Solved: Unable to ping from DMZ to host inside interface of ASA

mahesh18 · ‎04-20-2013

Hi Everyone,

PC is connected to inside of ASA.

From DMZ PC i am trying to ping the inside host IP no luck.

From inside host i can ping the DMZ host once i config the command

global(DMZ) 1 interface.

Do i need to config the command

global(inside) 1 interface so that i can ping from DMZ host to Inside host?

Thanks

MAhesh

Jouni Forss · ‎04-20-2013

Hi Mahesh,

I would generally advice againt configuring Dynamic PAT between your local interfaces. This means between different "inside" and "dmz" interfaces. You will be effectively hiding local networks from eachother while generally I dont see any problems them seeing eachother directly with the original IP addresses.

Ofcourse to help your situation I would have to see some configurations on the ASA and we might possibly have to do some ICMP captures.

If indeed originally you werent able to ICMP from DMZ to INSIDE or INSIDE to DMZ, it would seem to me that you have somekind of routing problem perhaps.

After you configure the Dynamic PAT from INSIDE to DMZ and the ICMP starts going through this would seem even more likely since the DMZ hosts will now see the traffic coming from their own network address (ASA DMZ interface IP) and therefore they know where to send the ICMP Echo reply.

So I would advice against Dynamic PAT between local interfaces.

I would either have to see some configurations or "packet-tracer" output from the situation where you HAVE NOT configured any of the Dynamic PAT configurations ("global" command)

For example something like this

packet-tracer input inside icmp 0 8

packet-tracer input DMZ icmp 0 8

- Jouni

View solution in original post

Jouni Forss · ‎04-20-2013

Hi,

Seems you have an ASA5505 with Base License (can be confirmed with "show version" command)

You have DMZ configured in the following way

interface Vlan12

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 192.168.69.2 255.255.255.0

Notice that the configuration line "no forward interface Vlan1" means that the hosts behind DMZ will not be able to form connections to Vlan1 = inside in ANY SITUATION.

However, the host behind "inside" can form connections to the hosts on the "DMZ" since the "no forward interface Vlan1" doesnt apply in the direction INSIDE -> DMZ. Only in the direction DMZ -> INSIDE.

I have the same type and licensed ASA at home so I face the same problem Every now and then I forget it and while creating a lab config and bang my head against the the wall wondering why doesnt this work

- Jouni

View solution in original post

Jouni Forss · ‎04-20-2013

Hi,

To be able to ICMP from the DMZ to INSIDE you will need the Security Plus license.

Check out this Cisco document

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html

Additional Recommended Options
Cisco ASA 5505 Security Plus license (provides stateless Active/Standby high availability, dual ISP support, DMZ support, VLAN trunking support, and increased session and IPSec VPN peer capacities)	ASA5505-SEC-PL

This should give you support for 20 Vlan interfaces and also Trunking among other things

Though I still wonder why originally your ICMP from the INSIDE to DMZ didnt work

Maybe you can try changing the above configuration in this way

no global (inside) 1 interface

no global (DMZ) 1 interface

static (inside,DMZ) 192.168.52.0 192.168.52.0 netmask 255.255.255.0

I dont see anything on the ASA that should after this change stop the ICMP from working from INSIDE to DMZ

If it doesnt work I would double check the DMZ hosts network settings and that it doesnt have any secondary network connection (wireless for example) active that could cause problems with this situation.

- Jouni

View solution in original post

Jouni Forss · ‎04-20-2013

Hi,

I would have to see the output of the failed "packet-tracer" to say more.

The configuration "static (inside,DMZ) 192.168.52.0 192.168.52.0 netmask 255.255.255.0" is basicly a Identity NAT. It translated the source address to itself. Or in a sense doesnt do NAT at all.

It both enables the INSIDE hosts to connect to the DMZ with their original IP address and also enabled the DMZ hosts to connect to the INSIDE hosts with their original IP address. But as we already noticed, your current license limits DMZ to INSIDE traffic at the moment. Therefore connections from DMZ to INSIDE cant be initiated at the moment.

You could also achieve the same with a NAT0 / NAT Exempt configuration INSTEAD of the Identity NAT

I guess you actually changed the "static" command that I suggested

no static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

access-list INSIDE-NAT0 permit ip 192.168.52.0 255.255.255.0 192.168.69.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

- Jouni

View solution in original post

Jouni Forss · ‎04-20-2013

Hi,

You were using the ICMP Type 6 and Code 6

You could try adding the following

class inspection_default

inspect dns preset_dns_map

inspect icmp error

And then trying it again and it might go through with the DROP.

