Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DMZ not Accessing Internet 5505 8.2(5)

Hello,

I have a bit of a situation here, my packets  from the DMZ to the outside interface are being rejected to the Outside by the DMZ interface implicit deny rule. Even when I add an extended implicit allow any any rule to that interface the traffic is still blocked by the implicit deny rule. Traffic flow from the inside to the outside is ok. Below is part of the running config I have, is there anything I am missing?

Access-Lists

 

access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any 192.168.4.0 255.255.255.0
access-group dmz_access_in in interface dmz

PAT
global (outside) 101 interface
nat (inside) 0 access-list outside_1_cryptomap
nat (inside) 101 Server1 255.255.255.255
nat (inside) 101 Server2 255.255.255.255
nat (inside) 101 Server3 255.255.255.255
nat (dmz) 101 0.0.0.0 0.0.0.0


route outside 0.0.0.0 0.0.0.0 MY_ISP_PUB_IP DEFAULT GW 1



: end

 

Everyone's tags (1)
14 REPLIES

Hi ,    What is the security

Hi ,

    What is the security level configured for your DMZ and outside interface , If both security level are same they you need to have 

same-security-traffic permit inter-interface

 

Run packet-tracer command for trouble shooting 

packet-tracer input dmz protocol x.x.x.x 8080 4.2.2.2 80 [detailed] [xml]

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81815-generic-ports.html

HTH

Sandy

New Member

The DMZ is on security level

The DMZ is on security level 50, I have however tried to put it on the same security level after the same-security-traffic permit inter-interface command as the outside interface but no luck. Below is my packet tracer output.

<Phase>
<id>1</id>
<type>ROUTE-LOOKUP</type>
<subtype>input</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
in   0.0.0.0         0.0.0.0         outside
</extra>
</Phase>

<Phase>
<id>2</id>
<type>ACCESS-LIST</type>
<subtype></subtype>
<result>DROP</result>
<config>
Implicit Rule
</config>
<extra>
</extra>
</Phase>

<result>
<input-interface>dmz</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>outside</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>

 

Hi , Kindly share me your

Hi ,

 Kindly share me your system config . Let me check for any configuration errors

HTH

Sandy

New Member

The 192.168.4.0 network is

The 192.168.4.0 network is the one not accessing the internet.

 

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa

names
name 192.168.94.24 ABCtest_Server description NHL test server
name 192.168.94.0 ABCNETWORK description NHL INTERNAL NW
name 192.168.180.2 ABCLinux description ABCRouter
name 10.XXXXXXXXXX SW description SW
name 196.XXXXXXXXXX AT description AT
name 196.XXXXXXXXXX AD description AD
name 192.168.180.4 WXZ description WXZ
name 10.XXXXXXXXXX QW description AIRTIME_RW_MTN
name 44.XXXXXXXXXX ABCPublic_Address description NHL Public Address
name 192.168.5.0 GY description GYNetwork
name 192.168.180.5 GY_Connection description GY_Connection
name 192.168.4.1 Wifi_Connection description Wifi_Connection
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 switchport access vlan 245
!
interface Ethernet0/4
 switchport trunk allowed vlan 245
 switchport mode trunk
!
interface Ethernet0/5
 switchport access vlan 20
!
interface Ethernet0/6
 speed 94
 duplex full
!
interface Ethernet0/7
 speed 94
 duplex full
!
interface Vlan1
 nameif inside
 security-level 94
 ip address 192.168.180.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 41.XXXXXXXXXXXXXXXXXXXXXXXX 255.255.255.252
!
interface Vlan4
 nameif dmz
 security-level 0
 ip address Wifi_Connection 255.255.255.0
!
ftp mode passive
clock timezone EAT 3
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 41.XXXXXXXXXXXX
 name-server 41.XXXXXXXXXXXX
 name-server 41.XXXXXXXXXXXX
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network ABCRouter
object-group service ABCEmail
 description ABCEmail
 service-object tcp eq smtp
object-group service ABCl_Server
 description ABCl_Server
 service-object tcp eq https
object-group service SSH_ACCESS
 service-object tcp eq 22
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
 service-object udp
 service-object tcp
 service-object icmp traceroute
 service-object tcp-udp eq www
object-group service Access
 description Access From Outside
 service-object tcp eq 8080
object-group service QQTVirtualhost
 service-object tcp eq 8089
 service-object tcp eq 9400
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp eq www
 service-object icmp
object-group service DM_INLINE_SERVICE_3
 service-object tcp-udp
 service-object udp
 service-object tcp-udp eq www
 service-object tcp eq www
 service-object tcp eq https
object-group network GY
 network-object GY255.255.255.0
access-list outside_1_cryptomap extended permit ip host WXZ host QW
access-list outside_1_cryptomap extended permit ip host QWhost WXZ
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit ip any interface outside log alerts
access-list outside_access_in extended permit tcp any interface outside eq 22
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq 8089
access-list outside_access_in extended permit tcp any interface outside eq 9400
access-list outside_access_in extended permit ip host WXZ any
access-list outside_access_in extended permit tcp any interface outside eq 2202
access-list outside_access_in extended permit object-group TCPUDP any host WXZ eq sip
access-list outside_access_in extended permit tcp any interface outside eq 3306
access-list outside_access_in extended permit tcp any interface outside eq 8090
access-list outside_access_in extended permit ip host GY_Connection any
access-list outside_2_cryptomap extended permit ip host WXZ host AT
access-list outside_2_cryptomap extended permit ip host AT host WXZ
access-list GY_access_in extended permit ip GY255.255.255.0 any
access-list GY_access_in extended permit icmp GY255.255.255.0 any
pager lines 24
logging enable
logging asdm errors
mtu inside 50
mtu outside 50
mtu dmz 50
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list outside_1_cryptomap
nat (inside) 101 ABCLinux 255.255.255.255
nat (inside) 101 WXZ 255.255.255.255
nat (inside) 101 GY_Connection 255.255.255.255
nat (inside) 101 192.168.4.0 255.255.255.0
static (inside,outside) tcp interface smtp ABCLinux smtp netmask 255.255.255.255
static (inside,outside) tcp interface https ABCLinux https netmask 255.255.255.255
static (inside,outside) tcp interface www ABCLinux www netmask 255.255.255.255
static (inside,outside) tcp interface telnet ABCLinux telnet netmask 255.255.255.255
static (inside,outside) tcp interface 2222 ABCLinux 2222 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 ABCLinux 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 8089 WXZ 8089 netmask 255.255.255.255
static (inside,outside) tcp interface 9400 ABCLinux 9400 netmask 255.255.255.255
static (inside,outside) tcp interface 2202 WXZ ssh netmask 255.255.255.255
static (inside,outside) tcp interface sip WXZ sip netmask 255.255.255.255
static (inside,outside) tcp interface 3306 WXZ 3306 netmask 255.255.255.255
static (inside,outside) tcp interface 8090 WXZ www netmask 255.255.255.255
static (inside,outside) udp interface sip WXZ sip netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 41.XXXXXXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 4430
http 50.XXXXXXXXXXXX 255.255.255.255 outside
http 192.168.180.0 255.255.255.0 inside
http 41.XXXXXXXXXXXX outside
http 41.XXXXXXXXXXXX outside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal 200
telnet 192.168.180.0 255.255.255.0 inside
telnet ABCNETWORK 255.255.255.0 inside
telnet timeout 5
ssh 192.168.180.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 41.XXXXXXXXXXXX 41.XXXXXXXXXXXX interface inside
!

priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-filter value outside_1_cryptomap
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-filter value outside_2_cryptomap
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username helpdesk password  encrypted privilege 15
tunnel-group 41.XXXXXXXXXXXX type ipsec-l2l
tunnel-group 41.XXXXXXXXXXXX ipsec-attributes
 pre-shared-key
tunnel-group 196.XXXXXXXXXX type ipsec-l2l
tunnel-group 196.XXXXXXXXXX general-attributes
 default-group-policy GroupPolicy2
tunnel-group 196.XXXXXXXXXX ipsec-attributes
 pre-shared-key
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:wvf048c8f486c1661168cf8fcf87d5cf
: end

 

Hi , I do see this

Hi ,

 I do see this configuration is missing on your output above , either keep any  any acl rule or only access from 192.168.4.0/24 to any  (better to keep 192.168.4.0 to any)

access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any 192.168.4.0 255.255.255.0   

access-list dmz_access_in extended permit ip 192.168.4.0 255.255.255.0 any


access-group dmz_access_in in interface dmz

Kindly check and let me know 

 

HTH

Sandy

New Member

Hi, I had only those ACEs

Hi, 

I had only those ACEs during testing but I have put back but the result is the same. The packets are being dropped. 

access-list dmz_access_in extended permit ip any any

access-group dmz_access_in in interface dmz

Result of the command: "packet-tracer input dmz tcp 192.168.4.1 555 8.8.8.8  www detailed"
 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
 
Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab163a68, priority=500, domain=permit, deny=true
hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=Wireless_Connection, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi ,  Change Security level

Hi ,

  Change Security level to 90 from 0 . Apply this ACL , bound it to the interface . Let me know if any issue forseen.

 

HTH

Sandy

New Member

I have changed the security

I have changed the security level to 90 but no luck. The packet are still being dropped packet-tracer input dmz tcp 192.168.4.1 555 8.8.8.8  www detailed

But strangely packet-tracer input inside tcp 192.168.4.1 555 8.8.8.8  www detailed the packet is allowed. I already bounded the access-list dmz_access_in extended permit ip any any to the DMZ interface. 

Hi  Here is the catch ,

Hi 

 Here is the catch , missed out in my earlier investigation  Thanks 

nat (inside) 101 192.168.4.0 255.255.255.0

Change it dmz

nat (dmz) 101 192.168.4.0 255.255.255.0

Ensure ACL is configured and bounded to interface . 

HTH

Sandy

 

New Member

Hi,No luck either I had that

Hi,

No luck either I had that line originally, I have put out no nat (inside) 101 192.168.4.0 255.255.255.0 and replaced it with nat (dmz) 101 192.168.4.0 255.255.255.0. Below is my packet trace result 

 

Result of the command: "packet-tracer input dmz tcp 192.168.4.1 3883 8.8.8.8 www"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

 

When I check the logs, here is the message I get, does this mean anything? 

2May 20 201417:21:18     Deny IP spoof from (Wireless_Connection) to 8.8.8.8 on interface dmz
New Member

Further on the explanation

Further on the explanation says a packet arrived at the adaptive security appliance device interface that has a destination IP address of 0. This explanation is on the line in the logs. What could this mean? 

Hi ,

Hi ,

 Configure this command , it should work after that


ip verify reverse-path interface dmz

 

HTH

Sandy

New Member

No luck either Result of the

No luck either 


Result of the command: "packet-tracer input dmz tcp 192.168.4.1 2829 8.8.8.8 www"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   Wireless_Connection 255.255.255.255 identity

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

 

Hi , Share me following

Hi ,

 Share me following output from your device 

 

show running-config | in access-group

show xlate

show nat 

show route 

show runn | in ip verify 

 

It should work if everything correctly . 

HTH

Sandy

153
Views
0
Helpful
14
Replies
CreatePlease login to create content