04-10-2013 06:29 PM - edited 03-11-2019 06:26 PM
Hi,
I have ASA 5505, in routed mode, basic license.
I run a web server in the DMZ. I can reach the Internet from the DMZ. Also, the traffic from outside can reach the web server. However, if the web site is requested from within the DMZ, the request fails, and the firewall log contains the following message:
Failed to locate egress interface for TCP from DMZ50: 30.30.30.10/49213 to 170.70.30.114/80
I don't have DNS, so the request must go to the Internet, even though the web site is hosted on the server in the DMZ.
Here is a sample of my config file:
---------------------------------------------
interface Vlan1
nameif inside
security-level 100
ip address 162.160.1.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 170.70.30.114 255.255.255.252
!
interface Vlan5
description Interface for myWeb, DMZ level 50
no forward interface Vlan1
nameif MyDMZ
security-level 50
ip address 30.30.30.1 255.255.255.0
!
dns server-group DefaultDNS
domain-name mydomain
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network myWeb
host 30.30.30.10
object-group network DMZ-DEFAULT-PAT-SOURCE
network-object 30.30.30.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp any object myWeb eq www
arp timeout sometimeout
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network myWeb
nat (MyDMZ,outside) static interface no-proxy-arp service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (MyDMZ,outside) after-auto source dynamic DMZ-DEFAULT-PAT-SOURCE interface
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 170.70.30.113 1
user-identity default-domain LOCAL
http server enable
http 162.160.1.0 255.255.255.0 inside
dhcpd address 162.160.1.7-162.160.1.134 inside
dhcpd enable inside
!
What can be the reason for requests originating in the DMZ to fail, and how could it be fixed?
Thank you for your help.
04-10-2013 09:57 PM
Hi,
Try to use DNS doctoring:
object network myWeb
nat (MyDMZ,outside) static interface dns no-proxy-arp
If both the client and the server are in the same subnet then it will work fine. Otherwise, if the traffic has to come to the ASA and then go back out of the MyDMZ interface, then apply:
same-security-traffic permit intra-interface
Hope this helps.
-Akshay
08-10-2017 06:12 AM
Hi all,
I have the same problem, but I get the following error only when I want to reach the FW interface IP on an ASA 5506, IOS version 9.5.3.
Basic configuration: no NAT, no DHCP in my configuration, and I use static routes.
When I ping the FW interconnection interface (10.29.10.6) it works.
When I ping from the FW I can reach all servers.
When I try to reach the FW interface IPs I can see packets arriving at the FW, but they don't return; I get the following error:
Failed to locate egress interface for ICMP from intranet:10.10.30.131/1 to 10.29.10.22/0
Please find my configuration below:
interface GigabitEthernet1/1
description TO_Core_Layer_Gi0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1.300
description Intranet
vlan 10
nameif intranet
security-level 0
ip address 10.29.10.6 255.255.255.248
!
interface GigabitEthernet1/1.301
description DMZ
vlan 11
nameif DMZ
security-level 0
ip address 10.29.10.22 255.255.255.248
!
interface Management1/1
management-only
nameif mgmt
security-level 100
ip address 10.17.26.221 255.255.255.240
!
route intranet 0.0.0.0 0.0.0.0 10.29.10.1 1
route mgmt 10.2.69.28 255.255.255.255 10.17.26.220 1
route mgmt 10.2.69.29 255.255.255.255 10.17.26.220 1
The core layer configuration:
interface GigabitEthernet1/22
description TO FW PORT gi1/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,11
switchport mode trunk
end
ip route 10.29.10.16 255.255.255.248 10.29.10.6
interface vlan 10
ip address 10.29.10.3 255.255.255.248
no ip unreachables
no ip mroute-cache
standby 1 ip 10.29.10.1
standby 1 timers 1 3
standby 1 preempt
I have the same configuration on the other equipment, except the VLAN interface IP is 10.29.10.2.
Best regards
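Both log lines in this thread describe the same shape of problem: the destination address is one of the ASA's own interface addresses, and the flow arrived on a different interface than the one that address belongs to. The following Python script is an added example (not from either poster, not from Cisco, and not an official tool) that parses the "Failed to locate egress interface" message text quoted above, looks the destination up against interface tables and static routes transcribed from the two configurations in the thread, and reports which of four situations applies: the destination is the ASA's own far-side interface address (both posts), the egress would be the same interface as the ingress (the hairpin case the first reply addresses with same-security-traffic permit intra-interface), a normal routed flow, or no route at all. The interface tables, the two extra log lines and the verdict wording are constructed for the example; the first post's log names the ingress DMZ50 while its config uses nameif MyDMZ, which does not affect the lookup because only the interface that owns the destination address is compared with the ingress name.

```python
import ipaddress
import re

# Regex for the ASA "Failed to locate egress interface" text quoted in this thread.
# The "\s*" after the colon accepts both "DMZ50: 30.30..." and "intranet:10.10...".
LOG_RE = re.compile(
    r"Failed to locate egress interface for (?P<proto>\w+) from "
    r"(?P<ingress>[\w-]+):\s*(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Interface tables and static routes transcribed from the two configs in the thread
# (constructed data: nameif -> "address/prefixlen"; routes as (nameif, network, gateway)).
IFACES_2013 = {"inside": "162.160.1.3/24", "outside": "170.70.30.114/30", "MyDMZ": "30.30.30.1/24"}
ROUTES_2013 = [("outside", "0.0.0.0/0", "170.70.30.113")]
IFACES_2017 = {"intranet": "10.29.10.6/29", "DMZ": "10.29.10.22/29", "mgmt": "10.17.26.221/28"}
ROUTES_2017 = [
    ("intranet", "0.0.0.0/0", "10.29.10.1"),
    ("mgmt", "10.2.69.28/32", "10.17.26.220"),
    ("mgmt", "10.2.69.29/32", "10.17.26.220"),
]

# Verdict wording is this example's own, summarising the advice given in the thread.
EXPLAIN = {
    "to-the-box-far-interface": "destination is the ASA's own {iface} address but the flow "
        "entered elsewhere; redirect it with NAT (the hairpin/DNS-doctoring approach in the "
        "reply) or reach that address from the {iface} side",
    "to-the-box": "destination is the address of the ingress interface itself; egress lookup "
        "is not the problem",
    "hairpin": "egress {iface} equals the ingress interface; this needs "
        "'same-security-traffic permit intra-interface' plus a matching NAT rule",
    "routed": "route lookup selects {iface}; if the ASA still logs a failure, check the NAT "
        "rules for that interface pair",
    "no-route": "no connected or static route covers the destination",
}


def parse_log(line):
    """Return protocol, ingress nameif and endpoints from one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"proto": m.group("proto"), "ingress": m.group("ingress"),
            "src": ipaddress.ip_address(m.group("src")),
            "dst": ipaddress.ip_address(m.group("dst"))}


def lookup_egress(dst, interfaces, routes):
    """Longest-prefix match over connected networks and static routes.

    Connected routes win ties, mirroring their lower administrative distance.
    """
    best = None  # (prefixlen, is_connected, nameif); max() picks the winner
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if dst in net:
            cand = (net.prefixlen, 1, name)
            best = max(best, cand) if best else cand
    for name, cidr, _gw in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net:
            cand = (net.prefixlen, 0, name)
            best = max(best, cand) if best else cand
    return best[2] if best else None


def classify(line, interfaces, routes):
    """Return (verdict, interface) for one egress-failure log line."""
    entry = parse_log(line)
    if entry is None:
        return ("not-egress-failure", None)
    dst, ingress = entry["dst"], entry["ingress"]
    # 1. Is the destination one of the ASA's own interface addresses?
    for name, cidr in interfaces.items():
        if dst == ipaddress.ip_interface(cidr).ip:
            if name.lower() == ingress.lower():
                return ("to-the-box", name)
            return ("to-the-box-far-interface", name)
    # 2. Otherwise find the through-the-box egress and compare it with the ingress.
    egress = lookup_egress(dst, interfaces, routes)
    if egress is None:
        return ("no-route", None)
    if egress.lower() == ingress.lower():
        return ("hairpin", egress)
    return ("routed", egress)


def triage(samples):
    """Classify (line, interfaces, routes) triples and return the explanations."""
    out = []
    for line, ifaces, routes in samples:
        verdict, iface = classify(line, ifaces, routes)
        out.append((verdict, EXPLAIN.get(verdict, verdict).format(iface=iface)))
    return out


if __name__ == "__main__":
    samples = [
        # The two lines quoted in the thread.
        ("Failed to locate egress interface for TCP from DMZ50: 30.30.30.10/49213 to 170.70.30.114/80", IFACES_2013, ROUTES_2013),
        ("Failed to locate egress interface for ICMP from intranet:10.10.30.131/1 to 10.29.10.22/0", IFACES_2017, ROUTES_2017),
        # Constructed lines: a hairpin via the default route, and a normally routed flow.
        ("Failed to locate egress interface for ICMP from intranet:10.10.30.131/1 to 8.8.8.8/0", IFACES_2017, ROUTES_2017),
        ("Failed to locate egress interface for TCP from inside:162.160.1.5/5000 to 8.8.8.8/443", IFACES_2013, ROUTES_2013),
    ]
    for verdict, text in triage(samples):
        print(f"{verdict:26} {text}")
```

Feed it your own syslog export and a transcription of `show interface ip brief` and `show route` to triage these messages in bulk; anything classified as routed with a failure still logged points at the NAT rules for that interface pair rather than at routing.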