Trouble routing server initiated traffic from DMZ out to WAN/Internet

terrymelton
Level 1

I have setup an ASA 5505 w/ Security Plus with three subnets. The subnets are as follows:

VLAN   Subnet
WAN    10.0.0.80/29
LAN    192.168.1.0/24
DMZ    172.30.200.0/24

The ASA is the gateway router at .1 for the LAN and DMZ networks. On the WAN network, the ASA occupies .85 and uses .86 as its gateway to the Internet. Clients on the LAN are able to access the Internet without any troubles. On the DMZ there is a mail/web server that LAN users are able to access by a hairpinning NAT that allows them to access the external IP address of the server from the LAN. Users from the outside can access HTTP and FTP traffic hosted on the DMZ server just fine. However mail services are not working properly because the mail server is unable to initiate any traffic from the DMZ to the Internet. The same server can respond to HTTP requests, but that same server cannot do a DNS lookup, traceroute out of the network, or ping anything that is not on the 172.30.200.0/24 network.

I have a static NAT setup to map the DMZ server's 172.30.200.81 address to 10.0.0.81. I also have a general NAT that should allow other servers on that network to access the internet, but no machine at all on that network can route outside of 172.30.200.0/24. I used the packet tracer and had it trace traffic coming from the DMZ network to the Internet, and it did not show me any conflicts with any of the access lists or anything else. However, no matter what I do, I cannot initiate traffic from the DMZ and have it go out to the Internet successfully.

I attempted to follow the directions in the article PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example; but I have obviously missed something, done something wrong, or perhaps the example assumes something about my configuration that I have not done.

I would very much appreciate any assistance that anyone can offer. Please see the attached config file that I have scrubbed. I have removed VPN configuration information and other unnecessary parts of the config file to make it easier to read. I can provide more information as requested.

Thanks!

4 Replies

mvsheik123
Level 7

Hi,

From the config you can remove...

1. access-group dmz_access_out out interface dmz

2. nat (dmz) 10 172.30.200.0 255.255.255.0

and see if that helps. If you still have issues, try using an IP address to hit the internet rather than DNS (to rule out DNS resolution).

hth

MS

Wow, thanks for the quick response! Unfortunately I got wrapped up in other things yesterday, so I took a little longer to give your advice a try. I tried to remove the NAT and the access group lines, but I still can't get out of the DMZ network. Trying IP addresses gives me the same problem. When I try to traceroute from any machine, I just get line after line of asterisks.

Hi,

In addition to the above, try removing the ACL.

If you still have issues, run 'debug icmp trace', initiate a ping from the DMZ server to the internet, and see where the packets drop.

MS

Thx

access-list OUTSIDE_TO_IN extended permit ip object-group DM_INLINE_NETWORK_1 any

I removed the ACL, but I'm still unable to initiate traffic from the DMZ network out to the internet. LAN access is still fine, and LAN clients can still hairpin to the external IP address of the server.

I ran the debug icmp trace command and tried to ping an ip address on the outside, and I got this same message over and over again:

ICMP echo request from dmz:172.30.200.81 to outside:4.2.2.3 ID=30852 seq=42 len=56
ICMP echo request translating dmz:172.30.200.81 to outside:10.0.0.81

However I do not get any responses back from the ping on the server. I'm starting to think that it is possible that my NAT isn't setup correctly. I just tried to ping my external interface IP address, and it responds, however I cannot ping the web server IP address even though the ACLs for incoming traffic on the outside interface should allow ping responses on the entire 10.0.0.80/29 network.

How would you recommend making sure that the static NAT is working properly?
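A small helper for reading `debug icmp trace` output like the lines quoted above, added here as an example and not part of the thread or of any Cisco tool. It pairs each echo request with its "translating" line and any echo reply addressed to the mapped IP, so a flow that is translated but never answered (the DMZ case) is separated from one that never hits a NAT rule at all. The trace text is constructed from the thread's two lines plus a healthy LAN flow for comparison; the ASA interface names are assumed.

```python
import re

# Constructed sample `debug icmp trace` output, modelled on the two lines quoted in the
# thread (not a capture from the poster's ASA). The LAN flow is a healthy comparison case.
SAMPLE_TRACE = """\
ICMP echo request from dmz:172.30.200.81 to outside:4.2.2.3 ID=30852 seq=42 len=56
ICMP echo request translating dmz:172.30.200.81 to outside:10.0.0.81
ICMP echo request from dmz:172.30.200.81 to outside:4.2.2.3 ID=30852 seq=43 len=56
ICMP echo request translating dmz:172.30.200.81 to outside:10.0.0.81
ICMP echo request from inside:192.168.1.10 to outside:4.2.2.3 ID=7 seq=1 len=56
ICMP echo request translating inside:192.168.1.10 to outside:10.0.0.85
ICMP echo reply from outside:4.2.2.3 to inside:10.0.0.85 ID=7 seq=1 len=56
ICMP echo reply untranslating outside:10.0.0.85 to inside:192.168.1.10
"""

PKT = re.compile(r"ICMP echo (request|reply) from (\w+):([\d.]+) to (\w+):([\d.]+) ID=(\d+) seq=(\d+)")
XLATE = re.compile(r"ICMP echo request translating (\w+):([\d.]+) to (\w+):([\d.]+)")


def analyze(trace: str) -> dict:
    """Group trace lines into ping flows keyed by (original source IP, ICMP ID) and classify each."""
    flows = {}
    last_key = None  # a 'translating' line describes the request logged just before it
    for line in trace.splitlines():
        m = PKT.search(line)
        if m:
            kind, src_if, src, dst_if, dst, icmp_id, seq = m.groups()
            if kind == "request":
                last_key = (src, icmp_id)
                f = flows.setdefault(last_key, {"requests": 0, "replies": 0, "translated_to": None, "dst": dst})
                f["requests"] += 1
            else:
                # A reply is addressed to the mapped (translated) IP; match it back by ICMP ID.
                for key, f in flows.items():
                    if key[1] == icmp_id and f["translated_to"] == dst:
                        f["replies"] += 1
            continue
        m = XLATE.search(line)
        if m and last_key in flows:
            flows[last_key]["translated_to"] = m.group(4)
    for f in flows.values():
        if f["translated_to"] is None:
            f["verdict"] = "no_xlate"   # no NAT rule matched: look at the nat/static configuration
        elif f["replies"] == 0:
            f["verdict"] = "no_reply"   # ASA translated and forwarded it; nothing came back for the mapped IP
        else:
            f["verdict"] = "ok"
    return flows
```

A `no_reply` verdict with a correct mapped address means the firewall did its part, which shifts attention to whether the upstream gateway knows how to return traffic for that mapped IP (for example via a `show xlate` check on the ASA and a route check on the .86 device).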
