ASA 5510 Inter-DMZ NAT and connectivity issue

I have an ASA 5510 with sub-interfaces configured for multiple VLANs traversing a trunk on Interface 0/2; these interfaces are all DMZs - they all must reach a fellow DMZ VLAN that contains a domain controller:

interface Ethernet0/2.184

description VLAN-184-DMZdomaincontroller

vlan 184

nameif dmz184

security-level 49

ip address 10.10.184.1 255.255.255.0

VLAN 190 represents a typical DMZ sub-interface; note that the security level is not the same, so that communication is allowed:

interface Ethernet0/2.190

description VLAN-190

vlan 190

nameif dmz190

security-level 50

ip address 10.10.190.1 255.255.255.0

Since all the DMZ VLANs are connected networks, no explicit routes are necessary; access-lists are currently wide-open for troubleshooting:

access-list dmz184_out extended permit ip any any

access-list dmz190_out extended permit ip any any

access-group dmz184_out in interface dmz184

access-group dmz190_out in interface dmz190

Both DMZs have Internet access:

nat (dmz184) 1 10.10.184.0 255.255.255.0

nat (dmz190) 1 10.10.190.0 255.255.255.0

global (outside) 1 interface

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

Both DMZs have a static NAT to each other:

static (dmz184,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0

static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0

Problem: packet-tracer shows different results for flows sourced from each VLAN, and I cannot ping from a host in VLAN 190 to a host in VLAN 184:

OK - packet-tracer input dmz184 icmp 10.10.184.100 8 8 10.10.190.155

Result:

input-interface: dmz184

input-status: up

input-line-status: up

output-interface: dmz190

output-status: up

output-line-status: up

Action: allow

NOT OK - packet-tracer input dmz190 icmp 10.10.190.155 8 8 10.10.184.100

Result:

input-interface: dmz190

input-status: up

input-line-status: up

output-interface: transit

output-status: up

output-line-status: up

Action: drop

Drop-reason: (no-adjacency) No valid adjacency

I don't have access to the VLAN 184 host and can only ping one-way. I'm running version 8.0(5).

Suggestions? Troubleshooting ideas?

Thanks in advance,

Marc


ASA 5510 Inter-DMZ NAT and connectivity issue

Hello,

From the ASA, are you able to ping both hosts?

Can you provide the full packet-tracer input for the failed one?

Also, I would like to see a sh route from the ASA.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
ASA 5510 Inter-DMZ NAT and connectivity issue

Hi Julio;

Yes, I can ping hosts in both VLANs from the ASA; partial 'sh route' output is:

Gateway of last resort is 64.xx.xx.1 to network 0.0.0.0

C    64.xx.xx.0 255.255.255.0 is directly connected, outside

S    10.10.0.0 255.255.128.0 [1/0] via 10.10.250.12, transit

C    10.10.184.0 255.255.255.0 is directly connected, dmz184

C    10.10.190.0 255.255.255.0 is directly connected, dmz190

S*   0.0.0.0 0.0.0.0 [1/0] via 64.xx.xx.1, outside

ASA1# 

Full failed packet-tracer output:

ASA1#   packet-tracer input dmz190 icmp 10.10.190.155 8 8 10.10.184.$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0

nat-control

  match ip transit 10.10.184.0 255.255.255.0 dmz190 any

    static translation to 10.10.184.0

    translate_hits = 0, untranslate_hits = 153

Additional Information:

NAT divert to egress interface transit

Untranslate 10.10.184.0/0 to 10.10.184.0/0 using netmask 255.255.255.0

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group dmz190_out in interface dmz190

access-list dmz190_out extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0

nat-control

  match ip dmz190 10.10.190.0 255.255.255.0 dmz184 any

    static translation to 10.10.190.0

    translate_hits = 0, untranslate_hits = 2

Additional Information:

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0

nat-control

  match ip transit 10.10.184.0 255.255.255.0 dmz190 any

    static translation to 10.10.184.0

    translate_hits = 0, untranslate_hits = 153

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 3374152, packet dispatched to next module

Result:

input-interface: dmz190

input-status: up

input-line-status: up

output-interface: transit

output-status: up

output-line-status: up

Action: drop

Drop-reason: (no-adjacency) No valid adjacency

ASA1#  

I hope this helps,

Marc
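The trace above is the whole diagnosis if you know where to look: the phase that prints "NAT divert to egress interface" is the one that overrode the routing table, and the first Config line it quotes is the rule responsible. The following parser is an added example, not code from the thread; it walks packet-tracer output, pulls out the phase that chose the egress interface, and pairs it with the final Action and Drop-reason. The sample trace is constructed from the failed trace posted above, trimmed to the phases that matter.

```python
"""
Added example (not from the original thread): parse ASA packet-tracer
output and report which phase selected the egress interface, and why.
The sample trace is constructed from the failed trace in the post above.
"""
import re

PACKET_TRACER = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
nat-control
  match ip transit 10.10.184.0 255.255.255.0 dmz190 any
    static translation to 10.10.184.0
    translate_hits = 0, untranslate_hits = 153
Additional Information:
NAT divert to egress interface transit
Untranslate 10.10.184.0/0 to 10.10.184.0/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz190_out in interface dmz190
access-list dmz190_out extended permit ip any any
Additional Information:

Result:
input-interface: dmz190
output-interface: transit
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
"""

DIVERT_RE = re.compile(r"NAT divert to egress interface (\S+)")


def parse_phases(text):
    """Split packet-tracer output into a list of phase dicts plus the final Result block."""
    phases, result = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":                  # bare 'Result:' opens the summary block
            current, section = None, "result"
        elif section == "result":
            if ":" in line:
                key, value = line.split(":", 1)
                result[key.strip()] = value.strip()
        elif current is None or not line:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            current[section].append(line.strip())
    return phases, result


def explain_egress(text):
    """Report the final egress/action and, if a NAT phase diverted egress,
    which phase did it and the rule (first Config line) that caused it."""
    phases, result = parse_phases(text)
    report = {
        "egress": result.get("output-interface"),
        "action": result.get("Action"),
        "drop_reason": result.get("Drop-reason"),
        "divert_phase": None,
        "divert_interface": None,
        "rule": None,
    }
    for p in phases:
        for info in p["info"]:
            m = DIVERT_RE.search(info)
            if m:
                report["divert_phase"] = p["phase"]
                report["divert_interface"] = m.group(1)
                report["rule"] = p["config"][0] if p["config"] else None
                return report
    return report


if __name__ == "__main__":
    r = explain_egress(PACKET_TRACER)
    if r["divert_phase"] is not None:
        print(f"Phase {r['divert_phase']} diverted egress to {r['divert_interface']} via: {r['rule']}")
    print(f"final egress={r['egress']} action={r['action']} reason={r['drop_reason']}")
```

Run it against a pasted trace and the output names the rule to go look at; in this thread it points straight at the static (transit,dmz190) line. The parser keys only on the literal phase headers and the "NAT divert" text that 8.0 prints, so it is a reading aid, not a substitute for checking the rule against sh route.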

Re: ASA 5510 Inter-DMZ NAT and connectivity issue

Hi,

The following configuration line in the "packet-tracer" output seems a bit off:

static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0

What's the purpose of this command? It seems it's a NAT command for a network that has nothing to do with either of the interfaces in the configuration?

And as you can see at the very end of the "packet-tracer" output, the output interface is way off. The same as in the configuration above.

It seems like the test traffic incoming from the dmz190 interface gets sent through the transit interface because there's a NAT configuration in place from transit to the dmz190 interface.

- Jouni
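Jouni's observation generalises to a check you can run over any pre-8.3 ASA config: a static whose real-side network the routing table reaches through a different interface than the static names will make UN-NAT divert flows to the wrong egress interface. The script below is an added example, not code from the thread. It parses sh route and the static lines, does a longest-prefix lookup for each static's real network, and flags the mismatch. The inputs are constructed: 192.0.2.0/24 stands in for the masked 64.xx.xx.0/24 outside network, and since the full show run static was never posted, the three static lines are assumed from the two in the question plus the stray one seen in packet-tracer.

```python
"""
Added example (not from the original thread): audit pre-8.3 ASA 'static'
entries against the routing table and flag any whose real-side network is
reached through a different interface than the one the static names.
That is the stray entry Jouni spotted: static (transit,dmz190) claims
10.10.184.0/24 sits behind 'transit', while sh route has it on dmz184.
"""
import ipaddress
import re

# Constructed from the sh route output posted above; 192.0.2.0/24 stands
# in for the masked 64.xx.xx.0/24 outside network.
SHOW_ROUTE = """\
Gateway of last resort is 192.0.2.1 to network 0.0.0.0

C    192.0.2.0 255.255.255.0 is directly connected, outside
S    10.10.0.0 255.255.128.0 [1/0] via 10.10.250.12, transit
C    10.10.184.0 255.255.255.0 is directly connected, dmz184
C    10.10.190.0 255.255.255.0 is directly connected, dmz190
S*   0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, outside
"""

# Assumed show run static (the full one was never posted): the two statics
# from the question plus the stray line seen in the packet-tracer output.
SHOW_RUN_STATIC = """\
static (dmz184,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0
static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ROUTE_RE = re.compile(rf"^[A-Z]\*?\s+(?P<net>{IP})\s+(?P<mask>{IP})\s.*,\s*(?P<intf>\S+)\s*$")
# pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask m]
STATIC_RE = re.compile(
    rf"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    rf"(?P<mapped>{IP})\s+(?P<real>{IP})(?:\s+netmask\s+(?P<mask>{IP}))?"
)


def parse_routes(text):
    """Return [(IPv4Network, interface), ...] from sh route output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((net, m["intf"]))
    return routes


def egress_interface(routes, address):
    """Longest-prefix match: the interface the ASA would route 'address' out of."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for net, intf in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best[1] if best else None


def parse_statics(text):
    """Return one dict per static line: interfaces, real and mapped networks."""
    statics = []
    for line in text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            mask = m["mask"] or "255.255.255.255"   # host static when netmask is omitted
            statics.append({
                "line": line.strip(),
                "real_if": m["real_if"].strip(),
                "mapped_if": m["mapped_if"].strip(),
                "real_net": ipaddress.IPv4Network(f"{m['real']}/{mask}", strict=False),
                "mapped_net": ipaddress.IPv4Network(f"{m['mapped']}/{mask}", strict=False),
            })
    return statics


def find_mishomed_statics(route_text, static_text):
    """Return (static line, claimed real interface, routed interface) for every
    static whose real-side network the routing table reaches via another
    interface; such a static makes UN-NAT divert flows to the claimed one."""
    routes = parse_routes(route_text)
    findings = []
    for s in parse_statics(static_text):
        routed_if = egress_interface(routes, str(s["real_net"].network_address))
        if routed_if is not None and routed_if != s["real_if"]:
            findings.append((s["line"], s["real_if"], routed_if))
    return findings


if __name__ == "__main__":
    for line, claimed, routed in find_mishomed_statics(SHOW_ROUTE, SHOW_RUN_STATIC):
        print(f"MISHOMED: {line}\n  real side claimed on '{claimed}', routed via '{routed}'")
```

On the constructed input only the (transit,dmz190) line is reported. The same check is worth running after any interface rename or VLAN move on a pre-8.3 box, since a static that names a stale interface is accepted silently by the parser and only shows up as a no-adjacency drop in packet-tracer.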

Re: ASA 5510 Inter-DMZ NAT and connectivity issue

You caught it, Jouni!

I was confident that the issue was simply a typo in my configuration and you caught it...

Once I removed that incorrect command and performed a 'clear xlate' on the ASA, I immediately began moving pings between the DMZ190 and DMZ184 hosts, as well as from internal networks to the DMZ184.

Thanks to both you and Julio for your time,

Marc

Re: ASA 5510 Inter-DMZ NAT and connectivity issue

Hello,

As Jouni said.

This is not properly configured; you have some problems with the NAT...

Please provide the show run static.

Also, do remove this for now:

(transit,dmz190) 10.10.184.0 10.10.184.0

And then do a packet-tracer and provide us the output!

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com