PIX/ASA not able to reach DMZ

Hi everyone,

I am able to ping from outside to all inside IPs, but there is no communication from inside and outside to the DMZ.

I did debug icmp trace 255 and it gives the debug below; can anyone guide me if I am making any mistake here in the config?

pixfirewall(config)# ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=0 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=1 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=2 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=3 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=4 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10

DMZ>sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.0.1     YES manual up                    up 
Ethernet0/1                unassigned      YES unset  administratively down down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
FastEthernet1/0            20.1.1.2        YES NVRAM  administratively down down
Loopback0                  192.168.10.10   YES manual up                    up 
Loopback1                  4.4.4.4         YES NVRAM  up                    up 
DMZ>

INSIDE-RTR>sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.10.254.2     YES NVRAM  up                    up 
Ethernet0/1                unassigned      YES NVRAM  administratively down down
Ethernet0/2                unassigned      YES NVRAM  administratively down down
Ethernet0/3                unassigned      YES NVRAM  administratively down down
Loopback0                  10.14.8.50      YES NVRAM  up                    up 
Loopback1                  10.10.10.10     YES manual up                    up 
INSIDE-RTR>

OUTSIDE>sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES TFTP   administratively down down
Ethernet0/1                131.1.23.1      YES NVRAM  up                    up 
Ethernet0/2                unassigned      YES NVRAM  administratively down down
Ethernet0/3                unassigned      YES NVRAM  administratively down down
Loopback0                  5.5.5.5         YES manual up                    up 
Loopback1                  1.1.1.1         YES NVRAM  up                    up 
OUTSIDE>

pixfirewall# sh run
: Saved
:
PIX Version 7.2(4)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif INSIDE
security-level 100
ip address 10.10.254.1 255.255.255.0
!
interface Ethernet1
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 131.1.23.2 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
shutdown
no nameif
security-level 50
no ip address
!
interface Ethernet3
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
access-list 101 extended permit ip any any log
access-list ACL-BW extended permit ip any any
access-list DMZtoINSIDE extended permit ip any any log
pager lines 24
logging buffered debugging
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 131.1.23.12-131.1.23.254
nat (INSIDE) 1 10.0.0.0 255.0.0.0
static (INSIDE,OUTSIDE) 131.1.23.11 10.14.8.50 netmask 255.255.255.255
static (INSIDE,DMZ) 192.168.11.11 10.10.10.10 netmask 255.255.255.255
static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
access-group 101 in interface OUTSIDE
access-group DMZtoINSIDE in interface DMZ
route INSIDE 10.14.8.0 255.255.255.0 10.10.254.2 1
route INSIDE 10.10.10.0 255.255.255.0 10.10.254.2 1
route OUTSIDE 0.0.0.0 0.0.0.0 131.1.23.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue OUTSIDE
!
class-map CLASS-BW
match access-list ACL-BW
class-map bw-limit1
!
!
policy-map POLICY-BW
class CLASS-BW
  police output 8000 1000 conform-action drop
!
service-policy POLICY-BW interface OUTSIDE
prompt hostname context
Cryptochecksum:2544d2c2a04267b55ac2ae90ba42d40f
: end

=====================

Thanks for the reply


Julio Carvajal
VIP Alumni

Hello Sagar,

1- Global (dmz) 1 interface

This will allow traffic from the inside to the DMZ, because in order to allow traffic from a higher to a lower security level interface you will need a NAT rule (with nat-control enabled).

2-Static (dmz,outside) xxxxx yyyyyy

In order to allow communication from a lower security level to a higher one you need two things: a bidirectional NAT rule and an ACL applied to the lower security level interface.

I would like to see why this connection is not working:

OUTSIDE:131.1.23.1 to DMZ:131.1.23.1

So let's do a packet-tracer:

packet-tracer input outside icmp 131.1.23.1 8 0 131.1.23.10

Please provide output of the packet tracer

Please rate helpful posts.

Regards.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for the reply.

I added the command global (DMZ) 1 interface (even though I am not able to understand the need for the command here, as a static NAT is available).

Later I did the packet-tracer with the output below; please see if I am making some mistake in the configuration.

pixfirewall# packet-tracer input ouTSIDE icmp 131.1.23.1 8 0 131.1.23.10

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=0 seq=0 len=0
static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
  match ip DMZ host 192.168.10.10 OUTSIDE any
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    static translation to 131.1.23.10
    translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface DMZ
Untranslate 131.1.23.10/0 to 192.168.10.10/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 101 in interface OUTSIDE
access-list 101 extended permit ip any any log
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
  match ip DMZ host 192.168.10.10 OUTSIDE any
    static translation to 131.1.23.10
    translate_hits = 0, untranslate_hits = 3
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 437, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency

pixfirewall#

=================

Thanks for the reply

Hello Sagar,

The global (dmz) is for the users on the inside to get NATted to the DMZ interface, but if you just want to get to the DMZ from 10.10.10.10 you already have the static, as you said, so you do not need the global.

Here is the problem we are seeing when the connection is made from the outside to the DMZ:

Drop-reason: (no-adjacency) No valid adjacency

This counter is incremented when the security appliance has tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.

Recommendation: Configure a capture for this drop reason and check if a host with the specified destination address exists on the connected network or is routable from the security appliance.

On the packet-tracer we can see that the traffic is hitting the right policies (NAT statements, access-list, inspection).

I would like to see if you can perform the following tasks:

1- Can you ping 131.1.23.1 from the ASA?

2- Can you ping 192.168.10.10 from the ASA?

Also, let's create the following capture and let me know the outputs you get:

access-list capout permit icmp 131.1.23.1 255.255.255.255  host 131.1.23.10

access-list capout permit icmp host 131.1.23.10 131.1.23.1 255.255.255.255

access-list capdmz permit icmp host 131.1.23.1 host 192.168.10.10

access-list capdmz permit icmp host 192.168.10.10 host 131.1.23.1

capture capdmz access-list capdmz interface dmz

capture capout access-list capout interface outside

Please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
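Reading a packet-tracer dump by hand is error-prone: every phase in the output posted above says Result: ALLOW, and the drop only appears in the final Action / Drop-reason block after the flow has been created. The following Python script is added here as an example; it is not code from the thread or from Cisco. It parses packet-tracer output into its phases and the final result and reports where the drop happened. The sample text is a trimmed copy of the packet-tracer output posted above (phases 2 and 4 to 8 left out and the interleaved debug icmp trace line removed), embedded as constructed input so the script runs offline; the function names are my own.

```python
"""Parse ASA/PIX packet-tracer output and locate the drop.

Added example for this thread, not Cisco code.  SAMPLE is a trimmed copy of
the packet-tracer output posted above; it is the script's constructed input.
"""
import re

SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
  match ip DMZ host 192.168.10.10 OUTSIDE any
    static translation to 131.1.23.10
    translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface DMZ
Untranslate 131.1.23.10/0 to 192.168.10.10/0 using netmask 255.255.255.255

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 437, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")


def parse_packet_tracer(text):
    """Return (phases, result): phases as ordered dicts with num/type/subtype/
    result, and result as the key/value lines after the bare 'Result:' header."""
    phases, result = [], {}
    cur, in_result = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_result:                      # final verdict block: key: value lines
            if ":" in line:
                key, val = line.split(":", 1)
                result[key.strip()] = val.strip()
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"num": int(m.group(1)), "type": "", "subtype": "", "result": ""}
            phases.append(cur)
        elif line == "Result:":            # bare header starts the final block
            in_result = True
        elif cur is not None:
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    cur[key.lower()] = line[len(key) + 1:].strip()
                    break
    return phases, result


def diagnose(text):
    """Return (action, drop_code, where).  'where' is the first phase that did
    not ALLOW, or 'after flow creation' when every phase allowed but the final
    Action is still drop: the packet cleared ACL/NAT/inspection and died at
    forwarding (here: no MAC for the next hop, i.e. no-adjacency)."""
    phases, result = parse_packet_tracer(text)
    action = result.get("Action")
    m = re.match(r"\(([^)]+)\)", result.get("Drop-reason", ""))
    code = m.group(1) if m else None
    denied = [p for p in phases if p["result"] != "ALLOW"]
    if action == "allow":
        where = None
    elif denied:
        where = f"phase {denied[0]['num']} {denied[0]['type']}"
    else:
        where = "after flow creation"
    return action, code, where


if __name__ == "__main__":
    for p in parse_packet_tracer(SAMPLE)[0]:
        print(f"phase {p['num']:>2} {p['type']:<14} {p['subtype']:<8} {p['result']}")
    print(diagnose(SAMPLE))
```

The useful output is the third element of diagnose(): "after flow creation" tells you not to keep staring at the ACL and NAT phases, because the policy decision was already allow and the failure is in layer 2/3 forwarding, which is exactly what the capture and the ping from the appliance in the reply above are meant to confirm.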

Hi Julio,

Thanks for your reply.

Here are the outputs you asked for:

1- Can you ping 131.1.23.1 from the ASA? ---- yes, pinging

pixfirewall# ping 131.1.23.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.1, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=36579 len=72
!ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=36579 len=72
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=36579 len=72


2- Can you ping 192.168.10.10 from the ASA? --- not reachable
pixfirewall# ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?
Success rate is 0 percent (0/5)
pixfirewall#

I have applied all the captures below:

access-list capout permit icmp 131.1.23.1 255.255.255.255  host 131.1.23.10
access-list capout permit icmp host 131.1.23.10 131.1.23.1 255.255.255.255
access-list capdmz permit icmp host 131.1.23.1 host 192.168.10.10
access-list capdmz permit icmp host 192.168.10.10 host 131.1.23.1
capture capdmz access-list capdmz interface dmz
capture capout access-list capout interface outside


pixfirewall# clear access-list capout counters
pixfirewall#
pixfirewall# clear access-list capdmz counters
pixfirewall#
pixfirewall# clear access-list 101 counters
pixfirewall#
pixfirewall# clear access-list DMZtoINSIDE counters
pixfirewall#

--- then:
OUTSIDE#ping 131.1.23.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
OUTSIDE#

----

pixfirewall# ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=0 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=1 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=2 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=3 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=4 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10

pixfirewall#
pixfirewall# ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?
Success rate is 0 percent (0/5)
pixfirewall#
pixfirewall#
pixfirewall# ping 131.1.23.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.1, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
!ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
!ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
!ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
!ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/50/90 ms
pixfirewall# ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72

pixfirewall#
pixfirewall#

pixfirewall# sh access-list
access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 extended permit ip any any log informational interval 300 (hitcnt=1) 0x28676dfa
access-list ACL-BW; 1 elements
access-list ACL-BW line 1 extended permit ip any any (hitcnt=156) 0xfa95bcad
access-list DMZtoINSIDE; 1 elements
access-list DMZtoINSIDE line 1 extended permit ip any any log informational interval 300 (hitcnt=0) 0xf5a55e4b
access-list capout; 2 elements
access-list capout line 1 extended permit icmp host 131.1.23.1 host 131.1.23.10 (hitcnt=5) 0xfb220e61
access-list capout line 2 extended permit icmp host 131.1.23.10 host 131.1.23.1 (hitcnt=0) 0xda226f3d
access-list capdmz; 2 elements
access-list capdmz line 1 extended permit icmp host 131.1.23.1 host 192.168.10.10 (hitcnt=0) 0xa133807b
access-list capdmz line 2 extended permit icmp host 192.168.10.10 host 131.1.23.1 (hitcnt=0) 0x99b84706
pixfirewall#

==================

Thanks for your reply again

Hello Sagar,

You did not understand the purpose of the capture; you had to make the connection from 131.1.23.1 to 131.1.23.10 in order to get the packets in the capture.

But do not worry; at this time I think we already saw the problem. The ASA does not know how to get to 192.168.10.10.

You need the following command:

route dmz 192.168.10.10 255.255.255.0 192.168.0.1

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for the reply

I added the route for 192.168.10.10 in the PIX, but still I am not able to ping 131.1.23.10.

OUTSIDE#ping 131.1.23.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
OUTSIDE#

OUTSIDE#ping 131.1.23.10 source 131.1.23.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.10, timeout is 2 seconds:
Packet sent with a source address of 131.1.23.1
.....
Success rate is 0 percent (0/5)
OUTSIDE#

ACL captures:

pixfirewall# sh access-list
access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 extended permit ip any any log informational interval 300 (hitcnt=1) 0x28676dfa
access-list ACL-BW; 1 elements
access-list ACL-BW line 1 extended permit ip any any (hitcnt=156) 0xfa95bcad
access-list DMZtoINSIDE; 1 elements
access-list DMZtoINSIDE line 1 extended permit ip any any log informational interval 300 (hitcnt=0) 0xf5a55e4b
access-list capout; 2 elements
access-list capout line 1 extended permit icmp host 131.1.23.1 host 131.1.23.10 (hitcnt=5) 0xfb220e61
access-list capout line 2 extended permit icmp host 131.1.23.10 host 131.1.23.1 (hitcnt=0) 0xda226f3d
access-list capdmz; 2 elements
access-list capdmz line 1 extended permit icmp host 131.1.23.1 host 192.168.10.10 (hitcnt=0) 0xa133807b
access-list capdmz line 2 extended permit icmp host 192.168.10.10 host 131.1.23.1 (hitcnt=0) 0x99b84706
pixfirewall#

==============

Please let me know if I am doing anything wrong here.

Thanks again

Hello Sagar,

Just to see if we are on the same page: you are trying to ping from the outside router (131.1.23.1) to the DMZ server's public IP address (131.1.23.10), right?

So the PIX should start proxy-ARPing that IP address (131.1.23.10).

The configuration you need in order to allow this will be:

static (dmz,outside) 131.1.23.10 192.168.10.10

access-list 101 permit ip any host 131.1.23.10

access-group 101 in interface outside

route dmz 192.168.10.0 255.255.255.0 192.168.0.1

Can you check if you can have the same configuration?

Also, can you ping 192.168.10.10 now? If you cannot do it, there is something wrong with the layer 3 device on the DMZ network, because it's blocking the ICMP request.

Please let me know these two things.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
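The root cause the two replies above converge on (the PIX has no route to 192.168.10.10 out of the DMZ interface, so the static (DMZ,OUTSIDE) translation diverts the packet to DMZ and the adjacency lookup there fails) can be checked straight from the running-config, without packet-tracer or a lab. The Python script below is added here as an example and is not the thread's or Cisco's code. It parses the interface, route and static lines of the pre-8.3 syntax used in this thread (it does not understand 8.3+ object NAT), does a longest-prefix lookup over connected subnets and static routes for each static's real address, and flags any static whose real IP does not route out of the interface the static names. It then repeats the check with the route from the reply above added. The embedded config is the posted sh run trimmed to the relevant lines; the function names are mine.

```python
"""Check that every static NAT's real address is routable out of the
interface the static names (ASA/PIX 7.x 'static' / 'route' syntax).

Added example for this thread, not Cisco code.  SH_RUN is the posted
running-config trimmed to interface, static and route lines; FIX_ROUTE is
the route suggested in the replies.  Both are the script's constructed input.
"""
import ipaddress
import re

SH_RUN = """\
interface Ethernet0
 nameif INSIDE
 security-level 100
 ip address 10.10.254.1 255.255.255.0
!
interface Ethernet1
 nameif OUTSIDE
 security-level 0
 ip address 131.1.23.2 255.255.255.0
!
interface Ethernet3
 nameif DMZ
 security-level 50
 ip address 192.168.0.2 255.255.255.0
!
static (INSIDE,OUTSIDE) 131.1.23.11 10.14.8.50 netmask 255.255.255.255
static (INSIDE,DMZ) 192.168.11.11 10.10.10.10 netmask 255.255.255.255
static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
route INSIDE 10.14.8.0 255.255.255.0 10.10.254.2 1
route INSIDE 10.10.10.0 255.255.255.0 10.10.254.2 1
route OUTSIDE 0.0.0.0 0.0.0.0 131.1.23.1 1
"""

FIX_ROUTE = "route DMZ 192.168.10.0 255.255.255.0 192.168.0.1 1\n"

STATIC_RE = re.compile(r"static \(([\w-]+),([\w-]+)\) (\S+) (\S+)")


def to_net(ip, dotted_mask):
    """Build a network from an address and a dotted mask (0.0.0.0 -> /0)."""
    plen = sum(bin(int(o)).count("1") for o in dotted_mask.split("."))
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def parse_config(text):
    """Return (routes, statics).  routes: (network, nameif, next_hop), with
    connected subnets carrying next_hop None.  statics: (real_if, mapped_if,
    mapped_ip, real_ip) as written in 'static (real,mapped) mapped real'."""
    routes, statics, nameif = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                       # new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()
            routes.append((to_net(ip, mask), nameif, None))
        elif line.startswith("route "):
            _, ifname, dst, mask, nh, *_ = line.split()
            routes.append((to_net(dst, mask), ifname, nh))
        elif line.startswith("static ("):
            statics.append(STATIC_RE.match(line).groups())
    return routes, statics


def lookup(routes, ip):
    """Longest-prefix match; returns (network, nameif, next_hop) or None."""
    addr, best = ipaddress.ip_address(ip), None
    for entry in routes:
        if addr in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


def check_statics(text):
    """Map each static's real IP to (real_if, egress_if, ok).  ok is False when
    the real IP would leave a different interface than the static names: the
    NAT divert still sends the packet to real_if, where no next hop exists,
    which is the 'no-adjacency' drop seen in this thread."""
    routes, statics = parse_config(text)
    report = {}
    for real_if, _mapped_if, _mapped_ip, real_ip in statics:
        best = lookup(routes, real_ip)
        egress = best[1] if best else None
        report[real_ip] = (real_if, egress, egress == real_if)
    return report


if __name__ == "__main__":
    for label, cfg in (("as posted", SH_RUN), ("with fix route", SH_RUN + FIX_ROUTE)):
        print(label)
        for real_ip, (real_if, egress, ok) in check_statics(cfg).items():
            print(f"  {real_ip:<15} static says {real_if:<7} routes via {egress!s:<8} {'OK' if ok else 'MISMATCH'}")
```

As posted, 192.168.10.10 falls through to the default route on OUTSIDE while the static names DMZ, so the check reports a mismatch; with the route added it routes via DMZ and passes. Two things to keep in mind: the route line in the first suggestion (192.168.10.10 with a /24 mask) is the host form, and the network form 192.168.10.0/24 from the later reply is what this check uses; and access-list 101 permits ip any any inbound on OUTSIDE, so once the route works the tighter permit ip any host 131.1.23.10 from the same reply limits exposure to the one published host.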

Hey Julio,

I am doing exactly the same; I am using GNS3 and trying to implement it.

Thanks for the reply

---------------------

Hello Sagar,

Sure, let me know the result.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC