Hi Jouni,

I reconfigured my test ASA with the following:

: Saved

: Written by enable_15 at 15:04:40.849 UTC Wed Jan 16 2013

!

ASA Version 8.6(1)

!

hostname ciscoasa

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 1.1.1.170 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.0.1.1 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 10.0.254.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

object network DMZ-HTTPS

host 10.0.254.70

object network DMZ-SMTP

host 10.0.254.50

object-group network INSIDE_NETWORKS

network-object 10.0.1.0 255.255.255.0

network-object 10.0.2.0 255.255.255.0

network-object 10.0.3.0 255.255.255.0

network-object 10.0.4.0 255.255.255.0

network-object 10.0.5.0 255.255.255.0

object-group network DMZ_NETWORKS

network-object 10.0.254.0 255.255.255.0

object-group network DEFAULT_PAT_SOURCE

group-object INSIDE_NETWORKS

group-object DMZ_NETWORKS

access-list outside_access_in extended permit tcp any any eq https

access-list outside_access_in extended permit tcp any any eq smtp

access-list outside_access_in extended permit tcp any any eq www

access-list dmz_inside extended permit tcp host 10.0.254.50 host 10.0.1.50 eq smtp

access-list dmz_inside extended permit tcp host 10.0.254.70 host 10.0.1.70 eq www

access-list dmz_inside extended permit tcp host 10.0.254.70 host 10.0.1.70 eq https

access-list dmz_inside extended permit ip object-group INSIDE_NETWORKS object-group DMZ_NETWORKS

!

icmp permit any outside

icmp permit any inside

icmp permit any dmz

!

object network DMZ-HTTPS

nat (dmz,outside) static interface service tcp www www

object network DMZ-SMTP

nat (dmz,outside) static interface service tcp smtp smtp

!

nat (inside,outside) after-auto source dynamic DEFAULT_PAT_SOURCE interface

nat (dmz,outside) after-auto source dynamic DEFAULT_PAT_SOURCE interface

access-group outside_access_in in interface outside

access-group dmz_inside in interface dmz

route outside 0.0.0.0 0.0.0.0 1.1.1.169 1

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

I changed the https to www for testing. I can access from inside, dmz to outside from outside to dmz from inside to dmz but not from dmz to inside. What is my fault?

Stephan

Hi,

The configuration seems fine to me for the most part.

What I did notice that you have configured your INSIDE networks as the source and DMZ as the destination in your "dmz" ACL. I presume you were meaning to configure it the other way around?

Maybe the traffic is getting blocked by the ACL still?

You can try the following command to confirm what the ASA does to your traffic (even though I can see your configuration but I cant be sure on the source and destination IP address you are using for tests)

packet-tracer input dmz tcp

Use the command with the correct IPs and Ports you want and copy/paste the output from CLI to here

- Jouni

Hi,

I thought i have to add the last line of the dmz_inside acl to allow the reverse traffic from inside ip addresses to dmz addresses.

Here is the output of the packet-tracer:

ciscoasa# packet-tracer input dmz tcp 10.0.254.70 55555 10.0.1.70 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.0.1.0        255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group dmz_inside in interface dmz

access-list dmz_inside extended permit tcp host 10.0.254.70 host 10.0.1.70 eq www

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1, packet dispatched to next module

Result:

input-interface: dmz

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

It seems to be fine but I cannot open a website from 10.0.254.70 on 10.0.1.70.

Stephan

Hi,

Everything seems to be fine regarding the firewall on the basis of that output atleast.

Have you check the firewall logs through ASDM or the CLI when you are attempting the actual HTTP connection between the 2 hosts?

The logging level would need to be atleast "informational"

logging asdm informational

or

logging buffered informational

And you would be looking for log messages starting with "Built outbound/inbound TCP connection" and "Teardown TCP connection"

If the Teardown message reason is SYN Timeout the inside host is not responding to the connection forming attempt.

- Jouni

Hi Jouni,

I'm so sorry. After a long time configuring a firewall and servers...

I had an error in my inside webserver ip address. Everything is working fine.

Thank you very very much.

Sorry again for my mistake.

Hi,

No problem Stephan. Main thing is that its working now

- Jouni