Cisco Support Community

New Member

ASA inside to dmz access

Hello

Could someone give me a hand with INSIDE access to the DMZ interface? I've set this up in the past, and am unsure of the problem I am running into. I think that when a host accesses a server on the DMZ, instead of a session being set up, the outbound response is being NAT'd and sent out the outside interface. Attached is the running config, and also below is a trace.

Also, through debug icmp trace, I see an echo request when pinging the 172.16.0.1 DMZ interface from a host on the 172.16.72.0 INSIDE interface, but not a reply.


ASA# packet-tracer input inside icmp 172.16.72.7 1 1 172.16.0.1

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.1      255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4     
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 172.16.72.0 172.16.72.0 netmask 255.255.255.0
  match ip inside 172.16.72.0 255.255.255.0 dmz any
    static translation to 172.16.72.0
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 889825065, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity
adjacency Active
next-hop mac address 0000.0000.0000 hits 26434041

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
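A practitioner reading a trace like the one above usually wants three things pulled out of it: the first phase that drops the packet (none here), the NAT rule that matched, and where the packet actually egresses. The last point matters for this thread: the summary says output-interface "NP Identity Ifc" and the route lookup says "egress ifc identity", which means the destination 172.16.0.1 is one of the firewall's own addresses (the DMZ interface IP), so the tracer shows the packet being consumed by the ASA rather than forwarded onto the DMZ segment. Tracing to a host address on the DMZ is the test that exercises the inside-to-DMZ path. The parser below is an added example, not code from the original post or from Cisco; it reads packet-tracer output as plain text and embeds two constructed samples (a trimmed copy of the trace above, and a made-up ACL drop) so it runs offline. Everything about the phase layout it relies on is visible in the trace itself.

```python
"""Parse Cisco ASA packet-tracer output into structured phases (added example)."""
from dataclasses import dataclass, field

# Constructed sample: trimmed copy of the trace in the post above (phases 1, 8, 10
# and the closing Result block), kept verbatim so the parser runs offline.
SAMPLE_TRACE = """\
ASA# packet-tracer input inside icmp 172.16.72.7 1 1 172.16.0.1

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 172.16.72.0 172.16.72.0 netmask 255.255.255.0
  match ip inside 172.16.72.0 255.255.255.0 dmz any
    static translation to 172.16.72.0
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity
adjacency Active
next-hop mac address 0000.0000.0000 hits 26434041

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample (not from the page): a trace where an access-list denies the flow.
DROP_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group dmz_in in interface dmz
access-list dmz_in extended deny ip any any
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    summary: dict   # key/value pairs from the closing "Result:" block


def parse_packet_tracer(text):
    """Split packet-tracer output into numbered phases plus the final summary block."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
            continue
        if line == "Result:":            # bare "Result:" opens the summary block
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:              # prompt line or other preamble
            continue
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line.strip())
        elif section == "info":
            current.info.append(line.strip())
    return Trace(phases, summary)


def first_drop(trace):
    """The first phase whose result is DROP, or None when the packet is allowed."""
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)


def matched_nat_rules(trace):
    """The NAT statements the tracer matched (first Config line of each NAT phase)."""
    return [p.config[0] for p in trace.phases if p.type == "NAT" and p.config]


def terminates_on_asa(trace):
    """True when egress is the identity interface: the destination is the ASA itself."""
    return trace.summary.get("output-interface", "").lower().startswith("np identity")


if __name__ == "__main__":
    t = parse_packet_tracer(SAMPLE_TRACE)
    print("phases:", [p.number for p in t.phases], "action:", t.summary["Action"])
    print("nat:", matched_nat_rules(t), "to-ASA:", terminates_on_asa(t))
```

Run it against a full trace pasted from the console; `first_drop` tells you which phase (ACCESS-LIST, NAT, ROUTE-LOOKUP, ...) stopped the packet, and `terminates_on_asa` catches the case in this thread where the trace is answered by the firewall's own interface rather than forwarded.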

4 REPLIES
New Member

Re: ASA inside to dmz access

attachment

Cisco Employee

Re: ASA inside to dmz access

For ping to work, please configure the following:

policy-map global_policy
class inspection_default

     inspect icmp

Hope it helps.

New Member

Re: ASA inside to dmz access

I don't see nat-control enabled within your config, but it seems like you're still trying to use NAT. I'm guessing you may either need to add nat-control, or get rid of the identity NAT statements. I'm not an "expert" though... Good luck.

New Member

Re: ASA inside to dmz access

Hey guys

Thanks for the input.. I think the config is working out ok, the customer might have given me the wrong IP address to test with.. I'll post back once confirmed, thanks again.

386 Views, 0 Helpful, 4 Replies