10-22-2013 12:00 PM - edited 03-11-2019 07:54 PM
I have a situation.
I have a web server on the outside with an IP of 62.61.107.68, my ASA is 62.61.107.78, and my inside is 10.1.15.1-254.
I put a DMZ switch where the server and the firewall connect, so I am not using a DMZ port on the ASA. None of my inside PCs can reach the web server. Everyone else in the world can. What am I missing?
10-22-2013 04:05 PM
OK, can you get me the configuration of the ASA.
Run the next command on the ASA CLI:
packet-tracer input inside tcp 10.1.15.250 1025 62.61.107.68 80 detail
10-22-2013 06:28 PM
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 64.61.107.64 255.255.255.240 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside control-plane
access-list inside extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad180748, priority=12, domain=permit, deny=false
hits=131559, user_data=0xa8b11900, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab920bb0, priority=0, domain=inspect-ip-options, deny=true
hits=208926, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 access-list inside_nat_outbound
match ip inside 10.1.15.0 255.255.255.0 outside host 64.61.107.68
dynamic translation to pool 1 (64.61.107.78 [Interface PAT])
translate_hits = 81, untranslate_hits = 0
Additional Information:
Dynamic translate 10.1.15.250/1025 to 64.61.107.78/43762 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xadfea5a0, priority=2, domain=nat, deny=false
hits=81, user_data=0xaddf0218, cs_id=0x0, flags=0x0, protocol=0
src ip=10.1.15.0, mask=255.255.255.0, port=0
dst ip=64.61.107.68, mask=255.255.255.255, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list inside_nat_outbound
match ip inside 10.1.15.0 255.255.255.0 outside host 64.61.107.68
dynamic translation to pool 1 (64.61.107.78 [Interface PAT])
translate_hits = 81, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaddf15d8, priority=2, domain=host, deny=false
hits=144940, user_data=0xaddf0218, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.15.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xab8d29c8, priority=0, domain=inspect-ip-options, deny=true
hits=201047, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 216034, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
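To read long traces like the one above quickly, here is an added Python helper (not from the thread or from Cisco) that splits packet-tracer output into its numbered phases and pulls out the final action, any drop reason and the dynamic PAT line. The trace it parses is a constructed, abbreviated sample in the same format as the output posted above.

```python
import re

# Constructed sample, abbreviated from what "packet-tracer ... detail" prints on an ASA
ALLOW_SAMPLE = """Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list inside extended permit ip any any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Additional Information:
Dynamic translate 10.1.15.250/1025 to 64.61.107.78/43762 using netmask 255.255.255.255
Result:
Action: allow
"""
PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
XLATE_RE = re.compile(r"Dynamic translate (\S+) to (\S+)")

def parse_packet_tracer(text):
    """Split tracer output into per-phase records plus the final verdict."""
    out = {"phases": [], "action": None, "drop_reason": None, "nat": None}
    cur = None
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "info": []}
            out["phases"].append(cur)
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "Result" and not val:       # a bare "Result:" opens the final summary
            cur = None
        elif cur is not None:                 # still inside a numbered phase
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = val
            else:                             # Config / Additional Information detail
                cur["info"].append(line)
                if (x := XLATE_RE.search(line)):
                    out["nat"] = (x.group(1), x.group(2))
        elif key in ("Action", "Drop-reason"):
            out[key.lower().replace("-", "_")] = val
    return out

def first_deny(trace):
    """First phase whose Result is not ALLOW, or None when the ASA passed every phase."""
    return next((p for p in trace["phases"] if p["result"] != "ALLOW"), None)
```

Run against the trace posted above it reports action allow with 10.1.15.250 PATed to the outside interface address, which is why the responders look past the ASA's own policy (ARP, return path) for the cause; note that packet-tracer only simulates the forward path through the ASA and says nothing about whether the server answers.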
10-23-2013 08:03 AM
Hi,
Are you saying that you have the users and the Web server in the same network and that you are trying to connect to it with some public IP address that is configured on the firewall with Static NAT?
If so then this is not possible without adding some additional NAT configurations.
We would really need to see some firewall configurations and possibly some simple network layout picture as I am not clear what you mean with the switch setup.
- Jouni
10-23-2013 10:13 AM
From the packet tracer it seems that the connection should go through without any problem, so I need additional information.
From your PC please send me the next:
cmd > ipconfig /all
cmd > route print
cmd > nslookup
cmd > arp -a
Please send me the next:
-"show arp" from the ASA CLI.
- Enable logging on the ASA over CLI
enable
config t
logging on
logging buffered debugging
logging buffer-size 1048576
logging asdm debugging
You can view the logs two ways, either through the CLI or ASDM:
- To view over CLI
show log | in 62.61.107.68
To view over ASDM:
Pull up ASDM - If you have access to ASDM, all you need to do is go to Monitor > Logging > Real Time Log Viewer > filter the IP address that you are trying to reach, "62.61.107.68".
Also, could you please send me a screen shot of when you try to access the site via IP or domain from your PC.
If we don't see anything clear here we will need to setup wireshark on your PC and maybe captures on the ASA but we will go through that route if needed.
10-25-2013 01:39 PM
Do you still need assistance, please let us know.
10-25-2013 07:06 PM
I've attached the running config above and this is an illustration of the DMZ switch. I do not use a DMZ port on the ASA, only an inside and an outside port. I swapped my firewall out with a SonicWall in the meantime while this problem gets resolved. The SonicWall worked instantly; I can see the server on the DMZ switch without having to create any rule. I'm going to delete my config if needed and start over.
10-26-2013 04:29 AM
Hi,
Looking at the picture seems to suggest that there is no DMZ but that the server is actually attached to the Internet directly without any kind of protection from the firewall?
If you have just connected the switch to the WAN port of the ASA and the server to the switch (and the switch to whatever device provides you with the WAN connection), then the users behind the ASA and the server behind the ASA should be able to connect. The server should see traffic coming from the directly connected network, as the users are probably using Dynamic PAT to the interface IP address of the ASA's WAN interface.
If you are switching the ASA with the other firewall and they are both using the same public IP address on their WAN port, then I would suggest checking the ARP on the actual server so it doesn't still show the old firewall's MAC address in the ARP table.
Your "packet-tracer" already told us the Dynamic PAT is happening for the LAN users and the traffic is allowed, so it might even be that the ARP on the actual server is the problem.
You could also use captures on the ASA if you want to confirm if any traffic is coming back from the server to the users. You could also monitor the ASA logs through ASDM while connecting to the server to see what happens to the connection.
You could go as far as checking the MAC address of the SonicWall's WAN interface. You could then configure that MAC address on the ASA WAN interface just to test if it's a simple ARP problem.
interface Ethernet0/0
mac-address aaaa.bbbb.cccc
- Jouni
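The stale-ARP hypothesis above can be checked mechanically by comparing what the server's ARP table says about the firewall's WAN IP with the MAC the ASA actually has. This is an added Python example, not from the thread or from Cisco; the ASA "show arp" listing, the Windows "arp -a" listing and the ASA WAN MAC are constructed, with the old firewall's MAC left in the server's table to show what a stale entry looks like.

```python
import re

# Constructed samples (not from the thread). ASA "show arp" prints interface, IP, MAC in
# Cisco dotted form and age; Windows "arp -a" prints IP, dash-separated MAC and type.
ASA_SHOW_ARP = """\
        outside 64.61.107.65 0011.2233.4455 120
        outside 64.61.107.68 0011.2233.6677 45
"""
SERVER_ARP_A = """\
Interface: 64.61.107.68 --- 0xb
  Internet Address      Physical Address      Type
  64.61.107.65          00-11-22-33-44-55     dynamic
  64.61.107.78          00-17-c5-12-34-56     dynamic
"""
ASA_OUTSIDE_IP, ASA_OUTSIDE_MAC = "64.61.107.78", "0019.e7aa.bb01"   # constructed ASA WAN MAC
SERVER_IP = "64.61.107.68"

MAC_RE = r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"
ARP_LINE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(" + MAC_RE + r")", re.I)

def norm_mac(mac):
    """Canonical 12-hex-digit form so Cisco dotted and dashed/colon styles compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC: {mac!r}")
    return digits

def parse_arp_table(text):
    """Return {ip: normalized_mac} from either an ASA or a Windows ARP listing."""
    table = {}
    for line in text.splitlines():
        if (m := ARP_LINE.search(line)):
            table[m.group(1)] = norm_mac(m.group(2))
    return table

def arp_findings(asa_arp, server_arp, fw_ip, fw_mac, server_ip):
    """Check both directions: does the server resolve the firewall IP to the firewall's
    current MAC, and has the ASA learned the server at all?"""
    asa, srv = parse_arp_table(asa_arp), parse_arp_table(server_arp)
    got = srv.get(fw_ip)
    server_view = ("missing" if got is None
                   else "stale" if got != norm_mac(fw_mac) else "ok")
    return {"server_view_of_firewall": server_view,
            "asa_has_server_entry": server_ip in asa}
```

A "stale" result means the server is still replying to the previous firewall's MAC, which matches the symptom of outbound traffic leaving the ASA while no replies come back.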
10-28-2013 07:46 AM
I really don't want to use the SonicWall; this all happened when I changed my outside IP from 64.61.107.66 to 64.61.107.78.
10-28-2013 10:39 AM
I understand your issue, but we need you to help us out in deducing the source cause of the failure. I have sent you steps to follow and requested outputs that need to be taken to help you, but you have not replied with what we need.
Help us help you by helping yourself and following our troubleshooting steps; if not, I guess that it is up to you if you want to route through another direction.
If the problem is that you don't know how to take out the outputs, then I would suggest opening up a TAC ticket.
10-31-2013 10:56 AM
Please update the ticket as resolved or answered so we can close out followup.
10-31-2013 12:08 PM
Thank you guys. (I will start a new topic on getting the VPN to work.)
10-31-2013 12:09 PM
While I had my users on the SonicWall, it affected my Citrix users; the connections were dropping left and right. When I put them back on the ASA, the connection never dropped.