cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
891
Views
0
Helpful
6
Replies

dmz hosts cannot access Internet PIX515E Version 8.0(3)

rizwanr74
Level 7
Level 7

I have two dmz host, wanted to access to Internet, so I setup dmz nat as follows.  I am running PIX515E Version 8.0(3).  But these two host in the dmz still cannot access to Internet.  Please help me out.

global (outside) 1 interface

nat (outside) 1 10.40.40.0 255.255.255.0

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 172.30.0.253 255.255.255.255

nat (dmz) 1 172.30.0.254 255.255.255.255

access-list incoming_dmz extended permit ip 172.30.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list incoming_dmz extended permit ip host 172.30.0.254 any

access-list incoming_dmz extended permit ip host 172.30.0.253 any

---------------------------------------------------------------------------------------------------

here is the output from packet-tracer

DR-FW01# packet-tracer input dmz icmp 172.30.0.253 0 0 4.2.2.2

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group incoming_dmz in interface dmz

access-list incoming_dmz extended permit ip host 172.30.0.253 any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: DROP

Config:

nat (dmz) 1 172.30.0.253 255.255.255.255

  match ip dmz host 172.30.0.253 outside any

    dynamic translation to pool 1 (66.252.158.82 [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Result:

input-interface: dmz

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

1 Accepted Solution

Accepted Solutions

Hi,

I was actually hoping you could try 'packet-tracer input dmz icmp 172.30.0.253 8 0 4.2.2.2' (notice I changed the type/code to 8/0 instead of 0/0).

-Mike

View solution in original post

6 Replies 6

mirober2
Cisco Employee
Cisco Employee

Hello,


Try the packet-tracer as 'packet-tracer input dmz icmp 172.30.0.253 8 0 4.2.2.2' instead. What does that show?


Have you tried access from the DMZ hosts themselves? Or have you only tested with packet-tracer?


-Mike

System administrators confirmed to me, that they still cannot access the Internet on those two host.

Packet-tracer output is posted right above.

Hi,

I was actually hoping you could try 'packet-tracer input dmz icmp 172.30.0.253 8 0 4.2.2.2' (notice I changed the type/code to 8/0 instead of 0/0).

-Mike

DR-FW01# packet-tracer input dmz icmp 172.30.0.253 8 0 4.2.2.2

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group incoming_dmz in interface dmz

access-list incoming_dmz extended permit ip host 172.30.0.253 any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (dmz) 1 172.30.0.253 255.255.255.255

  match ip dmz host 172.30.0.253 outside any

    dynamic translation to pool 1 (66.252.158.82 [Interface PAT])

    translate_hits = 2, untranslate_hits = 0

Additional Information:

Dynamic translate 172.30.0.253/0 to 66.252.158.82/26 using netmask 255.255.255.255

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (dmz) 1 172.30.0.253 255.255.255.255

  match ip dmz host 172.30.0.253 outside any

    dynamic translation to pool 1 (66.252.158.82 [Interface PAT])

    translate_hits = 2, untranslate_hits = 0

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1289818, packet dispatched to next module

Phase: 11

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 66.252.158.81 using egress ifc outside

adjacency Active

next-hop mac address 0004.8044.f000 hits 1

Result:

input-interface: dmz

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

DR-FW01#

Hello,

Does 'packet-tracer in dmz tcp 172.30.0.253 12345 4.2.2.2 80' also show the packet being allowed?

Do syslogs show anything for these connections when the DMZ hosts try to get out to the Internet?

I would also suggest setting up bi-directional, simultaneous captures on the dmz and outside interfaces of the ASA. The ASA may be passing the traffic but the problem could be upstream, which the captures will show you. Here is a guide that describes setting up the captures on the ASA's interfaces:

https://supportforums.cisco.com/docs/DOC-1222

-Mike

Yes of course.

It is most likely issue on the DMZ switch itself.

Thank you very much for your input 5 stars.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: