08-09-2021 06:15 PM
Firewall + DHCP server for DMZ lost power. Config didn't change after but now I can no longer reach the default gateway for from my esxi host nor the VM on it. I cant reach the default gateway from any other switch or device on the network either. Devices connection to the DMZ network can reach the DHCP server but can not get internet access.
The only device I can reach(ping) the default gateway(192.168.1.1) from is the firewall. Attached the ASA config because I assume the problem is there.
I adopted the firewall and am not very familiar with the config and am out of ideas.
08-09-2021 06:33 PM
Hi,
I have few questions to understand your problem.
I) Devices in DMZ cannot access Internet ?
ii) Devices inside your DMZ are expected to reach what services/devices in your Inside Network ?
Also, in your config, I notice one thing strange related to spelling of DMZ Public IP Object you created for NAT rules:
nat (dmz,outside) after-auto source dynamic obj-192.168.0.0 obj-DMZPUBLICP
"obj-DMZPUBLICP" is not defined, insteat you defined obj-DMZPUBLICIP
can you modify above rule to "nat (dmz,outside) after-auto source dynamic obj-192.168.0.0 obj-DMZPUBLICIP " if it was not done intentionally.
08-09-2021 06:44 PM
I) Devices in DMZ cannot connect to the internet
ii)They don't really need to reach anything on the inside necessarily. The only thing they need is to be granted an IP address(currently working by the DHCP server on the DMZ) and then connnect to the internet. There is a wireless controller controlling the access points we have that is doing its job to the best of my knowledge. WiFi devices get IPs correctly atleast. The DMZ gateway seems to be entirely unreachable by any device apart from the firewall itself
iii)obj-DMZPUBLICIP is just a placeholder instead of the actual IP but i just mistyped. All instances of that in the config should be obj-DMZPUBLICIP
Thanks for taking the time to look at it
08-09-2021 07:53 PM
Hi,
DMZ Gateway IP "192.168.1.1" would be reachable only by DMZ subnets and cant be reachable by your devices in your Inside zone.
Your configuration looks fine to me.
From any devices inside DMZ, can you please ping "8.8.8.8" and can check the output at "show xlate" whether you are getting the desired results ?
Also, make some tests using packet-tracer command at the ASA .
08-10-2021 09:11 AM
I don't have any ideas left. It may not be the firewall. In the past I was able to see and connect to my esxi host and the VMs on it from the inside network. Now I can no longer do that or see them at all. Also the devices on the DMZ cannot ping the default gateway(192.168.1.1). Devices on the DMZ can communicate between eachother however. Also I cannot ping the DMZ gateway from any of my switches on the network leading me to believe that there is some other problem with reaching the gateway that I cannot understand.
08-10-2021 03:44 PM
you need to review your Access-list 201 statements which is applied to DMZ interface. There are some Deny statements mentioned which might making some troubles
For Example:
access-list 201 extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
it means DMZ network cannot talk to your inside network. you can review and may remove it if this is something you are not looking for.
Also, for ICMP, i can see only ICMP Echo reply is only allowed which also indicates why you cannot ping from DMZ servers to DMZ Gateway and rest of the network
08-11-2021 11:40 AM
I removed the deny line and nothing changed. I am not super worried about the traffic crossing from inside to outside right now but rather the DMZ traffic making it to the internet. Im starting to think there is a routing issue somewhere or perhaps even a rogue device with IP 192.168.1.1 that may be causing problems. If I wanted to change the default gateway(to something like 192.168.1.254) for the DMZ to test would I just have to change it manually on devices and on the DMZ interface on the firewall or would I need to make changes elsewhere.
I really appreciate you trying to help
08-11-2021 04:30 PM
Hi,
Regarding changing the DMZ Gateway IP. You need to change the ASA DMZ Interface IP Address and then change the default gateway for the DMZ servers to the new IP of DMZ Interface. Thats the only chane you need to do.
I dont suspect there is Routing issue as you said that Controllers in DMZ can reach to your access points in the inside Network. Meanwhile you can test by changing your IP, can you list down some internal IP ( can be dummy ) which you are testig reachablity and the traffic flow. I can review your ACL again.
Also, in your ACL i saw you are accepting only echo-reply packets, for testing, can you also add similar statement for echo also ?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide