01-08-2011 08:52 PM - edited 03-11-2019 12:32 PM
Hi,
I am getting the message below when trying to access a DMZ host from the inside network. I am able to ping the host but cannot establish TCP sessions from inside to DMZ. I checked with packet tracer and the packet is allowed. However, when trying to connect, I get:
Deny TCP (no connection) from 10.64.50.19/1597 to 192.168.50.6/80 flags RST on interface inside.
Below is the info relevant to this setup:
interface Vlan10
no forward interface Vlan50
nameif DMZ
security-level 50
ip address 192.168.50.1 255.255.255.0
interface Vlan50
nameif inside
security-level 100
ip address 10.64.50.15 255.255.255.0
static (inside,DMZ) 10.64.50.0 10.64.50.0 netmask 255.255.255.0
This platform has a Base license.
I suspect the problem is that it is an ASA5505 with a base license and a DMZ interface with the configuration (no forward interface Vlan50). But to create a DMZ on this platform I need that command, and also ping is working just fine.
Any idea?
Regards,
excerpt of the log:
6|Jan 08 2011|23:26:35|302014|192.168.50.6|80|10.64.50.19|1597|Teardown TCP connection 14048774 for DMZ:192.168.50.6/80 to inside:10.64.50.19/1597 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 08 2011|23:26:05|302013|192.168.50.6|80|10.64.50.19|1597|Built outbound TCP connection 14048774 for DMZ:192.168.50.6/80 (192.168.50.6/80) to inside:10.64.50.19/1597 (10.64.50.19/1597)
6|Jan 08 2011|23:26:05|302014|192.168.50.6|80|10.64.50.19|1597|Teardown TCP connection 14048767 for DMZ:192.168.50.6/80 to inside:10.64.50.19/1597 duration 0:00:05 bytes 0 TCP Reset-I
6|Jan 08 2011|23:25:59|302013|192.168.50.6|80|10.64.50.19|1597|Built outbound TCP connection 14048767 for DMZ:192.168.50.6/80 (192.168.50.6/80) to inside:10.64.50.19/1597 (10.64.50.19/1597)
6|Jan 08 2011|23:25:59|106015|10.64.50.19|1597|192.168.50.6|80|Deny TCP (no connection) from 10.64.50.19/1597 to 192.168.50.6/80 flags RST on interface inside
6|Jan 08 2011|23:25:56|302014|192.168.50.6|80|10.64.50.19|1597|Teardown TCP connection 14048752 for DMZ:192.168.50.6/80 to inside:10.64.50.19/1597 duration 0:00:00 bytes 0 TCP Reset-I
6|Jan 08 2011|23:25:56|302013|192.168.50.6|80|10.64.50.19|1597|Built outbound TCP connection 14048752 for DMZ:192.168.50.6/80 (192.168.50.6/80) to inside:10.64.50.19/1597 (10.64.50.19/1597)
01-09-2011 02:55 AM
The inside host should be able to access DMZ host.
With the "no forward interface Vlan50" command on DMZ interface, the DMZ interface can't initiate the connection towards the inside host, however, inside host should be able to access the DMZ host.
If you can ping from inside to DMZ, you should also be able to connect from inside to DMZ on any other protocols, inc. TCP/80.
From the syslog messages, there is a "SYN Timeout", that's why it's not working. Can you please check if the DMZ host's default gateway is 192.168.50.1, and that there is no personal firewall that might be blocking the inbound connection? If packet tracer is allowing the connection, that means the issue is not on the ASA itself.
01-09-2011 06:39 AM
Here is the documentation for what Jenn said: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1051819
If you enable "icmp inspection" pings will fail as well.
I think there is some sort of asymmetry going on.
Inside is talking to DMZ through the firewall, but DMZ hosts are responding directly to the inside hosts. That is what it looks like from the syslogs.
See if you can do this dynamic nat instead of static and see if that helps.
remove the static and add these two lines:
conf t
no stati (inside,DMZ) 10.64.50.0 10.64.50.0 net 255.255.255.0
nat (inside) 100 10.64.50.0 255.255.255.0
global (DMZ) 100 interface
-KS
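KS's reading of the syslog (handshakes torn down with zero bytes while the inside client sends RSTs the ASA has no connection for) can be turned into a repeatable check. This is an added example, not code from the thread or from Cisco: it parses the pipe-delimited export format of the excerpt above (sample lines constructed after the posted ones) and flags flows whose reply path appears to bypass the firewall. The flow keying and the heuristic in suspect_asymmetric are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the pipe-delimited format of the excerpt posted above.
SAMPLE_LOG = """\
6|Jan 08 2011|23:25:56|302013|192.168.50.6|80|10.64.50.19|1597|Built outbound TCP connection 14048752 for DMZ:192.168.50.6/80 (192.168.50.6/80) to inside:10.64.50.19/1597 (10.64.50.19/1597)
6|Jan 08 2011|23:25:56|302014|192.168.50.6|80|10.64.50.19|1597|Teardown TCP connection 14048752 for DMZ:192.168.50.6/80 to inside:10.64.50.19/1597 duration 0:00:00 bytes 0 TCP Reset-I
6|Jan 08 2011|23:25:59|106015|10.64.50.19|1597|192.168.50.6|80|Deny TCP (no connection) from 10.64.50.19/1597 to 192.168.50.6/80 flags RST on interface inside
6|Jan 08 2011|23:26:05|302013|192.168.50.6|80|10.64.50.19|1597|Built outbound TCP connection 14048774 for DMZ:192.168.50.6/80 (192.168.50.6/80) to inside:10.64.50.19/1597 (10.64.50.19/1597)
6|Jan 08 2011|23:26:35|302014|192.168.50.6|80|10.64.50.19|1597|Teardown TCP connection 14048774 for DMZ:192.168.50.6/80 to inside:10.64.50.19/1597 duration 0:00:30 bytes 0 SYN Timeout
"""

TEARDOWN_RE = re.compile(r"bytes (\d+) (.+)$")

def parse_lines(text):
    """Split each 'sev|date|time|msgid|src|sport|dst|dport|text' line into a dict."""
    for line in text.splitlines():
        parts = line.strip().split("|", 8)
        if len(parts) != 9:
            continue  # not an export line in this format; skip it
        _sev, _date, time_, msgid, src, sport, dst, dport, msg = parts
        yield {"time": time_, "msgid": msgid, "src": src, "sport": sport,
               "dst": dst, "dport": dport, "msg": msg}

def analyse(text):
    """Count, per (client, server, server_port), how each attempted handshake ended."""
    flows = defaultdict(lambda: {"built": 0, "zero_byte_reset": 0,
                                 "syn_timeout": 0, "rst_no_conn": 0})
    for rec in parse_lines(text):
        if rec["msgid"] in ("302013", "302014"):
            # In the posted build/teardown lines the ASA prints the DMZ server
            # side first and the initiating inside client second.
            key = (rec["dst"], rec["src"], rec["sport"])
        else:
            key = (rec["src"], rec["dst"], rec["dport"])
        flow = flows[key]
        if rec["msgid"] == "302013":
            flow["built"] += 1
        elif rec["msgid"] == "302014":
            m = TEARDOWN_RE.search(rec["msg"])
            if m and m.group(1) == "0":          # connection never carried data
                if m.group(2) == "SYN Timeout":
                    flow["syn_timeout"] += 1
                elif m.group(2).startswith("TCP Reset"):
                    flow["zero_byte_reset"] += 1
        elif rec["msgid"] == "106015" and "flags RST" in rec["msg"]:
            flow["rst_no_conn"] += 1           # RST for a flow the ASA does not track
    return dict(flows)

def suspect_asymmetric(flow):
    """Every handshake died without data and the client sent RSTs the ASA could not
    match: consistent with SYN-ACKs reaching the client without crossing the ASA."""
    failed = flow["zero_byte_reset"] + flow["syn_timeout"]
    return flow["built"] > 0 and failed == flow["built"] and flow["rst_no_conn"] > 0

if __name__ == "__main__":
    for key, flow in analyse(SAMPLE_LOG).items():
        verdict = "SUSPECT: reply path bypasses ASA" if suspect_asymmetric(flow) else "ok"
        print(key, flow, verdict)
```

Run it against a larger export from the same ASDM log view to see whether the pattern is confined to the inside-to-DMZ flows, which would point at the inside return path rather than the DMZ host itself.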
01-09-2011 11:26 AM
Hi Sankar,
There is already a nat (inside) 1 10.64.50.0 255.255.255.0
Adding nat (inside) 100 for the same subnet won't be feasible. I tried and got a "duplicate" error. I don't think that there is some kind of asymmetry going on. It is a basic setup.
Inside hosts <---> switch <---> ASA5520
The ASA has three interfaces (inside, outside, and DMZ). The inside hosts use 10.64.50.254 (L3 switch) as their gateway. The switch has a default route to the inside interface of the ASA. Below is the route table of the ASA...
Gateway of last resort is 208.x.x.x to network 0.0.0.0
C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
C 208.x.x.x 255.255.255.240 is directly connected, outside
C 10.64.50.0 255.255.255.0 is directly connected, inside
S 10.200.0.0 255.255.0.0 [1/0] via 10.64.50.254, inside
S 10.64.148.0 255.255.255.0 [1/0] via 10.64.50.254, inside
C 192.168.50.0 255.255.255.0 is directly connected, DMZ
S* 0.0.0.0 0.0.0.0 [1/0] via 208.x.x.x, outside
01-09-2011 10:59 AM
Hi Jennifer,
I agree that inside hosts should be able to access DMZ hosts. No, there is no firewall, as I am able to connect to http via the host's public address. I assume that if the gateway was incorrect, ping would not work either. But I will check the client.
Regards,
01-09-2011 11:30 AM
Hi Jennifer,
The DMZ hosts are using the correct gateway which is the ASA DMZ VLAN interface 192.168.50.1
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
Physical Address. . . . . . . . . : 00-07-E9-0F-5A-97
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.50.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.50.1
01-09-2011 11:31 AM
In that case just add another global to match the existing nat (inside) 1 that you have.
global (DMZ) 1 interface.
-KS
01-09-2011 11:36 AM
The global (dmz) 1 is already present. That is what allows DMZ hosts to be accessible from the Internet.
I strongly believe that the problem is with the license. I am using a base license. I could be wrong and will continue searching. I have similar setup with other type of ASA and it works just fine.
Thanks,
01-09-2011 11:41 AM
Can you pls. copy and paste the output of
sh run nat
sh run global
sh run static
global (dmz) 1 - this line is NOT taking the dmz hosts to the internet. You should have a nat (DMZ) 1 line and a matching global (outside) 1 line for the dmz to go out to the internet.
-KS
01-09-2011 11:59 AM
Regarding the DMZ hosts accessing the internet, yours is what I meant to say. Below are the outputs:
nat (inside) 1 10.64.50.0 255.255.255.0
nat (DMZ) 1 192.168.50.0 255.255.255.0
global (outside) 1 208.x.x.x netmask 255.255.255.240
static (DMZ,outside) 208.x.x.244 192.168.50.4 netmask 255.255.255.255
static (DMZ,outside) 208.x.x.246 192.168.50.6 netmask 255.255.255.255
static (inside,DMZ) 10.64.50.0 10.64.50.0 netmask 255.255.255.0
01-09-2011 12:07 PM
Remove this static
conf t
no static (inside,DMZ) 10.64.50.0 10.64.50.0 netmask 255.255.255.0
issue "clear local" (it will clear all connections through this firewall) and try again.
-KS
01-09-2011 12:14 PM
It didn't work. With that command out, I can't even ping from inside to DMZ.
01-09-2011 12:42 PM
Oh sorry. I meant to say remove that static and add this line. Pls. add this line and then ping.
global (DMZ) 1 interface.
inside to outside
nat (inside) 1 10.64.50.0 255.255.255.0
global (outside) 1 208.x.x.x netmask 255.255.255.240
dmz to outside:
nat (DMZ) 1 192.168.50.0 255.255.255.0
global (outside) 1 208.x.x.x netmask 255.255.255.240
outside to dmz and dmz to outside
static (DMZ,outside) 208.x.x.244 192.168.50.4 netmask 255.255.255.255
static (DMZ,outside) 208.x.x.246 192.168.50.6 netmask 255.255.255.255
****************
inside to dmz and dmz to inside -------> remove
static (inside,DMZ) 10.64.50.0 10.64.50.0 netmask 255.255.255.0
inside to dmz only -----------> add
nat (inside) 1 10.64.50.0 255.255.255.0 (this line is already there)
global (DMZ) 1 interface --> just add this one.
*****************
-KS
01-09-2011 01:25 PM
No dice! I removed, added the suggested command and did a clear local, to no avail. It only works with static (inside,dmz).
nat (inside) 1 10.64.50.0 255.255.255.0
nat (DMZ) 1 192.168.50.0 255.255.255.0
global (outside) 1 208.x.x.254 netmask 255.255.255.240
global (DMZ) 1 interface
01-09-2011 02:19 PM
OK, so the inside hosts' default gateway is not the ASA inside interface ip address, but the L3 switch vlan ip address. Can you please share the "sh ip route" from the L3 switch. Apart from the default gateway pointing towards the ASA inside interface, is there any static or dynamic route for 192.168.50.0/24 that might be pointing elsewhere? If you change your inside host default gateway to the ASA inside interface ip address, does it make any difference?