Cisco ASA 5505 Routing between internal networks

antti.alila
Level 1

Hi,

I am new to Cisco ASA and have been configuring my new firewall, but one thing has been bothering me. I cannot get internal networks and routing between them to work as I would like. The goal is to set up four networks and control access between them with ACLs.

1. Outside

2. DMZ

3. ServerNet1

4. Inside

ASA version is 9.1 and I have been reading about two different ways of handling IP routing with this: NAT exempt, or not configuring NAT at all and letting normal IP routing handle the internal networks. No matter how I configure it, with or without NAT, I cannot get access from the inside network to DMZ or from ServerNet1 to DMZ. The strange thing is that I can access services from DMZ to Inside and ServerNet1 if the access list allows it. For instance the DNS server is on the Inside network and DMZ works great using it.

Here is the running conf:

interface Ethernet0/0
switchport access vlan 20
!
interface Ethernet0/1
switchport access vlan 20
!
interface Ethernet0/2
switchport access vlan 19
!
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
!
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous


13 Replies

jocamare
Level 4

Try to replace:

nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp

with this:

nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp

or just remove it, you don't need it anyway.

You seem to have the proper configuration to allow communications from ServerNet1 to DMZ. Have you tried to run packet-tracer?

Here is how you do it [in case you don't know]:

packet-tracer in <interface> [tcp/udp/icmp] <source ip> <source port> <destination ip> <destination port>

i.e.

packet-tracer in inside tcp 192.168.2.11 1234 192.168.3.11 80

packet-tracer in ServerNet1 tcp 192.168.4.11 1234 192.168.3.11 80

Hi,

Removed the NAT, still no access from inside to DMZ or from ServerNet1 to DMZ.

Packet-tracer says everything is working, or so I understand from this. Still, routing doesn't work:

ciscoasa(config)# packet-tracer in inside tcp 192.168.2.11 1234 192.168.3.11 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 101996, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)# packet-tracer in ServerNet1 tcp 192.168.4.11 1234 192.168.3.11 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ServerNet1_access_in in interface ServerNet1
access-list ServerNet1_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 102003, packet dispatched to next module

Result:
input-interface: ServerNet1
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

Hi,

One question would be how the rest of the network looks.

For example you have several trunk configurations which all have the same Vlan IDs. Also the "outside" Vlan goes to several ports.

Trunk ports also have access vlan configurations.

Are the devices behind the ASA purely acting as L2 switches, or is there some routing going on there that might mess things up?

- Jouni

Jouni Forss
VIP Alumni

Hi,

Finnish, I guess, judging by the username. Will still answer in English for others' sake.

Judging by the current NAT setup, the main need at the moment regarding NAT would be to use the "outside" interface IP address as the PAT address.

I would personally first remove ALL the current NAT configurations and configure a default PAT translation in the following way:

object-group network DEFAULT-PAT-SOURCE
description Default PAT source networks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

The above should handle PAT translation for outbound connections from all the local networks of the ASA.

For traffic between the local interfaces/networks I would suggest not configuring any NAT at all UNLESS you specifically want to translate something to a different IP address.

A good way to test the firewall functionality, and whether something is wrong with your configurations, is the "packet-tracer" command, which is also available on the ASDM side. The CLI output is easier to copy/paste here on the forums for troubleshooting purposes.

You can use the following format of the command to see what the ASA would do to the traffic:

packet-tracer input inside tcp 192.168.2.100 1234 192.168.3.100 3389

The objective is just to simulate some connection and see what rules the ASA applies to it.

There are some bugs related to NAT in the newest ASA software at the moment. I am not quite sure, though, whether they would apply in your case.

- Jouni

Hi Jouni,

Yep, Finnish would be good also =)

In front of the ASA is a DSL modem. On the trunk ports is a Hyper-V host that uses the trunk ports so that every VM has its VLAN ID defined at the VM level. Everything is working well on that end. Also there is a WLAN Access Point on one of the ASA ports; on the WLAN AP there is the management portal address on DMZ that I have been testing against (192.168.3.4).

If I configure Dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on DMZ, but that's not the right way to do it, so no shortcuts =)

Here is the conf now, still doesn't work:

interface Ethernet0/0
switchport access vlan 20
!
interface Ethernet0/1
switchport access vlan 20
!
interface Ethernet0/2
switchport access vlan 19
!
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
!
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
object-group network DEFAULT-PAT-SOURCE
description Default PAT source networks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Hi,

The ASA Vlan interface configuration is fine and also the NAT configuration should be fine with the Default PAT configuration I mentioned previously.

The rest of the problem most probably has a cause somewhere other than the firewall.

Sadly I know nothing about Hyper-V or virtual machines, so I can't help there.

If I hadn't heard anything else than the fact that PAT from inside to DMZ makes connections work, it would lead me to believe that the DMZ can only communicate with hosts on the directly connected network and therefore the problem is the lack of a correct default gateway.

I'm not really sure where to go with this. ASA configuration (excluding the physical port configurations) seems fine to me.

- Jouni

jocamare
Level 4

Config looks fine. Let's take a look at the traffic and see if it is traversing the ASA; that way we can at least rule it out or focus on it when trying to solve the problem.

We do that using packet captures. Let's focus on the inside users for now:

access-list test permit ip host <ip of an internal host> host <ip of a DMZ host>

access-list test permit ip host <ip of a DMZ host> host <ip of an internal host>

cap test access-list test in inside

cap test1 access-list test in DMZ

Review the captures with the "show capture <name>" command; it should show exactly the same packets.

Try to run the "show local-host detail" command once you know traffic is being sent to the DMZ device.

It can be any type of traffic.

Share the outputs if you think it will be necessary.

Hi,

Here is the output:

ciscoasa(config)# access-list test permit ip host 192.168.2.37 host 192.168.3.4

ciscoasa(config)# access-list test permit ip host 192.168.3.4 host 192.168.2.37

ciscoasa(config)# cap test access-list test in inside

ciscoasa(config)# cap test1 access-list test in dmz

ciscoasa(config)# show capture test

20 packets captured

   1: 07:33:52.712777       802.1Q vlan#10 P0 192.168.2.37.50407 > 192.168.3.4.443: S 3090835039:3090835039(0) win 65535
   2: 07:33:52.718438       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
   3: 07:33:52.719460       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
   4: 07:33:53.702356       802.1Q vlan#10 P0 192.168.2.37.50407 > 192.168.3.4.443: S 3090835039:3090835039(0) win 65535
   5: 07:33:53.718071       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
   6: 07:33:53.718255       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
   7: 07:33:54.732460       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
   8: 07:33:54.733024       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
   9: 07:33:55.715035       802.1Q vlan#10 P0 192.168.2.37.50407 > 192.168.3.4.443: S 3090835039:3090835039(0) win 65535
  10: 07:33:57.737648       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
  11: 07:33:57.738990       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
  12: 07:36:42.829165       802.1Q vlan#10 P0 192.168.2.37.50611 > 192.168.3.4.443: S 2119788698:2119788698(0) win 65535
  13: 07:36:42.841371       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
  14: 07:36:42.845293       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
  15: 07:36:43.823108       802.1Q vlan#10 P0 192.168.2.37.50611 > 192.168.3.4.443: S 2119788698:2119788698(0) win 65535
  16: 07:36:43.885879       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
  17: 07:36:43.886428       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
  18: 07:36:44.947079       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
  19: 07:36:44.947643       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
  20: 07:36:45.835543       802.1Q vlan#10 P0 192.168.2.37.50611 > 192.168.3.4.443: S 2119788698:2119788698(0) win 65535
20 packets shown
ciscoasa(config)# show capture test1

22 packets captured

   1: 07:33:52.713052       802.1Q vlan#19 P0 192.168.2.37.50407 > 192.168.3.4.443: S 3874243330:3874243330(0) win 65535
   2: 07:33:52.718636       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
   3: 07:33:52.719475       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
   4: 07:33:53.702386       802.1Q vlan#19 P0 192.168.2.37.50407 > 192.168.3.4.443: S 3874243330:3874243330(0) win 65535
   5: 07:33:53.718087       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
   6: 07:33:53.718285       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
   7: 07:33:54.732490       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
   8: 07:33:54.733040       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
   9: 07:33:55.715066       802.1Q vlan#19 P0 192.168.2.37.50407 > 192.168.3.4.443: S 3874243330:3874243330(0) win 65535
  10: 07:33:57.737678       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
  11: 07:33:57.739021       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
  12: 07:36:42.829470       802.1Q vlan#19 P0 192.168.2.37.50611 > 192.168.3.4.443: S 2996390519:2996390519(0) win 65535
  13: 07:36:42.841570       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
  14: 07:36:42.845323       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
  15: 07:36:43.823138       802.1Q vlan#19 P0 192.168.2.37.50611 > 192.168.3.4.443: S 2996390519:2996390519(0) win 65535
  16: 07:36:43.885894       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
  17: 07:36:43.886444       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
  18: 07:36:44.947109       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
  19: 07:36:44.947659       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
  20: 07:36:45.835589       802.1Q vlan#19 P0 192.168.2.37.50611 > 192.168.3.4.443: S 2996390519:2996390519(0) win 65535
  21: 07:36:48.020049       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
  22: 07:36:48.020598       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 384
22 packets shown

So I am trying from the inside network with my laptop 192.168.2.37 to the WLAN AP on the DMZ (192.168.3.4) using HTTPS.

Thanks,

Antti

If we exclude the UDP/500 traffic [IPSec] we can see HTTPS packets reaching the inside interface and see the exact same packets going out the DMZ interface.

You can see traffic going both ways, but HTTPS goes only in one direction and the packets are all SYN packets, the first packet of the 3-way handshake.

The server never replies and the connection is never established. The problem is not your ASA; we just confirmed that it's forwarding the traffic to the server, which just doesn't reply.

Have you talked about this problem with the server's manager? You can have him/her get a packet capture from the server itself now that we know that the traffic is passing through.
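As an added illustration of the reasoning in the post above (not code from the thread or from Cisco), a small Python script that parses "show capture" output in the format posted earlier, checks that every packet seen on the ingress interface reappears on the egress interface, and flags TCP flows that consist only of client SYNs. The sample capture lines are constructed from the thread's format; the healthy SYN/ACK sample is an assumption of what a working handshake looks like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format of the thread's 'show capture' output
# (sequence numbers differ between interfaces because the ASA randomises ISNs).
INSIDE_CAP = """\
   1: 07:33:52.712777       802.1Q vlan#10 P0 192.168.2.37.50407 > 192.168.3.4.443: S 3090835039:3090835039(0) win 65535
   2: 07:33:52.718438       802.1Q vlan#10 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
   3: 07:33:53.702356       802.1Q vlan#10 P0 192.168.2.37.50407 > 192.168.3.4.443: S 3090835039:3090835039(0) win 65535
3 packets shown
"""
DMZ_CAP = """\
   1: 07:33:52.713052       802.1Q vlan#19 P0 192.168.2.37.50407 > 192.168.3.4.443: S 3874243330:3874243330(0) win 65535
   2: 07:33:52.718636       802.1Q vlan#19 P0 192.168.2.37.500 > 192.168.3.4.500:  udp 412
   3: 07:33:53.702386       802.1Q vlan#19 P0 192.168.2.37.50407 > 192.168.3.4.443: S 3874243330:3874243330(0) win 65535
"""
# Constructed DMZ capture of a healthy connection: the server answers with SYN/ACK.
HEALTHY_DMZ_CAP = """\
   1: 07:40:00.100000       802.1Q vlan#19 P0 192.168.2.37.50700 > 192.168.3.4.443: S 10:10(0) win 65535
   2: 07:40:00.100800       802.1Q vlan#19 P0 192.168.3.4.443 > 192.168.2.37.50700: S 20:20(0) ack 11 win 65535
"""

LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match (headers, counts) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        if rest.startswith("udp"):
            proto, syn, ack = "udp", False, False
        else:  # tcpdump-style flag field (S . P F R) followed by seq/ack/win
            proto, syn, ack = "tcp", "S" in rest.split(" ", 1)[0], " ack " in f" {rest} "
        packets.append({
            "ts": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": proto, "syn": syn, "ack": ack,
        })
    return packets

def five_tuple(p):
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

def unforwarded(ingress, egress, window_ms=50):
    """Ingress packets with no egress packet of the same 5-tuple within window_ms.
    Sequence numbers are ignored on purpose: ASA ISN randomisation changes them in
    transit, so 5-tuple plus timestamp is what proves the box forwarded the packet."""
    window = timedelta(milliseconds=window_ms)
    unused, missing = list(egress), []
    for p in ingress:
        match = next((q for q in unused if five_tuple(q) == five_tuple(p)
                      and abs(q["ts"] - p["ts"]) <= window), None)
        if match is None:
            missing.append(p)
        else:
            unused.remove(match)
    return missing

def tcp_flow_status(packets):
    """Map each client->server 4-tuple to ('handshake' | 'syn-only', client SYN count).
    'syn-only' with repeated SYNs is the thread's signature: the client retransmits
    and the server never answers, so the fault is behind the egress interface."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    for p in packets:
        if p["proto"] != "tcp" or not p["syn"]:
            continue
        if p["ack"]:  # SYN/ACK travels server->client; flip it onto the client->server key
            flows[(p["dst"], p["dport"], p["src"], p["sport"])]["synack"] += 1
        else:
            flows[(p["src"], p["sport"], p["dst"], p["dport"])]["syn"] += 1
    return {k: ("handshake" if c["synack"] else "syn-only", c["syn"]) for k, c in flows.items()}

if __name__ == "__main__":
    inside, dmz = parse_capture(INSIDE_CAP), parse_capture(DMZ_CAP)
    print("not forwarded by the ASA:", unforwarded(inside, dmz) or "none")
    for (cip, cport, sip, sport), (status, syns) in tcp_flow_status(dmz).items():
        print(f"{cip}:{cport} -> {sip}:{sport}: {status} ({syns} SYNs)")
```

An empty "not forwarded" list together with a "syn-only" flow is exactly the situation in this thread: the firewall did its job and the next place to look is the DMZ host itself.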

Hi,

Yes, I agree, but if I try to access the same address 192.168.3.4 using tcp:443 from a computer on the same subnet (192.168.3.0) the portal works great and I get a reply. Both computers are connected to the ASA and are on the same VLAN.

That's why I am suspecting the ASA and routing, since in the previous scenario the traffic is not routed.

I have checked the gateway settings on these machines and they all point to their own subnet's .1 address, which is the gateway on the ASA. Also traffic from all networks works if going outside.

Another thing is that if I create Dynamic PAT between inside and DMZ using the DMZ gateway as the source address, after that 192.168.3.4 using tcp:443 also responds to the inside.

The question is, how do I troubleshoot this scenario if the ASA is not passing packets back to the original address?

One bad option would be to downgrade the ASA and try using older firmware.

Thanks,

Antti

Hi,

As I said before, with the inside -> DMZ NAT the traffic will seem to the DMZ host as coming from a directly connected network and therefore doesn't need any default route to reach the NATed inside host.

The same goes naturally for a host that's on the same DMZ network and initiating the connection.

Is there a possibility that the DMZ host/device is forwarding the traffic to the wrong place?

Or is there something blocking the connection from a remote network on the actual DMZ device?

Firewall-wise it's hard to troubleshoot this when we don't know the whole network setup. Personally it's hard for me as I have no knowledge of the hardware/software used behind the ASA in this case.

- Jouni

I would check what the server is doing with the traffic that comes from the inside. [packet capture]

Guys,

I really feel ashamed to admit it, but the host on DMZ had a local FW blocking the traffic from networks other than the local subnet, so that was the reason and you were right, the ASA is working as it should.

Thanks a million for your help.

Antti
