Hello Francisco,

That is what I am asking you. is that the IP address of the server?

Can you apply the

Global (inside) 101 interface

Also please provide the output of

packet-tracer input dmz tcp xx.x.x.x.x (ipaddressDMZ host) 1025 xx.x.x.x.x ( Ip address inside host) 80

Regards,

Julio

This is the address of the server:

192.168.1.2

this statement applies is the output of tracer packet:

asa (config) # packet-tracer input dmz tcp 192.168.1.2 1025 192.168.5.1 3306

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

config:

Additional Information:

Found no matching flow, Creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

config:

Additional Information:

in inside 192.168.1.0 255.255.255.0

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

config:

access-group DMZ in interface DMZ_IN

DMZ_IN extended access-list permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

config:

Additional Information:

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

config:

static (DMZ, outside) Webserver_Public SerWeb netmask 255.255.255.255

nat-control

   match ip outside SerWeb Any DMZ host

     static translation to Webserver_Public

     translate_hits = 473, untranslate_hits = 1587

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

config:

static (inside, DMZ) 192.168.1.2 192.168.5.252 netmask 255.255.255.255

nat-control

   match ip inside host 192.168.1.2 DMZ and Stock

     static translation to 192.168.5.252

     translate_hits = 0, untranslate_hits = 6

Additional Information:

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

This applied both for port 80 to port 3306

Hello  Francisco,

We are not on the same page!

I need you to provide all the information I request in order to help...

So the issue is you cannot access a inside server (192.168.1.2) from a dmz network (192.168.5.0/24)

The packet-tracer you did its wrong.....

It should be

asa (config) # packet-tracer input dmz tcp 192.168.5.15 1025 192.168.5.252 3306

On the packet tracer we are going to see all the rules that the ASA will use to inspect a packet from a dmz host 192.168.5.15 to the 192.168.5.252 witch is the inside server natted to the DMZ..

Did you already apply the global (inside) 101 interface

Please provide sh run nat , sh run global, sh run static and the packet-tracer output!!

Regards,

Julio

asa# packet-tracer input dmz tcp 192.168.5.15 1025 192.168.5.252 3306

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255

nat-control

  match ip inside host 192.168.1.2 DMZ any

    static translation to 192.168.5.252

    translate_hits = 0, untranslate_hits = 7

Additional Information:

NAT divert to egress interface inside

Untranslate 192.168.5.252/0 to 192.168.1.2/0 using netmask 255.255.255.255

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group DMZ_IN in interface DMZ

access-list DMZ_IN extended permit ip any any

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (DMZ) 0 0.0.0.0 0.0.0.0

nat-control

  match ip DMZ any outside any

    no translation group, implicit deny

    policy_hits = 1080

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255

nat-control

  match ip inside host 192.168.1.2 DMZ any

    static translation to 192.168.5.252

    translate_hits = 0, untranslate_hits = 7

Additional Information:

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255

nat-control

  match ip inside host 192.168.1.2 DMZ any

    static translation to 192.168.5.252

    translate_hits = 0, untranslate_hits = 7

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 153554, packet dispatched to next module

Phase: 11

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 192.168.1.2 using egress ifc inside

adjacency Active

next-hop mac address 0021.5e67.c506 hits 10

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

asa# sh run nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 192.168.1.0 255.255.255.0

nat (inside) 101 0.0.0.0 0.0.0.0

asa# sh run global

global (outside) 101 interface

global (inside) 101 interface

global (DMZ) 101 interface

asa# sh run static

static (DMZ,outside) Webserver_Public SerWeb netmask 255.255.255.255

static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255

Hello Francisco,

So now seems to be hitting the right rules, can you test it but first create the following captures and then try the connection

access-list capin permit tcp host 192.168.1.2 host xxx.xxx.xx.xx (inside interface ip address)

access-list capin permit tcp host xxx.xxx.xx.xx (inside interface ip address) host 192.168.1.2

access-list capdmz permit tcp host 192.168.5.252 host 192.168.5.15

access-list capdmz permit tcp host 192.168.5.15 host 192.168.5.252

capture capin access-list capin interface inside

capture capdmz access-list capdmz interface dmz

Can you provide the show cap capin and show cap capdmz

Regards,

Julio

hello

I have concerns with your response:

1. "Inside interface ip address" refers to the IP address that has the ASA on the internal network.

2. These ACLs are applicable or not.

thanks

Hello Francisco

1- Yes the ip address of the inside interface of the asa

2- they are not going to restrict any traffic, do not worry is just for a packet capture.

Can you add the command nat (dmz) 101 0 0

Then generate the traffic and  Please provide the show cap capin and show cap capdmz.

These are the results, trying to make a mysql query

Result of the command: "show cap Capin"

0 Packet Capture

0 packet Shown

Result of the command: "show cap capdmz"

0 Packet Capture

0 packet Shown

This is the configuration that I introduced

access-list permit tcp host 192.168.1.2 Capin host 192.168.1.254

access-list permit tcp host 192.168.1.254 Capin host 192.168.1.2

access-list permit tcp host 192.168.5.252 capdmz host 192.168.5.15

access-list permit tcp host 192.168.5.15 capdmz host 192.168.5.252

nat (DMZ) 101 0.0.0.0 0.0.0.0

capture Capin Capin interface access-list inside

capdmz capture interface access-list dmz capdmz

Hello Francisco

Check your last message, did you mean to say the following:

access-list capin permit tcp host 192.168.1.2 host 192.168.1.254

access-list capin permit tcp host 192.168.1.254  host 192.168.1.2

access-list capdmz permit tcp host 192.168.5.252  host 192.168.5.15

access-list capdmz  permit tcp host 192.168.5.15  host 192.168.5.252

capture Capin access-list capin interface inside

capture capdmz access-list capdmz  interface dmz

You should have it like that...

If you do not get the packets to the DMZ interface then there is a problem into your DMZ host, as the packets are not reaching the DMZ interface.

DMZ host should go to 192.168.5.252, and the ASA should see the packets.

Regards,

Julio

Hello Francisco,

Yeah, that seems to be the problem.

What if the final question ( Si prefieres hacerla en espa;ol no hay problema)

Regards,

Julio

hola:

Mi ultima pregunta es sobre que puertos estan habilitados con esta configuracion, porque ya hice una prueba con los puertos de SQLServer y MySQL y estan abiertos.

Quisiera evitar que la gente que tenga acceso al DMZ pueda entrar a la red segura.

Saludos.

Francisco.