I imagine it might go through also if you used the "packet-tracer" with the following command

packet-tracer input inside icmp 192.168.52.11 0 8

- Jouni

View solution in original post

Jouni Forss · ‎04-20-2013

Hmm,

I might have gotten the numbers wrong in the "packet-tracer" command

Try the following command

packet-tracer input inside icmp 192.168.52.11 8 0 192.168.69.4

- Jouni

View solution in original post

Jouni Forss · ‎04-20-2013

Hi,

Its supposed to be Type 8 and Code 0

I originally had it Type 0 Code 8

The "packet-tracer" command first expects the ICMP Type and then the ICMP Code

For example from my ASA

ICMP Type

ASA(config)# packet-tracer input LAN icmp 10.0.0.10 ?

exec mode commands/options:

<0-255> Enter the icmp type

ICMP Code

ASA(config)# packet-tracer input LAN icmp 10.0.0.10 8 ?

exec mode commands/options:

<0-255> Enter the icmp code

Here is more information about the Type and Codes of ICMP

http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml

- Jouni

View solution in original post

Jouni Forss · ‎04-20-2013

Hi Mahesh,

I would generally advice againt configuring Dynamic PAT between your local interfaces. This means between different "inside" and "dmz" interfaces. You will be effectively hiding local networks from eachother while generally I dont see any problems them seeing eachother directly with the original IP addresses.

Ofcourse to help your situation I would have to see some configurations on the ASA and we might possibly have to do some ICMP captures.

If indeed originally you werent able to ICMP from DMZ to INSIDE or INSIDE to DMZ, it would seem to me that you have somekind of routing problem perhaps.

After you configure the Dynamic PAT from INSIDE to DMZ and the ICMP starts going through this would seem even more likely since the DMZ hosts will now see the traffic coming from their own network address (ASA DMZ interface IP) and therefore they know where to send the ICMP Echo reply.

So I would advice against Dynamic PAT between local interfaces.

I would either have to see some configurations or "packet-tracer" output from the situation where you HAVE NOT configured any of the Dynamic PAT configurations ("global" command)

For example something like this

packet-tracer input inside icmp 0 8

packet-tracer input DMZ icmp 0 8

- Jouni

mahesh18 · ‎04-20-2013

Hi jouni,

this is home ASA so here is the config for you

ciscoasa# sh running-config

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 11

!

interface Ethernet0/1

switchport access vlan 12

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 12

!

interface Ethernet0/5

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.52.1 255.255.255.0

!

interface Vlan11

nameif outside

security-level 0

ip address 192.168.11.2 255.255.255.0

!

interface Vlan12

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 192.168.69.2 255.255.255.0

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MST recurring

pager lines 24

logging enable

logging timestamp

logging buffered debugging

logging asdm debugging

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

global (inside) 1 interface

global (outside) 1 interface

global (DMZ) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 192.168.69.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.11.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

http 192.168.0.0 255.255.0.0 DMZ

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate cda15b51

308201cf 30820138 a0030201 020204cd a15b5130 0d06092a 864886f7 0d010105

0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648

86f70d01 09021608 63697363 6f617361 301e170d 31333034 30333033 33313134

5a170d32 33303430 31303333 3131345a 302c3111 300f0603 55040313 08636973

636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081

9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c5 04be4392

051ff956 1786981c 6acbe7ed 880bc95a 1c846bf4 19e381f7 f1e8d0d0 e340f86f

e94ec55b a1714de8 19976ae4 e9196c52 7791873c 794d2eec 4ae90aa5 5b40282c

3aac7fbb 2a2a2e36 77906a25 a3874d98 7f51e370 266068d8 f5adbd97 bd204ce0

61943442 ae73ce78 4f2b0daa 53374044 07f4df39 eed0e80c 2b92af02 03010001

300d0609 2a864886 f70d0101 05050003 8181001e 41c1636b c86357f6 94585bc0

2fe4bf2f b9f0cc4a 108f3cbf 830ebe54 fb6c87e6 04ad11a4 3fec5ced 5f6f9784

9f423788 c7de4b5b b7226d81 262ee3b6 ff0adffe 4e49ed7a 42c74d4b f52f0456

1b8feb3f f19efdc5 adaced62 c4bd7180 107feb06 8658937e 8cb2a154 7486de37

9b00c44c d17f967e 5fbe4584 c71fd389 55d670

quit

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

ssh 192.168.0.0 255.255.0.0 outside

ssh timeout 60

ssh version 2

console timeout 0

dhcpd dns 64.59.144.19

!

dhcpd address 192.168.52.5-192.168.52.15 inside

dhcpd enable inside

!

dhcpd address 192.168.69.3-192.168.69.20 DMZ

dhcpd enable DMZ

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.11.1

webvpn

username mintoo password AILiHuRWFGgkbsI5 encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

class class-default

set connection decrement-ttl

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DD

CEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:3bec029cfeb3691ada5937e25e12f0f0

: end.

So between inside and DMZ interfaces should i use static NAT then?

Whats ur advice?

Thanks

MAhesh

Jouni Forss · ‎04-20-2013

Hi,

Seems you have an ASA5505 with Base License (can be confirmed with "show version" command)

You have DMZ configured in the following way

interface Vlan12

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 192.168.69.2 255.255.255.0

Notice that the configuration line "no forward interface Vlan1" means that the hosts behind DMZ will not be able to form connections to Vlan1 = inside in ANY SITUATION.

However, the host behind "inside" can form connections to the hosts on the "DMZ" since the "no forward interface Vlan1" doesnt apply in the direction INSIDE -> DMZ. Only in the direction DMZ -> INSIDE.

