ASA unable to ping internet from DMZ

mahesh18
Level 6

Hi Everyone,

I have set up a 5505 ASA for testing purposes.

It has a static route to a layer 3 switch on the outside interface that goes to the internet.

ciscoasa# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.11.1 to network 0.0.0.0

C    192.168.11.0 255.255.255.0 is directly connected, outside
C    192.168.52.0 255.255.255.0 is directly connected, inside
C    192.168.69.0 255.255.255.0 is directly connected, DMZ
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.11.1, outside

It has an inside interface, and users can access the internet from the inside interface with no issues.

It's also doing NAT for inside users.

Now I want to set up the DMZ on this ASA.

Here is what I have done:

interface Vlan12
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.69.2 255.255.255.0

So with "no forward interface Vlan1", the users in the DMZ are unable to ping the inside interface, right?

Now int eth0/1 on the ASA goes to another layer 3 switch.

interface Ethernet0/1
 switchport access vlan 12
!

Now this layer 3 switch has int fa0/1 that connects directly to the ASA on eth0/1.

sh run int fa0/1
Building configuration...

Current configuration : 95 bytes
!
interface FastEthernet0/1
 switchport access vlan 12
 switchport mode dynamic desirable
end

Switch#ping 192.168.69.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.69.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#

My question is: what default gateway should I config on this switch so that it can access the internet through the ASA?

Also, users behind this switch should be able to ping internet sites.

Also, what NAT config do I need to do on the ASA so that users from the DMZ have access to the internet?

Config of ASA:

ciscoasa# sh running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.52.1 255.255.255.0
!
interface Vlan11
 nameif outside
 security-level 0
 ip address 192.168.11.2 255.255.255.0
!
interface Vlan12
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.69.2 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate cda15b51
    308201cf 30820138 a0030201 020204cd a15b5130 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
    86f70d01 09021608 63697363 6f617361 301e170d 31333034 30333033 33313134
    5a170d32 33303430 31303333 3131345a 302c3111 300f0603 55040313 08636973
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c5 04be4392
    051ff956 1786981c 6acbe7ed 880bc95a 1c846bf4 19e381f7 f1e8d0d0 e340f86f
    e94ec55b a1714de8 19976ae4 e9196c52 7791873c 794d2eec 4ae90aa5 5b40282c
    3aac7fbb 2a2a2e36 77906a25 a3874d98 7f51e370 266068d8 f5adbd97 bd204ce0
    61943442 ae73ce78 4f2b0daa 53374044 07f4df39 eed0e80c 2b92af02 03010001
    300d0609 2a864886 f70d0101 05050003 8181001e 41c1636b c86357f6 94585bc0
    2fe4bf2f b9f0cc4a 108f3cbf 830ebe54 fb6c87e6 04ad11a4 3fec5ced 5f6f9784
    9f423788 c7de4b5b b7226d81 262ee3b6 ff0adffe 4e49ed7a 42c74d4b f52f0456
    1b8feb3f f19efdc5 adaced62 c4bd7180 107feb06 8658937e 8cb2a154 7486de37
    9b00c44c d17f967e 5fbe4584 c71fd389 55d670
  quit
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.0.0 255.255.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd dns 64.59.144.19
!
dhcpd address 192.168.52.5-192.168.52.15 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username mp password AILiHuRWFGgkbsI5 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d9c334f272663925bc56c7e3b7fd0aa5
: end

Switch connected to DMZ port config:

Switch#sh running-config
Building configuration...

Current configuration : 2668 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
!
aaa new-model
!
!
aaa authentication login MP none
!
!
!
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.69.1
!
ip dhcp pool MAHESH
   import all
   network 192.168.69.0 255.255.255.0
   default-router 192.168.69.1
   dns-server 64.59.144.19
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 12
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode dynamic desirable
!
interface FastEthernet0/5
 switchport mode dynamic desirable
!
interface FastEthernet0/6
 switchport mode dynamic desirable
!
interface FastEthernet0/7
 switchport mode dynamic desirable
!
interface FastEthernet0/8
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 switchport mode dynamic desirable
!
interface FastEthernet0/10
 switchport mode dynamic desirable
!
interface FastEthernet0/11
 switchport mode dynamic desirable
!
interface FastEthernet0/12
 switchport mode dynamic desirable
!
interface FastEthernet0/13
 switchport mode dynamic desirable
!
interface FastEthernet0/14
 switchport mode dynamic desirable
!
interface FastEthernet0/15
 switchport mode dynamic desirable
!
interface FastEthernet0/16
 switchport mode dynamic desirable
!
interface FastEthernet0/17
 switchport mode dynamic desirable
!
interface FastEthernet0/18
 switchport mode dynamic desirable
!
interface FastEthernet0/19
 switchport mode dynamic desirable
!
interface FastEthernet0/20
 switchport mode dynamic desirable
!
interface FastEthernet0/21
 switchport mode dynamic desirable
!
interface FastEthernet0/22
 switchport mode dynamic desirable
!
interface FastEthernet0/23
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan12
 ip address 192.168.69.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.69.2
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 privilege level 15
 login authentication MP
line vty 0 4
 privilege level 15
 login authentication MP
line vty 5 15
 privilege level 15
 login authentication MP
!
end

Thanks

Mahesh

20 Replies

Hi,

The parameter "outside" is meant for situations where the interface used in the "nat" command is of lower "security-level" than the interface in the matching "global" configuration line.

As we can see, in this situation that is not the case, as DMZ is 50 and outside is 0.

To be honest, I have not yet had to use this before, so I can only assume that if the parameter is used in a situation where it doesn't match the above logic, it simply won't match the traffic.

But your NAT configuration should be ok now.

Here is the ASA 8.2 command reference section for the "nat" command.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1756533

And here's the section about the "outside" parameter:

outside

(Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.

Glad to hear everything is working now.

- Jouni

Hi Jouni,

One last question here

Curious to know how ICMP is working from the PC in the DMZ to outside.

Is this due to the fact that I have configured "inspect icmp" under the global policy?

Regards

Mahesh

Hi,

Yes, the "inspect icmp" applies globally to ICMP traffic.

When it's configured, it will automatically allow the ICMP Echo-reply messages from the remote host back to the host behind the ASA that is sending the ICMP Echo messages.

If you didn't have the "inspect icmp" configured, then you would have to separately allow ICMP echo replies on the "outside" interface ACL.

I find using the "inspect icmp" a better choice than doing it with the ACL.

- Jouni
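As an added example (not code from the original post or from Cisco), here is a small Python audit that walks the legacy ASA 8.2 "nat (iface) id" / "global (iface) id" syntax shown in this thread and reports which interface has no NAT rule bound to a global (the DMZ case in the question), flags an "outside" keyword on a rule whose interface is already at a higher security level than its global (the point made in the reply above), and checks whether "inspect icmp" is present. The sample config is a constructed excerpt of the ASA config posted above; suggest_nat builds a pre-8.3 nat line from the interface's own address, which is an assumption about the intended rule, not something the thread states.

```python
"""Audit an ASA 8.2-style config for NAT coverage and ICMP inspection.

Added example for this thread, not code from the original post or from Cisco.
Parses the pre-8.3 'nat (iface) id' / 'global (iface) id' lines shown above.
"""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: the NAT-relevant lines of the thread's ASA config.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.52.1 255.255.255.0
!
interface Vlan11
 nameif outside
 security-level 0
 ip address 192.168.11.2 255.255.255.0
!
interface Vlan12
 nameif DMZ
 security-level 50
 ip address 192.168.69.2 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
  inspect icmp
"""

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$")
SECLVL_RE = re.compile(r"^\s*security-level\s+(\d+)\s*$")
IPADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^\s*global\s+\((\S+)\)\s+(\d+)\s+\S+")
NAT_RE = re.compile(r"^\s*nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)(.*)$")
ICMP_RE = re.compile(r"^\s*inspect\s+icmp\s*$")
# outside_kw: the trailing 'outside' keyword (outside / bidirectional NAT)
NatRule = namedtuple("NatRule", "iface nat_id network mask outside_kw")


@dataclass
class AsaAudit:
    levels: dict = field(default_factory=dict)     # nameif -> security-level
    addresses: dict = field(default_factory=dict)  # nameif -> "ip mask"
    globals_: dict = field(default_factory=dict)   # nat id -> [global nameif]
    nats: list = field(default_factory=list)       # NatRule entries
    inspect_icmp: bool = False

def parse_config(text):
    """Collect interfaces, nat/global pairs and the ICMP inspection flag."""
    audit = AsaAudit()
    current = None  # nameif of the interface stanza being read
    for line in text.splitlines():
        if line.startswith("interface ") or line.strip() == "!":
            current = None  # new stanza: forget the previous nameif
        if m := NAMEIF_RE.match(line):
            current = m.group(1)
        elif (m := SECLVL_RE.match(line)) and current:
            audit.levels[current] = int(m.group(1))
        elif (m := IPADDR_RE.match(line)) and current:
            audit.addresses[current] = f"{m.group(1)} {m.group(2)}"
        elif m := GLOBAL_RE.match(line):
            audit.globals_.setdefault(int(m.group(2)), []).append(m.group(1))
        elif m := NAT_RE.match(line):
            iface, nat_id, net, mask, rest = m.groups()
            audit.nats.append(NatRule(iface, int(nat_id), net, mask, "outside" in rest.split()))
        elif ICMP_RE.match(line):
            audit.inspect_icmp = True
    return audit

def _global_levels(audit, nat_id):
    # Security levels of the interfaces a nat id translates onto.
    return [audit.levels[g] for g in audit.globals_.get(nat_id, []) if g in audit.levels]

def interfaces_without_nat(audit):
    """Interfaces (global targets excluded) with no nat rule that reaches a
    global: high-to-low needs no keyword, low-to-high needs 'outside'."""
    global_ifaces = {g for names in audit.globals_.values() for g in names}
    return [iface for iface, level in audit.levels.items()
            if iface not in global_ifaces and not any(
                level > g or (level < g and r.outside_kw)
                for r in audit.nats if r.iface == iface
                for g in _global_levels(audit, r.nat_id))]

def misplaced_outside_keyword(audit):
    """nat rules carrying 'outside' although their interface already sits at
    a higher security level than every global they bind to."""
    found = []
    for r in audit.nats:
        glvls = _global_levels(audit, r.nat_id)
        if r.outside_kw and glvls and all(audit.levels.get(r.iface, -1) > g for g in glvls):
            found.append(f"nat ({r.iface}) {r.nat_id}")
    return found

def suggest_nat(audit, iface, nat_id=1):
    """Legacy-syntax nat line covering the interface's connected subnet (assumed rule)."""
    ip, mask = audit.addresses[iface].split()
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    return f"nat ({iface}) {nat_id} {net.network_address} {net.netmask}"
```

On the sample, interfaces_without_nat reports only DMZ and inspect_icmp is True; appending the line suggest_nat returns for DMZ empties the list, while appending the same line with a trailing "outside" keyword is reported by misplaced_outside_keyword, since DMZ (50) is already above outside (0).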

Hi Jouni,

Many thanks for answering all my questions today.

I have to support ASAs in my job, and I am also planning to do some certifications on the ASA.

So these days I go through some ASA training videos and put questions here to understand things better.

People like you must be very busy with your work but you still answer all my questions.

Best regards

Mahesh

Always glad to help

I usually spend time here mostly when I am at home. It seems that most questions are posted here when I get off work. Must be because of the time difference between Finland and the other countries where most of the people post from. I also answer during work hours if there is a situation where I don't have anything work related going on at that moment.

I have worked several years with the different Cisco firewalls but many times run into something new here on the forums, and something that I want to test out for myself too, just to learn something new and understand the devices and software operation better.

I am also planning on starting with the Cisco certifications, as I have to this day not done any of them. For me personally the plan is to do CCNA (Routing&Switching) -> CCNA (Security) -> CCNP (Security), and perhaps after that I could consider going for CCNP (Routing&Switching).

Good luck with the certifications if you decide to go for them

- Jouni

Hi Jouni,

I am in Canada in the MST zone. On my current job here we have a lot of ASAs, so that's why I have to learn them in order to support them, plus I have to support routing and switching.

I also learnt a lot from this forum. This Cisco forum is the best place to learn.

Currently I have only the TSHOOT exam left to achieve the CCNP in routing and switching. After this I will start on CCNP Security.

That's the plan for now.

Best regards

Mahesh