ASA 5510 Inter-DMZ NAT and connectivity issue

drumrb0y
Level 1

I have an ASA 5510 with sub-interfaces configured for multiple VLANs traversing a trunk on Interface 0/2; these interfaces are all DMZs - they all must reach a fellow DMZ VLAN that contains a domain controller:

interface Ethernet0/2.184
 description VLAN-184-DMZdomaincontroller
 vlan 184
 nameif dmz184
 security-level 49
 ip address 10.10.184.1 255.255.255.0

The VLAN 190 represents a typical DMZ sub-interface; note that the security level is not the same, so that communication is allowed:

interface Ethernet0/2.190
 description VLAN-190
 vlan 190
 nameif dmz190
 security-level 50
 ip address 10.10.190.1 255.255.255.0

Since all the DMZ VLANs are connected networks, no explicit routes are necessary; access-lists are currently wide-open for troubleshooting:

access-list dmz184_out extended permit ip any any
access-list dmz190_out extended permit ip any any
access-group dmz184_out in interface dmz184
access-group dmz190_out in interface dmz190

Both DMZs have Internet access:

nat (dmz184) 1 10.10.184.0 255.255.255.0
nat (dmz190) 1 10.10.190.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

Both DMZs have a static NAT to each other:

static (dmz184,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0

Problem: Packet tracer shows different results for flow sourced from each VLAN and I cannot ping from a host in VLAN 190 to a host in VLAN 184:

OK - packet-tracer input dmz184 icmp 10.10.184.100 8 8 10.10.190.155

Result:
input-interface: dmz184
input-status: up
input-line-status: up
output-interface: dmz190
output-status: up
output-line-status: up
Action: allow

NOT OK - packet-tracer input dmz190 icmp 10.10.190.155 8 8 10.10.184.100

Result:
input-interface: dmz190
input-status: up
input-line-status: up
output-interface: transit
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency

I don't have access to the VLAN 184 host and can only ping one-way. I'm running version 8.0(5).

Suggestions? Troubleshooting ideas?

Thanks in advance,

Marc


5 Replies

Julio Carvajal
VIP Alumni

Hello,

From the ASA are you able to ping both hosts?

Can you provide the full packet tracer output for the failed one?

Also I would like to see a sh route from the ASA

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio;

Yes, I can ping hosts in both VLANs from the ASA; partial 'sh route' output is:

Gateway of last resort is 64.xx.xx.1 to network 0.0.0.0

C    64.xx.xx.0 255.255.255.0 is directly connected, outside
S    10.10.0.0 255.255.128.0 [1/0] via 10.10.250.12, transit
C    10.10.184.0 255.255.255.0 is directly connected, dmz184
C    10.10.190.0 255.255.255.0 is directly connected, dmz190
S*   0.0.0.0 0.0.0.0 [1/0] via 64.xx.xx.1, outside
ASA1#

Full failed packet-tracer output:

ASA1#   packet-tracer input dmz190 icmp 10.10.190.155 8 8 10.10.184.$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
nat-control
  match ip transit 10.10.184.0 255.255.255.0 dmz190 any
    static translation to 10.10.184.0
    translate_hits = 0, untranslate_hits = 153
Additional Information:
NAT divert to egress interface transit
Untranslate 10.10.184.0/0 to 10.10.184.0/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz190_out in interface dmz190
access-list dmz190_out extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0
nat-control
  match ip dmz190 10.10.190.0 255.255.255.0 dmz184 any
    static translation to 10.10.190.0
    translate_hits = 0, untranslate_hits = 2
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
nat-control
  match ip transit 10.10.184.0 255.255.255.0 dmz190 any
    static translation to 10.10.184.0
    translate_hits = 0, untranslate_hits = 153
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3374152, packet dispatched to next module

Result:
input-interface: dmz190
input-status: up
input-line-status: up
output-interface: transit
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
ASA1#

I hope this helps,

Marc

Hi,

The following configuration line in the "packet-tracer" output seems a bit off:

static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0

What's the purpose of this command? It seems it's a NAT command for a network that has nothing to do with either of the interfaces in the configuration?

And as you can see at the very end of the "packet-tracer" output, the output interface is way off. The same as in the configuration above.

It seems like the test traffic incoming from the dmz190 interface gets sent through the transit interface because there's a NAT configuration in place from the transit to the dmz190 interface.

- Jouni

You caught it, Jouni!

I was confident that the issue was simply a typo in my configuration and you caught it...

Once I removed that incorrect command and performed a 'clear xlate' on the ASA, I immediately began moving pings between the DMZ190 and DMZ184 hosts, as well as from internal networks to the DMZ184.

Thanks to both you and Julio for your time,

Marc
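As an added example (not part of any post in this thread, and not a Cisco tool), here is a small Python audit that does mechanically what Jouni did by eye. On ASA 8.0 through 8.2, when a packet's destination matches the mapped address of a "static (real_ifc,mapped_ifc) mapped_ip real_ip" entry, the firewall un-NATs it and diverts it out real_ifc regardless of the routing table; the "NAT divert to egress interface transit" line in Phase 2 above is exactly that. The script parses "show route" and the static entries, resolves each static's real network through longest-prefix match, and flags any static whose real interface is not the one the route table would actually use. The route and static text are the ones posted in the thread; the redacted 64.xx.xx.x addresses are replaced with the constructed TEST-NET prefix 192.0.2.0/24 so the lines parse.

```python
"""Audit pre-8.3 ASA 'static' NAT entries against the routing table.

Added example, not from the original thread. For each static entry the
real network is looked up in the route table; if the longest-prefix route
points out a different interface than the static's real interface, the
static will divert matching traffic to an interface with no adjacency for
that network, which is the 'no-adjacency' drop seen in the thread.
"""
import ipaddress
import re

# 'show route' output as posted; 64.xx.xx.x is redacted on the page and is
# replaced here with the constructed TEST-NET prefix 192.0.2.0/24.
ROUTE_TEXT = """\
Gateway of last resort is 192.0.2.1 to network 0.0.0.0

C    192.0.2.0 255.255.255.0 is directly connected, outside
S    10.10.0.0 255.255.128.0 [1/0] via 10.10.250.12, transit
C    10.10.184.0 255.255.255.0 is directly connected, dmz184
C    10.10.190.0 255.255.255.0 is directly connected, dmz190
S*   0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, outside
"""

# The two intended identity statics plus the stray one the thread identified.
STATIC_TEXT = """\
static (dmz184,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0
static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0
"""

# "<code> <network> <mask> ... , <interface>" -- the interface is always the
# last token after the final comma in ASA 8.x 'show route' lines.
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r".*,\s*(?P<ifc>\S+)\s*$"
)
# static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)(?:\s+netmask\s+(?P<mask>\S+))?"
)


def parse_routes(text):
    """Return a list of (IPv4Network, interface) from 'show route' text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((net, m["ifc"]))
    return routes


def egress_interface(routes, address):
    """Longest-prefix match: which interface the route table would use."""
    addr = ipaddress.ip_address(address) if isinstance(address, str) else address
    best = None
    for net, ifc in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def audit_statics(route_text, config_text):
    """Flag statics whose real interface disagrees with the route table."""
    routes = parse_routes(route_text)
    findings = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mask = m["mask"] or "255.255.255.255"  # host static when no netmask
        real_net = ipaddress.ip_network(f"{m['real']}/{mask}", strict=False)
        routed_via = egress_interface(routes, real_net.network_address)
        if routed_via != m["real_ifc"]:
            findings.append({
                "static": line.strip(),
                "real_ifc": m["real_ifc"],
                "real_net": str(real_net),
                "routed_via": routed_via,
            })
    return findings


if __name__ == "__main__":
    for f in audit_statics(ROUTE_TEXT, STATIC_TEXT):
        print(f"SUSPECT: {f['static']}")
        print(f"  {f['real_net']} is routed via {f['routed_via']}, "
              f"but the static diverts it out {f['real_ifc']}")
```

Run against the thread's data this reports only the stray "static (transit,dmz190)" entry: 10.10.184.0/24 is directly connected on dmz184, so diverting it out transit can never find an adjacency. The same check is useful after any NAT cleanup on these releases, since a stale static silently overrides routing for every flow whose destination matches its mapped address.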

Hello,

As Jouni said.

This is not properly configured, you have some problems with the nat...

Please provide the show run static.

Also do remove this for now:

(transit,dmz190) 10.10.184.0 10.10.184.0

And then do a packet tracer and provide us the output!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC