12-21-2011 06:53 AM - edited 03-11-2019 03:04 PM
I've been doing a quick search without finding the correct answer to my problem; it might be that I should have done some more searching, but here it goes.
I have an ASA 5505 Sec Plus with 3 VLANs: inside, outside and DMZ.
On the outside I have 5 IPs for my use, and in the DMZ I have a webserver that needs to communicate with one SQL server on the inside.
The "SQL" also needs to be accessible from outside and thus has a static NAT with a dynamic NAT so it replies from the same IP as on the NAT, i.e. 72.72.72.5.
The webserver is NATted with 72.72.72.6.
SQL inside IP is 192.168.1.2, gw 192.168.1.1.
Webserver IP is 192.168.2.100, gw 192.168.2.1.
Sec lvl on inside is 100 and on DMZ 50.
With a dynamic policy running inside-net/24 to dmz-network/24 translated to DMZ 192.168.2.2, I can get it to ping one way from inside to DMZ, but not the other way around...
All I need is to open 1 port, i.e. 6677, both ways for this communication to work.
I'm not very familiar with the CLI and do most stuff in the GUI (I know I should learn the CLI, but time doesn't let me)...
Any tips on what I need to do???
On access rules I have just added everything from any to any using ip, icmp, tcp and udp just to be sure... :-)
Happy for any pointers...
12-23-2011 09:30 AM
Hello Thomas,
Can you do a packet tracer,
packet-tracer input inside icmp 10.40.96.249 8 0 10.40.97.254
Regards,
Julio
12-23-2011 11:08 AM
Result of the command: "packet-tracer input inside icmp 10.40.96.250 8 0 10.40.97.254"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.40.97.0 255.255.255.0 DMZ
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any log disable
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
service-policy global-policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,DMZ) SQL-Server_Innside SQL-Server_Innside netmask 255.255.255.255
match ip inside host SQL-Server_Innside DMZ any
static translation to SQL-Server_Innside
translate_hits = 5, untranslate_hits = 59
Additional Information:
Static translate SQL-Server_Innside/0 to SQL-Server_Innside/0 using netmask 255.255.255.255
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp Utside-Ekte-IP-243 2077 SQL-Server_Innside 2077 netmask 255.255.255.255
match tcp inside host SQL-Server_Innside eq 2077 outside any
static translation to Utside-Ekte-IP-243/2077
translate_hits = 4, untranslate_hits = 168
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 2 10.40.97.0 255.255.255.0
match ip DMZ 10.40.97.0 255.255.255.0 outside any
dynamic translation to pool 2 (Utside-Ekte-IP-246)
translate_hits = 279, untranslate_hits = 14
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1238768, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
12-23-2011 12:29 PM
Result of the command: "packet-tracer input dmz icmp 10.40.97.254 8 0 10.40.96.250"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,DMZ) SQL-Server_Innside SQL-Server_Innside netmask 255.255.255.255
match ip inside host SQL-Server_Innside DMZ any
static translation to SQL-Server_Innside
translate_hits = 5, untranslate_hits = 60
Additional Information:
NAT divert to egress interface inside
Untranslate SQL-Server_Innside/0 to SQL-Server_Innside/0 using netmask 255.255.255.255
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_to_in in interface DMZ
access-list dmz_to_in extended permit ip any any log debugging
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
service-policy global-policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 2 10.40.97.0 255.255.255.0
match ip DMZ 10.40.97.0 255.255.255.0 outside any
dynamic translation to pool 2 (Utside-Ekte-IP-246)
translate_hits = 279, untranslate_hits = 14
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,DMZ) SQL-Server_Innside SQL-Server_Innside netmask 255.255.255.255
match ip inside host SQL-Server_Innside DMZ any
static translation to SQL-Server_Innside
translate_hits = 5, untranslate_hits = 60
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp Utside-Ekte-IP-243 2077 SQL-Server_Innside 2077 netmask 255.255.255.255
match tcp inside host SQL-Server_Innside eq 2077 outside any
static translation to Utside-Ekte-IP-243/2077
translate_hits = 4, untranslate_hits = 168
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1249622, packet dispatched to next module
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
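Reading two of these traces side by side is tedious. As an added example (my own code, not part of the thread or of Cisco's tooling), here is a small Python parser for the packet-tracer output format shown above; it runs on a constructed DROP trace and pulls out the final action, the first phase that did not ALLOW, the Drop-reason, and the NAT/ACL rule lines the packet matched.

```python
import re

def parse_packet_tracer(text):
    """Split ASA packet-tracer output into per-phase dicts plus the final Result block."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"number": int(m.group(1)), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":          # a bare 'Result:' opens the final verdict block
            cur, section = None, "final"
        elif section == "final" and line:
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
        elif cur is None or not line:
            continue                     # echoed command line, blank lines
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            cur[section].append(line)    # matched rule lines, hit counters, flow ids
    return phases, final

def summarise(text):
    """Verdict, first non-ALLOW phase, drop reason and the NAT/ACL rules that matched."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") != "ALLOW"), None)
    return {
        "action": final.get("Action"),
        "path": (final.get("input-interface"), final.get("output-interface")),
        "drop_phase": drop and f"{drop['number']} {drop['type']}",
        "drop_reason": final.get("Drop-reason"),
        "matched_rules": [c for p in phases for c in p["config"]
                          if c.startswith(("static ", "nat ", "access-list "))],
    }

# Constructed sample (not from the thread): the DMZ -> inside flow denied by an ACL.
SAMPLE_DROP = """Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group dmz_to_in in interface DMZ
access-list dmz_to_in extended deny ip any any
Result:
input-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Paste a real trace into `summarise()` to get the same summary; on an allowed flow `drop_phase` and `drop_reason` come back as `None`.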
12-23-2011 12:57 PM
Hello Thomas,
Ok, so let's focus on this.
You need to be able to access the DMZ server 10.40.97.254 from all the inside users.
For that all you will need is:
nat (inside) 1
global (dmz) 1 interface
Please remove the following statement:
no static (dmz, inside) 10.40.97.254 10.40.97.254
Now can you give it a try please?
After these changes please post the running-config.
Regards,
Julio
12-23-2011 01:17 PM
Most important, I believe, is that the Zspider program on the webserver in the DMZ can communicate with the SQL server on the inside :-)
Going to remove the VPN before the next post...
Result of the command: "show config"
: Saved
: Written by hm-kontor at 03:08:40.846 UTC Fri Dec 23 2011
!
ASA Version 8.2(1)
!
hostname cisco
domain-name xxx.local
enable password xxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxx
names
name 10.40.96.250 SQL-Server_Innside
name xxxxxxxxxxx.242 Utside-Ekte-IP-242
name xxxxxxxxxxx.243 Utside-Ekte-IP-243
name xxxxxxxxxxx.244 Utside-Ekte-IP-244
name xxxxxxxxxxx.245 Utside-Ekte-IP-245
name xxxxxxxxxxx.246 Utside-Ekte-IP-246
name 10.40.97.249 Inside-Webserver
!
interface Vlan1
nameif inside
security-level 100
ip address 10.40.96.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Utside-Ekte-IP-242 255.255.255.248
!
interface Vlan12
nameif DMZ
security-level 50
ip address 10.40.97.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Giant-Leap tcp
port-object eq 2077
port-object eq 2020
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq https log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq 2040 log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-244 eq www log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 object-group Giant-Leap log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq www log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-244 eq https log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-246 eq www log disable
access-list dmz_to_in extended permit ip any any log debugging
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm alerts
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool IP-VPN-Pool 10.40.96.150-10.40.96.175 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (inside) 3 10.40.96.2 netmask 255.0.0.0
global (outside) 1 interface
global (outside) 2 Utside-Ekte-IP-246 netmask 255.0.0.0
global (DMZ) 4 10.40.97.2 netmask 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 10.40.97.0 255.255.255.0
static (inside,outside) tcp Utside-Ekte-IP-243 2040 10.40.96.27 2040 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 https 10.40.96.252 https netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 2077 SQL-Server_Innside 2077 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 2020 SQL-Server_Innside 2020 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 www SQL-Server_Innside www netmask 255.255.255.255
static (inside,DMZ) SQL-Server_Innside SQL-Server_Innside netmask 255.255.255.255
static (DMZ,inside) Inside-Webserver Inside-Webserver netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_to_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 Router-IP
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN-nds protocol radius
aaa-server VPN-nds (inside) host 10.40.96.254
timeout 5
key xxxxxxxxxx
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_nds internal
group-policy VPN_nds attributes
dns-server value 10.40.96.254
default-domain value nds.local
address-pools value IP-VPN-Pool
username hmk password xxxxxxxxxxxxxxxencrypted privilege 15
tunnel-group VPN_nds type remote-access
tunnel-group VPN_nds general-attributes
address-pool (outside) IP-VPN-Pool
authentication-server-group VPN-nds LOCAL
authentication-server-group (outside) VPN-nds LOCAL
default-group-policy VPN_Friends
tunnel-group VPN_nds ipsec-attributes
pre-shared-key *
tunnel-group VPN_nds ppp-attributes
authentication ms-chap-v2
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect icmp
!
service-policy global-policy global
12-28-2011 01:47 AM
Any idea what might be the reason why it won't work???
12-28-2011 09:30 AM
Hello Thomas,
1. What is not working now, the communication from all the inside users to the DMZ server?
2. The DMZ server can communicate with the SQL server, right?
3. What do we need to be able to do now? Can you explain it again?
Regards,
Julio
12-28-2011 10:48 AM
1. I have a Zspider webshop client that shall run on the webserver and communicate with the SQL server. Those 2 do not "connect" on the given ports even though all ports ("IP") are allowed.
2. Yes, I can ping from both sides and connect from webserver -> SQL server and from SQL server -> webserver.
3. Well... I need to figure out why the Zspider does not connect with the SQL server.
I moved the webserver to the inside LAN and changed the IP, and then the Zspider connects to the SQL server, so the setup of the SQL is correct and working; it's just that the Zspider doesn't connect through the firewall...
12-28-2011 11:19 AM
Hello Thomas,
So the communication is now working; it seems to be an application issue. Let's do the following.
Let's do a capture on the ports that they will communicate on, and then let's download it via pcap and see in Wireshark what's going on.
So I need the following information:
- Ports that each of the servers will use in the communication:
Zspider port: ?
SQL port: ?
- Just to make sure we are on the same page:
The inside SQL server is 10.40.96.250, right, and it gets NATted to the DMZ as 10.40.96.250?
The Zspider server is 10.40.97.254 and gets NATted to the inside as 10.40.97.254?
Julio
12-28-2011 11:33 AM
Webserver is on DMZ running 10.40.97.249 (changed because I moved it into the inside LAN for a test).
SQL server is on Inside running 10.40.96.250.
The Zspider, I'm told, will run on any of the following ports: 6792 7568 8166 9854 14066 17798 18445 20535 36331 41538 (TCP, I was told). The SQL server, as far as I know, will answer on any of these ports (communication between Zspider and SQL was tested when I moved the webserver to the Inside VLAN for the test).
SQL server is NATted to DMZ using
static (inside,dmz) 10.40.96.250 10.40.96.250
You wanted me to remove the other NAT:
no static (dmz,inside) 10.40.97.249 10.40.97.249
12-28-2011 11:39 AM
Hello Thomas,
That is correct.
Now let's create the capture:
access-list test permit ip host 10.40.96.250 host 10.40.97.249
access-list test permit ip host 10.40.97.249 host 10.40.96.250
capture capin access-list test interface inside
capture capdmz access-list test interface dmz
Then initiate the traffic and go, in any browser, to:
https://10.40.96.1/capture/capin/pcap
https://10.40.96.1/capture/capin/pcap
Please upload both files to this discussion.
Regards,
Julio
12-28-2011 11:57 AM
12-28-2011 12:09 PM
Hello Thomas,
Do you have Wireshark installed on any computer there, so you can take a look at the captures you just sent me?
All I am seeing is NetBIOS name service traffic coming from the webserver to the inside SQL, and then the SQL replies with an ICMP Destination Unreachable (Port Unreachable).
So the ASA is not affecting the communication; it seems like it's an application issue that you are facing here.
Do please rate helpful posts.
Julio
12-28-2011 12:21 PM
Yeah, I have Wireshark but didn't fully understand what I was looking at :-)
But I did notice the NetBIOS and the reply with ICMP destination unreachable.
So since it uses NetBIOS traffic I won't be able to run it through the firewall; that can explain why it works on the same VLAN :-)
So there is no "fix" for this unless I get the program not to use NetBIOS, correct?
Going to have to get hold of the developer then, I guess; the guy installing the "Zspider" claims it runs on other firewalls.
Thanks for all the help.
12-28-2011 12:38 PM
Hello Thomas,
Let's confirm if the ASA is dropping the packets.
capture asp type asp-drop all
Then initiate the connection and provide me the following output:
show capture asp | include 10.40.96.250
show capture asp | include 10.40.97.249
Can you add the following commands and give it a try as well?
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect netbios
Do please rate helpful posts.
Julio