04-06-2021 06:59 PM
For some reason I cannot ping my DMZ IP from outside through static NAT. Packet capture shows a successful ping from the DMZ out but failure from outside in. Packet trace shows that it should be successful. Included is all the relevant running config.
# show cap ICMP
18 packets captured
1: 15:30:52.301299 X.X.X.70 > 8.8.8.8 icmp: echo request
2: 15:30:52.348065 8.8.8.8 > X.X.X.70 icmp: echo reply
3: 15:30:52.349133 X.X.X.70 > 8.8.8.8 icmp: echo request
4: 15:30:52.396006 8.8.8.8 > X.X.X.70 icmp: echo reply
5: 15:30:52.397013 X.X.X.70 > 8.8.8.8 icmp: echo request
6: 15:30:52.444038 8.8.8.8 > X.X.X.70 icmp: echo reply
7: 15:30:52.445014 X.X.X.70 > 8.8.8.8 icmp: echo request
8: 15:30:52.492009 8.8.8.8 > X.X.X.70 icmp: echo reply
9: 15:30:52.492955 X.X.X.70 > 8.8.8.8 icmp: echo request
10: 15:30:52.540026 8.8.8.8 > X.X.X.70 icmp: echo reply
11: 15:33:16.6X481 X.X.X.73 > X.X.X.70 icmp: echo request
12: 15:33:16.673671 X.X.X.70 > X.X.X.73 icmp: host X.X.X.70 unreachable - admin prohibited filter
13: 15:33:21.521625 X.X.X.73 > X.X.X.70 icmp: echo request
14: 15:33:21.522662 X.X.X.70 > X.X.X.73 icmp: host X.X.X.70 unreachable - admin prohibited filter
15: 15:33:26.517490 X.X.X.73 > X.X.X.70 icmp: echo request
16: 15:33:26.518X6 X.X.X.70 > X.X.X.73 icmp: host X.X.X.70 unreachable - admin prohibited filter
17: 15:33:31.515979 X.X.X.73 > X.X.X.70 icmp: echo request
18: 15:33:31.517093 X.X.X.70 > X.X.X.73 icmp: host X.X.X.70 unreachable - admin prohibited filter
18 packets shown
# packet-tracer input OUTSIDE icmp X.X.X.73 0 0 X.X.X.70
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network DMZ
nat (DMZ,OUTSIDE) static X.X.X.70
Additional Information:
NAT divert to egress interface DMZ
Untranslate X.X.X.70/0 to 192.168.244.2/0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_access_in in interface OUTSIDE
access-list OUTSIDE_access_in extended permit icmp any4 object DMZ
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map firePOWER-class
description class to send all traffic to the Firepower module
match any
policy-map global_policy
class firePOWER-class
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network DMZ
nat (DMZ,OUTSIDE) static X.X.X.70
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 355283, packet dispatched to next module
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
# show run
object network DMZ
host 192.168.244.2
access-list OUTSIDE_access_in extended permit icmp any4 object DMZ
access-list OUTSIDE_access_in extended deny ip any any
access-group OUTSIDE_access_in in interface OUTSIDE
object network DMZ
nat (DMZ,OUTSIDE) static X.X.X.70
04-07-2021 12:32 AM
Your NAT rules look good, and the capture shows the data too. I just tuned your rule and added the echo command at the end.
object network DMZ
 host 192.168.244.2
 nat (DMZ,OUTSIDE) static X.X.X.70
!
access-list OUTSIDE_access_in extended permit icmp any4 object DMZ eq echo
access-list OUTSIDE_access_in extended deny ip any any
!
access-group OUTSIDE_access_in in interface OUTSIDE
Could you confirm whether you can ping the DMZ server from the ASA?
Could you do a packet-tracer and show us the output:

packet-tracer input OUTSIDE icmp 8.8.8.8 0 0 X.X.X.70 detail

X.X.X.70: this has to be the outside interface IP address.
04-07-2021 05:47 PM
A couple of things to note: interface Gi0/0 is OUTSIDE, interface Gi0/1 is DMZ, interface Gi0/2 is INSIDE. The outside interface is configured for PAT on X.X.X.145 for the rest of the production network. This is why there's a static NAT for X.X.X.70 to the OUTSIDE interface, as seen in my original post. Both .70 and .145 are in the same /24 subnet using .1 as the gateway.
For the access-list I've added permit echo and echo-reply above the deny any any. This did not resolve the issue, as I still can't ping the box from the outside using its NAT'd external IP.
Pinging from the DMZ IP 192.168.244.1 to 192.168.244.2 didn't work either. A packet capture from the DMZ interface shows the failure of the ping. I've also included a show route to show that they're directly connected, and from a layer one perspective I can personally confirm they're directly connected as well, i.e. no switch in between. The strange thing is that I can ping from the box at 192.168.244.2 to 244.1 successfully (shown separately below).
Lastly I've included the output of the packet-tracer as requested with detailed output.
# show int ip bri
Interface                  IP-Address         OK? Method Status  Protocol
GigabitEthernet0/0         XXX.XXX.XXX.145    YES manual up      up
GigabitEthernet0/1         192.168.244.1      YES CONFIG up      up
GigabitEthernet0/2         192.168.244.5      YES manual up      up

access-list OUTSIDE_access_in extended permit icmp any4 object DMZ-CUBE_SIP
access-list OUTSIDE_access_in extended permit icmp any4 object DMZ-CUBE_SIP echo
access-list OUTSIDE_access_in extended permit icmp any4 object DMZ-CUBE_SIP echo-reply
access-list OUTSIDE_access_in extended deny ip any any log

# ping DMZ 192.168.244.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.244.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

# show cap ICMP_DMZ
10 packets captured
1: 13:11:26.946377 192.168.244.1 > 192.168.244.2 icmp: echo request
2: 13:11:26.946926 192.168.244.2 > 192.168.244.1 icmp: host 192.168.244.2 unreachable - admin prohibited filter
3: 13:11:28.941601 192.168.244.1 > 192.168.244.2 icmp: echo request
4: 13:11:28.942059 192.168.244.2 > 192.168.244.1 icmp: host 192.168.244.2 unreachable - admin prohibited filter
5: 13:11:30.941647 192.168.244.1 > 192.168.244.2 icmp: echo request
6: 13:11:30.942166 192.168.244.2 > 192.168.244.1 icmp: host 192.168.244.2 unreachable - admin prohibited filter
7: 13:11:32.941769 192.168.244.1 > 192.168.244.2 icmp: echo request
8: 13:11:32.942257 192.168.244.2 > 192.168.244.1 icmp: host 192.168.244.2 unreachable - admin prohibited filter
9: 13:11:34.941967 192.168.244.1 > 192.168.244.2 icmp: echo request
10: 13:11:34.942486 192.168.244.2 > 192.168.244.1 icmp: host 192.168.244.2 unreachable - admin prohibited filter
10 packets shown

# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is X.X.X.1 to network 0.0.0.0

C        192.168.244.0 255.255.255.252 is directly connected, DMZ
L        192.168.244.1 255.255.255.255 is directly connected, DMZ
C        192.168.244.4 255.255.255.252 is directly connected, INSIDE
L        192.168.244.5 255.255.255.255 is directly connected, INSIDE

# packet-tracer input OUTSIDE icmp 8.8.8.8 0 0 X.X.X.70 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fee753e5bc0, priority=13, domain=capture, deny=false
        hits=27679233, user_data=0x7fee68121220, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=OUTSIDE, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fee6685ccb0, priority=1, domain=permit, deny=false
        hits=42445934, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=OUTSIDE, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network DMZ
 nat (DMZ,OUTSIDE) static X.X.X.70
Additional Information:
NAT divert to egress interface DMZ
Untranslate X.X.X.70/0 to 192.168.244.2/0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_access_in in interface OUTSIDE
access-list OUTSIDE_access_in extended permit icmp any4 object DMZ
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fee67e46360, priority=13, domain=permit, deny=false
        hits=60, user_data=0x7fee5c7f8100, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=192.168.244.2, mask=255.255.255.255, icmp-code=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fee65b97780, priority=0, domain=nat-per-session, deny=true
        hits=495150, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fee66864fd0, priority=0, domain=inspect-ip-options, deny=true
        hits=642181, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map firePOWER-class
 description class to send all traffic to the Firepower module
 match any
policy-map global_policy
 class firePOWER-class
  sfr fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fee74f78ff0, priority=71, domain=sfr, deny=false
        hits=167249, user_data=0x7fee6a5c8aa0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fee74f75cf0, priority=70, domain=inspect-icmp, deny=false
        hits=3121, user_data=0x7fee74f3cb70, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fee668647e0, priority=66, domain=inspect-icmp-error, deny=false
        hits=4036, user_data=0x7fee66864490, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fee680e05c0, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=41849, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network DMZ
 nat (DMZ,OUTSIDE) static X.X.X.70
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fee669815e0, priority=6, domain=nat-reverse, deny=false
        hits=206, user_data=0x7fee66980420, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=192.168.244.2, mask=255.255.255.255, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=DMZ

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 631055, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_sfr
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
Config and ping from the NAT'd box @192.168.244.2
#show ip int bri
Interface                  IP-Address      OK? Method Status  Protocol
GigabitEthernet0/0/0       192.168.244.2   YES NVRAM  up      up

#ping 192.168.244.1 source gi0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.244.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.244.2
!!!!!

#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 192.168.244.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.244.1
      192.168.244.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.244.0/30 is directly connected, GigabitEthernet0/0/0
L        192.168.244.2/32 is directly connected, GigabitEthernet0/0/0

#show run interface GigabitEthernet0/0/0
 ip address 192.168.244.2 255.255.255.252
 ip access-group XX in

#show access-lists
Extended IP access list XX
    10 permit ip host X.X.X.X any (74 matches)
    20 permit ip host X.X.X.X any
    30 permit ip host X.X.X.X any (110407 matches)
    40 permit ip host X.X.X.X any
    50 permit icmp any any echo-reply (20 matches)
    60 deny ip any any log (18468 matches)
04-07-2021 05:57 PM
I just saw it, it was the ACL on the NAT'd box. I needed to permit echo, as soon as I did that, the ping started to work. My apologies for the wasted time @Sheraz.Salim and thank you for the help.
Extended IP access list XX
    10 permit ip host X.X.X.X any (74 matches)
    20 permit ip host X.X.X.X any
    30 permit ip host X.X.X.X any (110407 matches)
    40 permit ip host X.X.X.X any
    50 permit icmp any any echo-reply (20 matches)
    55 permit icmp any any echo
    60 deny ip any any log (18520 matches)
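The captures in this thread (the OUTSIDE capture in the first post and the ICMP_DMZ capture in the third) both show the tell-tale pattern that pointed at the host rather than the ASA: every echo request is followed within a millisecond by a "host ... unreachable - admin prohibited filter" whose source is the pinged address itself. A silent drop on the ASA would show the request with nothing coming back at all. The script below is an added example, not code from the thread or from Cisco: it parses the one-packet-per-line text that `show capture` prints, pairs each echo request with the first packet sent back toward the requester, and classifies the result. The sample capture embedded in it is constructed with documentation addresses (198.51.100.70 standing in for the static-NAT address, 198.51.100.73 for an outside client, 198.51.100.1 for a hypothetical upstream gateway); it assumes all timestamps fall on the same day.

```python
"""Classify ICMP echo requests in Cisco ASA 'show capture' text output.

Added example (not code from the original thread). An 'admin prohibited'
unreachable sourced from the pinged address means the request crossed the
firewall and was refused by the target's own ACL, which was the cause here;
no response at all is what a silent drop on the ASA looks like.
Assumption: timestamps are HH:MM:SS.frac on one day (no midnight wrap).
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Matches lines such as:
#   12: 15:33:16.673671 A > B icmp: host A unreachable - admin prohibited filter
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[0-9a-fA-F.:]+)\s+>\s+(?P<dst>[0-9a-fA-F.:]+)\s+icmp:\s+(?P<msg>.+?)\s*$"
)

# Constructed sample in the ASA output format (documentation addresses, not
# the poster's). Request 3 is refused by the target itself, request 5 by a
# hypothetical gateway in the path, requests 7 and 8 get no answer at all.
SAMPLE_CAPTURE = """\
8 packets captured
1: 15:30:52.301299 198.51.100.70 > 8.8.8.8 icmp: echo request
2: 15:30:52.348065 8.8.8.8 > 198.51.100.70 icmp: echo reply
3: 15:33:16.672481 198.51.100.73 > 198.51.100.70 icmp: echo request
4: 15:33:16.673671 198.51.100.70 > 198.51.100.73 icmp: host 198.51.100.70 unreachable - admin prohibited filter
5: 15:33:21.521625 198.51.100.73 > 198.51.100.70 icmp: echo request
6: 15:33:21.522662 198.51.100.1 > 198.51.100.73 icmp: host 198.51.100.70 unreachable - admin prohibited filter
7: 15:33:26.517490 198.51.100.73 > 198.51.100.70 icmp: echo request
8: 15:33:31.515979 198.51.100.73 > 198.51.100.70 icmp: echo request
8 packets shown
"""

Packet = Dict[str, str]
Verdict = Tuple[int, str, Optional[str]]  # (request number, verdict, responder)


def parse_capture(text: str) -> List[Packet]:
    """Keep only per-packet lines; 'N packets captured/shown' lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify(packets: List[Packet], window_s: float = 2.0) -> List[Verdict]:
    """For every echo request, look ahead at most window_s seconds for a response."""
    verdicts: List[Verdict] = []
    for i, req in enumerate(packets):
        if req["msg"] != "echo request":
            continue
        verdict, responder = "unanswered", None
        for rsp in packets[i + 1:]:
            if _seconds(rsp["ts"]) - _seconds(req["ts"]) > window_s:
                break                       # nothing came back in time
            if rsp["dst"] != req["src"]:
                continue                    # not addressed to the requester
            if rsp["msg"] == "echo reply" and rsp["src"] == req["dst"]:
                verdict, responder = "answered", rsp["src"]
                break
            if "unreachable" in rsp["msg"]:
                if "admin prohibited" not in rsp["msg"]:
                    verdict = "unreachable"
                elif rsp["src"] == req["dst"]:
                    verdict = "refused_by_target"   # crossed the firewall, hit the host's ACL
                else:
                    verdict = "refused_in_path"     # some hop in between said no
                responder = rsp["src"]
                break
        verdicts.append((int(req["num"]), verdict, responder))
    return verdicts


def summarize(verdicts: List[Verdict]) -> Dict[str, int]:
    return dict(Counter(v for _, v, _ in verdicts))


def diagnose(verdicts: List[Verdict]) -> str:
    """One-line hint about where to look next."""
    counts = summarize(verdicts)
    if counts.get("refused_by_target"):
        return "target refused the echo: check the host's own ACL/firewall, not the ASA rules"
    if counts.get("refused_in_path"):
        return "an intermediate hop refused the echo: check the filter on that hop"
    if counts.get("unanswered") and not counts.get("answered"):
        return "no response at all: suspect a silent drop (ACL/NAT on the firewall) or routing"
    return "echo requests are being answered"


if __name__ == "__main__":
    results = classify(parse_capture(SAMPLE_CAPTURE))
    for num, verdict, who in results:
        print(f"request #{num}: {verdict}" + (f" (from {who})" if who else ""))
    print(diagnose(results))
```

Paste the output of `show capture <name>` into SAMPLE_CAPTURE (or read it from a file) and run the script; the two-second window is generous for a LAN but can be widened for captures taken across slow links.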