Need help with defining DMZ traffic to Inside

Stevan44 (Level 1)

I need some help. I'm trying to allow traffic from the inside to access the DMZ server using several ports. I believe NAT is an issue. I can ping the DMZ server from the inside. Here are the key items that are defined:

Inside: 144.244.244.0/24
DMZ1: 192.168.44.0/24
DMZ1_Server: 192.168.44.44

Manual NAT Policies (Section 1)
1 (dmz1) to (outside) source static MarksPlex interface service 32400_in 32400_out
translate_hits = 11917, untranslate_hits = 23286
Source - Origin: 192.168.44.195/32, Translated: x.x.x.x/22
Service - Origin: tcp source eq 32400 , Translated: tcp source eq 32400
2 (outside) to (inside) source static any any destination static DukeDVR DukeDVR service 37777 37777 description For Outside access to DVR
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 144.244.244.100/32, Translated: 144.244.244.100/32
Service - Origin: tcp source eq 37777 destination eq 37777 , Translated: tcp source eq 37777 destination eq 37777
3 (inside) to (outside) source dynamic DukeLAN interface description Allow Inside Access to the Outside
translate_hits = 7244752, untranslate_hits = 626414
Source - Origin: 144.244.244.0/24, Translated: X.X.X.X/22
4 (inside) to (outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN route-lookup description For Inside VPN Split tunnel
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Duke2019 interface service tcp 440 440
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.244.244.6/32, Translated: x.x.x.x/22
Service - Protocol: tcp Real: 440 Mapped: 440
2 (inside) to (outside) source dynamic DukeLAN interface dns
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.244.244.0/24, Translated: x.x.x.x/22
3 (inside) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: x.x.x.x/22

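As an added check (example code, not from the original post and not a Cisco tool): a small Python parser for the `show nat` output quoted above. It reduces each NAT policy line to its interface pair and hit counters, so you can ask directly whether any rule sits between `inside` and `dmz1` and which rules have never been hit. The sample text is a constructed excerpt of the output above; the output format and interface names are assumed to be as shown in the post.

```python
import re

# Constructed sample: an excerpt of the `show nat` output quoted in the post.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (dmz1) to (outside) source static MarksPlex interface service 32400_in 32400_out
    translate_hits = 11917, untranslate_hits = 23286
2 (outside) to (inside) source static any any destination static DukeDVR DukeDVR service 37777 37777
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic DukeLAN interface description Allow Inside Access to the Outside
    translate_hits = 7244752, untranslate_hits = 626414

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Duke2019 interface service tcp 440 440
    translate_hits = 0, untranslate_hits = 0
"""

SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)$")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_show_nat(text):
    """Turn `show nat` output into a list of rule dicts (section, id, interfaces, policy, hits)."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"section": section, "id": int(m.group(1)),
                          "src_if": m.group(2), "dst_if": m.group(3),
                          "policy": m.group(4), "hits": (0, 0)})
            continue
        m = HITS_RE.search(line)
        if m and rules:  # the counter line belongs to the most recent rule line
            rules[-1]["hits"] = (int(m.group(1)), int(m.group(2)))
    return rules

def rules_between(rules, if_a, if_b):
    """Rules whose interface pair is if_a/if_b in either direction; [] means NAT is not in that path."""
    return [r for r in rules if {r["src_if"], r["dst_if"]} == {if_a, if_b}]

def never_hit(rules):
    """(section, id) of rules with zero translate and untranslate hits: candidates for review."""
    return [(r["section"], r["id"]) for r in rules if r["hits"] == (0, 0)]
```

Running `rules_between(parse_show_nat(SHOW_NAT), "inside", "dmz1")` on the posted output returns an empty list, which matches the reply below that NAT is unlikely to be the cause of the inside-to-DMZ problem.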
3 Replies

You haven't really given much information about your setup, like what software version you are running, what port you are trying to reach on the server, and any access list configuration that you have applied to allow the traffic.

I suggest you run a packet-tracer with source inside and destination DMZ. This should give you an indication of what the issue is. I doubt it is NAT, unless you are running really old software.

packet-tracer input inside tcp 144.244.244.10 12345 192.168.44.44 443   ! <-- remember to change the destination port to the relevant port, and do not use the ASA inside interface IP when doing a packet-tracer, as this will fail.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

It's fixed; it was an access list issue. The ports are a mix of TCP/UDP, which were defined using a service group. I kept playing around with the command until I got it to work using these commands. How do you mark an issue solved when you figured it out yourself?

access-list DMZ1_UAG standard permit host 192.168.44.44
access-list Dmz1_Access_In_2 extended permit object-group UAG_Inside_Access object DMZ1-Network interface inside log
access-group Dmz1_Access_In_2 in interface DMZ1

There should be a button you can select on the post you want to mark as the answer.

Glad you managed to sort it out.

--
Please remember to select a correct answer and rate helpful posts