DMZ ASA 5505

Ben McGuire
Level 1

Hi there,

 

We are setting up a DMZ for our VPS Virtual Machines.

 

We have our esxi host behind the firewall on 192.168.1.101

Our VMs internally are all working fine.

 

Our issue is we want to create VPS VMs with a static public IP address on the DMZ. We have a public IP address assigned on the DMZ (12.12.12.13) and on our VM we have assigned another IP address (12.12.12.14, with a gateway of 12.12.12.13).

We have set up an ACL for the DMZ to allow any, as we want to use iptables on the VPS machines.

 

We cannot seem to get this to work so what are we doing wrong?

 

We want to setup a number of VPS machines with static ip addresses and use the DMZ interface for this type of traffic.

 

Are we on the right track or have we missed something?

 

Thank you in advance

Accepted Solution

Akshay Rastogi
Cisco Employee

Hi,

Again, you are using the wrong packet-tracer. Please watch the interface you are using for the input packet. You are using the interface DMZ but initiating traffic from a host on the outside interface.

Please use the link below to understand the captures :

https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios

 

Also, I do not see any ARP entry for VM .50. These are the only ARP entries present:

fw-001# sh arp
        outside 216.245.198.73 000d.bcf3.e580 125
        inside cPanel-VM-Internal 000c.2969.2b58 407
        inside ESXi-Host-Internal 0050.5669.b82b 508
        inside Tes-VM 000c.29ce.4a2d 993
        DMZ 69.162.90.49 000d.bcf3.e580 8

 

So please check connectivity from your VM to the DMZ interface. The ASA is fine at this point in time. I don't see any issue with the ASA configuration as of now.

Regards,

Akshay Rastogi


40 Replies

Akshay Rastogi
Cisco Employee

Hi,

- Are you able to ping the ASA DMZ interface IP (12.12.12.13) from your host?

- Also, what kind of traffic are you testing? (What is the traffic flow, i.e. from where are you initiating it?)

- As I understand it, you are now using a third VLAN (one is inside, one is outside and this is DMZ). Could you please check the output of 'show activation-key' and see if it says 3 VLANs, DMZ Restricted?

- If you are testing with ICMP traffic, have you permitted the return traffic on the outside interface, or run the command 'fixup protocol icmp' in global configuration mode?

- Also if all are set then could you please provide the output of :

"packet-tracer input DMZ tcp 12.12.12.14 12345 4.2.2.2 80 detail"

 

Regards,

Akshay Rastogi

OK. I will provide these outputs now.

fw-001# packet-tracer input DMZ tcp 69.162.90.50 12345 4.2.2.2 80 detail

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x415d038, priority=11, domain=permit, deny=true
        hits=1671, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: dmz-VPS
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Thanks for the output.

The first thing here is that you have only two fully functional VLANs. To enable the third VLAN, which would be able to initiate traffic only in one direction:


"With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. You limit the third VLAN using the no forward interface command".

This means if you want to have communication between DMZ and Outside then you need to configure 'no forward interface <inside-vlan>'.  Please configure this and test.

Also provide the access-lists you have configured and applied on the DMZ interface and the outside interface.

Also provide the output of 'show run policy-map'.

 

Regards,

Akshay Rastogi

Hi,

 

Thanks for the response.

 

The 'no forward interface' command needs to be run on vlan2, yes?

Hi,

If you want the DMZ host to communicate only with outside hosts (not inside), then configure 'no forward interface <inside-interface vlan>'.

Regards,

Akshay Rastogi


fw-001# conf t
fw-001(config)# no forward interface vlan11
                    ^
ERROR: % Invalid input detected at '^' marker.

It seems that command does not work.

 

Hi,

I am sorry. I forgot to mention that it is an interface based command.

You need to configure this command under the DMZ vlan interface.

For clear understanding, use the link below:

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/int5505.html#wp1051819

Regards,

Akshay Rastogi
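The VLAN-interface form of the restriction described above, as an added example that is not the poster's configuration or the reply's own text. It assumes the ASA 5505 Base license with inside on Vlan1, outside on Vlan2 and the DMZ on Vlan3 attached to switchport Ethernet0/2; the DMZ address is the one from the original post and the /28 mask, the security level and the port assignment are assumptions. Lines beginning with `!` are comments.

```cisco
! Added example (not from the thread): ASA 5505 Base-license three-VLAN layout.
! Assumptions: inside = Vlan1, outside = Vlan2, DMZ = Vlan3 on Ethernet0/2,
! DMZ address 12.12.12.13 with an assumed /28 mask.

! Confirm the license first: the Base license reports 3 VLANs with the third
! one "DMZ Restricted", which is why the restriction below is required at all.
show activation-key

! The restriction is an interface-level command under the DMZ VLAN, not a
! global one, and the 5505 guide has it configured before the interface is named.
interface Vlan3
 no forward interface vlan 1
 nameif DMZ
 security-level 50
 ip address 12.12.12.13 255.255.255.240
 no shutdown

! The DMZ VLAN still needs a physical switchport; the ESXi vSwitch port group
! carrying the DMZ VM must uplink into this port (assumed to be Ethernet0/2).
interface Ethernet0/2
 switchport access vlan 3
 no shutdown

! Check that the interface came up and that the restriction is recorded.
show interface Vlan3
show running-config interface Vlan3
```

With `no forward interface vlan 1` on Vlan3, hosts on the DMZ cannot initiate connections to the inside VLAN, but the DMZ can still initiate to outside (security level 50 to 0) and outside can reach the DMZ once an access-list on outside permits it. Because the ESXi host itself sits on the inside network (192.168.1.101), the DMZ VM needs its own vSwitch or a separate port group on a trunked uplink; a VM whose vNIC is still on the inside port group will never appear in the ASA's ARP table on the DMZ interface.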

Hi,

If it is already configured, then remove the access-group from the DMZ VLAN interface (by default it allows all traffic from a high security level to a low one).

It is an access-list issue then (it has not given any license error in packet-tracer).


Regards,

Akshay Rastogi

Hi,

 

I do not know what you mean by "remove access-group from DMZ vlan interface"

 

I have attached our ACL via ASDM, and the network object in the DMZ (VPS-Customers) has the public IP of the VPS machine.

 

I believe we do not need to setup anything in inside or outside interfaces so why is traffic trying to go out the outside interface?

Yes, it seems to be an ACL issue, but where?

 

Hi,

I think there is a misunderstanding. I had asked at the start what the communication flow is (from where it is initiating, and to what destination, behind which interface of the ASA, it is going).

From the snapshot, I could see that you have configured the destination as VPC-customer. So where is this VPC-customer subnet?

Packet-tracer is a way to create a dummy packet and send it through the ASA. The example was for a host coming from the DMZ subnet to 4.2.2.2 (it is a Google server IP), which lies behind the outside interface.

Please explain in detail what is the communication flow.

Regards,

Akshay Rastogi

The traffic flow should be from the internet to the DMZ interface which has an IP of 69.162.90.49. The VPS-Customer object in the DMZ has a public IP of 69.162.90.50.

The DMZ subnet VPS customer is a VM on an ESXi host that I want to be able to bypass the access rules on the ASA  and manage the VPS-customer VM firewall via iptables.

 

To explain further:-

I have an ESXi Host

An ASA Firewall

There are three VMs on the ESXi Host

Two VMs are setup with NAT and are working fine on the inside interface

The third VM has a public IP address and is also on the ESXi host, but this VM needs to use the DMZ (VPS-customer) and not use the firewall rules of the other VMs. I want to allow 'Any' on the DMZ and also come in and out via the DMZ. Is this how it works, or does it still need to go out via the outside interface?

 

I have made a quick net diagram.

Hi,

Thanks for the detailed explanation.

We need to understand that traffic is by default allowed from a high security zone interface to a low one (return traffic is allowed). Vice versa is not allowed (traffic initiated from the lower security zone is blocked until there is an access-list configured on the lower interface to allow it).

- Now, in your case traffic is initiated from outside (which is a lower security zone), so you need to allow the traffic with an access-list, source any outside host to your server IP, for TCP or IP traffic (whatever your profile is), and apply it on the outside interface (you have already configured an access-list on outside; you can just add one more entry to allow the traffic as mentioned above).

- Also, your access-list on DMZ is wrong: as VPC-customer is already behind DMZ, this network object should be the source, not the destination (as you have configured), and the destination should be any (or a specific destination IP on the Internet if you know it).

Please let me know if you have any query.

Regards,

Akshay Rastogi
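The two access-lists and the two packet-tracer checks that the reply above calls for, as an added example that is not the poster's configuration or the reply's own text. It assumes ASA 8.3 or later object syntax, the interface names inside/outside/DMZ, the DMZ host address 12.12.12.14 from the original post with an assumed /28 mask, an assumed object name VPS-Customer, assumed ACL names, and an assumed set of services (80, 443, 22) that the VPS actually exposes; 198.51.100.10 is a documentation address standing in for an Internet client. Lines beginning with `!` are comments.

```cisco
! Added example (not from the thread). Assumptions: ASA 8.3+, interfaces
! inside/outside/DMZ, DMZ host 12.12.12.14, object and ACL names invented here.

object network VPS-Customer
 host 12.12.12.14

! Outside -> DMZ: the lower security level is initiating, so an ACL on outside
! must permit it. Permitting only the services the VPS serves keeps the ASA as
! a real control; "permit ip any" would leave all filtering to iptables on the VM.
access-list OUTSIDE_IN extended permit tcp any object VPS-Customer eq 80
access-list OUTSIDE_IN extended permit tcp any object VPS-Customer eq 443
access-list OUTSIDE_IN extended permit tcp any object VPS-Customer eq 22
access-group OUTSIDE_IN in interface outside

! DMZ -> outside: the DMZ host is the SOURCE and the destination is any.
! Any ACL applied to DMZ ends in an implicit deny, so a rule written with the
! DMZ host as destination matches nothing and every outbound packet is dropped.
access-list DMZ_IN extended permit ip object VPS-Customer any
access-group DMZ_IN in interface DMZ

! No NAT statement is needed for a host that already carries a public address;
! just make sure no broader dynamic NAT rule (e.g. a source of "any") catches it.

! Verify each direction with a packet-tracer whose INPUT interface is the one
! the packet really arrives on: outside for an Internet client, DMZ for the VM.
packet-tracer input outside tcp 198.51.100.10 40000 12.12.12.14 80 detailed
packet-tracer input DMZ tcp 12.12.12.14 40000 198.51.100.10 443 detailed

! Layer 2 check: the VM must appear in the ARP table on DMZ before any ACL matters.
show arp
show interface Vlan3
```

Each packet-tracer should end with `Action: allow`; a drop in the ACCESS-LIST phase with `Implicit Rule` means the packet hit the end of the ACL on the input interface without a match, which is what the output earlier in the thread shows. One thing worth checking in the `show arp` output posted above: the DMZ entry for 69.162.90.49 carries the same MAC address (000d.bcf3.e580) as the outside next hop 216.245.198.73. Since 69.162.90.49 is the ASA's own DMZ address, the ASA should not be learning it from another device at all; that pattern usually indicates either an address conflict with the upstream router or the DMZ and outside segments being bridged together, and it would explain a DMZ VM that cannot reach its gateway regardless of the ACLs.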

I have made those changes and ran the packet tracer... Traffic still gets blocked by the implicit rule... I am pulling my hair out.
