04-23-2010 02:33 PM - edited 03-11-2019 10:36 AM
I think that I am on the last part of my Firewall config, and that is allowing traffic out of the DMZ to the Internet. In theory I have it working where Internet traffic coming in is allowed, but I haven't been able to test that yet.
Here is the config for the DMZ:
interface Ethernet0/1
description TWTelecom Internet
speed 100
duplex full
nameif ExtNet
security-level 1
ip address 207.170.247.122 255.255.255.252
interface Ethernet0/2
description DMZ Interface
nameif DMZNet
security-level 25
ip address 10.2.2.254 255.255.0.0
object-group service WebPorts tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
port-object eq pop3
access-list DMZACL remark Allow all ICMP traffic
access-list DMZACL extended permit icmp any any
access-list DMZACL remark Allow SQL traffic from websites to SQL servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSQL eq 1433
access-list DMZACL remark Allow SMTP traffic from websites to Exchange servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSMTP eq smtp
access-list DMZACL remark Deny all DMZ traffic to Internal Network
access-list DMZACL extended deny ip any host 10.1.0.0
access-list DMZACL remark Allow DMZ access to the Internet
access-list DMZACL extended permit tcp 10.2.0.0 255.255.0.0 any object-group WebPorts
access-list DMZACL remark Deny EVERYTHING
access-list DMZACL extended deny ip any any
global (ExtNet) 1 216.64.172.34 netmask 255.255.255.255
global (ExtNet) 2 216.64.172.33 netmask 255.255.255.255
nat (IntNet) 0 access-list nonat
nat (IntNet) 1 10.1.0.0 255.255.0.0
nat (DMZNet) 2 10.2.0.0 255.255.0.0
static (IntNet,DMZNet) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
access-group IntACL in interface IntNet
access-group ExtACL in interface ExtNet
access-group DMZACL in interface DMZNet
route ExtNet 0.0.0.0 0.0.0.0 207.170.247.121 1
But so far I am unable to ping anything on the Internet, nor am I able to connect to anything using HTTP.
I don't think that the traffic is being blocked as I am able to use
packet-tracer input DMZNet tcp 10.2.1.100 80 209.85.171.104 80 detail
without any errors.
I have also checked the logs and it shows that it is trying to do the connection, but it doesn't appear like the connection ever finishes.
I think that it might be a routing issue. But I am not sure.
Can someone help to shed some light on this issue? I am pretty sure the ACL's are good, but I am still a bit skeptical of the NAT or possibly the routing.
04-23-2010 02:43 PM
Hi,
You're trying to get out to the internet from the interface called DMZNet correct?
This interface has a security level of 25.
The outside ExtNet has a security level of 1.
This means that traffic should flow from this interface to the outside interface (security level 0) without any ACLs.
The DMZNet has an IP range of 10.2.0.0/16
The ExtNet has a public IP.
Can you PING 207.170.247.121 from the ASA itself?
Can you PING 4.2.2.2 from the ASA itself?
If the answer is yes, then you have Internet from the ASA itself.
Check with "sh xlate local 10.2.2.x" when attempting to get out to the Internet from that host on the DMZ.
Federico.
04-23-2010 02:53 PM
Wow, thank you for that fast reply.
In most cases, yes the Internet would flow freely from one interface to a lower interface, but I have specific denies in place to block unwanted traffic out.
But as I said my packet trace works without issue.
So I ran sh xlate local 10.2.50.100 and here is the output that I received:
PAT Global 216.64.172.33(1551) Local 10.2.50.100 ICMP id 768
Using the IntNet interface I am able to ping 209.85.171.104, but I am unable to ping it using either ExtNet or DMZNet.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.85.171.104, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
When running a ping from 10.2.50.100 to 209.85.171.104 this is what is showing up in the log
6 | Apr 23 2010 | 07:38:17 | 302020 | 10.2.50.100 | 768 | 209.85.171.104 | 0 | Built outbound ICMP connection for faddr 209.85.171.104/0 gaddr 216.64.172.33/42153 laddr 10.2.50.100/768 |
6 | Apr 23 2010 | 07:38:21 | 302021 | 209.85.171.104 | 0 | 10.2.50.100 | 768 | Teardown ICMP connection for faddr 209.85.171.104/0 gaddr 216.64.172.33/42153 laddr 10.2.50.100/768 |
04-23-2010 03:00 PM
The only difference that I see is:
The IntNet gets translated to 216.64.172.34
The DMZNet gets translated to 216.64.172.33
You say, Internet works fine from the IntNet interface?
Could you do a test:
no nat (DMZNet) 2 10.2.0.0 255.255.0.0
nat (DMZNet) 1 10.2.0.0 255.255.0.0
clear xlate
In this way, the DMZNet will get translated to .34 as the IntNet.
Let's see if it works.
04-28-2010 03:17 PM
I apologize for the late response.
But I made those changes, and I am still unable to ping from my DMZNet interface.
I am actually stumped as to why I am unable to connect out at this point.
04-28-2010 03:23 PM
Please double-check that the destination that you're trying to reach is allowed on the DMZACL access-list.
Also, check if the translation is being built when attempting the connection.
sh xlate
Also, try to reach the default gateway of the ASA from the host on the DMZ, to check if traffic from the DMZ through the outside interface is working.
You can use a utility called Packet Tracer, via the CLI or ASDM, that shows if any process on the ASA is blocking the connection.
Federico.
04-29-2010 06:20 AM
It is creating the xlate when I run the ping:
Firewall# sh xlate | inc 10.2
PAT Global 216.64.172.33(16856) Local 10.2.50.100 ICMP id 768
I am able to ping the default gateway just fine from the computer I am testing with. When I try to ping from the ASA itself (ping DMZNet 209.85.171.104) I get request timed out.
I am afraid that I do not know how to do the packet tracer command with ICMP properly (I will have to look that up a bit later). But when I ran the command:
packet-tracer input DMZNet icmp 10.2.2.100 1 1 1 209.85.171.104
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 ExtNet
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZACL in interface DMZNet
access-list DMZACL extended permit icmp any any
access-list DMZACL remark Allow SQL traffic from websites to SQL servers
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (DMZNet) 2 10.2.0.0 255.255.0.0
match ip DMZNet 10.2.0.0 255.255.0.0 ExtNet any
dynamic translation to pool 2 (216.64.172.33)
translate_hits = 10, untranslate_hits = 0
Additional Information:
Result:
input-interface: DMZNet
input-status: up
input-line-status: up
output-interface: ExtNet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Now I do know how to run the packet tracer for TCP and this is what I got from there:
packet-tracer input DMZNet tcp 10.2.2.100 80 209.85.171.104 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 ExtNet
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZACL in interface DMZNet
access-list DMZACL extended permit tcp 10.2.0.0 255.255.0.0 any object-group WebPorts
access-list DMZACL remark Deny EVERYTHING
object-group service WebPorts tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
port-object eq pop3
port-object eq imap4
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZNet) 2 10.2.0.0 255.255.0.0
match ip DMZNet 10.2.0.0 255.255.0.0 ExtNet any
dynamic translation to pool 2 (216.64.172.33)
translate_hits = 11, untranslate_hits = 0
Additional Information:
Dynamic translate 10.2.2.100/80 to 216.64.172.33/319 using netmask 255.255.255.255
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZNet) 2 10.2.0.0 255.255.0.0
match ip DMZNet 10.2.0.0 255.255.0.0 ExtNet any
dynamic translation to pool 2 (216.64.172.33)
translate_hits = 11, untranslate_hits = 0
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 701784, packet dispatched to next module
Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 207.170.247.121 using egress ifc ExtNet
adjacency Active
next-hop mac address 001b.c016.c8f7 hits 42500
Result:
input-interface: DMZNet
input-status: up
input-line-status: up
output-interface: ExtNet
output-status: up
output-line-status: up
Action: allow
It looks like I might have a NAT problem....again.
04-29-2010 07:23 AM
The problem seems to be NAT, let's do the following:
Please post the output of:
sh run nat
sh run global
sh run static
sh run access-group
sh run access-list
Federico.
04-29-2010 07:37 AM
Firewall# sh run nat
nat (IntNet) 0 access-list nonat
nat (IntNet) 1 10.1.0.0 255.255.0.0
nat (DMZNet) 2 10.2.0.0 255.255.0.0
Firewall# sh run global
global (ExtNet) 1 216.64.172.34 netmask 255.255.255.255
global (ExtNet) 2 216.64.172.33 netmask 255.255.255.255
Firewall# sh run static
static (IntNet,DMZNet) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (IntNet,ExtNet) 216.64.172.35 10.1.2.12 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.40 10.1.2.6 netmask 255.255.255.255
static (DMZNet,ExtNet) 216.64.172.41 10.1.2.2 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.61 10.1.1.100 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.62 10.1.1.101 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.59 10.1.1.102 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.58 10.1.1.104 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.42 10.1.1.106 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.57 10.1.2.150 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.38 10.1.2.30 netmask 255.255.255.255
Firewall# sh run access-group
access-group IntACL in interface IntNet
access-group ExtACL in interface ExtNet
access-group DMZACL in interface DMZNet
Firewall# sh run access-list
access-list DMZACL remark Allow all ICMP traffic
access-list DMZACL extended permit icmp any any
access-list DMZACL remark Allow SQL traffic from websites to SQL servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSQL eq 1433
access-list DMZACL remark Allow SMTP traffic from websites to Exchange servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSMTP eq smtp
access-list DMZACL remark Deny all DMZ traffic to Internal Network
access-list DMZACL extended deny ip any 10.1.0.0 255.255.0.0
access-list DMZACL remark Allow DMZ access to the Internet
access-list DMZACL extended permit tcp 10.2.0.0 255.255.0.0 any object-group WebPorts
access-list DMZACL remark Deny EVERYTHING
access-list DMZACL extended deny ip any any
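One detail worth noticing between the DMZACL as first posted and the "sh run access-list" output above: the first version reads "deny ip any host 10.1.0.0" (a single address), the running config reads "deny ip any 10.1.0.0 255.255.0.0" (the whole /16). The following first-match ACL evaluator is an added example, not part of this thread or of the ASA, and models only the entries that are fully shown here (the SQL/SMTP entries are left out because the IntSQL and IntSMTP object-groups are not posted); it shows how the host form would let the later WebPorts permit reach internal hosts, and why UDP DNS falls through to the final deny.

```python
import ipaddress

# Constructed model of DMZACL with ASA first-match semantics.
# Entry: (action, protocol, source network, destination network, dst ports or None)
WEBPORTS = {80, 443, 21, 20, 110}  # object-group WebPorts as first posted: www https ftp ftp-data pop3


def entry(action, proto, src, dst, ports=None):
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), ports)


# As first posted: "deny ip any host 10.1.0.0" matches only the one address 10.1.0.0.
DMZACL_AS_POSTED = [
    entry("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0"),
    entry("deny", "ip", "0.0.0.0/0", "10.1.0.0/32"),
    entry("permit", "tcp", "10.2.0.0/16", "0.0.0.0/0", WEBPORTS),
    entry("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# As shown by "sh run access-list": "deny ip any 10.1.0.0 255.255.0.0" covers the whole /16.
DMZACL_RUNNING = [
    entry("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0"),
    entry("deny", "ip", "0.0.0.0/0", "10.1.0.0/16"),
    entry("permit", "tcp", "10.2.0.0/16", "0.0.0.0/0", WEBPORTS),
    entry("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry index) of the first entry that matches the flow.

    Protocol "ip" matches any protocol; an entry with ports only matches
    when the destination port is in its set.  If nothing matches, the
    ASA's implicit deny at the end of the list applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, snet, dnet, ports) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if ports is not None and dport not in ports:
            continue
        return action, i
    return "deny", len(acl)


if __name__ == "__main__":
    # A DMZ host reaching an internal address on port 80 (10.1.2.12 is constructed from the static list).
    print("as posted:", evaluate(DMZACL_AS_POSTED, "tcp", "10.2.50.100", "10.1.2.12", 80))
    print("running:  ", evaluate(DMZACL_RUNNING, "tcp", "10.2.50.100", "10.1.2.12", 80))
    print("dns/udp:  ", evaluate(DMZACL_RUNNING, "udp", "10.2.50.102", "4.2.2.2", 53))
```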
04-29-2010 07:49 AM
Ok, here are the commands we need:
nat (DMZNet) 2 10.2.0.0 255.255.0.0
global (ExtNet) 2 216.64.172.33 netmask 255.255.255.255
access-group DMZACL in interface DMZNet
You need to get to 209.85.171.104 from 10.2.2.100 correct?
The access list applied to the DMZNet is DMZACL.
You are referring to an object-group called DMZWebsites, but from the configuration I only see
the object-group WebPorts tcp
You need to make sure that on the DMZACL, the outgoing traffic is allowed (or post the object-groups as well)
Then,
Host 10.2.2.100 (DMZNet) will be NATed to 216.64.172.33 when going out the outside interface.
We have checked that the translation takes place with "sh xlate local 10.2.2.100" correct?
You have said, that you can PING 207.170.247.121 from 10.2.2.100 fine correct?
This means that traffic is flowing fine from the DMZNet to the outside.
The IP that you're trying to reach 209.85.171.104, is located on the outside interface from the ASA perspective correct?
What is this device?
Federico.
04-29-2010 08:43 AM
Sorry about that, I forgot about the object groups.
object-group service WebPorts tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
port-object eq pop3
port-object eq imap4
object-group network DMZWebsites
network-object host 10.2.1.101
network-object host 10.2.1.100
network-object host 10.2.1.104
network-object host 10.2.1.102
209.85.171.104 is just one of the IP addresses for www.google.com. Since I may have a problem with DNS resolution, I am first testing with IPs; once I get the IPs functioning I will start playing with DNS.
So to answer your question I need all DMZNet systems (10.2.0.0/16) to be able to access the Internet.
The system that I am currently testing with is set up on DHCP and has an IP of 10.2.50.102
Firewall# sh xlate local 10.2.50.102
309 in use, 777 most used
This is on an ASA 5510 running 8.0(5)
04-29-2010 08:48 AM
I cannot PING 209.85.171.104 or open a browser with that IP either.
Can you try a PING to 4.2.2.2?
Federico.
04-29-2010 09:14 AM
Alright, so I am a dunce, and Google has changed their IP.
I am able to successfully ping the 4.2.2.2
Which means that this has probably been working since the start
I was also able to get DNS up and running, by allowing External DNS traffic.
Thank you very much Federico, you have perfectly resolved my problem.
04-29-2010 09:18 AM
Glad that is working.
Thank you Ken.
Federico.