ASA inside to dmz access

Mar 25th, 2010

Hello

Could someone give me a hand with INSIDE access to the DMZ interface? I've set this up in the past, and am unsure of the problem I am running into. I think that when a host accesses a server on the DMZ, instead of a session being set up, the outbound response is being NATed and sent out the outside interface. Attached is the running config, and also below is a trace.

Also, through debug icmp trace, I see an echo request when pinging the 172.16.0.1 DMZ interface from a host on the 172.16.72.0 INSIDE interface, but not a reply.

ASA# packet-tracer input inside icmp 172.16.72.7 1 1 172.16.0.1


Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow


Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.1      255.255.255.255 identity


Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:


Phase: 4     
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:


Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:


Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:


Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:


Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 172.16.72.0 172.16.72.0 netmask 255.255.255.0
  match ip inside 172.16.72.0 255.255.255.0 dmz any
    static translation to 172.16.72.0
    translate_hits = 0, untranslate_hits = 0
Additional Information:


Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 889825065, packet dispatched to next module


Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity
adjacency Active
next-hop mac address 0000.0000.0000 hits 26434041


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

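As an added example (not part of the original thread): a small Python parser for the packet-tracer output format shown above, so a trace can be checked from a script rather than read by eye. The embedded SAMPLE_TRACE is abridged from the trace in the question; the "NP Identity Ifc" check flags packets addressed to the ASA's own interface rather than forwarded through it.

```python
# Added example (not from the thread): parser for the packet-tracer format above; sample abridged from the question.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW

Phase: 8
Type: NAT
Result: ALLOW
Config:
static (inside,dmz) 172.16.72.0 172.16.72.0 netmask 255.255.255.0
  match ip inside 172.16.72.0 255.255.255.0 dmz any
Additional Information:

Result:
input-interface: inside
output-interface: NP Identity Ifc
Action: allow
"""

def parse_trace(text):
    """Return (phases, verdict): one dict per 'Phase:' block and the final 'Result:' block."""
    phases, verdict, cur, section = [], {}, None, None
    for line in (l for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            cur = {"Phase": int(line.split(":", 1)[1]), "Config": []}
            phases.append(cur)
            section = None
        elif line.strip() == "Result:":  # start of the final verdict block
            cur, section = None, "verdict"
        elif cur and line.startswith(("Config:", "Additional Information:")):
            section = line.split(":", 1)[0]
        elif section == "verdict" or (cur and section is None and ":" in line):
            key, val = line.split(":", 1)
            (verdict if section == "verdict" else cur)[key.strip()] = val.strip()
        elif cur and section == "Config":
            cur["Config"].append(line.rstrip())  # the NAT/ACL rule that matched
    return phases, verdict

def summarize(text):
    """Verdict, non-ALLOW phases, matched NAT rule, and whether the packet targets the ASA itself."""
    phases, verdict = parse_trace(text)
    nat = next((p for p in phases if p.get("Type") == "NAT"), None)
    return {
        "action": verdict.get("Action"),
        "drops": [p["Phase"] for p in phases if p.get("Result") != "ALLOW"],
        "nat_rule": nat["Config"][0] if nat and nat["Config"] else None,
        "to_asa_itself": verdict.get("output-interface") == "NP Identity Ifc",
    }
```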
Jennifer Halim (Cisco Employee) Thu, 03/25/2010 - 14:57

For ping to work, please configure the following:

policy-map global_policy
 class inspection_default
  inspect icmp

Hope it helps.

bmurray2_home Thu, 03/25/2010 - 18:03

I don't see nat-control enabled within your config, but it seems like you're still trying to use NAT. I'm guessing you may either need to add nat-control, or get rid of the identity NAT statements. I'm not an "expert" though... Good luck.

allenelson Fri, 03/26/2010 - 06:05

Hey guys

Thanks for the input. I think the config is working out OK; the customer might have given me the wrong IP address to test with. I'll post back once confirmed. Thanks again.
