Help to allow access for DMZ and inside networks.

Stevan44
Level 1

I'm trying to set up access for my RA VPN client to the inside and DMZ. Inside is 144.244.244.0/24, DMZ is 144.168.0.0/24 and VPN is 124.140.1.0/24. At one time my secure routers were showing 144.244.244.0 and 144.168.0.0 but now they are under local LAN Router.

Inside is 100

DMZ1 is 50

Inside can't ping anything in the DMZ or VPN clients; VPN clients can't get to DMZ or inside.

Any help would be greatly taken.


@Stevan44

Of these NAT rules:-

nat (inside,outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp description For Inside VPN Split tunnel
nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp description For DMZ VPN Split tunnel

Your configuration does not appear to have an object Obj-Remote-IPSEC-VPN - does this exist and does this represent the VPN client network? The configuration also does not have an object for DMZ1-Network, check this also.

Add this:-

nat (inside,dmz1) source static DukeLAN DukeLAN destination static DMZ1-Network DMZ1-Network no-proxy-arp

You'll need an ACL inbound on the DMZ1 interface permitting traffic. Enable ICMP inspection using the fixup protocol icmp command.

If you still have a problem, run packet-tracer from the CLI and provide the output for review. Also provide the output of "show nat detail".

Hi Rob,

Thanks for the quick response. The objects are there (I may have removed them by accident from the config when I sanitized it).

object network Obj-Remote-IPSEC-VPN
subnet 124.140.1.0 255.255.255.0

object network DMZ1-Network
subnet 144.168.0.0 255.255.255.0

I have added

nat (inside,dmz1) source static DukeLAN DukeLAN destination static DMZ1-Network DMZ1-Network no-proxy-arp

It entered OK and I moved it up. Packet Tracer passes OK, but when I ping from an inside PC to the DMZ no replies are received. Same from the VPN client to the inside. I've tried different things, and at one time I could ping the inside from the VPN client but not from the inside. It worked after I removed the no sysopt connection permit-vpn, but after making a few more changes it stopped as well.

Stevan44
Level 1

What would this command look like?

You'll need an ACL inbound on the DMZ1 interface permitting traffic. Enable ICMP inspection using - fixup protocol icmp command

@Stevan44

You run the command fixup protocol icmp from the CLI.

Do the VPN client or inside PCs have a local firewall enabled? Check and make sure it is disabled.

You will need an ACL (like you already have on the inside interface) attached to the DMZ interface for communication from DMZ to INSIDE.

Please provide the output of "show nat detail" to confirm whether the NAT rules are being matched.

Don't ping the ASA's interfaces for testing; make sure you ping through the ASA.

Ran the fixup command. It came back with INFO: converting 'fixup protocol icmp ' to MPF commands, but I believe it took.
Added "access-list dmz1_access_in_1 extended permit ip object DMZ1-Network object DukeLAN"

Still can't get replies, even though Packet Tracer runs OK:


DukeFirewall# packet-tracer input inside icmp 144.244.244.10 8 0 144.168.0.2 d$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x25715b50, priority=1, domain=permit, deny=false
hits=50090371, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz1) source static DukeLAN DukeLAN destination static DMZ1-Network DMZ1-Network no-proxy-arp
Additional Information:
NAT divert to egress interface dmz1
Untranslate 144.168.0.2/0 to 144.168.0.2/0

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in DukeLAN 255.255.255.0 inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group Telnet_FTP_ICMP any any
access-list inside_access_in remark Allow OpenVPN access to VPNMe
object-group service Telnet_FTP_ICMP
description: Allow Telnet, Ping, FTP Access
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq telnet
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2595f6a8, priority=13, domain=permit, deny=false
hits=76, user_data=0x21756e00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=8, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,dmz1) source static DukeLAN DukeLAN destination static DMZ1-Network DMZ1-Network no-proxy-arp
Additional Information:
Static translate 144.244.244.10/0 to 144.244.244.10/0
Forward Flow based lookup yields rule:
in id=0x27d9b4c0, priority=6, domain=nat, deny=false
hits=3, user_data=0x27a84788, cs_id=0x0, flags=0x0, protocol=0
src ip/id=DukeLAN, mask=255.255.255.0, port=0, tag=0
dst ip/id=144.168.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=dmz1

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x24efb698, priority=0, domain=nat-per-session, deny=true
hits=523985, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2571b7e0, priority=0, domain=inspect-ip-options, deny=true
hits=687281, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description Netflow_export_class
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x262e5360, priority=70, domain=inspect-icmp, deny=false
hits=204, user_data=0x262e2f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2571b280, priority=66, domain=inspect-icmp-error, deny=false
hits=31059, user_data=0x2571a8a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 10
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x262edd88, priority=18, domain=flow-export, deny=false
hits=718590, user_data=0x262ae3f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2624eb80, priority=13, domain=dynamic-filter, deny=false
hits=608150, user_data=0x2624e980, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 12
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2624fdd0, priority=12, domain=UNKNOWN:58, deny=false
hits=608150, user_data=0x2624fd90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 13
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,dmz1) source static DukeLAN DukeLAN destination static DMZ1-Network DMZ1-Network no-proxy-arp
Additional Information:
Forward Flow based lookup yields rule:
out id=0x27d9a920, priority=6, domain=nat-reverse, deny=false
hits=4, user_data=0x27a844f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=DukeLAN, mask=255.255.255.0, port=0, tag=0
dst ip/id=144.168.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=dmz1

Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x262f15a0, priority=0, domain=user-statistics, deny=false
hits=1336, user_data=0x262aeda8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=dmz1

Phase: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x24efb698, priority=0, domain=nat-per-session, deny=true
hits=523987, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 16
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x257449e0, priority=0, domain=inspect-ip-options, deny=true
hits=1355, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=dmz1, output_ifc=any

Phase: 17
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x262f0af8, priority=0, domain=user-statistics, deny=false
hits=634218, user_data=0x262aeda8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=inside

Phase: 18
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 659642, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz1
output-status: up
output-line-status: up
Action: allow

********************

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp description For Inside VPN Split tunnel
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
2 (dmz1) to (outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp description For DMZ VPN Split tunnel
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.168.0.0/24, Translated: 144.168.0.0/24
Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
3 (outside) to (outside) source dynamic DMZ1-Network interface description Allow VPN Access from the Outside
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.168.0.0/24, Translated: 107.142.207.220/22
4 (any) to (any) source static DukeLAN DukeLAN destination static DukeLAN DukeLAN no-proxy-arp description Allow inside traffic to go anywhere
translate_hits = 0, untranslate_hits = 33141
Source - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
Destination - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
5 (inside) to (dmz1) source static DukeLAN DukeLAN destination static DMZ1-Network DMZ1-Network no-proxy-arp
translate_hits = 4, untranslate_hits = 4
Source - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
Destination - Origin: 144.168.0.0/24, Translated: 144.168.0.0/24
6 (inside) to (dmz1) source static any interface no-proxy-arp inactive description Allow Inside to DMZ
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 144.168.0.1/24
7 (inside) to (outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.168.0.0/24, Translated: 144.168.0.0/24
Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
8 (inside) to (outside) source static any any destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
9 (inside) to (outside) source static DMZ1-Network DMZ1-Network destination static EricMcGheeDMZ EricMcGheeDMZ no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.168.0.0/24, Translated: 144.168.0.0/24
Destination - Origin: 10.9.8.0/32, Translated: 10.9.8.0/32

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Duke2019 interface service tcp 440 440
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.244.244.6/32, Translated: 107.142.207.220/22
Service - Protocol: tcp Real: 440 Mapped: 440
2 (any) to (outside) source static DukeDVR interface
translate_hits = 8774, untranslate_hits = 219
Source - Origin: 144.244.244.100/32, Translated: 107.142.207.220/22
3 (any) to (outside) source static NightOwl_AllowOutsideAccess interface service tcp 9000 9000
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.244.244.100/32, Translated: 107.142.207.220/22
Service - Protocol: tcp Real: 9000 Mapped: 9000
4 (inside) to (outside) source dynamic DukeLAN interface dns
translate_hits = 595700, untranslate_hits = 40181
Source - Origin: 144.244.244.0/24, Translated: 107.142.207.220/22
5 (inside) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 107.142.207.220/22

Manual NAT Policies (Section 3)
1 (dmz1) to (outside) source dynamic any interface
translate_hits = 1307, untranslate_hits = 4
Source - Origin: 0.0.0.0/0, Translated: 107.142.207.220/22

I believe I see the issue: all traffic requests are going to the outside instead of going to either the DMZ1 or RA VPN interface.

This is what I get when I do a traceroute:

DMZ1 address 144.168.0.3

Tracing route to p2-003.mail.z8lMeVgzLgYh.com [144.168.0.3]
over a maximum of 30 hops:

1 18 ms 20 ms 18 ms ^C

RA VPN address 124.140.1.7

Tracing route to 124-140-1-7.rev.home.ne.jp [124.140.1.7]
over a maximum of 30 hops:

1 18 ms 18 ms 17 ms 10.7.18.1

I do not want to change my addresses, so how do I correct the routing paths to go to my DMZ1 and RA VPN gateway?
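As an added example (not part of the thread, and not Cisco's or the poster's code), the script below parses the "show nat detail" output posted above and answers the two questions this post is really asking: which NAT rule a given flow lands on when the sections are walked in order (Section 1 manual, Section 2 auto, Section 3 manual-after-auto, first active match wins, inactive rules skipped), and which active rules have never been matched. It parses only the fields that appear in the posted output; auto NAT (Section 2) matching is simplified to the source network. The sample input is an excerpt of the thread's own output, and the 8.8.8.8 test destination in the usage is a constructed value.

```python
"""Find the Cisco ASA NAT rule a flow would hit, from 'show nat detail' output.

Added example for this thread; not Cisco's code or the poster's configuration.
Lookup order follows the sections the output shows (1 manual, 2 auto, 3 manual
after auto); first active match wins and 'inactive' rules are skipped. Only
fields present in that output are parsed; Section 2 matching is simplified to
the source network. The sample below is an excerpt of the thread's output.
"""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

SHOW_NAT_DETAIL = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp description For Inside VPN Split tunnel
translate_hits = 0, untranslate_hits = 0
Source - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
5 (inside) to (dmz1) source static DukeLAN DukeLAN destination static DMZ1-Network DMZ1-Network no-proxy-arp
translate_hits = 4, untranslate_hits = 4
Source - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
Destination - Origin: 144.168.0.0/24, Translated: 144.168.0.0/24
6 (inside) to (dmz1) source static any interface no-proxy-arp inactive description Allow Inside to DMZ
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 144.168.0.1/24

Auto NAT Policies (Section 2)
4 (inside) to (outside) source dynamic DukeLAN interface dns
translate_hits = 595700, untranslate_hits = 40181
Source - Origin: 144.244.244.0/24, Translated: 107.142.207.220/22

Manual NAT Policies (Section 3)
1 (dmz1) to (outside) source dynamic any interface
translate_hits = 1307, untranslate_hits = 4
Source - Origin: 0.0.0.0/0, Translated: 107.142.207.220/22
"""

SECTION = re.compile(r"\(Section (\d)\)")
HEADER = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.*)$")
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
ORIGIN = re.compile(r"^(Source|Destination) - Origin: (\S+), Translated:")

@dataclass
class NatRule:
    section: int
    index: int
    in_ifc: str          # "any" matches every interface
    out_ifc: str
    inactive: bool
    translate_hits: int = 0
    untranslate_hits: int = 0
    src: ipaddress.IPv4Network | None = None  # None: no source network parsed
    dst: ipaddress.IPv4Network | None = None  # None: no destination clause, matches any

def parse_show_nat_detail(text: str) -> list[NatRule]:
    """Return the rules in displayed (lookup) order."""
    rules: list[NatRule] = []
    section, cur = 0, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.search(line):
            section = int(m.group(1))
        elif m := HEADER.match(line):
            cur = NatRule(section, int(m.group(1)), m.group(2), m.group(3),
                          "inactive" in m.group(4).split())
            rules.append(cur)
        elif cur and (m := HITS.search(line)):
            cur.translate_hits, cur.untranslate_hits = int(m.group(1)), int(m.group(2))
        elif cur and (m := ORIGIN.match(line)):
            net = ipaddress.ip_network(m.group(2), strict=False)
            if m.group(1) == "Source":
                cur.src = net
            else:
                cur.dst = net
    return rules

def find_nat_rule(rules, src_ip, dst_ip, in_ifc, out_ifc):
    """First active rule the flow matches, or None (no NAT rule applies)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.inactive:
            continue
        if r.in_ifc not in ("any", in_ifc) or r.out_ifc not in ("any", out_ifc):
            continue
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        return r
    return None

def never_hit(rules):
    """Active rules with both counters at zero: configured but never matched."""
    return [(r.section, r.index) for r in rules
            if not r.inactive and r.translate_hits == 0 and r.untranslate_hits == 0]

if __name__ == "__main__":
    rules = parse_show_nat_detail(SHOW_NAT_DETAIL)
    hit = find_nat_rule(rules, "144.244.244.10", "144.168.0.2", "inside", "dmz1")
    print(f"inside->dmz1: section {hit.section} rule {hit.index}, translate_hits={hit.translate_hits}")
    print("active rules never matched:", never_hit(rules))
```

Run against the posted output, the inside-to-DMZ ping lands on Section 1 rule 5 with four translate hits, which agrees with the packet-tracer result above; the inside-to-VPN split-tunnel rule (Section 1 rule 1) is the only active rule with zero hits, so traffic toward 124.140.1.0/24 is not reaching the NAT lookup on the expected interface pair. Comparing the rule a flow should hit with its counters is a quick way to tell a NAT-ordering problem from a routing or ACL problem before changing addresses.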

