Cisco ASA not able to reach public IP on DMZ from outside

network_user
Level 1

Hello,

I just replaced a PIX firewall with a Cisco ASA firewall and for some reason, one part of the access is not working which was working on the PIX firewall. Access to dmz8 from outside (internet) is not working for a public IP network on dmz8. I also see that there are many drops on the outside interface, but I am not sure what is causing these drops. When I try to reach the public IP on dmz8 (changed to 10.10.126.x for security purposes) and do a capture on the outside interface, I don't even see packets in the capture on the ASA. I think the ASA is dropping the packets before they get captured in the capture. Can someone help me resolve this issue? I have changed the DMZ8 public network in the below config to 10.10.126.16/28. And I am trying to reach 10.10.126.28 from outside.

Also I can reach 10.10.126.28 from the PIX and the Internet gateway. Relevant configuration is listed below.

I also did a packet-tracer for going from dmz8 to outside, as shown below, and it says it's an acl-drop. But I am not sure what ACL is dropping it. Please see the packet-tracer output below.


interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.398
vlan 398
nameif outside
security-level 0
ip address 10.10.126.9 255.255.255.240 standby 10.10.126.10
!

interface GigabitEthernet0/2.315
vlan 315
nameif dmz8
security-level 80
ip address 10.10.126.25 255.255.255.240 standby 10.10.126.26
!

access-list out extended permit icmp any any echo-reply
access-list out extended permit icmp any any unreachable
access-list out extended permit icmp any any time-exceeded
access-list out extended permit udp any any eq isakmp
access-list out extended permit esp any any
access-list out extended permit icmp any 10.10.126.16 255.255.255.240

access-list dmz8 extended permit icmp any 10.0.0.0 255.0.0.0
access-list dmz8 extended permit icmp any 10.0.0.0 255.0.0.0 time-exceeded
access-list dmz8 extended permit icmp any 10.0.0.0 255.0.0.0 unreachable
access-list dmz8 extended deny tcp any any eq 135
access-list dmz8 extended deny tcp any any eq 445
access-list dmz8 extended deny tcp any any eq 6667
access-list dmz8 extended permit icmp any any
access-list dmz8 extended permit ip any any

access-list nonat_dmz8 extended permit ip 10.128.0.16 255.255.255.248 10.255.1.0 255.255.255.0

global (outside) 1 10.10.126.11
global (dmz8) 1 10.10.126.24

nat (dmz8) 0 access-list nonat_dmz8
nat (dmz8) 1 10.103.15.0 255.255.255.0
nat (dmz8) 2 10.103.33.0 255.255.255.0
nat (dmz8) 2 10.192.0.0 255.255.254.0
nat (dmz8) 2 10.128.0.0 255.224.0.0
nat (dmz8) 2 10.224.0.0 255.224.0.0

static (dmz8,outside) 10.10.126.16 10.10.126.16 netmask 255.255.255.240


access-group out in interface outside
access-group dmz8 in interface dmz8


class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect icmp
  inspect icmp error
!
service-policy global_policy global

Interface GigabitEthernet0/0.398 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 398
        MAC address 1cdf.0f2e.e05a, MTU 1500
        IP address 10.10.126.9, subnet mask 255.255.255.240
  Traffic Statistics for "outside":
        982354 packets input, 381201545 bytes
        1258846 packets output, 608512096 bytes
        109542 packets dropped

SPA-ASA# packet-tracer input outside icmp 10.10.126.28 8 0 10.10.126.1

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   63.110.126.0    255.255.255.240 outside

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thank you!

3 Replies

rizwanr74
Level 7

Your ACL (i.e. access-list out) is missing a permit entry; the source address must be permitted.

So, permit the source address to the dmz8 destination; it should work.

Thanks

Rizwan Rafeek

Hello Rizwan,

I do have an ACL entry for the source address (10.10.126.16/28) in the out ACL permitting ICMP to the DMZ8 network from any.

access-list out extended permit icmp any 10.10.126.16 255.255.255.240

But anyhow I figured out what the problem was. I am not sure why it's that way, but when I moved the "permit icmp any any" ACL line in the dmz8 ACL to the top, it started working. So my final dmz8 ACL looks like below and it works... which is very STRANGE!!!

access-list dmz8 extended permit icmp any any
access-list dmz8 extended permit icmp any 10.0.0.0 255.0.0.0
access-list dmz8 extended permit icmp any 10.0.0.0 255.0.0.0 time-exceeded
access-list dmz8 extended permit icmp any 10.0.0.0 255.0.0.0 unreachable
access-list dmz8 extended deny tcp any any eq 135
access-list dmz8 extended deny tcp any any eq 445
access-list dmz8 extended deny tcp any any eq 6667
access-list dmz8 extended permit icmp any any
access-list dmz8 extended permit ip any any

interface GigabitEthernet0/2.315
vlan 315
nameif dmz8
security-level 80
ip address 10.10.126.25 255.255.255.240 standby 10.10.126.26

If traffic is initiated from outside, how can that belong to subnet 1 in the table below? Your subnet 1 is in the dmz8 network, which is the destination address.

ip address 10.10.126.25 255.255.255.240 standby 10.10.126.26

Subnet  Network Address  Starting Host   End Host        Broadcast       Netmask
0       10.10.126.0      10.10.126.1     10.10.126.14    10.10.126.15    255.255.255.240
1       10.10.126.16     10.10.126.17    10.10.126.30    10.10.126.31    255.255.255.240
2       10.10.126.32     10.10.126.33    10.10.126.46    10.10.126.47    255.255.255.240
3       10.10.126.48     10.10.126.49    10.10.126.62    10.10.126.63    255.255.255.240
4       10.10.126.64     10.10.126.65    10.10.126.78    10.10.126.79    255.255.255.240
5       10.10.126.80     10.10.126.81    10.10.126.94    10.10.126.95    255.255.255.240
6       10.10.126.96     10.10.126.97    10.10.126.110   10.10.126.111   255.255.255.240
7       10.10.126.112    10.10.126.113   10.10.126.126   10.10.126.127   255.255.255.240
8       10.10.126.128    10.10.126.129   10.10.126.142   10.10.126.143   255.255.255.240
9       10.10.126.144    10.10.126.145   10.10.126.158   10.10.126.159   255.255.255.240
10      10.10.126.160    10.10.126.161   10.10.126.174   10.10.126.175   255.255.255.240
11      10.10.126.176    10.10.126.177   10.10.126.190   10.10.126.191   255.255.255.240
12      10.10.126.192    10.10.126.193   10.10.126.206   10.10.126.207   255.255.255.240
13      10.10.126.208    10.10.126.209   10.10.126.222   10.10.126.223   255.255.255.240
14      10.10.126.224    10.10.126.225   10.10.126.238   10.10.126.239   255.255.255.240
15      10.10.126.240    10.10.126.241   10.10.126.254   10.10.126.255   255.255.255.240

Therefore your ACL (i.e. access-list out) is missing a permit entry; the source address must be permitted.

I hope that makes sense.

thanks

Rizwan Rafeek
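As an added example (not code from this thread, and not Cisco's own ACL engine), a small Python evaluator that parses the `out` and `dmz8` access-lists posted above and walks them top-down the way an ASA does, first match wins, with the implicit deny at the end when nothing matches. It reports which line a given flow hits in the posted dmz8 order and after moving `permit icmp any any` to line 1, and it also computes which /28 block of 10.10.126.0/24 an address falls in, numbered as in Rizwan's table. The outside address 203.0.113.5 is constructed, and the ICMP-type and port name tables are a partial assumption covering only the names that appear in the thread.

```python
import ipaddress

# Constructed sample input: the two access-lists as posted in the thread
# (sanitized 10.10.126.x addressing), embedded here so the script runs offline.
ASA_CONFIG = """
access-list out extended permit icmp any any echo-reply
access-list out extended permit icmp any any unreachable
access-list out extended permit icmp any any time-exceeded
access-list out extended permit udp any any eq isakmp
access-list out extended permit esp any any
access-list out extended permit icmp any 10.10.126.16 255.255.255.240
access-list dmz8 extended permit icmp any 10.0.0.0 255.0.0.0
access-list dmz8 extended permit icmp any 10.0.0.0 255.0.0.0 time-exceeded
access-list dmz8 extended permit icmp any 10.0.0.0 255.0.0.0 unreachable
access-list dmz8 extended deny tcp any any eq 135
access-list dmz8 extended deny tcp any any eq 445
access-list dmz8 extended deny tcp any any eq 6667
access-list dmz8 extended permit icmp any any
access-list dmz8 extended permit ip any any
"""

# Partial name tables (assumption): only the names used in the thread.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}
PORT_NAMES = {"isakmp": 500}


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A', or 'A MASK' (ASA ACEs use a real mask)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [ace, ...]}, keeping the order in which the ACEs appear."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        qual = None  # optional trailing 'eq <port>' or an ICMP type
        if i < len(t):
            if t[i] == "eq":
                p = t[i + 1]
                qual = ("port", int(p) if p.isdigit() else PORT_NAMES[p])
            else:
                qual = ("icmp-type", int(t[i]) if t[i].isdigit() else ICMP_TYPES[t[i]])
        acls.setdefault(t[1], []).append(
            {"action": t[3], "proto": t[4], "src": src, "dst": dst, "qual": qual, "text": line})
    return acls


def evaluate(acl, proto, src, dst, dport=None, icmp_type=None):
    """Walk the ACEs top-down; the first match wins; no match is the implicit deny.
    Returns (action, 1-based line number or None, ACE text)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        kind, val = ace["qual"] or (None, None)
        if kind == "port" and val != dport:
            continue
        if kind == "icmp-type" and val != icmp_type:
            continue
        return ace["action"], n, ace["text"]
    return "deny", None, "implicit deny at end of access-list"


def move_to_top(acl, line_no):
    """Copy of the ACL with the given 1-based ACE moved to line 1 (what the thread did)."""
    return [acl[line_no - 1]] + [a for k, a in enumerate(acl, 1) if k != line_no]


def subnet_slot(ip, parent="10.10.126.0/24", new_prefix=28):
    """Return (index, block) of the /28 inside the parent that contains ip,
    numbered 0..15 exactly as in the subnet table in the thread."""
    addr = ipaddress.ip_address(ip)
    for idx, block in enumerate(ipaddress.ip_network(parent).subnets(new_prefix=new_prefix)):
        if addr in block:
            return idx, block
    raise ValueError(f"{ip} is not inside {parent}")


if __name__ == "__main__":
    acls = parse_acls(ASA_CONFIG)
    internet_host = "203.0.113.5"  # constructed outside address (documentation range)
    dmz_host = "10.10.126.28"      # the DMZ8 host from the thread
    # Inbound on outside: echo request toward the DMZ8 /28 (line 6) and TCP/445 (no match)
    print(evaluate(acls["out"], "icmp", internet_host, dmz_host, icmp_type=8))
    print(evaluate(acls["out"], "tcp", internet_host, dmz_host, dport=445))
    # Inbound on dmz8: the echo request leaving the DMZ, posted order vs. reordered
    print(evaluate(acls["dmz8"], "icmp", dmz_host, internet_host, icmp_type=8))
    print(evaluate(move_to_top(acls["dmz8"], 7), "icmp", dmz_host, internet_host, icmp_type=8))
    # Which /28 of 10.10.126.0/24 the DMZ host and the outside interface address fall in
    print(subnet_slot(dmz_host), subnet_slot("10.10.126.9"))
```

The evaluator only models address, protocol, port and ICMP-type matching; it does not model the ASA's interface security levels, NAT or inspection, so a "permit" here means the ACL itself would not drop the flow, not that the box would forward it.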
