Packet Tracer (Implicit Deny) issue

Kemal Zuko
Level 1

Hello,

I am trying to do a simple packet-tracer on my ASA and this is what I am getting:

ASA#       packet-tracer input DMZ tcp 10.250.0.5 2234 10.250.0.6 22 xml

<Phase>
<id>1</id>
<type>ROUTE-LOOKUP</type>
<subtype>input</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
in   10.250.0.4      255.255.255.252 DMZ
</extra>
</Phase>

<Phase>
<id>2</id>
<type>ACCESS-LIST</type>
<subtype></subtype>
<result>DROP</result>
<config>
Implicit Rule
</config>
<extra>
</extra>
</Phase>

<result>     
<input-interface>DMZ</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>DMZ</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
ASA#

The 10.250.0.6 device is a router directly connected to the DMZ interface 10.250.0.5.

However, I am getting the reason for the dropped packet as (Implicit Rule), which I can see is only on the global interface.

I am permitting ip any any on that same interface as well.

How can I make this work?

The reason for this is that I need my ASA to authenticate with a TACACS server which is behind the 10.250.0.6 router.
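Added here as an illustration, not code from the original post: a small Python parser for the ASA packet-tracer XML output format shown above. It reports the first phase whose result is DROP together with its config line (here "Implicit Rule") and the final drop reason, which is handy when running packet-tracer over many flows. The sample trace is constructed to mirror the one in the post.

```python
"""Summarise Cisco ASA packet-tracer XML output: find the phase that dropped the flow."""
import xml.etree.ElementTree as ET
# Constructed sample (not real device output), modelled on the trace in the post above.
SAMPLE = """
<Phase>
<id>1</id>
<type>ROUTE-LOOKUP</type>
<subtype>input</subtype>
<result>ALLOW</result>
<config>
</config>
</Phase>
<Phase>
<id>2</id>
<type>ACCESS-LIST</type>
<subtype></subtype>
<result>DROP</result>
<config>
Implicit Rule
</config>
</Phase>
<result>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
"""
FIELDS = ("id", "type", "subtype", "result", "config", "extra")

def _text(elem, tag):
    # Stripped text of a child element, or "" when the child is absent or empty.
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""

def parse_phases(xml_text):
    # The ASA prints a bare sequence of elements, so wrap them in one root before parsing.
    root = ET.fromstring("<trace>" + xml_text + "</trace>")
    phases = [{k: _text(p, k) for k in FIELDS} for p in root.findall("Phase")]
    final = root.find("result")  # the trailing <result> block, not a per-phase result
    verdict = {} if final is None else {"action": _text(final, "action"),
                                        "drop_reason": _text(final, "drop-reason")}
    return phases, verdict

def first_drop(xml_text):
    """Return the first DROP phase with the final drop reason attached, or None if allowed."""
    phases, verdict = parse_phases(xml_text)
    for phase in phases:
        if phase["result"] == "DROP":
            return {**phase, "drop_reason": verdict.get("drop_reason", "")}
    return None
```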


Kemal Zuko
Level 1

Yeah, I am not sure how it can't see the host but knows about it in the routing table.

Packet tracer result

BIHASA# packet-tracer input DMZ udp 10.250.0.5 49 10.250.100.142 49 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x5774bbf0, priority=1, domain=permit, deny=false
        hits=39266356, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=DMZ, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.250.100.142  255.255.255.255 DMZ

Phase: 3
Type: ACCESS-LIST
Subtype:     
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x5775fdc0, priority=500, domain=permit, deny=true
        hits=4, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.250.0.5, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Can you try this one too?

packet-tracer input DMZ udp 10.250.0.1 49 10.250.100.142 49 detail

BIHASA# packet-tracer input DMZ udp 10.250.0.1 49 10.250.100.142 49 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.250.100.142  255.255.255.255 DMZ

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x5774dd08, priority=111, domain=permit, deny=true
        hits=1, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=DMZ, output_ifc=DMZ

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks. I'm curious about the next hop. Can you try:

traceroute 10.250.100.142

Yeah, it doesn't go anywhere.

BIHASA# traceroute 10.250.100.142

Type escape sequence to abort.
Tracing the route to 10.250.100.142

1   *  *  *
2   *  *  *
3   *  *

What do you think about this... I have an extra PC that I can set up the TACACS server on and connect directly to Gi0/2 on something like a 10.250.101.0/30, but I am not sure if this would help us in this case?

It's just strange that TACACS can't be ping'd, yet traffic through the ASA is good.

What type of device is 10.250.0.6? Do you have access to it?

.6 is a cisco 1800 series router

Yes I have access to it

sh run

logging buffered 1000000 informational
logging reload debugging
logging rate-limit console 5
no logging console
enable secret 5 $1$tcXv$wtK8ERTYUIO_)(*&%^&*(DovQnfMYwcuCQ0LjX1
!
aaa new-model
!
!
aaa group server tacacs+ BiHTac
 server 10.250.100.142
!
aaa authentication login BiHTac group BiHTac local
aaa authentication enable default group BiHTac enable
aaa authorization commands 15 BiHTac group BiHTac if-authenticated
aaa accounting exec BiHTac
 action-type start-stop
 group BiHTac
!
!
!
!
!
!
aaa session-id common
!
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
!
key chain BIHAUTH
 key 99
  key-string 7 1435411234567890--09876543456789257471
!
!
!
!
license udi pid CISCO1841 sn FTX0945W22J
username b privilahege 15 secret 5 $1$Q3#$%^&*()_WdJz9HD.
!
redundancy
!
!
interface FastEthernet0/0
 description LAN_Network
 no ip address
 duplex auto
 speed auto
!
!
interface FastEthernet0/0.99
 description DMZ_LAN
 encapsulation dot1Q 99 native
 ip address 10.250.100.129 255.255.255.128
 ip helper-address 10.250.100.140
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 description EIGRP Transit to ASA
 ip address 10.250.0.6 255.255.255.252
 ip authentication mode eigrp 99 md5
 ip authentication key-chain eigrp 99 BIHAUTH
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
!
!
router eigrp 99
 network 10.250.0.4 0.0.0.3
 network 10.250.100.128 0.0.0.127
 passive-interface default
 no passive-interface FastEthernet0/1
 eigrp router-id 10.250.0.6
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map DMZ interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.250.0.5
!
ip access-list extended internal-ips
 permit ip 10.250.100.128 0.0.0.127 10.250.0.4 0.0.0.3
ip access-list extended vtyaccess
 permit tcp 10.250.100.0 0.0.0.127 any range 22 telnet
 permit tcp 10.250.100.128 0.0.0.127 any range 22 telnet
 permit tcp 10.250.150.0 0.0.0.255 any range 22 telnet
 permit tcp 10.250.160.0 0.0.0.7 any range 22 telnet
 deny   tcp any any
!
!
!
!
route-map DMZ permit 10
 description NAT via DMZ
 match ip address internal-ips
 match interface FastEthernet0/1
!
!
tacacs-server host 10.250.100.142
tacacs-server timeout 1
tacacs-server directed-request
tacacs-server key 7 04795B5301011234567890-09876543234567890
!
control-plane
!
!
!
line con 0
 exec-timeout 11 0
 logging synchronous
line aux 0
 exec-timeout 11 0
line vty 0 4
 access-class vtyaccess in
 exec-timeout 11 0
 logging synchronous
 login authentication BiHTac
 transport input all
 transport output all
!
scheduler allocate 20000 1000
end

BIH_DMZ_RTR#  sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.250.0.5 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.250.0.5
      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
D        10.250.0.0/30 [90/28416] via 10.250.0.5, 1d23h, FastEthernet0/1
C        10.250.0.4/30 is directly connected, FastEthernet0/1
L        10.250.0.6/32 is directly connected, FastEthernet0/1
D        10.250.100.0/25 [90/30976] via 10.250.0.5, 1d23h, FastEthernet0/1
C        10.250.100.128/25 is directly connected, FastEthernet0/0.99
L        10.250.100.129/32 is directly connected, FastEthernet0/0.99
      192.168.250.0/29 is subnetted, 1 subnets
D        192.168.250.0 [90/30976] via 10.250.0.5, 1d23h, FastEthernet0/1

Mariusz Bochen
Level 1

Hi Kemal,

Happy New Year.

How is your proxy ARP set up on the ASA?

Can you issue the following:

sh run all | i sysopt

sh run all | i arp permit-nonconnected

This should be enabled if you use an additional LAN on the interface. Perhaps it won't learn the MAC address of the TACACS host at the moment.

Regards

Mariusz

Hi Mariusz,

Happy New Year to you as well.

Here are the two commands you asked for:

BIHASA# sh run all | i sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp DMZ
no sysopt noproxyarp outside
BIHASA#

BIHASA# sh run all | i arp permit-nonconnected
no arp permit-nonconnected

Thanks for that.

Looks like proxy ARP is enabled, which is fine, but I'm not sure if the second feature applies here, as I can't find any detailed documentation about that.

Worth trying:

arp permit-nonconnected

Source: http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.pdf

The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.

You may want to use this feature if you use:

• Secondary subnets.

• Proxy ARP on adjacent routes for traffic forwarding.

We introduced the following command: arp permit-nonconnected.

This feature is not available in 8.5(1), 8.6(1), or 8.7(1).

Not sure if this prevents registering MAC addresses in ARP cache only or resolving as well.

I tried that but I'm getting nowhere, even with enabling arp permit-nonconnected.

Are you suggesting that the TACACS server needs to be directly plugged into the ASA? But at work we have a TACACS server and our production 5580 in different geographical regions and they can still communicate with each other. I am not sure why this setup is not working; from the looks of it (routing) the ASA knows about that network but can't ping it. I have echo-reply and traceroute permitted on all interfaces and I am still not getting there. However, the TACACS server can ping the DMZ interface of the ASA.

Kemal Zuko
Level 1

OK, the issue has been resolved.

After looking some more into the network behind the ASA's DMZ interface, I came to notice the following string of commands on the router that is directly connected to the DMZ interface and that is hosting the TACACS server behind its network:

ip nat inside source route-map DMZ interface FastEthernet0/1 overload

ip access-list extended internal-ips
permit ip 10.250.100.128 0.0.0.127 10.250.0.4 0.0.0.3

route-map DMZ permit 10
description NAT via DMZ
match ip address internal-ips
match interface FastEthernet0/1

Now I have also noticed that the ASA has the following NAT statement:

nat (DMZ,outside) source dynamic any interface

so there is really no need for the router to pretend that it's doing NAT when the actual NAT is being done on the ASA. I believe that the packet that was coming in from the ASA to the TACACS server was getting blocked by the router, and that is why we never saw the next hop. After removing the NAT, route map, and the access list, the ASA started to ping the TACACS server and I was able to get authenticated right away.

I would like to thank both Colin Clark and Mariusz Bochen for your time on this; it was truly a learning curve for me.

Thank you again, and you both deserve kudos!!!!

Happy New Year

Kemal

A true test of our troubleshooting skills as well.

I am glad you fixed it. Well spotted.

Regards

Mariusz
