Routing issue from DMZ to internal network

Jan 23rd, 2009

This is a bit complicated so let me layout my setup first. I have a 5510 ASA for my firewall. On it I have the following interfaces configured:

Outside - x.x.x.x
Inside - 192.168.200.210
DMZ1 - 192.168.0.1

This is a list of my routes:

Gateway of last resort is x.x.x.x to network 0.0.0.0

S 192.168.211.0 255.255.255.0 [1/0] via 192.168.200.4, Inside
C x.x.x.x y.y.y.y is directly connected, Outside
C 127.0.0.0 255.255.0.0 is directly connected, cplane
S 192.168.216.0 255.255.255.0 [1/0] via 192.168.200.4, Inside
S 10.10.0.0 255.255.0.0 [1/0] via 192.168.200.4, Inside
C 192.168.0.0 255.255.255.0 is directly connected, DMZ1
S 192.168.50.0 255.255.255.0 [1/0] via 192.168.200.4, Inside
S 192.168.100.0 255.255.255.0 [1/0] via 192.168.200.4, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 65.118.6.129, Outside
C 192.168.200.0 255.255.248.0 is directly connected, Inside
S 192.168.16.0 255.255.248.0 [1/0] via 192.168.200.4, Inside


192.168.200.4 is my LAN gateway router (Cisco 2811) and these are its directly connected networks:

C 192.168.216.0/24 is directly connected, Loopback0
C 192.168.50.0 is directly connected, FastEthernet0/1
C 192.168.200.0/21 is directly connected, FastEthernet0/0


I'm trying to get traffic to pass from my DMZ (specifically 192.168.0.25) to 192.168.50.2 which is a directly connected network on my GW router. Access-lists are correct and increment on the expected lines when I try to pass traffic. What I believe is happening is that when 192.168.0.25 tries to ping 192.168.50.2 the ASA is passing the traffic out the Outside interface into the world instead of routing it through to my GW router as defined in the ASA static routes.
I don't have a problem with accessing any of the resources that reside in other networks that are defined by the static routes. During one test I did get the following alert from my Cisco MARS device that provided some insight to the fact that the ASA is routing the traffic out the default route instead of the static route.
"No ARP for host. Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.0.1/0 to DMZ1:192.168.50.2/0"

kwillacey Fri, 01/23/2009 - 14:12

Does your router have a route pointing to the DMZ?

qbakies11 Fri, 01/23/2009 - 14:21

Yes, I pass a ton of traffic from all my internal networks to the DMZ. This new network (192.168.50.0) is the only one I'm having an issue with. I can ping 192.168.50.2 from the CLI of the ASA itself so I know the traffic can route there successfully.

Jon Marshall Fri, 01/23/2009 - 14:31
Quinton
You need to confirm that traffic is going where you think it is going ie. to the outside interface instead of the inside.

access-list to_inside permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list to_inside permit ip any any

access-group to_inside out interface inside

Apply this outbound on the inside interface. Then, when you ping from the DMZ, you will see a hitcnt on the first line of the above ACL if the ASA is routing correctly and sending it via the inside interface.
Jon

qbakies11 Mon, 01/26/2009 - 08:24

Thanks for all the help on this but I figured out my problem. I didn't add a static NAT for access to the DMZ from the 192.168.5.0 network. This statement fixed my problem:
static (Inside,DMZ1) 192.168.50.0 192.168.50.0 netmask 255.255.255.252
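A small checker, added here and not part of the thread, that applies the longest-prefix match an ASA uses to the route table posted above (the x.x.x.x lines omitted), confirms the next hop sits on a connected subnet (the condition behind the "No ARP for host" message), and shows which hosts the 255.255.255.252 netmask in the final static actually covers. The function names are mine.

```python
import ipaddress

# Constructed from the "show route" output in the question; the x.x.x.x lines are left out.
ASA_ROUTES = """\
S 192.168.211.0 255.255.255.0 [1/0] via 192.168.200.4, Inside
C 127.0.0.0 255.255.0.0 is directly connected, cplane
S 192.168.216.0 255.255.255.0 [1/0] via 192.168.200.4, Inside
S 10.10.0.0 255.255.0.0 [1/0] via 192.168.200.4, Inside
C 192.168.0.0 255.255.255.0 is directly connected, DMZ1
S 192.168.50.0 255.255.255.0 [1/0] via 192.168.200.4, Inside
S 192.168.100.0 255.255.255.0 [1/0] via 192.168.200.4, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 65.118.6.129, Outside
C 192.168.200.0 255.255.248.0 is directly connected, Inside
S 192.168.16.0 255.255.248.0 [1/0] via 192.168.200.4, Inside
"""

def parse_routes(text):
    """Return [(network, next_hop or None, interface)] from ASA 'show route' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        next_hop = parts[parts.index("via") + 1].rstrip(",") if "via" in parts else None
        routes.append((net, next_hop, parts[-1]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: (egress interface, next hop) the ASA would choose for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return (best[2], best[1]) if best else None

def next_hop_reachable(routes, next_hop):
    """The next hop must be on a connected subnet for ARP to resolve it; return that interface."""
    hop = ipaddress.ip_address(next_hop)
    for net, via, iface in routes:
        if via is None and net.prefixlen > 0 and hop in net:
            return iface
    return None

def nat_covers(real_net, mask, host):
    """Does 'static (Inside,DMZ1) X X netmask M' include this host?"""
    return ipaddress.ip_address(host) in ipaddress.ip_network(f"{real_net}/{mask}", strict=False)
```

With the posted table, 192.168.50.2 resolves to Inside via 192.168.200.4 rather than the default route, and the /30 static covers 192.168.50.0 to 192.168.50.3 only, so a host such as 192.168.50.5 would still need its own translation.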