Can't talk to DMZ

Bob Greer · ‎10-15-2013

Hi there,

Thanks for reading. I'm sure this is elementary (but so am I - heh).

I'm trying to allow connectivity from the private network to a server in my ASA5520 DMZ. I've tried a couple different iterations but no success. Basically, right now, I've got this configured (the 172.31 address is the same on each line):

access-list DMZ-INET extended permint tcp host 172.31.x.x 10.0.0.0 255.0.0.0

access-list DMZ-INET extended permint object-group Dell-DP host 172.31.x.x host 10.0.0.19

access-list DMZ-INET extended permint object-group Dell-DP interface inside host 172.31.x.x

Here's the object group:

object-group service DELL_DP

service-object tcp eq 8443

service-object tcp eq 8888

service-object tcp eq 9000

service-object tcp eq 8081

service-object tcp eq 8000

service-object tcp eq 1099

service-object tcp eq 9011

service-object tcp eq 3389

service-object icmp

My desktop is 10.0.0.19. I just want to test with a ping and telnet over the object ports listed. My hit counts are all zeros so I'm out in the weeds somewhere.

Thanks again for reading!

Bob

Jouni Forss · ‎10-15-2013

Hi,

If your connection attempts are coming towards the DMZ network then the DMZ interface ACL wont be the one controlling this traffic (at least in a typical setup). It will be the ACL that controls traffic coming from the interface where your desktop is.

It would be easier to check if we could see more configurations

You can naturally use the "packet-tracer" command to test the ASA configurations

packet-tracer input tcp 10.0.0.19 12345

Just replace the above unfilled sections and issue the command and it lists which rules/configurations on the ASA are applied to the packet.

Naturally it might stop at an very early phase if there is a problem with an interface ACL

- Jouni

Bob Greer · ‎10-15-2013

Hi Jouni,

Thanks for your help!

Here's results of a packet-tracer.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.31.211.0 255.255.255.0 DMZ-INET

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.224.0 inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ-INET) 10 172.31.211.0 255.255.255.0
match ip DMZ-INET 172.31.211.0 255.255.255.0 outside any
dynamic translation to pool 10 (63.149.103.2 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 313103908, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ-INET
output-status: up
output-line-status: up
Action: allow

Jouni Forss · ‎10-15-2013

Hi,

Test seems to go through.

Can you ping the server from the firewall directly?

ping 172.31.x.x

Can you see the server with ARP?

show arp

- Jouni

Bob Greer · ‎10-15-2013

It doesn't ping and it doesn't appear in the arp table. I'll check with the server admin and see what's up with that server: on or off and see what I've got at that point.

Bob Greer · ‎10-15-2013

Hi Jouni,

The device is powered up but not accessible by the firewall via PING or in the ARP table. What relevant sections of the config would you like to see?

Jouni Forss · ‎10-15-2013

Hi,

Since I have not seen the actual configuration I am wondering is the DMZ network configured directly to some ASA interface? If it is then you should see the ARP of the server after a ping even if it didnt reply to the ping. If the network is directly connected and you can see the ARP it means there is a problem somewhere between the ASA and the server.

You can naturally ask the server admin to try to ping the DMZ interface IP address and try to confirm connectivity.

I guess we might need to see some configurations to confirm everything on the ASA side but according to the "packet-tracer" the rules would seem to be fine.

- Jouni

rizwanr74 · ‎10-15-2013

Hi Bob,

Please try the swapping the host address and network address in the acl: DMZ-INET.

I assume acl DMZ-INET is being applied on dmz interface in bound.

access-list DMZ-INET extended permint tcp 10.0.0.0 255.0.0.0 host 172.31.x.x

access-list DMZ-INET extended permint object-group Dell-DP host 10.0.0.19 host 172.31.x.x

Please let me know, if this helps.

Thanks

Rizwan Rafeek.

Bob Greer · ‎10-21-2013

Hi guys,

Thanks for your comments and guidance. It's much appreciated!

Here's some missing info (which I just sourced from a teammate): my target IP address in the DMZ is actually a VIRTUAL machine. That Sys Admin thought the VM was participating the DMZ simply because he gave it a DMZ address. I think I need to NAT an IP to extend the VMs presence into the DMZ.

I think I should be good after that.