11-24-2008 04:30 AM - edited 03-11-2019 07:17 AM
Hello,
I pass default traffic from the inside to the outside interface. I also have to pass inside traffic back to the inside interface to reach some servers. I have configured a default route to outside and a route to these servers' subnet to inside.
route outside 0.0.0.0 0.0.0.0 --.74.49 1
route inside --.89.192 255.255.255.192 10.0.0.1 1
I have also configured
same-security-traffic permit intra-interface
clear xlate
But ICMP traffic does not pass through, and I can ping the server from the firewall.
Am I forgetting any command?
11-24-2008 05:45 AM
Can you give more details about the problem/topology? Your question is not clear (at least to me).
Regards
Farrukh
11-24-2008 06:39 AM
Yes, of course.
The LAN PCs have the inside ASA interface 10.0.0.22 as their default gateway.
But these PCs need access to a server on a DMZ not configured in the ASA. The address of this DMZ is --.89.192 255.255.255.192
This DMZ is reached through the ASA inside interface.
To ping a DMZ server from a PC 10.0.0.114, the packet must arrive at the ASA inside interface, match a static route, and then go out from the same inside interface.
I can ping a DMZ server from the ASA, but I cannot ping a server from a PC.
The config I have is:
interface Ethernet0/0
nameif outside
security-level 0
ip address --.74.50 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.22 255.255.255.0
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any --.74.48 255.255.255.252 echo-reply
access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_1 any eq domain
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended deny ip any any
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit any echo inside
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 --.74.49 1
route inside --.89.192 255.255.255.192 10.0.0.1 1
priority-queue outside
tx-ring-limit 256
priority-queue inside
tx-ring-limit 256
class-map TunelVPNmap
match tunnel-group TunelVPN
policy-map TunelVPNpol
class TunelVPNmap
priority
service-policy TunelVPNpol interface outside
service-policy TunelVPNpol interface inside
11-24-2008 12:38 PM
how is there a dmz reachable on the inside interface of your ASA?
is there an internal router/L3 switch on your LAN?
11-25-2008 12:27 AM
Exclude this inside >> DMZ traffic from NAT using NAT exemption, or add the following:
global (inside) 101 interface
NAT exemption:
nat (inside) 0 access-list NONAT
access-list NONAT permit ip
Regards
Farrukh
11-25-2008 02:28 AM
I still have the problem after doing clear xlate following the NAT modification.
I have opened nonat for:
access-list inside_nat0_outbound_2 extended permit ip 10.0.0.0 255.255.255.0 --.89.192 255.255.255.192
access-list inside_nat0_outbound_4 extended permit ip 10.0.0.0 255.255.255.0 --.89.192 255.255.255.192
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_2
nat (inside) 0 access-list inside_nat0_outbound_4 outside
nat (inside) 101 0.0.0.0 0.0.0.0
But when I telnet to the server --.89.203
In ASDM logs I see the message:
%ASA-3-305005: No translation group found for protocol src interface_name:10.0.0.114/1710 dst interface_name: --.89.203/23
11-25-2008 02:57 AM
Remove this line and it should be OK
nat (inside) 0 access-list inside_nat0_outbound_4 outside
If it does not work, post the logs, and please don't change the 'interface_name' in the log; post the correct one.
Regards
Farrukh
11-25-2008 03:16 AM
It doesn't work, and I have entered the command.
The logs are
3|Nov 25 2008|12:12:08|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23
3|Nov 25 2008|12:12:02|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23
3|Nov 25 2008|12:11:59|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23
4|Nov 25 2008|12:11:59|106100|10.0.0.114|1876|62.97.89.203|23|access-list inside_access_in permitted tcp inside/10.0.0.114(1876) -> inside/--.89.203(23) hit-cnt 1 first hit [0xd26734b7, 0x0]
11-25-2008 03:37 AM
Make sure the source/destination IPs in your NONAT acl are correct.
Secondly please clear connections and xlates on the firewall:
clear local-host
clear xlate
Regards
Farrukh
11-25-2008 03:58 AM
It is correct, and I have done clear xlate and clear local-host and no nat-control.
But it still doesn't work.
11-25-2008 04:20 AM
Ok then paste the output of the following command:
packet-tracer input inside tcp 10.0.0.114 1876 62.97.89.203 23 detailed
Regards
Farrukh
11-25-2008 04:24 AM
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5a654e0, priority=12, domain=capture, deny=false
hits=1080441, user_data=0xd4516260, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd566de58, priority=1, domain=permit, deny=false
hits=522895, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 62.97.89.192 255.255.255.192 inside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 62.97.89.192 255.255.255.192 log warnings
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd58b39d0, priority=12, domain=permit, deny=false
hits=45, user_data=0xd5c89428, cs_id=0x0, flags=0x0, protocol=0
src ip=10.0.0.0, mask=255.255.255.0, port=0
dst ip=62.97.89.192, mask=255.255.255.192, port=0, dscp=0x0
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5670928, priority=0, domain=permit-ip-option, deny=true
hits=10549, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
11-25-2008 04:24 AM
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.0.0 255.255.255.0 inside 62.97.89.192 255.255.255.192
NAT exempt
translate_hits = 57, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd56ac6c8, priority=6, domain=nat-exempt, deny=false
hits=56, user_data=0xd5a93390, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=10.0.0.0, mask=255.255.255.0, port=0
dst ip=62.97.89.192, mask=255.255.255.192, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd45d1b80, priority=1, domain=nat, deny=false
hits=257, user_data=0xd45d1ae0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 101 (62.97.74.50 [Interface PAT])
translate_hits = 853, untranslate_hits = 38
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd45d17c8, priority=1, domain=host, deny=false
hits=16941, user_data=0xd55170d0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd56ab510, priority=1, domain=nat-reverse, deny=false
hits=117, user_data=0xd45d1ae0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
11-25-2008 04:29 AM
Please add the global command I mentioned above.
global (inside) 101 interface
Regards
Farrukh
12-10-2008 02:10 PM
The RPF check drops because you have the following line
nat (inside) 101 0.0.0.0 0.0.0.0
Since you mention ANY, the return traffic gets involved in the nat statement. Change it to:
no nat (inside) 101 0.0.0.0 0.0.0.0
nat (inside) 101 10.0.0.0 255.255.255.0
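The two fixes proposed in this thread (Farrukh's `global (inside) 101 interface` and the narrowing of the `nat (inside) 101` statement in the last post) both act on the reverse-path lookup that packet-tracer shows dropping in Phase 10. The Python below is an added example, not code from the original posts or from Cisco: it is a deliberately simplified model of the pre-8.3 NAT order of operations (NAT exemption first, then dynamic nat/global pairs, with nat-control off) as it can be read off the packet-tracer phases above; the class, function and rule names are assumptions made for illustration, and the sample addresses are constructed from the thread. It encodes the posted configuration as data, reproduces the drop (forward flow exempt, return flow matches `nat (inside) 101 any` with no global on inside), and then shows both fixes plus the side effect of the narrowed nat statement on any other internal subnet.

```python
"""Simplified model of the pre-8.3 ASA NAT lookup for hairpinned flows.

Added example, not from the original thread or from Cisco. The lookup order
below (NAT exemption, then dynamic nat/global pairs, drop when a matching nat
statement has no global on the egress interface) is reconstructed from the
packet-tracer phases posted in the thread; names are illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class AsaNatConfig:
    nat_control: bool = False                      # "no nat-control" (ASA default)
    exempt: list = field(default_factory=list)     # nat (if) 0 access-list: (if, src_net, dst_net)
    dynamic: list = field(default_factory=list)    # nat (if) <id> <net>:    (if, nat_id, src_net)
    globals_: dict = field(default_factory=dict)   # global (if) <id> <pool>: {(if, nat_id): pool}


def nat_lookup(cfg, src, dst, in_if, out_if):
    """Return how one direction of a flow is handled by the NAT policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Phase 7 in the thread: NAT exemption wins when its ACL matches.
    for iface, src_net, dst_net in cfg.exempt:
        if iface == in_if and src_ip in src_net and dst_ip in dst_net:
            return "exempt"
    # Phases 8/10: the first dynamic nat statement whose source matches needs a
    # global with the same id on the egress interface, otherwise the flow is dropped.
    for iface, nat_id, src_net in cfg.dynamic:
        if iface == in_if and src_ip in src_net:
            pool = cfg.globals_.get((out_if, nat_id))
            if pool is None:
                return f"drop: no matching global ({out_if}) {nat_id}"
            return f"pat to {pool}"
    # No nat statement matched at all: passes untranslated unless nat-control is on.
    return "drop: nat-control" if cfg.nat_control else "no-nat"


def hairpin_check(cfg, src, dst, iface):
    """Forward lookup plus the rpf-check on the return flow, both on one interface."""
    fwd = nat_lookup(cfg, src, dst, iface, iface)
    rev = nat_lookup(cfg, dst, src, iface, iface)
    ok = not (fwd.startswith("drop") or rev.startswith("drop"))
    return ok, fwd, rev


def thread_config():
    """The configuration as posted (addresses constructed from the thread)."""
    cfg = AsaNatConfig()
    # nat (inside) 0 access-list inside_nat0_outbound_2
    cfg.exempt.append(("inside", net("10.0.0.0/24"), net("62.97.89.192/26")))
    # nat (inside) 101 0.0.0.0 0.0.0.0
    cfg.dynamic.append(("inside", 101, net("0.0.0.0/0")))
    # global (outside) 101 interface
    cfg.globals_[("outside", 101)] = "62.97.74.50 [Interface PAT]"
    return cfg


def fix_narrow_nat():
    """no nat (inside) 101 0.0.0.0 0.0.0.0 / nat (inside) 101 10.0.0.0 255.255.255.0"""
    cfg = thread_config()
    cfg.dynamic = [("inside", 101, net("10.0.0.0/24"))]
    return cfg


def fix_inside_global():
    """global (inside) 101 interface (the inside interface address is 10.0.0.22)"""
    cfg = thread_config()
    cfg.globals_[("inside", 101)] = "10.0.0.22 [Interface PAT]"
    return cfg


if __name__ == "__main__":
    for name, cfg in [("as posted", thread_config()),
                      ("narrowed nat", fix_narrow_nat()),
                      ("global (inside)", fix_inside_global())]:
        print(name, hairpin_check(cfg, "10.0.0.114", "62.97.89.203", "inside"))
    # Side effect of narrowing: a constructed host on another internal subnet
    # (10.0.1.5, reachable via the internal router) is no longer PATed to the outside.
    print("10.0.1.5 -> internet, narrowed:",
          nat_lookup(fix_narrow_nat(), "10.0.1.5", "198.51.100.7", "inside", "outside"))
```

The model surfaces the caveat to keep in mind with the narrowing fix: with nat-control off, a host on any internal subnet other than 10.0.0.0/24 is sent to the outside interface untranslated, so each such subnet needs its own nat line. Adding `global (inside) 101 interface` instead keeps the any-source nat statement and simply gives the inside-to-inside reverse lookup a global to match; the forward flow stays exempt either way.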