ASA NAT Issue: Cannot ping Server in DMZ - Static Nat not working.

nwekechampion
Participant

Hi all,

I cannot seem to ping the server in the DMZ from "OUTSIDE" (static NAT). However, I can ping outside from inside (PAT).

Could anyone point me in the right direction, please?

object network INSIDE-OUTSIDE
nat (inside,outside) dynamic interface
object network DMZ2-OUTSIDE
nat (dmz2,outside) dynamic interface
object network DMZ1-OUTSIDE
nat (dmz1,outside) dynamic interface
!
nat (any,outside) after-auto source dynamic any interface
ASAlab2(config)#
ASAlab2(config)#
ASAlab2(config)# sh run
: Saved

:
: Serial Number: 9AMKNK263EE
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2095 MHz
:
ASA Version 9.9(2)
!
hostname ASAlab2
enable password $sha512$5000$+Kpz/EysDD1un1b5YiX/MQ==$k3TtQlPYooJmTbkU/HIykA== pbkdf2
names

!
interface GigabitEthernet0/0
description WAN
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.252
!
interface GigabitEthernet0/1
description LAN
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ1
nameif dmz1
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
description DMZ2
nameif dmz2
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
no ip address
!
ftp mode passive
object network INSIDE-OUTSIDE
subnet 192.168.0.0 255.255.255.0
object network DMZ1-SERVER
host 192.168.1.10
object network OUTSIDE-DMZ1
host 10.1.1.10
object network DMZ2-OUTSIDE
subnet 192.168.2.0 255.255.255.0
object network DMZ1-OUTSIDE
subnet 192.168.1.0 255.255.255.0
access-list OUTISDE-DMZ extended permit ip any host 192.168.1.10
pager lines 23
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network INSIDE-OUTSIDE
nat (inside,outside) dynamic interface
object network DMZ2-OUTSIDE
nat (dmz2,outside) dynamic interface
object network DMZ1-OUTSIDE
nat (dmz1,outside) dynamic interface
!
nat (any,outside) after-auto source dynamic any interface
access-group OUTISDE-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA

quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
console serial
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:1d55c3acd48ddf7aa7f83d370abfc6ba
: end

Thanks

11 Replies

GudduPrasad83044
Beginner

Hi,

I do see an access list configured to allow all kinds of traffic from outside to the DMZ server, but I do not see any static NAT associated with the DMZ server. Please configure static NAT to allow ping from outside to the DMZ.

Example:

If you have a free IP address in the range of the outside subnet, then use it for static NAT with the DMZ.

Let's say 10.1.1.3 is a free IP address in the outside subnet (10.1.1.0/24).

object network obj-10.1.1.3
 host 10.1.1.3
object network obj-192.168.1.10
 host 192.168.1.10
nat (dmz1,outside) source static obj-192.168.1.10 obj-10.1.1.3

The above NAT is applicable only when you have a free IP address in the outside subnet, but in your case you are using a /30 subnet, where you have only two usable IP addresses: one for the firewall and the other for the gateway (according to the pasted configuration).

For UDP/TCP we can use the interface IP address of the firewall for port forwarding, but for ICMP we cannot use port forwarding, since ICMP does not work on ports (it is a different protocol).

Note: We can use the outside interface IP address for a one-to-one static NAT with the DMZ server; however, it will break the other NAT.

nat (dmz1,outside) source static obj-192.168.1.10 interface

Please let me know if you have any query, and do rate if it helps.

Thanks

Guddu

Thanks @GudduPrasad83044.

I have adjusted that to a /24 subnet. Still not working.

So if I am to understand you correctly, I cannot have PAT and static NAT on the same interface (zone)?

You cannot have it. You can configure port forwarding in that case if you want to utilize the same IP for PAT and NAT (for incoming traffic to the server).

But I cannot do a port forward for ICMP traffic, as ICMP does not have a UDP/TCP port.
So is there a workaround to this, please?

For ICMP you can configure an access list. Here is the example.

access-list outside-in extended permit icmp any host 192.168.10.1 echo
access-group outside-in in interface outside

Please do not forget to rate.

Hi Sheraz,

The access list is fine.

I am just trying to test connectivity to my web server using static NAT.
I just need a diagnostic test using ICMP.
However, it does not work.
So, does it mean I cannot have PAT and static NAT on the same interface/zone?

Regards

Muhammad Awais Khan
Cisco Employee

Hi

It is not going to ping with your NAT configuration. You have already done many-to-one NAT from the inside subnet to outside, which allows your inside to reach outside. What kind of service is running on your DMZ? The options for you are either to arrange a unique public IP or to configure port forwarding on the outside interface.

For example, if your server in the DMZ is a web server running on port 443 and you want to access the web page from outside, then the config would look like:

object network DMZ1-OUTSIDE
nat (dmz1,outside) static interface service tcp 443 443

Further, you need to allow traffic on TCP port 443 in the above example.

Just to add to what @Muhammad Awais Khan mentioned.

object network DMZ1-OUTSIDE
nat (dmz1,outside) static interface service tcp 443 443

access-list OUTSIDE_IN extended permit tcp any object DMZ1-OUTSIDE eq 443
access-group OUTSIDE_IN in interface outside

Please do not forget to rate.

Hi Muhammad,

I was just trying to configure PAT and static NAT in the same zone.
So I want to be able to ping the internet from the DMZ server, while allowing connections (ICMP traffic) to the DMZ server from the internet.

Hi Muhammad,

So if I am to understand you correctly, I can only have either PAT or static NAT on an ASA zone/interface; I cannot have both simultaneously?

Regards

For this scenario, as per my understanding it will not work, as you are doing static NAT to the outside interface IP. If you have any additional IP available other than the interface IP, then you can use PAT and static NAT for your server together.

I tested some scenarios with PAT and port forwarding on the ASA's outside for internal servers, which worked fine for me.
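Putting the thread's conclusion together as a worked configuration (added here, not posted by anyone in the thread): a one-to-one static NAT for the DMZ server on a spare outside address, so the existing interface PAT rules keep working, plus the inbound ACL and the commands to verify it. It reuses the poster's own objects DMZ1-SERVER (192.168.1.10) and OUTSIDE-DMZ1 (10.1.1.10) and assumes the outside interface has been re-addressed to 10.1.1.0/24 as the poster says later, so that 10.1.1.10 is a free address on that subnet; the outside source 203.0.113.5 in the packet-tracer test is made up.

```cisco
! Added example, not from the thread. Assumes outside is now 10.1.1.1/24,
! so 10.1.1.10 (the poster's unused OUTSIDE-DMZ1 object) is a free address
! that is NOT the interface IP; the interface IP stays reserved for PAT.

! 1. Object NAT for the server. Static object-NAT rules are evaluated
!    before dynamic ones, so the server is translated 1:1 while the rest
!    of dmz1 keeps using "nat (dmz1,outside) dynamic interface".
object network DMZ1-SERVER
 host 192.168.1.10
 nat (dmz1,outside) static OUTSIDE-DMZ1

! 2. Inbound ACL on outside. Post-8.3 ACLs match the REAL (untranslated)
!    address, so the rules name the DMZ1-SERVER object, not 10.1.1.10.
!    The poster's "permit ip any host 192.168.1.10" already allows this;
!    the lines below are the tightened replacement: echo requests only,
!    plus the web service the server is assumed to offer on tcp/443.
access-list OUTISDE-DMZ extended permit icmp any object DMZ1-SERVER echo
access-list OUTISDE-DMZ extended permit tcp any object DMZ1-SERVER eq 443
no access-list OUTISDE-DMZ extended permit ip any host 192.168.1.10
access-group OUTISDE-DMZ in interface outside

! 3. Echo replies are allowed back statefully because "inspect icmp" is
!    already present in global_policy in the posted config.

! 4. Verify without a client: simulate an echo request (type 8, code 0)
!    from a made-up outside host to the mapped address. The NAT phase
!    should show 10.1.1.10 -> 192.168.1.10 and the result should be ALLOW.
packet-tracer input outside icmp 203.0.113.5 8 0 10.1.1.10
show nat detail
show xlate
```

If packet-tracer drops the packet in the ACL phase, the ACE is matching the mapped address instead of the real one; if it drops in the NAT phase, a dynamic rule is still being hit first and the static rule did not take effect.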
