
Cisco asa 5508-x 9.6(2)23 DMZ to internet

swits0181
Level 1

I have a 5508-x running a remote office with servers in a DMZ, a guest network, and a site-to-site VPN back to our headquarters. I'm running into a problem where the DMZ servers cannot access the internet. The servers are operating normally otherwise. Both inside and public traffic can access the DMZ servers as allowed by ACLs. If the DMZ servers try to initiate a connection it seems to go nowhere. I think a NAT rule may be the cause, but I'm not sure. Here is my NAT config.


nat (inside,outside) source static INS-main INS-main destination static OBJ-ASA OBJ-ASA no-proxy-arp route-lookup //IPSEC
nat (inside,DMZ) source static any any destination static DMZ-Host-Sales DMZ-Host-Sales-int no-proxy-arp  //--|
nat (inside,DMZ) source static any any destination static DMZ-Host-img DMZ-Host-img-int no-proxy-arp      //--|--> inside access to DMZ
nat (inside,DMZ) source static any any destination static DMZ-Host-Shops DMZ-Host-Shops-int no-proxy-arp  //--|
!
object network obj_any
 nat (any,outside) dynamic interface
object network DMZ-Host-Sales-int
 nat (DMZ,outside) static DMZ-Host-Sales
object network DMZ-Host-img-int
 nat (DMZ,outside) static DMZ-Host-img
object network DMZ-subnet
 nat (DMZ,outside) dynamic interface
object network DMZ-Host-Shops-int
 nat (DMZ,outside) static DMZ-Host-Shops
!
nat (DMZ,outside) after-auto source dynamic any interface

I don't think that last NAT rule is necessary; I would have thought the (any,outside) rule would have covered the DMZ as well.


Here are my ACLs:


access-list CRYPTO-MAP-1 extended permit ip object INS-main object OBJ-ASA 
access-list inbound extended permit tcp any object DMZ-Host-Sales eq www 
access-list inbound extended permit tcp any object DMZ-Host-Sales eq https 
access-list inbound extended permit tcp any object DMZ-Host-Sales-int eq www 
access-list inbound extended permit tcp any object DMZ-Host-Sales-int eq https  
access-list inbound extended permit tcp any object DMZ-Host-Sales eq ssh 
access-list inbound extended permit tcp any object DMZ-Host-Sales-int eq ssh 
access-list inbound extended permit tcp any object DMZ-Host-img eq www 
access-list inbound extended permit tcp any object DMZ-Host-img eq https 
access-list inbound extended permit tcp any object DMZ-Host-img eq ssh 
access-list inbound extended permit tcp any object DMZ-Host-img-int eq www 
access-list inbound extended permit tcp any object DMZ-Host-img-int eq https 
access-list inbound extended permit tcp any object DMZ-Host-img-int eq ssh 
access-list inbound extended permit tcp any object DMZ-Host-Sales eq ftp 
access-list inbound extended permit tcp any object DMZ-Host-Sales-int eq ftp 
access-list inbound extended permit tcp any object DMZ-Host-Shops eq www 
access-list inbound extended permit tcp any object DMZ-Host-Shops eq https 
access-list inbound extended permit tcp any object DMZ-Host-Shops eq ssh  
access-list inbound extended permit tcp any object DMZ-Host-Shops-int eq www 
access-list inbound extended permit tcp any object DMZ-Host-Shops-int eq https 
access-list inbound extended permit tcp any object DMZ-Host-Shops-int eq ssh    
access-list snmp extended permit udp any eq snmptrap any 
access-list snmp extended permit udp any any eq snmp 
access-list dmz_access_in extended permit ip any any 
access-list dmz_access_in extended deny ip any any

I ran a packet-tracer with an input of a DMZ server to 8.8.8.8 and it passed, but it did land on the inside port, which I don't think is correct. Any info would be greatly appreciated.


Thanks,

Jeremy

2 Replies

swits0181
Level 1

Here is a copy of a packet trace to 8.8.8.8 that passes in the ASA but doesn't actually work from that server in the DMZ.


ciscoasa# packet-tracer input DMZ tcp 10.11.2.10 1234 8.8.8.8 www   

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,DMZ) source static any any destination static DMZ-Host-Sales DMZ-Host-Sales-int no-proxy-arp
Additional Information:
NAT divert to egress interface inside
Untranslate 8.8.8.8/80 to 8.8.8.8/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface DMZ
access-list dmz_access_in extended permit ip any any 
Additional Information:

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,DMZ) source static any any destination static DMZ-Host-Sales DMZ-Host-Sales-int no-proxy-arp
Additional Information:
Static translate 10.11.2.10/1234 to 123.123.100.100/1234

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,DMZ) source static any any destination static DMZ-Host-Sales DMZ-Host-Sales-int no-proxy-arp
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 16275065, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Hello Swits,


From the packet-tracer output that you attached, it seems the traffic is being sent to the inside interface and matching the following NAT statement:


nat (inside,DMZ) source static any any destination static DMZ-Host-Sales DMZ-Host-Sales-int no-proxy-arp  //--|

You should be more specific and careful with the any any statement, since it is wide open, and because the NAT rule in place is in the first section it works as a first match. I would suggest changing the any any to the network address that needs to reach the dmz-host-sales servers.


If you want to actually confirm that the traffic is being redirected to the inside you can place packet captures like the following:


 capture dmz interface dmz trace match tcp host 10.11.2.10 any eq 80

 capture in  interface inside trace match tcp host 10.11.2.10 any eq 80


Then generate traffic from the 10.11.2.10 server: open a web browser and try to open a web page. After you do that, go to the ASA and run the show cap command (show cap dmz and show cap in); you should see the traffic entering the dmz interface and leaving the inside interface.


Regards,
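To make the reply's point concrete (and to answer the original question of whether the (any,outside) rule already covers the DMZ), here is an added example that is not part of this thread and not Cisco code: a small Python model of how an ASA walks its NAT table, section 1 (manual NAT, in config order), section 2 (object NAT), section 3 (after-auto manual NAT), applied to the Sales rules posted above. It reproduces the packet-tracer result (the (inside,DMZ) rule matched backwards, source translated to 123.123.100.100, egress inside) and shows the flow falling through to the (DMZ,outside) object NAT once the any any source is narrowed to the inside network. The values for INS-main, DMZ-subnet, interface addresses and the routing table are constructed assumptions, and section 2 ordering is simplified to static-before-dynamic, longest prefix first.

```python
"""Toy model of how an ASA walks its NAT table: section 1 (manual NAT), section 2
(object NAT, static before dynamic, more specific first), section 3 (after-auto).
Added example, not the thread's or Cisco's code; every address except 10.11.2.10
and 123.123.100.100 is a constructed assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
OBJ = {  # object network definitions; INS-main and DMZ-subnet values are assumptions
    "any": ANY,
    "INS-main": ip_network("10.11.1.0/24"),
    "DMZ-subnet": ip_network("10.11.2.0/24"),
    "DMZ-Host-Sales": ip_network("123.123.100.100/32"),
    "DMZ-Host-Sales-int": ip_network("10.11.2.10/32"),
}
IF_ADDR = {"inside": ip_address("10.11.1.1"), "DMZ": ip_address("10.11.2.1"),
           "outside": ip_address("203.0.113.2")}  # constructed interface addresses
ROUTES = [(OBJ["INS-main"], "inside"), (OBJ["DMZ-subnet"], "DMZ"), (ANY, "outside")]

def route(dst: IPv4Address) -> str:
    """Longest-prefix route lookup; decides egress when the NAT rule does not."""
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)[1]

def xlate(addr, real, mapped):
    """Static one-to-one translation; 'any' and unequal prefix lengths are identity."""
    if real == ANY or mapped == ANY or real.prefixlen != mapped.prefixlen:
        return addr
    return mapped.network_address + (int(addr) - int(real.network_address))

@dataclass
class Manual:  # nat (real_if,mapped_if) source static S S' [destination static D' D]
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str                   # "interface" = dynamic PAT to the egress address
    dst_mapped: Optional[str] = None  # CLI order: mapped destination first, then real
    dst_real: Optional[str] = None
    after_auto: bool = False

@dataclass
class Obj:  # object network X / nat (real_if,mapped_if) {static Y | dynamic interface}
    real_if: str
    mapped_if: str
    obj: str
    kind: str                         # "static" or "dynamic"
    mapped: str = "interface"

def _if_ok(want, have):
    return want == "any" or want == have

def _manual(r, ingress, src, dst):
    S = OBJ[r.src_real]
    S2 = OBJ[r.src_mapped] if r.src_mapped != "interface" else None
    if r.dst_mapped is None:          # no destination clause: egress comes from routing
        if _if_ok(r.real_if, ingress) and src in S and _if_ok(r.mapped_if, route(dst)):
            return (IF_ADDR[route(dst)] if S2 is None else xlate(src, S, S2)), dst, route(dst)
        return None
    D2, D = OBJ[r.dst_mapped], OBJ[r.dst_real]
    # forward direction, real_if -> mapped_if (inside hosts reaching the DMZ server)
    if _if_ok(r.real_if, ingress) and src in S and dst in D2:
        return xlate(src, S, S2), xlate(dst, D2, D), r.mapped_if
    # reverse direction: the same rule is consulted backwards; with a source of "any"
    # it matches every flow the DMZ server starts and diverts it to real_if
    if _if_ok(r.mapped_if, ingress) and src in D and dst in S2:
        return xlate(src, D, D2), xlate(dst, S2, S), r.real_if
    return None

def _object(r, ingress, src, dst):
    net = OBJ[r.obj]
    if _if_ok(r.real_if, ingress) and src in net and _if_ok(r.mapped_if, route(dst)):
        new_src = IF_ADDR[route(dst)] if r.kind == "dynamic" else xlate(src, net, OBJ[r.mapped])
        return new_src, dst, route(dst)
    return None

def evaluate(rules, ingress, src, dst):
    """First match across the three sections -> (section, rule, src', dst', egress)."""
    src, dst = ip_address(src), ip_address(dst)
    s1 = [r for r in rules if isinstance(r, Manual) and not r.after_auto]
    s3 = [r for r in rules if isinstance(r, Manual) and r.after_auto]
    s2 = sorted((r for r in rules if isinstance(r, Obj)),   # simplified section 2 order
                key=lambda r: (r.kind != "static", -OBJ[r.obj].prefixlen))
    for section, group, match in ((1, s1, _manual), (2, s2, _object), (3, s3, _manual)):
        for r in group:
            hit = match(r, ingress, src, dst)
            if hit:
                return section, r, str(hit[0]), str(hit[1]), hit[2]
    return 0, None, str(src), str(dst), route(dst)

def config(sales_src="any"):
    """The thread's rules for the Sales host; sales_src='INS-main' is the narrowing
    the reply suggests in place of 'any any'."""
    return [
        Manual("inside", "DMZ", sales_src, sales_src, "DMZ-Host-Sales", "DMZ-Host-Sales-int"),
        Obj("any", "outside", "any", "dynamic"),                        # obj_any
        Obj("DMZ", "outside", "DMZ-Host-Sales-int", "static", "DMZ-Host-Sales"),
        Obj("DMZ", "outside", "DMZ-subnet", "dynamic"),
        Manual("DMZ", "outside", "any", "interface", after_auto=True), # after-auto rule
    ]

if __name__ == "__main__":
    for label, cfg in (("as posted", config()), ("narrowed", config("INS-main"))):
        print(label, evaluate(cfg, "DMZ", "10.11.2.10", "8.8.8.8")[2:])
```

Running it prints the as-posted case as section 1 with egress inside and the narrowed case as section 2 with egress outside, the same first-match behaviour the packet-tracer showed. The model also shows why the last after-auto rule is never reached for a DMZ host such as a constructed 10.11.2.20: both obj_any (any,outside) and DMZ-subnet (DMZ,outside) cover it in section 2, and the more specific DMZ-subnet object wins, so the original poster's expectation about (any,outside) was right; the diversion came from the section 1 twice-NAT rule, not from a gap in section 2.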
