DMZ Setup unable to connect to server

Hi everybody.

I've configured this lab and an access-list on the firewall, but I can't access the server from outside. I'm trying to figure this out but I can't seem to get it.

I've attached the lab in a zip file if someone wants to give it a try.

Any help would be appreciated.

hostname Firewall
domain-name security.com
names
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
!
object network dmz-server
 host 192.168.2.3
object network inside-network
 subnet 192.168.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
!
access-list OUTSIDE-DMZ extended permit icmp any host 192.168.2.3
access-list OUTSIDE-DMZ extended permit tcp any host 192.168.2.3 eq www
!
!
access-group OUTSIDE-DMZ in interface outside
object network dmz-server
 nat (dmz,outside) static 209.165.200.227
object network inside-network
 nat (inside,outside) dynamic interface
!
aaa authentication ssh console LOCAL
!
username bruno password z0GmywQDNOZt29FK encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 172.16.3.3 255.255.255.255 outside
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 209.165.201.2 interface inside
dhcpd enable inside

DMZ SERVER
Default gw 192.168.2.1
ip add 192.168.2.3 255.255.255.0


4 Replies

@bruno.machado.Mac 

Can you ping any IP address on the internet from the firewall itself?

Run a packet capture inbound on the outside interface to confirm the inbound packet even reaches the firewall.

Run packet-tracer to simulate traffic to the DMZ server and provide the output for review.

Hi Rob.

I can ping from the firewall to anywhere and from anywhere to the firewall.

Firewall#ping 172.16.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/13/23 ms

Firewall#ping 192.168.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/11 ms

Firewall#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms

PC Management to Firewall

C:\>ping 209.165.200.226

Pinging 209.165.200.226 with 32 bytes of data:

Reply from 209.165.200.226: bytes=32 time=20ms TTL=252
Reply from 209.165.200.226: bytes=32 time=22ms TTL=252
Reply from 209.165.200.226: bytes=32 time=17ms TTL=252
Reply from 209.165.200.226: bytes=32 time=10ms TTL=252

Ping statistics for 209.165.200.226:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 10ms, Maximum = 22ms, Average = 17ms

DMZ-Server to own gateway

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time<1ms TTL=255
Reply from 192.168.2.1: bytes=32 time<1ms TTL=255
Reply from 192.168.2.1: bytes=32 time=5ms TTL=255
Reply from 192.168.2.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 5ms, Average = 1ms

PC-B to own gateway

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=3ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 3ms, Average = 0ms

But when I simulate traffic from PC-Management it stops on ISP02 with the message "The routing table does not have a route to the destination IP address. The device drops the packet."...but it should be nated by the nat rule...or am I missing some configuration?

Thanks for your help.

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D       10.1.1.0/30 [90/2681856] via 10.2.2.2, 02:54:16, Serial0/0/1
C       10.2.2.0/30 is directly connected, Serial0/0/1
L       10.2.2.1/32 is directly connected, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.3.0/24 is directly connected, GigabitEthernet0/1
L       172.16.3.1/32 is directly connected, GigabitEthernet0/1
     209.165.200.0/29 is subnetted, 1 subnets
D       209.165.200.224/29 [90/2707456] via 10.2.2.2, 01:33:04, Serial0/0/1

SSH into Firewall also works

C:\>ssh -l bruno 209.165.200.226
Password:
Firewall>

ASA CONFIG

hostname Firewall
enable password z0GmywQDNOZt29FK encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
!
object network dmz-server
 host 192.168.2.3
object network inside-net
 subnet 192.168.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
!
!
!
object network dmz-server
 nat (dmz,outside) static 209.165.200.227
object network inside-net
 nat (inside,outside) dynamic interface
!
aaa authentication ssh console LOCAL
!
username bruno password z0GmywQDNOZt29FK encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh 172.16.3.0 255.255.255.0 outside
ssh timeout 5
!
dhcpd address 192.168.1.10-192.168.1.30 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside

"But when I simulate traffic from PC-Management it stops on ISP02 with the message "The routing table does not have a route to the destination IP address. The device drops the packet."...but it should be nated by the nat rule...or am I missing some configuration?"

 

....but you ran a ping from PC-Management and it succeeded, how are you simulating this traffic? How about running a packet capture on the ASA inbound to determine whether the traffic even reaches the ASA. If it doesn't that indicates an issue with a device in front of the ASA, which might make sense if traffic stops on ISP02 - so therefore check ISP02.


Hi Rob,

I figured it out. Very simple in fact.

The ASA 5505 in base license doesn't allow for more than 3 VLANs, so the Vlan3 interface cannot forward traffic to the inside VLAN (Vlan1) interface.

Firewall(config-if)# no forward interface vlan 1

Sometimes the answer is in front of our eyes and we don't see it.
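As an added example (not code from this thread or from Cisco), the following Python linter reads a post-8.3 ASA config like the one posted above and checks the three things the thread turned on: that the ACL bound inbound on outside permits the DMZ server's real (pre-NAT) address 192.168.2.3 rather than the mapped 209.165.200.227, that the access-list is actually applied with access-group, and that any `no forward interface` line on a VLAN is reported, since that is the line the resolution points at. The config excerpt is constructed from the thread; the finding codes are this example's own.

```python
import re

# Constructed excerpt of the ASA config posted in the thread (8.3+ NAT syntax).
ASA_CONFIG = """\
interface Vlan3
 no forward interface Vlan1
 nameif dmz
object network dmz-server
 host 192.168.2.3
access-list OUTSIDE-DMZ extended permit icmp any host 192.168.2.3
access-list OUTSIDE-DMZ extended permit tcp any host 192.168.2.3 eq www
access-group OUTSIDE-DMZ in interface outside
object network dmz-server
 nat (dmz,outside) static 209.165.200.227
"""

def lint_asa(config: str) -> list:
    """Return (code, message) findings; an empty list means every check passed."""
    real, mapped, acl_hosts, bound, no_fwd = {}, {}, {}, set(), []
    obj = iface = None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"object network (\S+)$", s):
            obj, iface = m.group(1), None
        elif m := re.match(r"interface (\S+)$", s):
            iface, obj = m.group(1), None
        elif obj and (m := re.match(r"host (\S+)$", s)):
            real[obj] = m.group(1)                       # real (pre-NAT) address
        elif obj and (m := re.match(r"nat \(\S+,outside\) static (\S+)$", s)):
            mapped[obj] = m.group(1)                     # translated address on outside
        elif iface and (m := re.match(r"no forward interface (\S+)$", s)):
            no_fwd.append((iface, m.group(1)))
        elif m := re.match(r"access-list (\S+) extended permit \S+ any host (\S+)", s):
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface outside$", s):
            bound.add(m.group(1))
    findings = []
    # Only ACLs actually bound inbound on outside admit traffic from the internet.
    permitted = {h for acl in bound for h in acl_hosts.get(acl, ())}
    for name, pub in mapped.items():
        if real.get(name) not in permitted:
            findings.append(("ACL_MISSING_REAL", f"{name}: no bound outside ACL permits real address {real.get(name)}"))
        if pub in permitted:  # pre-8.3 habit: ACL written against the translated address
            findings.append(("ACL_USES_MAPPED", f"{name}: ACL matches mapped {pub}; 8.3+ ACLs must use the real address"))
    for acl in acl_hosts:
        if acl not in bound:
            findings.append(("ACL_UNBOUND", f"access-list {acl} is defined but not applied inbound on outside"))
    for src, dst in no_fwd:
        findings.append(("NO_FORWARD", f"{src}: 'no forward interface {dst}' blocks traffic initiated from {src} toward {dst}"))
    return findings
```

On the posted config the NAT/ACL checks pass and only the NO_FORWARD finding is raised; rewriting the ACL against the mapped address, or dropping the access-group line, makes the corresponding checks fire.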
