11-22-2017 05:05 PM - edited 02-21-2020 06:49 AM
I have a 5508-X running a remote office with servers in a DMZ, a guest network, and a site-to-site VPN back to our headquarters. I'm running into a problem where the DMZ servers cannot access the internet. The servers are operating normally otherwise. Both inside and public traffic can access the DMZ servers as allowed by ACLs. If the DMZ servers try to initiate a connection it seems to go nowhere. I think a NAT rule may be the cause, but I'm not sure. Here is my NAT config.
nat (inside,outside) source static INS-main INS-main destination static OBJ-ASA OBJ-ASA no-proxy-arp route-lookup //IPSEC
nat (inside,DMZ) source static any any destination static DMZ-Host-Sales DMZ-Host-Sales-int no-proxy-arp //--|
nat (inside,DMZ) source static any any destination static DMZ-Host-img DMZ-Host-img-int no-proxy-arp //--|--> inside access to DMZ
nat (inside,DMZ) source static any any destination static DMZ-Host-Shops DMZ-Host-Shops-int no-proxy-arp //--|
!
object network obj_any
 nat (any,outside) dynamic interface
object network DMZ-Host-Sales-int
 nat (DMZ,outside) static DMZ-Host-Sales
object network DMZ-Host-img-int
 nat (DMZ,outside) static DMZ-Host-img
object network DMZ-subnet
 nat (DMZ,outside) dynamic interface
object network DMZ-Host-Shops-int
 nat (DMZ,outside) static DMZ-Host-Shops
!
nat (DMZ,outside) after-auto source dynamic any interface
I don't think that last NAT rule is necessary; I would have thought the (any,outside) rule would have covered the DMZ as well.
Here are my ACLs:
access-list CRYPTO-MAP-1 extended permit ip object INS-main object OBJ-ASA
access-list inbound extended permit tcp any object DMZ-Host-Sales eq www
access-list inbound extended permit tcp any object DMZ-Host-Sales eq https
access-list inbound extended permit tcp any object DMZ-Host-Sales-int eq www
access-list inbound extended permit tcp any object DMZ-Host-Sales-int eq https
access-list inbound extended permit tcp any object DMZ-Host-Sales eq ssh
access-list inbound extended permit tcp any object DMZ-Host-Sales-int eq ssh
access-list inbound extended permit tcp any object DMZ-Host-img eq www
access-list inbound extended permit tcp any object DMZ-Host-img eq https
access-list inbound extended permit tcp any object DMZ-Host-img eq ssh
access-list inbound extended permit tcp any object DMZ-Host-img-int eq www
access-list inbound extended permit tcp any object DMZ-Host-img-int eq https
access-list inbound extended permit tcp any object DMZ-Host-img-int eq ssh
access-list inbound extended permit tcp any object DMZ-Host-Sales eq ftp
access-list inbound extended permit tcp any object DMZ-Host-Sales-int eq ftp
access-list inbound extended permit tcp any object DMZ-Host-Shops eq www
access-list inbound extended permit tcp any object DMZ-Host-Shops eq https
access-list inbound extended permit tcp any object DMZ-Host-Shops eq ssh
access-list inbound extended permit tcp any object DMZ-Host-Shops-int eq www
access-list inbound extended permit tcp any object DMZ-Host-Shops-int eq https
access-list inbound extended permit tcp any object DMZ-Host-Shops-int eq ssh
access-list snmp extended permit udp any eq snmptrap any
access-list snmp extended permit udp any any eq snmp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended deny ip any any
I ran a packet-tracer with an input of a DMZ server to 8.8.8.8 and it passed, but it did land on the inside port, which I don't think is correct. Any info would be greatly appreciated.
Thanks,
Jeremy
11-22-2017 05:13 PM
Here is a copy of a packet trace to 8.8.8.8 that passes in the ASA but doesn't actually work from that server in the DMZ.
ciscoasa# packet-tracer input DMZ tcp 10.11.2.10 1234 8.8.8.8 www

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,DMZ) source static any any destination static DMZ-Host-Sales DMZ-Host-Sales-int no-proxy-arp
Additional Information:
NAT divert to egress interface inside
Untranslate 8.8.8.8/80 to 8.8.8.8/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface DMZ
access-list dmz_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,DMZ) source static any any destination static DMZ-Host-Sales DMZ-Host-Sales-int no-proxy-arp
Additional Information:
Static translate 10.11.2.10/1234 to 123.123.100.100/1234

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,DMZ) source static any any destination static DMZ-Host-Sales DMZ-Host-Sales-int no-proxy-arp
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16275065, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
12-14-2017 11:14 AM
Hello Swits,
From the packet tracer that you attached, it seems the traffic is being sent to the inside interface and matching the following NAT statement:
nat (inside,DMZ) source static any any destination static DMZ-Host-Sales DMZ-Host-Sales-int no-proxy-arp //--|
You should be more specific and careful with the any any statement, since it is wide open, and since the NAT rule in place is in the first section it works as a first match. I would suggest changing the any any to the network addresses that need to reach the DMZ-Host-Sales servers.
If you want to actually confirm that the traffic is being redirected to the inside you can place packet captures like the following:
capture dmz interface dmz trace match tcp host 10.11.2.10 any eq 80
capture in interface inside trace match tcp host 10.11.2.10 any eq 80
Then generate traffic from the 10.11.2.10 server: open a web browser and try to open a web page. After you do that, go to the ASA and run the show cap commands (show cap dmz and show cap in); you should see the traffic entering the DMZ interface and leaving the inside interface.
Regards,
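To make the first-match behaviour described in this answer concrete, here is a small Python model of how the ASA walks its NAT sections for the packet in the original packet-tracer. It is an added example, not code or configuration from the thread or from Cisco. It models only what matters here: section 1 (manual twice NAT) is evaluated first in configured order, a static twice-NAT rule also matches in the reverse direction from its mapped interface, and only if nothing in section 1 matches does the ASA fall through to section 2 (object NAT, static before dynamic). The addresses 10.11.2.10 and 123.123.100.100 come from the packet-tracer above; the inside subnet 10.11.1.0/24 is an assumed value, since the thread never gives the contents of INS-main.

```python
"""Model of Cisco ASA NAT section order for the DMZ-to-internet problem in this thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network objects. 10.11.2.10 and 123.123.100.100 are from the packet-tracer in the thread;
# the INS-main subnet is an ASSUMED value (not stated anywhere in the thread).
OBJECTS = {
    "any": ip_network("0.0.0.0/0"),
    "INS-main": ip_network("10.11.1.0/24"),            # assumed
    "DMZ-Host-Sales-int": ip_network("10.11.2.10/32"),
    "DMZ-Host-Sales": ip_network("123.123.100.100/32"),
}


@dataclass(frozen=True)
class TwiceNat:
    """Section 1: nat (real_if,mapped_if) source static S S' destination static D D'."""
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str
    dst_real: str
    dst_mapped: str


@dataclass(frozen=True)
class ObjectNat:
    """Section 2: object network X / nat (real_if,mapped_if) static Y  (or dynamic interface)."""
    real_if: str
    mapped_if: str
    real: str
    mapped: str      # object name, or "interface" for dynamic PAT to the interface address


def _in(obj, addr):
    return ip_address(addr) in OBJECTS[obj]


def translate(addr, from_obj, to_obj):
    """Static one-to-one translation between two objects; identity when they are the same."""
    if from_obj == to_obj:
        return addr
    if to_obj == "interface":
        return "<outside-interface-ip>"
    offset = int(ip_address(addr)) - int(OBJECTS[from_obj].network_address)
    return str(OBJECTS[to_obj].network_address + offset)


def forward_match(r, ingress, src, dst):
    # Packet enters the real interface, source in real source, destination in real destination.
    return ingress == r.real_if and _in(r.src_real, src) and _in(r.dst_real, dst)


def reverse_match(r, ingress, src, dst):
    # Static twice NAT is bidirectional: from the mapped interface the packet's source must be in
    # the *mapped destination* and its destination in the *mapped source*. With
    # 'source static any any' the destination check is always true, so 8.8.8.8 matches.
    return ingress == r.mapped_if and _in(r.dst_mapped, src) and _in(r.src_mapped, dst)


def evaluate(section1, section2, ingress, src, dst):
    """Return (egress_interface, translated_src, translated_dst, which_rule_kind)."""
    for r in section1:                       # section 1: first match wins, configured order
        if forward_match(r, ingress, src, dst):
            return (r.mapped_if, translate(src, r.src_real, r.src_mapped),
                    translate(dst, r.dst_real, r.dst_mapped), "twice-NAT forward")
        if reverse_match(r, ingress, src, dst):
            return (r.real_if, translate(src, r.dst_mapped, r.dst_real),
                    translate(dst, r.src_mapped, r.src_real), "twice-NAT reverse")
    # Section 2 (simplified ordering): static before dynamic, then more specific objects first.
    for r in sorted(section2, key=lambda o: (o.mapped == "interface", OBJECTS[o.real].num_addresses)):
        if r.real_if in ("any", ingress) and _in(r.real, src):
            return (r.mapped_if, translate(src, r.real, r.mapped), dst, "object NAT")
    return (None, src, dst, "no match")


# The rule as posted (only the Sales rule is needed to reproduce the packet-tracer result).
ORIGINAL_SECTION1 = [TwiceNat("inside", "DMZ", "any", "any", "DMZ-Host-Sales", "DMZ-Host-Sales-int")]
# The rule with the source narrowed to the inside network, as the answer suggests.
FIXED_SECTION1 = [TwiceNat("inside", "DMZ", "INS-main", "INS-main", "DMZ-Host-Sales", "DMZ-Host-Sales-int")]
# Object NAT from the posted config.
SECTION2 = [
    ObjectNat("DMZ", "outside", "DMZ-Host-Sales-int", "DMZ-Host-Sales"),
    ObjectNat("any", "outside", "any", "interface"),
]

if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_SECTION1, SECTION2, "DMZ", "10.11.2.10", "8.8.8.8"))
    print("fixed:   ", evaluate(FIXED_SECTION1, SECTION2, "DMZ", "10.11.2.10", "8.8.8.8"))
```

With the posted rule the DMZ host's packet to 8.8.8.8 is matched in reverse by the section 1 rule and diverted to the inside interface with its source translated to 123.123.100.100, exactly as the packet-tracer shows. Once the source is narrowed to the inside network, the reverse match fails for an internet destination, and the packet falls through to the object NAT rule on DMZ-Host-Sales-int, which sends it out the outside interface; inside-to-DMZ traffic still matches the narrowed rule in the forward direction.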