Problems when I put a server in the dmz

Rafael Jimenez
Level 4

I have an ASA 5505 with this software:

Cisco Adaptive Security Appliance Software Version 8.4(4)1

Device Manager Version 6.4(7).

I'm using VLAN interfaces. I have the following VLAN interfaces configured:

outside (called isp1), inside, dmz.

The ASA is connected to a switch via trunk. There are several ESXi servers with VMs connected to the same switch.

The isp1 VLAN interface is associated with e0/0.

I have a problem: when I start any (Linux or Windows) server in the DMZ, all the internal networks lose their internet connection (via isp1).

There is a static NAT X.X.X.61 <-> 192.168.111.61 between the test server and the outside.

There is dynamic NAT (PAT) between the internal networks and the public IP on the outside interface, x.x.x.64.

After several attempts (with whatismyip.com) I was able to verify that the public IP is x.x.x.61.

What is wrong?

Attached is the most relevant config.

LAN-DATA-VOIP.jpg

13 Replies

Jouni Forss
VIP Alumni

Hi,

Have you tried to check on the ASA in real time what happens to the connection attempts through it when you start up a server?

Do you mean that for the LAN to work normally you won't have any servers up and running on the DMZ? Seems a bit odd.

Are you sure there isn't some kind of loop with the server platform and switches that chokes the whole network, including the ASA?

- Jouni

Hello Jouni,

Checking the real-time log, there are only normal Build and Teardown messages, no deny messages.

Yes. The moment the server in the DMZ tries to access the internet, for example HTTP or DNS, all internet access goes down for all the internal networks.

I did a test with the ASA alone. I also assigned the dmz and inside IPs to the physical ports, and connected one PC to the inside interface and another PC to the dmz interface.

The PC on the inside interface is able to access the internet until I plug the (dmz) cable into the other PC, exactly when that PC tries to access the DNS servers or I open the HTTP browser.

I'm stuck, because I need to start several servers in the DMZ.

Thanks.

Hello,

Please share the show run NAT

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

show run nat:

!
object network PCoIP-host
 nat (dmz,isp1) static 190.147.134.61
object network web-mail-host
 nat (dmz,isp1) static 190.147.134.48
object network smtp-host
 nat (dmz1,isp2) static interface service tcp smtp smtp
object network www-host
 nat (dmz1,isp2) static interface service tcp www www
object network pop3s-host
 nat (dmz1,isp2) static interface service tcp 995 995
object network dns-tcp-host
 nat (dmz1,isp2) static interface service tcp domain domain
object network dns-udp-host
 nat (dmz1,isp2) static interface service udp domain domain
object network 172.16.1.x-190.147.134.64-PAT-network
 nat (inside,isp1) dynamic interface
object network 172.16.1.x-200.116.11.57-PAT-network
 nat (inside,isp2) dynamic interface
object network dvr-udp-host
 nat (dmz,isp3) static interface service udp 8080 8080
object network dvr-tcp-host
 nat (dmz,isp3) static interface service tcp 8080 8080
object network 10.10.10.x-190.147.134.64-PAT-network
 nat (inside,isp1) dynamic interface
object network 10.10.10.x-200.116.11.57-PAT-network
 nat (inside,isp2) dynamic interface
object network 172.16.1.48-190.147.134.64-PAT-network
 nat (inside,isp1) dynamic interface
object network 172.16.1.48-200.116.11.57-PAT-network
 nat (inside,isp1) dynamic interface
object network 192.168.x.x-200.116.11.57-PAT-network
 nat (inside,isp2) dynamic interface
object network 192.168.10.x-190.147.134.64-PAT-network
 nat (inside,isp1) static interface
object network 192.168.100.x-190.147.134.64-PAT-network
 nat (inside,isp1) static interface
object network 192.168.15.x-190.147.134.64-PAT-network
 nat (inside,isp1) static interface
object network 192.168.50.x-190.147.134.64-PAT-network
 nat (inside,isp1) static interface

#show run object:

object network PCoIP-host
 host 192.168.111.61
....
...

Hello Rafael,

do the following:

packet-tracer input inside tcp 172.16.1.100 1025 4.2.2.2 80

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

packet-tracer input inside tcp 172.16.1.100 1025 4.2.2.2 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         isp1

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 172.16.1.x-190.147.134.64-PAT-network
nat (inside,isp1) dynamic interface
Additional Information:
Dynamic translate 172.16.1.100/1025 to 190.147.134.64/1025

Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 61570, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: isp1
output-status: up
output-line-status: up
Action: allow
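A small parser for that packet-tracer output, added here as an example (it is not from the thread or from Cisco): it splits a trace into phases, pulls the translation out of the NAT phase and reports the final action, so a run like the one above can be checked automatically rather than read by eye. The traces embedded in it are constructed: the allow trace is trimmed to two phases of the one posted above, and the drop trace, including its ACL name, is hypothetical.

```python
"""Parse Cisco ASA packet-tracer output into phases plus a verdict (added example)."""
import re

# Constructed sample: two phases trimmed from the allow trace posted in the thread.
ALLOW_TRACE = """\
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 172.16.1.x-190.147.134.64-PAT-network
nat (inside,isp1) dynamic interface
Additional Information:
Dynamic translate 172.16.1.100/1025 to 190.147.134.64/1025

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 61570, packet dispatched to next module

Result:
input-interface: inside
output-interface: isp1
Action: allow
"""

# Constructed sample of a denied flow; the ACL name "dmz_in" and its rule are hypothetical.
DROP_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group dmz_in in interface dmz
access-list dmz_in extended deny ip any any
Additional Information:

Result:
input-interface: dmz
output-interface: isp1
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRANSLATE_RE = re.compile(r"(Static|Dynamic) translate (\S+) to (\S+)")


def parse_packet_tracer(text):
    """Return (phases, verdict): phases as dicts, verdict as the final key/value block."""
    phases, verdict = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            fields, config, info, section = {}, [], [], None
            for line in lines:
                if line.startswith("Config:"):
                    section = config          # lines up to "Additional Information:" are config
                elif line.startswith("Additional Information:"):
                    section = info            # the rest of the block is free-form detail
                elif section is None:
                    key, _, value = line.partition(":")
                    fields[key.strip()] = value.strip()
                else:
                    section.append(line.rstrip())
            phases.append({"number": int(fields["Phase"]), "type": fields.get("Type", ""),
                           "result": fields.get("Result", ""), "config": config, "info": info})
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, value = line.partition(":")
                verdict[key.strip()] = value.strip()
    return phases, verdict


def nat_translation(phases):
    """Return (kind, original, mapped) from the NAT phase, or None if nothing was translated."""
    for ph in phases:
        if ph["type"] == "NAT":
            for line in ph["info"]:
                m = TRANSLATE_RE.search(line)
                if m:
                    return m.group(1).lower(), m.group(2), m.group(3)
    return None


def first_drop(phases):
    """Return the first phase whose Result is not ALLOW, or None when every phase allowed."""
    return next((ph for ph in phases if ph["result"].upper() != "ALLOW"), None)


def summarize(text):
    """One-line triage summary: action, egress interface, translation, and where/why a drop happened."""
    phases, verdict = parse_packet_tracer(text)
    parts = [f"action={verdict.get('Action', '?')}", f"egress={verdict.get('output-interface', '?')}"]
    nat, drop = nat_translation(phases), first_drop(phases)
    if nat:
        parts.append(f"nat={nat[0]} {nat[1]}->{nat[2]}")
    if drop:
        parts.append(f"dropped_at=phase {drop['number']} ({drop['type']}) "
                     f"reason={verdict.get('Drop-reason', '?')}")
    return "; ".join(parts)
```

`summarize(ALLOW_TRACE)` yields `action=allow; egress=isp1; nat=dynamic 172.16.1.100/1025->190.147.134.64/1025`, which is the check Julio makes by hand below: the inside host is PATed to the isp1 interface address and the flow is allowed. Feeding several traces (one per source network and per DMZ host) through the same function is a quick way to confirm that NAT, not the ASA's access policy, is the part of the path that behaves as intended.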

Hello Rafael,

Okay, so the packet-tracer shows the inside network gets NATed to the ISP1 interface. The configuration looks good.

Basically, what you are saying is that as soon as you have the DMZ servers, all of the internal users are unable to go to the internet, correct?

I would say the best way to handle this would be creating captures at the time you have the DMZ server on. What do you think?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

My friends,

I think that it is a proxy ARP issue, but I don't have a solution yet.

I need some help with this.

Thanks.

Hello Rafael,

Can you do some captures when the server is in place?

From an inside host, so we can determine if there is a problem with the ASA.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio, 

I made some changes to test. I just put e0/0 and e0/1 in the outside VLAN (isp).

e0/2 is in the dmz VLAN and e0/3 is in the inside VLAN.

Internet on the isp VLAN interface (e0/0) works fine alone. When I plug another PC into the e0/1 port, or if I plug a PC into e0/2, all the traffic going from the inside to the internet (isp) goes down.

Also, I just took out the ASA and put back a Cisco RV042 that was working before the ASA, and I have the same problem.

The internet on the isp side is OK. A PC connected alone to the modem works fine.

Hello Rafael,

Okay here is what I want you to do:

put the e0/0 and e0/1 in the outside vlan (isp).

The e0/2 is in the dmz vlan and the e0/3 is in the inside vlan.

Then connect a PC to the inside vlan

capture capin interface inside match icmp any host 4.2.2.2

capture capout interface outside match icmp any host 4.2.2.2

Then try to ping from the inside host to 4.2.2.2 and afterwards provide

show cap capin

show cap capout

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
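An added example (it is not part of Julio's reply or of any Cisco tool) of how to read the two captures from that procedure side by side: given the ICMP echo lines from capin and capout, it reports at which point the ping stops and which mapped source address the outside capture shows. The capture text is constructed, and its line layout is an assumption modelled on the tcpdump-like lines that `show capture` prints; the interface roles, the 172.16.1.100 host, the 190.147.134.64 interface address and the 4.2.2.2 target are the ones used in the thread.

```python
"""Correlate ASA inside/outside ICMP captures to locate where a ping dies (added example)."""
import re

# Assumed line layout: "<n>: <time> [optional vlan tag] <src> > <dst>: icmp: echo request|reply".
LINE_RE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+.*?(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): icmp: echo (request|reply)"
)


def parse_capture(text):
    """Return a list of (src, dst, kind) for every ICMP echo line in a capture dump."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m.group(1), m.group(2), m.group(3)))
    return pkts


def diagnose(capin_text, capout_text, target):
    """Given captures on the inside and outside interfaces, say where an inside->target ping stops."""
    capin, capout = parse_capture(capin_text), parse_capture(capout_text)
    in_req = [p for p in capin if p[1] == target and p[2] == "request"]
    in_rep = [p for p in capin if p[0] == target and p[2] == "reply"]
    out_req = [p for p in capout if p[1] == target and p[2] == "request"]
    out_rep = [p for p in capout if p[0] == target and p[2] == "reply"]
    if not in_req:
        verdict = "no-request-on-inside"    # host, switch or VLAN problem before the ASA
    elif not out_req:
        verdict = "asa-not-forwarding"      # dropped inside the ASA: ACL, NAT or route (run packet-tracer)
    elif not out_rep:
        verdict = "no-reply-from-upstream"  # modem/ISP side, or the reply never reaches the outside interface
    elif not in_rep:
        verdict = "reply-lost-in-asa"       # reverse translation or return path through the ASA
    else:
        verdict = "ok"
    return {"verdict": verdict,
            "mapped_sources": sorted({p[0] for p in out_req}),   # what the outside world sees as the source
            "in_req": len(in_req), "out_req": len(out_req),
            "out_rep": len(out_rep), "in_rep": len(in_rep)}


# Constructed captures for three situations (healthy, upstream silent, ASA dropping).
CAPIN_OK = """\
2 packets captured
   1: 10:15:01.120000 172.16.1.100 > 4.2.2.2: icmp: echo request
   2: 10:15:01.140000 4.2.2.2 > 172.16.1.100: icmp: echo reply
2 packets shown
"""
CAPOUT_OK = """\
2 packets captured
   1: 10:15:01.121000 190.147.134.64 > 4.2.2.2: icmp: echo request
   2: 10:15:01.139000 4.2.2.2 > 190.147.134.64: icmp: echo reply
2 packets shown
"""
CAPIN_NOREPLY = """\
2 packets captured
   1: 10:15:01.120000 172.16.1.100 > 4.2.2.2: icmp: echo request
   2: 10:15:02.120000 172.16.1.100 > 4.2.2.2: icmp: echo request
2 packets shown
"""
CAPOUT_NOREPLY = """\
2 packets captured
   1: 10:15:01.121000 190.147.134.64 > 4.2.2.2: icmp: echo request
   2: 10:15:02.121000 190.147.134.64 > 4.2.2.2: icmp: echo request
2 packets shown
"""
CAPOUT_EMPTY = "0 packet captured\n0 packet shown\n"
```

Calling `diagnose(CAPIN_NOREPLY, CAPOUT_NOREPLY, "4.2.2.2")` returns the verdict `no-reply-from-upstream`, which is the situation the thread turned out to be in: the ASA forwards and translates correctly, and the fault lies on the path beyond it, so the next place to look is the LAN/ISP side rather than the firewall policy. `asa-not-forwarding` is the verdict that would justify a packet-tracer run as in the earlier step.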

Hi Julio,

After trying everything, I decided to do a Wireshark capture. Everything looked fine; I was just curious about an "IP checksum offload" message, and after doing some research with Google I saw the light. All the problems start when the virtual machines migrate (due to DRS) to one of the servers that has Gigabit NICs with TOE (Broadcom NetXtreme II 5709 Dual Port Ethernet PCIe Card with TOE and iSCSI Offload).

I just disabled TSO (TCP segmentation offload) for the affected OS. Now everything is fine.

Regards.

Rafael,

Great to hear that,

Some kudos for you,

Please mark the question as answered,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC