[ASK] Inside can't access DMZ on ASA

Charles_Chi4
Level 1

Hi all,

I have a problem which seems too weird. I have an ASA 5540 in my client's office. The previous plan used an inside and outside scheme only, while dynamically NATting all inside networks (10.0.0.0/8) to outside, and statically NATting several IPs too. The problem is when I deploy a DMZ on the ASA.

The inside network can't access the DMZ, not even the first L3 device after the DMZ interface. After I remove a certain inside network from the dynamic NAT, I can access the DMZ from that particular inside network.

What is the problem?

Could I make the inside network access both the DMZ and the outside network?


12 Replies

husycisco
Level 7

Hi Charles,

Most probably the exempt NAT statement is missing. Please post the sanitized config.

Regards

I'm so sure that the nat 0 statement is not missing anything, because the DMZ itself is actually the remote site that was previously established via the ASA using an L2L VPN, which means there should be a nat 0 for bypassing the NAT.

The previous config for the NAT is:

global (outside) 1 A.A.A.A

nat (inside) 0 access-list NO_NAT

nat (inside) 1 10.0.0.0 255.0.0.0

And when I remove a particular inside IP from the dynamic NAT, that particular network can access the DMZ.

global (outside) 1 A.A.A.A

nat (inside) 0 access-list NO_NAT

nat (inside) 1 access-list PAT

Is there anything else that could cause this kind of problem?

If you recently made a config or device change, "clear arp" and "clear xlate" would help.

I don't understand what you mean by

"when I remove a particular inside IP from the dynamic NAT, that particular network can access the DMZ"

What do you mean by dynamic NAT?

Your sanitized config and a statement of the inability to reach from which exact IP to which exact IP will greatly help.

Well, what I mean by dynamic NAT is this config below:

global (outside) 1 A.A.A.A

nat (inside) 1 access-list PAT

Previously :

global (outside) 1 A.A.A.A

nat (inside) 1 10.0.0.0 255.0.0.0

In the PAT access list, I exclude 10.64.0.0/16, which would connect to the DMZ.

Previously, the network 10.64.0.0/16 connected to the remote site using an L2L VPN, and to bypass NAT I used exempt NAT:

nat (inside) 0 access-list NO_NAT

The example is below:

access-list NO_NAT extended permit ip 10.64.1.0 255.255.255.0 10.5.0.0 255.255.224.0

10.5.0.0/19 is the remote site network.

And then I migrated this L2L VPN connection to a leased line which terminates on the DMZ interface of the ASA.

I erased the VPN tunnel and added a route to the DMZ interface, but no traffic can go to the DMZ from the inside network.

Here is the config for the route:

route DMZ 10.5.0.0 255.255.224.0 10.64.15.3 1

After I exclude 10.64.0.0/16 from the dynamic NAT, the 10.64.0.0/16 network can access the DMZ network (10.5.0.0/19) but can't access the internet anymore because it no longer participates in the dynamic NAT.

Does my explanation make you understand the problem? Sorry for my bad English, hehehe.

Hi,

I suggest using static identity NAT for that new network so that your traffic can be initiated in any direction.

static (inside,dmz) 10.64.1.0 10.64.1.0 netmask 255.255.255.0

You need to allow access to that DMZ network by modifying the access list applied to the inside interface, i.e.

access-list inside-dmz permit ip 10.64.1.0 255.255.255.0 10.5.0.0 255.255.224.0

access-group inside-dmz in interface inside

Also add access to the DMZ access-list:

access-list dmz-inside permit ip 10.5.0.0 255.255.224.0 10.64.1.0 255.255.255.0

access-group dmz-inside in interface dmz

Access to the internet should not be affected, as you are using another interface to send traffic out. In any case, your PAT for outbound Internet access should look like this:

global (outside) 1 PUBLIC-IP-ADDRESS

nat (inside) 1 10.0.0.0 255.0.0.0

You should type clear xlate after the changes.

I hope it helps. Please rate helpful posts!

So it's impossible to allow traffic from inside to DMZ without NATting? I don't use nat-control in the ASA.

So you mean all connections from one interface to another in the ASA should use NAT? Even though I don't use nat-control to force NAT on any connection that goes through the ASA.

I'm really confused about the concept of the Cisco firewall.

Hi,

Please take time to read the link below. This will help you understand those concepts.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1065667

Hi, I've already read that article. Can you show me how it relates to my problem?

What I know is that nat-control requires that a packet traversing from one interface to another in the ASA must match a NAT rule.

But what if I don't use nat-control? And I can make sure there's no nat-control in my ASA.

And I'm so sure that a packet can traverse from inside to DMZ without identity NAT or another kind of NAT, while the packet can go to outside using dynamic NAT. But no luck. Is there any bug in ASA 7.1(2)? The image is asa712-k8.bin.

I think the concept is the same as a router with 3 interfaces, where I put ip nat inside on the inside interface and ip nat outside on the outside interface, and another interface called DMZ. While the packet goes from inside to outside it will be NATted, and I can go to the DMZ without being NATted. Is the concept the same?

Could anybody confirm that if I don't use nat-control, the packet can traverse from inside to DMZ without NAT?

And I also use ACLs for inbound traffic on all of the inside, outside and DMZ interfaces.

Hi Charles

You don't have to mess with the nat-control command; your issue is pretty easy and straightforward. Since you insist on not posting the entire sanitized config, I will go on with assumptions.

A little info about nat-control. If I remember correctly, nat-control is built in with 6.3 IOS and above, and according to my experience, it doesn't appear in the config unless it is explicitly disabled or enabled after disabling. That's why the concept is NOT the same as with a router while nat-control is enabled.

"And I'm so sure that a packet can traverse from inside to DMZ without identity NAT or another kind of NAT, while the packet can go to outside using dynamic NAT"

I am sorry Charles, but you are misinformed. This is for routers only. And the NAT concept of Cisco firewall devices is usually where I meet R&S (Routing & Switching) professionals who have not been involved with firewalls as much as with routers. What you mention will become real when you explicitly state "no nat-control". Then the device will behave more like a router.

"without identity NAT or another kind of NAT".

The firewall is obliged to check all traffic and drop it if it doesn't match a NAT statement when nat-control is enabled. That's fine.

"So it's impossible to allow traffic from inside to DMZ without NATting?"

And you want specific traffic not to be translated by NAT x; that's fine too. But you must tell the device, which you have obliged to check for NAT matches, not to NAT that traffic x specifically. And this is what exempt NAT is, the first suggestion I made, and it hit the bull's eye as I see.

Here are my assumptions according to "After I exclude 10.64.0.0/16 from the dynamic NAT, the 10.64.0.0/16 network can access the DMZ network":

You either don't have an exempt NAT statement or identity NAT, or have an incorrect one, since the firewall first checks exempt and identity NATs, then moves on to NAT translation groups.

Then you have NAT translation groups like the following:

global (outside) 1 xxxxx

global (dmz) 2 yyyyyy

nat (inside) 1 bla bla

nat (inside) 2 bla bla

Traffic originating from inside always goes out from global 1, and never exits from global 2 since it has the same source. Once you exclude the source traffic, it goes on from global 2 and never goes out from global 1. As stated before, if you have a valid identity NAT or exempt NAT, the firewall will first check if the traffic hits the exempt or identity NAT; if it matches, traffic flows as stated; if it doesn't, traffic hits NAT translation group 1 and goes out to the internet.

Btw, I suggest using 7.2(2), but not for the reason you wrote next to your possible bug worry.

Still couldn't achieve what you want? Want to resolve it? Then please do the following exactly.

1) Post your sanitized config

2) State your problem as "I can't reach from x IP to y IP"

3) Let me resolve it: apply my suggested CLI commands, see that your problem is resolved, then ask me about my suggestions ("why did you do xx")

Regards
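To make the lookup order described in this answer concrete, here is a small Python model added for this thread; it is not code from the post, from Cisco, or from the ASA itself. It runs the nat 0 exemption first, then static/identity NAT, then the dynamic nat/global groups over a few constructed flows, using the sanitized networks from the thread (203.0.113.1 stands in for the redacted A.A.A.A, 198.51.100.7 is a constructed internet host). The rule that a flow is dropped when a nat group claims its source but no global exists on the egress interface is an assumption modelled on the symptom reported above (the /16 reaches the DMZ only once it is excluded from nat 1), not something the thread states outright. The block also covers the static identity NAT (inside,dmz) approach suggested in the earlier reply.

```python
"""Toy model of ASA 7.x (pre-8.3 syntax) NAT rule selection, written for this thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"
OUTSIDE_PAT = "203.0.113.1"  # constructed stand-in for the sanitized A.A.A.A
DMZ_NET = "10.5.0.0/19"      # the former L2L VPN remote site, now behind the DMZ interface


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First-match evaluation of (action, src_net, dst_net) entries, implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if _in(src, src_net) and _in(dst, dst_net):
            return action == "permit"
    return False


@dataclass
class Result:
    action: str               # exempt | static | dynamic | untranslated | drop
    xlate_src: Optional[str]  # source address as seen on the egress interface
    reason: str


class Asa7Nat:
    """Check order as described in the accepted answer: nat 0, then static, then nat/global groups."""

    def __init__(self, nat_control: bool = False):
        self.nat_control = nat_control
        self.nat0_acl = []      # nat (inside) 0 access-list <ACL>
        self.statics = []       # (egress_if, mapped_net, real_net) from static (inside,<if>)
        self.nat_groups = {}    # nat (inside) <id> ... expressed as ACL entries
        self.globals = {}       # (egress_if, id) -> pool from global (<if>) <id>

    def lookup(self, src: str, dst: str, egress: str) -> Result:
        # Routing has already picked the egress interface; NAT is decided per egress.
        if acl_permits(self.nat0_acl, src, dst):
            return Result("exempt", src, "nat 0 access-list match, no translation")
        for egress_if, mapped_net, real_net in self.statics:
            if egress_if == egress and _in(src, real_net):
                real = ipaddress.ip_network(real_net, strict=False)
                mapped = ipaddress.ip_network(mapped_net, strict=False)
                offset = int(ipaddress.ip_address(src)) - int(real.network_address)
                return Result("static", str(mapped.network_address + offset),
                              f"static (inside,{egress}) match")
        for gid in sorted(self.nat_groups):
            if acl_permits(self.nat_groups[gid], src, dst):
                pool = self.globals.get((egress, gid))
                if pool is None:
                    # Assumed 7.x behaviour matching the thread's symptom: nat <id> claims the
                    # source, but there is no global (<egress>) <id> to translate into.
                    return Result("drop", None, f"nat {gid} matched, no global ({egress}) {gid}")
                return Result("dynamic", pool, f"PAT via global ({egress}) {gid}")
        if self.nat_control:
            return Result("drop", None, "no NAT rule matched and nat-control is enabled")
        return Result("untranslated", src, "no NAT rule matched, nat-control disabled")


def posted_config() -> Asa7Nat:
    """As posted: exemption only for 10.64.1.0/24 -> DMZ, nat 1 for all of 10/8."""
    asa = Asa7Nat()
    asa.nat0_acl = [("permit", "10.64.1.0/24", DMZ_NET)]
    asa.nat_groups[1] = [("permit", "10.0.0.0/8", ANY)]
    asa.globals[("outside", 1)] = OUTSIDE_PAT
    return asa

def workaround_config() -> Asa7Nat:
    """The poster's workaround: nat (inside) 1 access-list PAT with 10.64.0.0/16 denied."""
    asa = posted_config()
    asa.nat_groups[1] = [("deny", "10.64.0.0/16", ANY), ("permit", "10.0.0.0/8", ANY)]
    return asa

def exempt_fix_config() -> Asa7Nat:
    """Accepted answer's approach: extend the nat 0 exemption to the whole /16 toward the DMZ."""
    asa = posted_config()
    asa.nat0_acl.append(("permit", "10.64.0.0/16", DMZ_NET))
    return asa

def identity_fix_config() -> Asa7Nat:
    """The earlier reply's approach: static identity NAT (inside,dmz) for the /16."""
    asa = posted_config()
    asa.statics.append(("dmz", "10.64.0.0/16", "10.64.0.0/16"))
    return asa


if __name__ == "__main__":
    flows = [("10.64.20.5", "10.5.0.10", "dmz"), ("10.64.20.5", "198.51.100.7", "outside")]
    for name, build in [("posted", posted_config), ("workaround", workaround_config),
                        ("exempt fix", exempt_fix_config), ("identity fix", identity_fix_config)]:
        for src, dst, egress in flows:
            r = build().lookup(src, dst, egress)
            print(f"{name:12} {src} -> {dst} via {egress}: {r.action:12} {r.reason}")
```

Running it shows the four states the thread walks through: the posted config drops 10.64.20.5 toward the DMZ (the /24 exemption does not cover it, nat 1 does, and there is no global on dmz) while still PATting it to the internet; the workaround passes the DMZ flow untranslated but also sends the internet flow out with its private source, which is why internet access stopped; and both the widened nat 0 exemption and the identity static let the same host reach the DMZ untranslated while the outside-bound flow still hits global (outside) 1.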

Hi bro, thanks for your info. I'm so satisfied with your answer. Your words inspired me much ^.^

Actually my client is already satisfied with the current situation: that the specific network can't access the internet and can just go to the DMZ. I also heard from my pal that the ASA always has problems and has to be reloaded if the config doesn't apply correctly, but I can't do that.

But I just want to confirm whether what I'm thinking is wrong or right, because I can't do it.

My client is one of the biggest telco companies in my country, and it's all about internal politics; I can't do what I want even though, as an engineer, I want to solve it, but they don't want to and leave it as it is.

And if I propose to reload the ASA, it will impact revenue because there are some production links traversing this ASA. And for them, it's not about whether the ASA can or can't, but what they want or don't want.

And for confidentiality reasons, I can't give you the sanitized config either.

Anyway, thanks for your great help. I'm really, really sorry for being so rude because of my bad English.

Hi Charles,

You are welcome m8 :)

Now I understand your issue. It looks like they run only one firewall and don't have active/passive failover. This is what they have to do if they really can't afford a scheduled 5 minutes' downtime.

That's correct, reloading the ASA hardly ever resolves issues. I have not seen it resolve this kind of translation issue. The trigger that makes translations work is clear xlate or waiting for the clear xlate interval.

When I am back home, I will paste a sanitized config for you to check and see how my suggestions work.

Regards

 