09-09-2010 12:35 PM - edited 03-11-2019 11:38 AM
I have two DMZ hosts that want to access the Internet, so I set up DMZ NAT as follows. I am running PIX515E Version 8.0(3). But these two hosts in the DMZ still cannot access the Internet. Please help me out.
global (outside) 1 interface
nat (outside) 1 10.40.40.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 172.30.0.253 255.255.255.255
nat (dmz) 1 172.30.0.254 255.255.255.255
access-list incoming_dmz extended permit ip 172.30.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list incoming_dmz extended permit ip host 172.30.0.254 any
access-list incoming_dmz extended permit ip host 172.30.0.253 any
---------------------------------------------------------------------------------------------------
Here is the output from packet-tracer:
DR-FW01# packet-tracer input dmz icmp 172.30.0.253 0 0 4.2.2.2
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group incoming_dmz in interface dmz
access-list incoming_dmz extended permit ip host 172.30.0.253 any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (dmz) 1 172.30.0.253 255.255.255.255
match ip dmz host 172.30.0.253 outside any
dynamic translation to pool 1 (66.252.158.82 [Interface PAT])
translate_hits = 1, untranslate_hits = 0
Additional Information:
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
09-09-2010 12:41 PM
Hello,
Try the packet-tracer as 'packet-tracer input dmz icmp 172.30.0.253 8 0 4.2.2.2' instead. What does that show?
Have you tried access from the DMZ hosts themselves? Or have you only tested with packet-tracer?
-Mike
09-09-2010 12:51 PM
System administrators confirmed to me that they still cannot access the Internet on those two hosts.
Packet-tracer output is posted right above.
09-09-2010 12:56 PM
Hi,
I was actually hoping you could try 'packet-tracer input dmz icmp 172.30.0.253 8 0 4.2.2.2' (notice I changed the type/code to 8/0 instead of 0/0).
-Mike
09-09-2010 01:03 PM
DR-FW01# packet-tracer input dmz icmp 172.30.0.253 8 0 4.2.2.2
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group incoming_dmz in interface dmz
access-list incoming_dmz extended permit ip host 172.30.0.253 any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dmz) 1 172.30.0.253 255.255.255.255
match ip dmz host 172.30.0.253 outside any
dynamic translation to pool 1 (66.252.158.82 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
Additional Information:
Dynamic translate 172.30.0.253/0 to 66.252.158.82/26 using netmask 255.255.255.255
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 1 172.30.0.253 255.255.255.255
match ip dmz host 172.30.0.253 outside any
dynamic translation to pool 1 (66.252.158.82 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1289818, packet dispatched to next module
Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 66.252.158.81 using egress ifc outside
adjacency Active
next-hop mac address 0004.8044.f000 hits 1
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
DR-FW01#
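The two traces in this thread differ only in the ICMP type, and the diagnosis hinges on reading which phase reported DROP and what the drop reason was. As an added example (not code from this thread, from Cisco, or from the ASA), here is a small Python parser for packet-tracer output that splits a transcript into phases, finds the dropping phase and drop reason, and flags a trace that was run with type 0 (echo reply) while inspect icmp is active. The two embedded traces are constructed, abbreviated copies of the ones posted above (only the INSPECT and NAT phases kept); the hint text is my own reading of Mike's advice, not something the firewall prints.

```python
"""Parse Cisco ASA/PIX packet-tracer output and report where, and why, a
packet was dropped. Added example; the traces below are constructed,
abbreviated copies of the two posted in the thread."""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information|Action|Drop-reason):\s*(.*)$")
# ICMP trace arguments: input <ifc> icmp <src> <type> <code> <dst>
ICMP_CMD_RE = re.compile(r"^input\s+\S+\s+icmp\s+\S+\s+(\d+)\s+(\d+)\s+\S+$")

TRACE_ECHO_REPLY = """\
DR-FW01# packet-tracer input dmz icmp 172.30.0.253 0 0 4.2.2.2
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
inspect icmp
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (dmz) 1 172.30.0.253 255.255.255.255
Additional Information:
Result:
input-interface: dmz
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRACE_ECHO_REQUEST = """\
DR-FW01# packet-tracer input dmz icmp 172.30.0.253 8 0 4.2.2.2
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
inspect icmp
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dmz) 1 172.30.0.253 255.255.255.255
Additional Information:
Dynamic translate 172.30.0.253/0 to 66.252.158.82/26 using netmask 255.255.255.255
Result:
Action: allow
"""


def parse_trace(text: str) -> dict:
    """Split a packet-tracer transcript into its phases plus the final action."""
    trace = {"command": None, "phases": [], "action": None, "drop_reason": None}
    cur, bucket = None, None  # phase being filled; "config"/"info" for free-form lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if trace["command"] is None and "packet-tracer" in line:
            trace["command"] = line.split("packet-tracer", 1)[1].strip()
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "config": [], "info": []}
            trace["phases"].append(cur)
            bucket = None
            continue
        m = FIELD_RE.match(line)
        if not m:  # free-form line under Config: or Additional Information:
            if cur is not None and bucket is not None:
                cur[bucket].append(line)
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Result" and not value:  # bare "Result:" opens the summary block
            cur = bucket = None
        elif key == "Action":
            trace["action"] = value
        elif key == "Drop-reason":
            trace["drop_reason"] = value
        elif cur is not None and key in ("Config", "Additional Information"):
            bucket = "config" if key == "Config" else "info"
        elif cur is not None:
            cur[key.lower()] = value
    return trace


def diagnose(text: str) -> dict:
    """Name the dropping phase and flag the echo-reply pitfall seen in the thread."""
    trace = parse_trace(text)
    verdict = {"action": trace["action"], "phase": None, "type": None,
               "reason": trace["drop_reason"], "hint": None}
    dropped = next((p for p in trace["phases"] if p["result"] == "DROP"), None)
    if dropped is not None:
        verdict["phase"], verdict["type"] = dropped["phase"], dropped["type"]
    icmp = ICMP_CMD_RE.match(trace["command"] or "")
    inspecting_icmp = any("inspect icmp" in c for p in trace["phases"] for c in p["config"])
    if icmp and icmp.group(1) == "0" and inspecting_icmp:
        # Hint text is this example's own wording, not firewall output.
        verdict["hint"] = ("type 0 is an ICMP echo reply; with 'inspect icmp' the firewall only passes a "
                           "reply matching an outstanding request, so re-run the trace with type 8 (echo request)")
    elif trace["action"] == "allow":
        verdict["hint"] = ("the firewall allows this packet; if the hosts still fail, capture on the dmz and "
                           "outside interfaces to see whether the problem is upstream")
    return verdict
```

Feed `diagnose()` the pasted transcript of any packet-tracer run; on the first trace it reports phase 7 (NAT) with the acl-drop reason and the type 8 hint, and on the second it reports allow with the suggestion to capture on both interfaces, which is exactly where the thread ends up.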
09-09-2010 01:09 PM
Hello,
Does 'packet-tracer in dmz tcp 172.30.0.253 12345 4.2.2.2 80' also show the packet being allowed?
Do syslogs show anything for these connections when the DMZ hosts try to get out to the Internet?
I would also suggest setting up bi-directional, simultaneous captures on the dmz and outside interfaces of the ASA. The ASA may be passing the traffic but the problem could be upstream, which the captures will show you. Here is a guide that describes setting up the captures on the ASA's interfaces:
https://supportforums.cisco.com/docs/DOC-1222
-Mike
09-09-2010 01:22 PM
Yes, of course.
It is most likely an issue on the DMZ switch itself.
Thank you very much for your input. 5 stars.