09-20-2019 07:57 AM
Hello,
I am trying to set up a DMZ on an ASA 5506. At the moment we have 3 interfaces active on the ASA, which are:
gi1/1 outside
gi1/2 inside
gi1/3 Voice
Voice has an internal IP with a PAT on the outside interface to a public IP address from our range.
Now I want to set up the DMZ on gi1/4, also with a PAT on the outside interface to a public IP address.
I have set up the interface with an internal IP address and connected a test PC to that interface, with an IP address in the same range and the gi1/4 interface of the ASA as its gateway. That should at least give me internet access, but that is not the case. I have followed a lot of configuration examples found on the internet with Google, but all have failed to give me even internet access.
Hope you guys can help me out.
10-01-2019 06:14 AM
OK, let us know if you are able to perform a reload of the ASA. I have seen similar issues where traffic isn't passing and clear conn did nothing, but a reload solved the issue.
09-20-2019 08:27 AM
These two example threads may help you here:
https://community.cisco.com/t5/firewalls/asa-nat-for-dmz-public-ip/m-p/3875511
https://community.cisco.com/t5/firewalls/cisco-asa-5505-dmz-setup/m-p/2202705
If you still have the issue, we would like to see your configuration to assist you better.
09-20-2019 09:11 AM
09-20-2019 11:38 AM
09-20-2019 09:18 PM
09-23-2019 12:54 AM - edited 09-23-2019 07:17 AM
Hello bhargavdesia,
Here is the output for your questions:
- DMZ host configuration is:
IP: 192.168.17.1 255.255.255.0
GW: 192.168.17.254 (interface Gi1/4 on the ASA)
DNS: 8.8.8.8
- output from ASA packet tracer:
fw01# packet-tracer input Dmz tcp 192.168.17.10 80 8.8.8.8 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 188.202.95.225 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-dmz in interface Dmz
access-list ACL-dmz extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac36d7220, priority=13, domain=permit, deny=false
hits=0, user_data=0x2aaabb803580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Dmz,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.17.10/80 to 188.202.95.230/80
Forward Flow based lookup yields rule:
in id=0x2aaac36d9e60, priority=6, domain=nat, deny=false
hits=0, user_data=0x2aaac34df320, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1c94360, priority=0, domain=nat-per-session, deny=false
hits=63322227, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac31ba780, priority=0, domain=inspect-ip-options, deny=true
hits=590, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=any
Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map global-traffic-shaping-class
description *** Default KPN traffic-shaping policy (90% of the capacity)
match any
policy-map global_policy
class global-traffic-shaping-class
police input 28311500 15728
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac36d3090, priority=70, domain=qos-per-class, deny=false
hits=591, user_data=0x2aaac36d2be0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Dmz,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac33cf0e0, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x2aaac18a38d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=outside
Phase: 8
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map global-traffic-shaping-class
description *** Default KPN traffic-shaping policy (90% of the capacity)
match any
policy-map global_policy
class global-traffic-shaping-class
police input 28311500 15728
service-policy global_policy global
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac3413be0, priority=70, domain=qos-per-class, deny=false
hits=52095847, user_data=0x2aaac33d0560, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac1c94360, priority=0, domain=nat-per-session, deny=false
hits=63322229, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac2676330, priority=0, domain=inspect-ip-options, deny=true
hits=40789894, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 43812321, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
- The request from the host is not reaching the ASA. The link is up and the DMZ host is directly connected to the ASA on interface 1/4; I also checked all cables and these are fine.
09-23-2019 07:20 AM
09-23-2019 12:00 PM
The host cannot ping the ASA and the ASA cannot ping the host. In the ARP table there is no entry for the host. I checked the cables and the host with a connection to an L2 switch and that is working: the host could ping the switch and the switch could ping the host. Proxy ARP is enabled on the interface, but after setting it to no proxy-arp the host still did not show up in the ARP table and still could not ping the ASA. I am a little stumped at this. Normally, putting a device directly on an interface, it shows up in the ARP table of the ASA. The routing table on the ASA is showing the interface as a connected route.
09-23-2019 12:45 PM
Are the other interfaces (voice) and (INTERNAL) linked to this same switch?
Can a host on those ^^ networks ping the ASA interface?
Is there a Default-gateway set on the switch?
09-23-2019 01:05 PM
No, the inside is on an L3 switch and has its GW on vlan1, which is 192.168.16.200; that switch has a default route to its interface on the ASA, which is 192.168.16.254. The voice network is connected to an unmanaged 1 GB switch and all devices have their GW on the ASA, which is 192.168.15.254. From the L3 switch I can ping the ASA interface for the inside network. The voice network has only VoIP devices, which connect to the cloud phone solution, and they are all working normally. For the DMZ I was planning to connect the inside switch with a separate VLAN, but from that VLAN I cannot ping the ASA interface, which is on 192.168.17.254, so for troubleshooting I put the server straight on the ASA interface and had the server GW point to 192.168.17.254, but that is not working either.
09-23-2019 01:43 PM
OK, set up a constant ping to the ASA from the host.
On the ASA run debug icmp trace 7 and see if you see the host listed.
Also check the following:
sho logging asdm
Show conn address (Host IP)
See if any of this can help you pinpoint.
09-23-2019 02:17 PM
The host is not coming up on the debug icmp trace 7. Also on the logging it is not showing up. show conn address 192.168.17.1 gives no response. It seems like there is no network connection at all.
09-21-2019 06:03 PM
I’m no expert but I do have several ASAs in production and looking at your config it looks to me like your NAT statement is incomplete.
You’re missing
object network DMZ
subnet 192.168.17.0 255.255.255.0
nat (dmz,outside) dynamic interface
or wherever you’re trying to PAT the DMZ traffic to.
Hope that helps.
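For anyone following this thread later, here is a complete DMZ configuration that ties the pieces discussed above together (interface, object NAT as suggested in this reply, ingress ACL with access-group, and the verification steps). This is an added example, not configuration from the original poster or from the replies; it uses the addressing given in the thread (Dmz = 192.168.17.0/24 on 192.168.17.254, inside on 192.168.16.254, voice on 192.168.15.254). The object names DMZ-NET and INTERNAL-NETS and the security level are assumptions. The original poster's manual NAT line (nat (Dmz,outside) source dynamic any interface, visible in the packet-tracer output) is an equally valid alternative to the object NAT shown here.

```cisco
! Added example (not from the thread). Names DMZ-NET / INTERNAL-NETS and
! security-level 50 are assumptions; addresses come from the thread.
!
! 1. DMZ interface. security-level 50 sits between outside (0) and inside (100).
interface GigabitEthernet1/4
 nameif Dmz
 security-level 50
 ip address 192.168.17.254 255.255.255.0
 no shutdown
!
! 2. Object NAT: every DMZ host is PATed to the outside interface address.
!    The interface pair must use the nameif values exactly (case matters: Dmz, not dmz).
object network DMZ-NET
 subnet 192.168.17.0 255.255.255.0
 nat (Dmz,outside) dynamic interface
!
! 3. Ingress ACL. Once an access-group is applied, the ACL (not the security
!    levels) decides what the DMZ may reach, so "permit ip any any" would also
!    let a compromised DMZ host reach inside and voice. Deny those first, then
!    allow everything else (the Internet).
object-group network INTERNAL-NETS
 network-object 192.168.16.0 255.255.255.0
 network-object 192.168.15.0 255.255.255.0
access-list ACL-dmz extended deny ip 192.168.17.0 255.255.255.0 object-group INTERNAL-NETS
access-list ACL-dmz extended permit ip 192.168.17.0 255.255.255.0 any
access-group ACL-dmz in interface Dmz
!
! 4. Verification, in the order this thread ended up needing it: layer 2 first.
!    A clean packet-tracer "Action: allow" proves the policy, not the cabling;
!    the host has to appear in the ARP table before NAT or the ACL matter.
show interface GigabitEthernet1/4
show arp | include 192.168.17.
ping Dmz 192.168.17.1
packet-tracer input Dmz tcp 192.168.17.1 12345 8.8.8.8 80
show conn address 192.168.17.1
```

If show arp never lists the DMZ host while the interface reports line protocol up, the problem is below the ASA's policy engine (cabling, duplex/speed, the host's own addressing) and no NAT or ACL change will move it, which is what the rest of this thread bears out.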
09-23-2019 07:15 AM
09-23-2019 05:33 AM
I may have overlooked it, but I did not see an access-group for DMZ, can you confirm?