08-27-2015 04:27 PM - edited 03-11-2019 11:30 PM
Hi everyone,
I have a problem I haven't been able to solve:
We run an ASA with a DMZ, inside and outside interface (very common scenario) with security levels set by default. I can access the webserver running on the DMZ from the outside with no problems, but when I try to connect to the Internet from the webserver on the DMZ, it doesn't work.
Here's the diagram:
INTERNET
|
|
(ASA) -------DMZ 172.16.0.0/24--------- WEBSERVER (172.16.0.63)
|
|
INSIDE
I own another Cisco router connected directly to the Internet with its own public IP address running on a different site, and when I ping this router from the Webserver it works, but the source IP address is the one from the DMZ (172.16.0.63) instead of the translated IP.
Here's the config from the ASA:
interface GigabitEthernet0/0
description ****INTERNET****
nameif outside
security-level 0
ip address 200.xxx.xxx.218 255.255.255.248
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
port-channel load-balance src-dst-ip-port
nameif inside
security-level 100
ip address 10.199.0.129 255.255.255.248
!
boot system disk0:/asa916-4-smp-k8.bin
ftp mode passive
clock timezone ART -3
dns domain-lookup management
dns domain-lookup DMZ
dns server-group DefaultDNS
domain-name marinadelsol.local
object network DMZ-SUBNET
subnet 172.16.0.0 255.255.255.0
object network WEBSERVER
host 172.16.0.63
object network IP_PUB_MAILSERVER
host 200.xxx.xxx.221
object service TCP-HTTP
service tcp source eq www
object service TCP-SMTP
service tcp source eq smtp
object service TCP-HTTPS
service tcp source eq https
object network IP_PUB_WEBSERVER
host 200.111.169.219
object service TCP_80
service tcp source eq www
object service TCP_443
service tcp source eq https
object service TCP_SSH
service tcp source eq ssh
object service TCP_DNS
service tcp source eq domain
object service UDP_DNS
service udp source eq domain
object service TCP_995
service tcp source eq 995
object service TCP_587
service tcp source eq 587
object service TCP_8080
service tcp source eq 8080
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_TCP_1 tcp
port-object eq domain
port-object eq www
port-object eq https
port-object eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq ssh
port-object eq https
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
port-object eq 8080
object-group service DM_INLINE_TCP_7 tcp
port-object eq 3306
port-object eq 81
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq ssh
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
service-object tcp destination eq ssh
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 host 172.16.0.63 any log
access-list DMZ_access_in extended permit udp host 172.16.0.63 any eq domain log
access-list DMZ_access_in extended permit icmp host 172.16.0.53 any log
access-list DMZ_access_in extended permit icmp host 172.16.0.63 any log
access-list DMZ_access_in extended permit tcp host 172.16.0.63 host 10.200.5.35 eq 1433
access-list DMZ_access_in extended permit tcp host 172.16.0.63 host 10.200.5.42 eq ssh
access-list DMZ_access_in extended permit tcp host 172.16.0.53 host 10.200.5.35 eq 1433
access-list DMZ_access_in extended permit tcp host 172.16.0.63 host 10.200.5.34 object-group DM_INLINE_TCP_7
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.0.63 10.200.7.0 255.255.255.0
access-list DMZ_access_in extended permit tcp host 172.16.0.12 any eq smtp log
access-list DMZ_access_in extended permit tcp host 172.16.0.63 eq www any
access-list DMZ_access_in extended permit tcp host 172.16.0.63 eq https any
access-list DMZ_access_in extended permit tcp host 172.16.0.63 any eq https
access-list DMZ_access_in extended permit tcp host 172.16.0.63 any eq www
access-list OUTSIDE-INBOUND extended permit tcp any interface outside eq www
access-list OUTSIDE-INBOUND extended permit tcp any interface outside eq ssh
access-list OUTSIDE-INBOUND extended permit udp any object WEBSERVER eq domain
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq domain
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq https
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq ssh
access-list OUTSIDE-INBOUND extended permit icmp any any
access-list OUTSIDE-INBOUND extended permit tcp any object MDSS022 eq 995
access-list OUTSIDE-INBOUND extended permit tcp any object MDSS022 eq 587
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq www
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq smtp log
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq www
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq https
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq 995
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq 587
access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.8 eq 8080
access-list OUTSIDE-INBOUND extended permit tcp any object MDSS007 eq 8080
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (any,any) source static WEBSERVER IP_PUB_WEBSERVER
nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_80 TCP_80
nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_443 TCP_443
nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_SSH TCP_SSH
nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_DNS TCP_DNS
nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service UDP_DNS UDP_DNS
nat (inside,outside) source static MDSS022 IP_PUB_MAILSERVER service TCP-HTTP TCP-HTTP
nat (inside,outside) source static MDSS022 IP_PUB_MAILSERVER service TCP-HTTPS TCP-HTTPS
nat (inside,outside) source static MDSS007 IP_PUB_MDSS007 service TCP_8080 TCP_8080
!
object network DMZ-SUBNET
nat (DMZ,outside) dynamic interface
object network ALL_VLANS
nat (inside,outside) dynamic interface
access-group OUTSIDE-INBOUND in interface outside
access-group DMZ_access_in in interface DMZ
!
route outside 0.0.0.0 0.0.0.0 200.111.169.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp error
inspect icmp
!
service-policy global_policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6e91d23f5a57864e4be311cecb5f0620
: end
FWL#
If I ping from the webserver to my external router, this is the output from the debug ip icmp command:
Router_EXT#debug ip icmp
ICMP packet debugging is on
Router_EXT#
*Aug 27 23:13:28.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:29.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:30.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:31.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:32.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:33.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:34.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
The destination IP address for the ping packet is actually the local IP of the webserver inside the DMZ (172.16.0.63) and not the public IP address. That means the packets are being sent from the ASA to the Internet but not translated.
Here's the output of show nat:
FWL#show nat
Manual NAT Policies (Section 1)
1 (any) to (any) source static WEBSERVER IP_PUB_WEBSERVER
translate_hits = 2643, untranslate_hits = 3293
2 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_80 TCP_80
translate_hits = 1969933, untranslate_hits = 2816124
3 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_443 TCP_443
translate_hits = 2119, untranslate_hits = 2628
4 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_SSH TCP_SSH
translate_hits = 568075, untranslate_hits = 587410
5 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_DNS TCP_DNS
translate_hits = 6023, untranslate_hits = 29786
6 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER service UDP_DNS UDP_DNS
translate_hits = 261774, untranslate_hits = 573300
Auto NAT Policies (Section 2)
10 (DMZ) to (outside) source dynamic DMZ-SUBNET interface
translate_hits = 0, untranslate_hits = 0
NOTE: I have hidden some info related to the traffic between the inside and outside, which is OK.
Thank you very much!
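As an added example (not part of the thread), a small Python checker that applies the two tests the poster did by hand: flag echo replies seen on the Internet-facing router whose destination is an RFC 1918 address (evidence the request left the ASA untranslated), and flag NAT rules in `show nat` whose translate_hits is zero. The sample input is constructed in the shape of the outputs posted above.

```python
import ipaddress
import re

# Constructed sample input in the shape of the thread's `debug ip icmp`
# output (remote router) and the ASA's `show nat` output.
DEBUG_ICMP = """\
*Aug 27 23:13:28.326: ICMP: echo reply sent, src 179.57.200.252, dst 172.16.0.63
*Aug 27 23:13:29.326: ICMP: echo reply sent, src 179.57.200.252, dst 200.111.169.218
"""

SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (any) to (any) source static WEBSERVER IP_PUB_WEBSERVER
translate_hits = 2643, untranslate_hits = 3293
Auto NAT Policies (Section 2)
10 (DMZ) to (outside) source dynamic DMZ-SUBNET interface
translate_hits = 0, untranslate_hits = 0
"""

ICMP_RE = re.compile(r"ICMP: echo reply sent, src (\S+), dst (\S+)")
RULE_RE = re.compile(r"^\d+ \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def leaked_private_destinations(debug_output):
    """Reply destinations that are private addresses.

    An Internet-facing router replying to an RFC 1918 address means the echo
    request arrived with its private source intact, i.e. NAT was not applied.
    """
    leaked = []
    for m in ICMP_RE.finditer(debug_output):
        dst = ipaddress.ip_address(m.group(2))
        if dst.is_private:
            leaked.append(str(dst))
    return leaked


def zero_hit_rules(show_nat_output):
    """(src_if, dst_if, rule) for every NAT rule whose translate_hits is 0."""
    idle, current = [], None
    for line in show_nat_output.splitlines():
        rule = RULE_RE.match(line.strip())
        if rule:
            current = rule.groups()   # remember the rule the next hits line belongs to
            continue
        hits = HITS_RE.search(line)
        if hits and current and int(hits.group(1)) == 0:
            idle.append(current)
    return idle
```

A dynamic PAT rule that shows zero translate_hits while hosts behind it are reaching the Internet is the same signal the poster's `show nat` gives: the traffic is leaving, but not through that rule.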
08-28-2015 12:03 AM
Hi,
Try this command to see what's blocking the traffic:
packet-tracer input DMZ icmp 10.0.0.1 8 0 8.8.8.8
To see the actual packets you could try a packet capture:
access-list allowICMP extended permit icmp any any
capture temp interface outside access-list allowICMP
Traian
08-28-2015 12:21 AM
Hello, try to change the following:
no service-policy global_policy interface outside
service-policy global_policy global
08-28-2015 02:37 PM
Hi Boris. Thanks for that, it worked perfectly. Could you perhaps explain to me why that command worked?
08-30-2015 12:23 PM
Hello,
As a matter of fact, I was not 100% confident that my advice would solve the problem so simply :)
That is because all your access-lists on the ASA were configured to permit ICMP traffic. But I know that "service-policy global_policy global" is the default configuration for ASAs, and "service-policy global_policy outside" was a bit strange to me.
I believe that if you delete "service-policy global_policy global" from your configuration, ping will still be working, because ICMP is simply permitted in all ACLs.
But if you have "service-policy global_policy" applied only to the outside interface, it seems that the ASA is trying to create connections in the conn-table and xlate-table only when the reply packets (e.g. ICMP ECHO-REPLYs) come from the Internet to the outside interface. And it seems that, despite the permissions in the ACLs, this situation breaks some of the ASA's internal logic in creating fast-paths.