 NICs in his DMZ servers, 1 into the DMZ and the other into the Inside (not very secure!)

This means return traffic was coming in via the d/g which was pointing to the Inside interface.

Many thanks for your help and taking the time to make some suggestions

Much apprecaited

Tony