ASA5510 stops allowed DMZ traffic

Unanswered Question

This is the second time this week that my ASA 5510 has stopped allowing my web server to pass traffic to my database server.


overview of config


I have an access rule allowing my web server 10.10.10.6 to pass traffic across a specific port to 192.199.1.8.


The first time this happened this week there was no access rule allowing this traffic; I wrote this off as me not writing my config before the ASA was restarted. This time the access rule was in place, but when you tried to access the internal database no traffic was being passed, including ICMP. To get traffic allowed again I had to restart the ASA.


Is there something I'm missing that is stopping this traffic? This morning it worked fine; when I got back from lunch it no longer worked.



If you need any information that I have not given, please let me know; I will be glad to post it.


Thank you

Shane

astripat Wed, 04/28/2010 - 13:32

Hi Shane,


Can you paste the config and the syslogs from the time of the issue so that we can see what's blocking it?


Regards,

Ashu

After asking the dumb question below, it looks like I do not have syslog enabled on the firewall. I'm working to get it set up now, but I don't think it will have the information I need in it.


OK, this is going to sound like a very dumb question, especially since I set the firewall up, but how do I get the syslogs?


I did, however, post the config.



Thank you

Shane

dtochilovsky Wed, 04/28/2010 - 14:42

Based on your configuration, logging is enabled already; you just need to set what level you are going to log at and where you are going to send the logs. There are multiple options: a dedicated syslog server (you already have one configured, 192.199.1.4) or the internal buffer.


To configure logging to a syslog server you need to set the logging level: logging trap {severity_level}. Then set up a syslog server to listen for syslog messages and write them to a file. "Kiwi Syslog" by SolarWinds does this very well. Just install the syslog server software on that server and capture the logs.

For buffered logging you need the following: logging buffered {severity_level}


To view the internal buffer just run: show log

You can find a lot more info on logging here :
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html



As for your traffic problem, I think you are missing a nonat statement for the traffic leaving the MCI interface and going back to the DMZ:


access-list mci_nat0_outbound extended permit ip 192.199.1.0 255.255.255.0 10.10.10.0 255.255.255.0

Hope this helps and post a rating if you find the answer useful.


Dmitry.
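Putting the two suggestions in the reply above together, here is an added ASA configuration fragment (written for this page, not posted by anyone in the thread) that turns on buffered and remote logging and binds the suggested nonat access-list to an interface. The interface names `dmz` and `mci`, the severity levels and the buffer size are assumptions; 192.199.1.4 is the syslog server the reply says is already in the config, and the access-list line is the one from the reply. The `nat (interface) 0 access-list` form is the pre-8.3 ASA syntax that matches the 8.0 documentation linked above; ASA 8.3 and later replaced it with object-based NAT.

```cisco
! Added example, not from the original thread.
! Assumed: interfaces named "dmz" (10.10.10.0/24) and "mci" (192.199.1.0/24),
! severity "informational", buffer size, and that 192.199.1.4 is reachable via "mci".

! --- Logging: keep a local buffer AND ship to the syslog server ---
logging enable
logging timestamp
! Level 6 (informational) captures ACL denies (%ASA-4-106023) as well as the
! connection build/teardown messages, so a failure window can be reconstructed.
logging buffered informational
logging buffer-size 65536
logging trap informational
logging host mci 192.199.1.4

! --- NAT exemption (nonat) for MCI <-> DMZ traffic ---
! Traffic between the database network and the DMZ should pass untranslated.
! The access-list is the one suggested in the reply; the nat 0 line binds it
! to the interface the 192.199.1.0/24 traffic enters on (assumed "mci").
access-list mci_nat0_outbound extended permit ip 192.199.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (mci) 0 access-list mci_nat0_outbound
```

Once this is in place, `show logging` displays the buffer and `show logging | include 10.10.10.6` narrows it to the web server, which is what the earlier reply asked for: the messages logged at the moment the web-to-database traffic stopped, rather than the state after a reload. The interface named in `logging host` must be the one through which the syslog server is actually reached, and `write memory` is still needed so the logging and nonat lines survive the next restart.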
