10-31-2013 09:49 AM - edited 03-11-2019 07:58 PM
Hey Folks
I am trying to set up a DMZ on a 5505 (Security Plus license).
Interface DMZ
Security level 50
Vlan 43
I am using the DMZ with public IP x.x.x.x 255.255.255.224
And there is a server configured with a static IP (public address) x.x.x.x, subnet 255.255.255.224, gw: the DMZ interface.
Everything seems to work fine: I can ping the gw from the server, I can ping 8.8.8.8, www.google.se, etc.
Ping and DNS resolution seem to work fine.
But that is the only thing working. I can't browse the internet. Any ideas?
sh run | in DMZ
nameif DMZ
access-list DMZ_nat0_outbound extended permit ip x.x.x.x 255.255.255.224 any
access-list DMZ_nat0_outbound_1 extended permit ip x.x.x.x 255.255.255.224 any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_nat0_outbound_2 extended permit ip x.x.x.x 255.255.255.224 any
access-list DMZ_access_in_1 extended permit ip x.x.x.x 255.255.255.224 any log debugging
mtu DMZ 1500
nat (DMZ) 0 access-list DMZ_nat0_outbound_2
access-group DMZ_access_in_1 in interface DMZ
sh nat
NAT policies on Interface DMZ:
match ip DMZ x.x.x.x 255.255.255.224 outside any
NAT exempt
translate_hits = 13562, untranslate_hits = 0
match ip DMZ x.x.x.x 255.255.255.224 DMZ any
NAT exempt
translate_hits = 0, untranslate_hits = 1
What is the issue? Any ideas?
Appreciate your help
/Shane
10-31-2013 11:09 AM
OK, what is the gateway of the ASA, and does that gateway know how to route the DMZ network that you have configured?
If the gateway of the ASA (ISP) knows how to route for this network, then we need to confirm whether they can ARP for or see packets coming from the server.
Put this IP in your browser:
98.139.183.24
Let me know if you can reach it; if so, it could be related to DNS. Try changing the DNS server setting in the TCP/IP settings on the NIC of the server to 4.2.2.2.
Another way to test this out is opening up an ACL to permit ICMP to the IP address of the server on the outside or on the interface that is facing the ASA gateway.
After this, it would be checking ASA logs and captures.
logging on
logging buffered 7
logging buffer-size 1048576
show log | in server_ip
access-list capture permit ip host server_ip any
access-list capture permit ip any host server_ip
capture in interface DMZ access-list capture
capture out interface outside access-list capture
show cap out
show cap in
You can download the captures through HTTP if you have defined ASDM access:
https://ASA_interface_ip/capture/in/pcap
https://ASA_interface_ip/capture/out/pcap
11-01-2013 05:09 AM
Here is the capture from the host server IP (out) to http://192.241.216.107.
A bunch of RST packets.
Broken TCP: the acknowledgment field is nonzero while the ACK flag is not set, etc.
And here is a ping from the same server:
sh route
Gateway of last resort is x.x.x.1 to network 0.0.0.0
C 172.17.100.0 255.255.255.0 is directly connected, inside
C x.x.x.0 255.255.255.128 is directly connected, outside
C x.x.x.128 255.255.255.224 is directly connected, DMZ
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.1, outside
/shane
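The capture described in the post above (RST segments whose acknowledgment number is nonzero while the ACK flag is clear) can be checked mechanically once the pcap has been pulled from the ASA's /capture/<name>/pcap URL. The following is an added example, not code from the thread: a minimal libpcap reader that counts TCP RSTs and flags that specific anomaly. The packets it analyses are constructed inline (192.0.2.10 stands in for the redacted DMZ server address; 192.241.216.107 is the destination the post was testing), so it runs offline; point `analyze_file` at a real download to use it on an ASA capture.

```python
"""Count TCP RSTs and 'ack number set but ACK flag clear' segments in a pcap.

Added example for the thread above, not code from the original post.
Supports little-endian classic pcap (magic 0xA1B2C3D4) with Ethernet frames,
which is what the ASA's /capture/<name>/pcap download produces.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10


def ip_bytes(addr):
    """Dotted quad -> 4 raw bytes."""
    return bytes(int(x) for x in addr.split("."))


def build_pcap(frames):
    """Serialize raw Ethernet frames into a libpcap file (constructed test data)."""
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1383300000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def build_tcp_frame(src, dst, sport, dport, seq, ack, flags):
    """Ethernet/IPv4/TCP frame with no payload. Checksums stay zero; the parser ignores them."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    return eth + ip + tcp


def iter_frames(data):
    """Yield each captured frame from a classic pcap byte string."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack("<I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, ack) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:  # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport, _seq, ack = struct.unpack("!HHII", tcp[:12])
    return src, dst, sport, dport, tcp[13], ack


def analyze(pcap_bytes):
    """Tally TCP segments, RSTs, and segments with ack != 0 but no ACK flag."""
    stats = {"tcp": 0, "rst": 0, "ack_without_flag": 0}
    for frame in iter_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        _src, _dst, _sport, _dport, flags, ack = parsed
        stats["tcp"] += 1
        if flags & TCP_FLAG_RST:
            stats["rst"] += 1
        if ack != 0 and not flags & TCP_FLAG_ACK:
            stats["ack_without_flag"] += 1
    return stats


def analyze_file(path):
    with open(path, "rb") as fh:
        return analyze(fh.read())


SERVER = "192.0.2.10"          # placeholder for the redacted DMZ server
WEB = "192.241.216.107"        # destination from the post
SAMPLE_PCAP = build_pcap([     # constructed sample, not the thread's capture
    build_tcp_frame(SERVER, WEB, 40000, 80, 1000, 0, 0x02),    # SYN
    build_tcp_frame(WEB, SERVER, 80, 40000, 0, 1001, 0x04),    # RST, ack set, ACK clear (broken)
    build_tcp_frame(SERVER, WEB, 40001, 80, 2000, 0, 0x02),    # SYN
    build_tcp_frame(WEB, SERVER, 80, 40001, 0, 2001, 0x14),    # RST+ACK (well formed)
])

if __name__ == "__main__":
    print(analyze(SAMPLE_PCAP))
```

A well-formed RST in response to a SYN carries RST+ACK with the acknowledgment set to the SYN's sequence number plus one; an RST with a nonzero acknowledgment but no ACK flag is not something a normal TCP stack emits, which is why it is worth tracing the MAC address of whatever sent it, as suggested later in the thread.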
10-31-2013 11:49 AM
I agree with jumora that this does sound like a DNS issue. Though I would do a packet-tracer before doing any of the other suggestions he made, as it will save you a lot of time.
packet-tracer input DMZ tcp server_ip 12345 8.8.8.8 80 detail
If the packet-tracer completes successfully, the traffic is allowed through the firewall and the issue most likely lies elsewhere.
10-31-2013 11:52 AM
Yeah, he is right; it would even give us the RPF check, well, everything we need at the ASA level.
Thanks Marius!!!
11-01-2013 01:47 AM
The packet is allowed.
packet-tracer input DMZ tcp 188.122.147.113 12345 8.8.8.8 80 detail
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in_1 in interface DMZ
access-list DMZ_access_in_1 extended permit ip x.x.x.x 255.255.255.224 any log debugging
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccf518f8, priority=12, domain=permit, deny=false
hits=40614, user_data=0xc78e4090, cs_id=0x0, flags=0x0, protocol=0
src ip=x.x.x.x, mask=255.255.255.224, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccdecd48, priority=0, domain=permit-ip-option, deny=true
hits=46609, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip DMZ x.x.x.x 255.255.255.224 outside any
NAT exempt
translate_hits = 46685, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9773d98, priority=6, domain=nat-exempt, deny=false
hits=46592, user_data=0xccddd970, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=x.x.x.x, mask=255.255.255.224, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccda3f80, priority=0, domain=host-limit, deny=false
hits=46593, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc96b6558, priority=0, domain=permit-ip-option, deny=true
hits=1524730, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1608324, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
11-02-2013 07:31 PM
Can you please answer the questions that I also posted along with the request to run Wireshark on the server that was on the DMZ?
Does the gateway of the ASA (ISP) know how to route for this network that is behind the DMZ?
Can you track down the MAC address that shows on the reply with RST?
I have never seen this newlixengine but did read up on it:
http://www.corrupteddatarecovery.com/Port/2075tcp-Port-Type-newlixengine-newlixengine.asp
11-02-2013 07:47 PM
Well, I finally got it to work; it just needed a static NAT entry, and everything went fine.
But I learned a lot from this, thank you all for your help!
Cheers
Shane
11-02-2013 07:50 PM
OK, great to know. Please rate the assistance or the knowledge that you gained from our help.
11-04-2013 11:24 AM
Reasons why you might have needed to add a static NAT:
1. You had to run a static NAT mapping with an IP that was routable for your ISP.
2. The layer 3 device that connects to the ASA had an interface within the same IP scheme, thus it needed to be able to see an ARP entry, and NAT exemption does not ARP.
3. Identity NAT, mapping the IP address of the server on the DMZ to itself, will produce an ARP entry.
The ASA is able to ARP for static NAT entries with the sysopt noproxyarp
When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."
Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The adaptive security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the adaptive security appliance interface. The only way traffic can reach the hosts is if the adaptive security appliance uses proxy ARP to claim that the adaptive security appliance MAC address is assigned to destination global addresses.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975
Please rate our answers.
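As an added example (not configuration from the thread), the ASA 8.2-syntax fragment below places the NAT-exemption setup from the original post beside the static identity NAT that resolved it, and adds the checks a practitioner would run afterwards. 203.0.113.0/24 (TEST-NET-3) stands in for the redacted public block: 203.0.113.0/25 on outside, 203.0.113.128/27 on DMZ, ISP gateway 203.0.113.1, and 203.0.113.130 for the server. One correction to the note above: `sysopt noproxyarp <interface>` disables proxy ARP on that interface, so it must be absent for the static to be answered.

```cisco
! Added example, not from the thread. ASA 8.2 syntax as used in the post.
! 203.0.113.0/24 is a placeholder for the redacted public block.
!
! --- Original state: NAT exemption only ---
! Outbound flows leave fine (translate_hits climb), but the ASA never answers
! ARP on outside for 203.0.113.128/27. A next hop that treats that block as
! on-link (an ISP router with an interface in the same /24) has nowhere to
! send the replies, so the server sees only timeouts or resets.
access-list DMZ_nat0_outbound_2 extended permit ip 203.0.113.128 255.255.255.224 any
nat (DMZ) 0 access-list DMZ_nat0_outbound_2
!
! --- Fix: static identity NAT for the DMZ block ---
! Real and mapped addresses are identical, so no rewriting happens, but the
! ASA now proxy-ARPs for 203.0.113.128/27 on outside.
no nat (DMZ) 0 access-list DMZ_nat0_outbound_2
static (DMZ,outside) 203.0.113.128 203.0.113.128 netmask 255.255.255.224
!
! Proxy ARP must be enabled on outside or the static above is never answered
! (sysopt noproxyarp <ifc> turns it off; this line re-enables it if needed).
no sysopt noproxyarp outside
!
! The static alone opens nothing inbound: unsolicited outside->DMZ traffic is
! still dropped until an access-group on outside permits it.
!
! --- Tighten the DMZ inbound ACL ---
! The thread's "permit ip any any" on DMZ overrides the security-level rule
! and lets a compromised DMZ host reach inside 172.17.100.0/24. Insert a deny
! ahead of the existing permit.
access-list DMZ_access_in_1 line 1 extended deny ip 203.0.113.128 255.255.255.224 172.17.100.0 255.255.255.0 log
access-list DMZ_access_in_1 extended permit ip 203.0.113.128 255.255.255.224 any log debugging
access-group DMZ_access_in_1 in interface DMZ
!
! --- Verification ---
show nat                          ! static (DMZ,outside) entry present for the /27
show running-config sysopt        ! no "sysopt noproxyarp outside"
show arp                          ! learned neighbours only; confirm proxy ARP from the
                                  ! ISP side, whose ARP table should map DMZ addresses
                                  ! to the ASA outside MAC
packet-tracer input DMZ tcp 203.0.113.130 12345 8.8.8.8 80 detail
                                  ! the NAT-EXEMPT phase from the post is replaced by
                                  ! a phase for the static
```

If the ISP actually routes the /27 to the ASA's outside address rather than treating it as on-link, no proxy ARP is needed and NAT exemption works; the symptom in this thread (outbound packets leave, replies never return) is the signature of the on-link case.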