From DMZ to Internal network connection

Hi Guys,

My setup has 3 zones (External, Internal, DMZ), and traffic flow between all zones is OK. I am using Cisco ASA Software Version 8.2(1).

My laptop is connected to the Internal network and telnets to the DMZ (NATted IP) on port 22, but it fails.

Here is my packet-tracer result. It drops in Phase 9. May I know whether this is a feature problem in the ASA, or does the configuration need to change? Thanks

ASA# show int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan11                     48.22.29.10     YES CONFIG up                    up
Vlan21                     192.168.25.254  YES CONFIG up                    up
Vlan31                     192.168.15.102  YES CONFIG up                    up
Vlan41                     192.168.10.254  YES CONFIG up                    up
Vlan991                    192.168.1.254   YES unset  up                    up
Virtual0                   127.0.0.1       YES unset  up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  up                    up
Ethernet0/4                unassigned      YES unset  administratively down down
Ethernet0/5                unassigned      YES unset  up                    up
Ethernet0/6                unassigned      YES unset  administratively down down
Ethernet0/7                unassigned      YES unset  administratively down down
ASA#

ASA# packet-tracer input DMZ tcp 48.22.29.10 22 192.168.15.101 22

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.15.0   255.255.255.0   internal

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit object-group TCPUDP any any
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip DMZ any internal 192.168.15.0 255.255.255.0
    NAT exempt
    translate_hits = 105470, untranslate_hits = 204
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ) 1 0.0.0.0 0.0.0.0
  match ip DMZ any internal any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 14, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 1 0.0.0.0 0.0.0.0
  match ip DMZ any external any
    dynamic translation to pool 1 (48.22.29.10 [Interface PAT])
    translate_hits = 289676, untranslate_hits = 15395
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (internal) 1 0.0.0.0 0.0.0.0
  match ip internal any DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 13, untranslate_hits = 0
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: internal
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA#
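As an added example (not part of the post and not Cisco's code), a small Python parser for the packet-tracer output format shown above: it splits the output into phases, returns the first phase whose Result is DROP together with the NAT rule lines it matched, and collects the trailing Action/Drop-reason summary. The embedded sample is a constructed excerpt of the output in the post.

```python
def parse_packet_tracer(text):
    """Return (phases, summary): phases are dicts with number/type/subtype/result/config."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":                        # start of a new phase
            cur = {"number": int(value), "config": []}
            phases.append(cur)
            section = None
        elif key == "Result" and value == "":     # trailing summary block begins
            cur = None
        elif cur is None:
            summary[key] = value                  # Action, Drop-reason, interfaces
        elif section is None and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = value
        elif key in ("Config", "Additional Information") and value == "":
            section = key                         # which block the next lines belong to
        elif section == "Config":
            cur["config"].append(line)            # e.g. the nat/match/translation lines
    return phases, summary

def first_drop(phases):
    """Earliest phase whose Result is DROP, or None when every phase allowed."""
    return next((p for p in phases if p.get("result") == "DROP"), None)

# Constructed sample: phases 1 and 9 plus the summary, excerpted from the post.
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (internal) 1 0.0.0.0 0.0.0.0
  match ip internal any DMZ any
    dynamic translation to pool 1 (No matching global)
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Running `first_drop(parse_packet_tracer(SAMPLE)[0])` on the sample returns phase 9 (NAT/rpf-check) with the `nat (internal) 1 0.0.0.0 0.0.0.0` rule as its first config line.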