I have the same type and licensed ASA at home so I face the same problem Every now and then I forget it and while creating a lab config and bang my head against the the wall wondering why doesnt this work

- Jouni

mahesh18 · ‎04-20-2013

Hi jouni,

Yes you are right.May be i will uprade to security plus sometime in near future to dig deeper into ASA.

So if i had security plus license with my current config ping from DMZ to host should work ?

i also forgot i have base license.

OR do i need to use global(inside) 1 interface to make ping from DMZ to inside host work?

Regards

MAhesh

Jouni Forss · ‎04-20-2013

Hi,

To be able to ICMP from the DMZ to INSIDE you will need the Security Plus license.

Check out this Cisco document

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html

Additional Recommended Options
Cisco ASA 5505 Security Plus license (provides stateless Active/Standby high availability, dual ISP support, DMZ support, VLAN trunking support, and increased session and IPSec VPN peer capacities)	ASA5505-SEC-PL

This should give you support for 20 Vlan interfaces and also Trunking among other things

Though I still wonder why originally your ICMP from the INSIDE to DMZ didnt work

Maybe you can try changing the above configuration in this way

no global (inside) 1 interface

no global (DMZ) 1 interface

static (inside,DMZ) 192.168.52.0 192.168.52.0 netmask 255.255.255.0

I dont see anything on the ASA that should after this change stop the ICMP from working from INSIDE to DMZ

If it doesnt work I would double check the DMZ hosts network settings and that it doesnt have any secondary network connection (wireless for example) active that could cause problems with this situation.

- Jouni

mahesh18 · ‎04-20-2013

Hi Jouni,

when i used PAT between inside and DMZ interface and did ping test

then even though ping worked fine from inside to DMZ host but packet tracer stops at phase 6 which was NAT

and it says result is drop due to config acl rule.

Can you please tell why packet tracer showed result as drop?

Second thing

I removed global (DMZ) 1 interface and used

static command which u stated above.

That has raised one more question now i can ping from inside to DMZ it was just for testing purposes

Why under global IP and mapped IP we used the same subnet address of inside host?

here is packet tracer also

Action: allow

ciscoasa# packet-tracer input inside icmp 192.168.52.11 0 8 192.168.69.4

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.69.0 255.255.255.0 DMZ

Phase: 2

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

set connection decrement-ttl

service-policy global_policy global

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

match ip inside 192.168.0.0 255.255.0.0 DMZ any

static translation to 192.168.0.0

translate_hits = 882, untranslate_hits = 1

Additional Information:

Static translate 192.168.0.0/0 to 192.168.0.0/0 using netmask 255.255.0.0

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

match ip inside 192.168.0.0 255.255.0.0 DMZ any

static translation to 192.168.0.0

translate_hits = 882, untranslate_hits = 1

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 23210, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: allow

Now i see packet tracer runs to 8 steps instead of 6 earlier

Regards

MAhesh

Jouni Forss · ‎04-20-2013

Hi,

I would have to see the output of the failed "packet-tracer" to say more.

The configuration "static (inside,DMZ) 192.168.52.0 192.168.52.0 netmask 255.255.255.0" is basicly a Identity NAT. It translated the source address to itself. Or in a sense doesnt do NAT at all.

It both enables the INSIDE hosts to connect to the DMZ with their original IP address and also enabled the DMZ hosts to connect to the INSIDE hosts with their original IP address. But as we already noticed, your current license limits DMZ to INSIDE traffic at the moment. Therefore connections from DMZ to INSIDE cant be initiated at the moment.

You could also achieve the same with a NAT0 / NAT Exempt configuration INSTEAD of the Identity NAT

I guess you actually changed the "static" command that I suggested

no static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

access-list INSIDE-NAT0 permit ip 192.168.52.0 255.255.255.0 192.168.69.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

- Jouni

mahesh18 · ‎04-20-2013

Hi Jouni,

Thanks again for going that far to explain about NAT between DMZ and inside.

Here is output of packet tracer with no static nat but with global nat

Pinging from inside to DMZ host

ciscoasa(config)# packet-tracer input inside icmp 192.168.52.11 6 6 192.168.69$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.69.0 255.255.255.0 DMZ

Phase: 2

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

set connection decrement-ttl

service-policy global_policy global

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any DMZ any

dynamic translation to pool 1 (192.168.69.2 [Interface PAT])

translate_hits = 118, untranslate_hits = 0

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

If you can tell reason for drop from here that will great

Thanks

MAhesh

Jouni Forss · ‎04-20-2013

Hi,

You were using the ICMP Type 6 and Code 6

You could try adding the following

class inspection_default

inspect dns preset_dns_map

inspect icmp error

And then trying it again and it might go through with the DROP.

I imagine it might go through also if you used the "packet-tracer" with the following command

packet-tracer input inside icmp 192.168.52.11 0 8

- Jouni

mahesh18 · ‎04-20-2013

Hi jouni,

I tried as per you above post but packet tracer again dropped.

Mahesh

Jouni Forss · ‎04-20-2013

Hi,

Can you post the current ASA configuration.

Which "packet-tracer" command did you use?

- Jouni

mahesh18 · ‎04-20-2013

Hi Jouni,

Here is config