ASA 5510 DMZ to INSIDE problems - Urgent!

Posted on 2007-04-09
Last Modified: 2013-11-16
Hi All,

Inside - 10.1.2.0 /24
Security level 100

DMZ - 172.16.1.0 /24
Security level 60

I am trying to simply allow traffic from the INSIDE network to the DMZ network. From the ASA I can ping both connected networks (DMZ and INSIDE), but I can't ping from the DMZ to the INSIDE or vice versa. I will eventually put in ACLs to restrict traffic, but I am avoiding that for now for testing purposes.

portmap translation creation failed for tcp src inside:10.1.2.245/2130 dst DMZ:172.16.1.2/80

Built ICMP connection for faddr 10.1.2.245/1280 gaddr 172.16.1.1/0 laddr 172.16.1.1/0
Teardown ICMP connection for faddr 10.1.2.245/1280 gaddr 172.16.1.1/0 laddr 172.16.1.1/0

10.1.2.245 is the client I am testing the connection from (on the INSIDE)
172.16.1.1 is the IP of the DMZ interface on the ASA
172.16.1.2 is one of the clients on the DMZ network

Do I have to setup NAT to go from DMZ to INSIDE?

Don't assume I know the obvious because I don't :)

I don't usually try to be demanding when posting questions, but this is very urgent.  Please help ASAP.  

Your help is greatly appreciated.

Thanks

REB
Question by: reb_elmagnifico
 

Accepted Solution

by: batry_boy (earned 500 total points)
ID: 18879957
What do your nat, global and static statements look like?  Sounds like a nat problem going from inside to dmz.  

You have to have some static translations set up to go from dmz to inside since this traffic is from lower to higher security level interfaces on the firewall.

If you want to ping from inside to dmz, you will also need an ACL that allows the return ping traffic back from the DMZ to the inside network.

access-list acl_dmz_in permit icmp any any echo-reply
access-group acl_dmz_in in interface DMZ

However, I would start with posting your nat, global and static commands so we can take a look...

Author Comment

by:reb_elmagnifico
ID: 18880522
Thanks for your reply!

I was able to figure it out a few hours ago.  You're right it was a NAT problem.  I was missing a statement to translate the source and destination IP ranges, which happen to be the same since I didn't need NAT.

In order to cover all of the subnets the following lines did the trick:

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Thanks

REB


Author Comment

by:reb_elmagnifico
ID: 18886417
Thought it was resolved, but now it stopped working for some reason.  Without changing anything, it went from success to failure.

In retrospect, when I added the statements:
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

it gave me a warning:

INFO: Global address overlaps with NAT exempt configuration

I was worried at first, but since it worked I didn't think much of it. What is this telling me? Could this be why it stopped working all of a sudden?

Thanks for your help!

REB

Expert Comment

by:batry_boy
ID: 18886469
It's saying that one of your static statements has some source IP addresses that are in a "nat 0" statement in your configuration.  Can you post your "nat 0" statement?

Author Comment

by:reb_elmagnifico
ID: 18886485
nat (inside) 0 access-list NONAT-INSIDE


access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip host 192.168.31.81 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 192.168.31.83 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.192 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.200 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.215 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254

Author Comment

by:reb_elmagnifico
ID: 18886489
I am not really sure how this is used.  It was configured before I started working on it...

Thanks for your help!

REB

Author Comment

by:reb_elmagnifico
ID: 18886499
Correction to previous posting:

static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

is actually

static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

Sorry to post so many times in a row...I should get my ducks in a row before hitting that submit button :)

Author Comment

by:reb_elmagnifico
ID: 18886533
This might help some too:

show run global
global (outside) 1 interface

show run nat
nat (inside) 0 access-list NONAT-INSIDE
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 10.1.3.0 255.255.255.0
nat (inside) 1 10.1.4.0 255.255.255.0
nat (inside) 1 10.1.11.0 255.255.255.0
nat (inside) 1 10.1.12.0 255.255.255.0
nat (inside) 1 10.1.13.0 255.255.255.0
nat (inside) 1 10.1.14.0 255.255.255.0
nat (inside) 1 192.168.31.0 255.255.255.0

show run static

--remove outside statics--

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0



REB

Expert Comment

by:batry_boy
ID: 18887290
Convoluted nat configuration you have there.  Do you know if all of the statements in the "NONAT-INSIDE" ACL are needed?  You have the following statements in there:

access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254

These are the ones that are all private class networks.  Do these exist on other PIX interfaces, or across VPN connections?  Can you post the output of the "show xlate" command to see how the nat is being implemented?

Author Comment

by:reb_elmagnifico
ID: 18887395
Most of the NONAT-INSIDE ACL entries are for VPN tunnels. The rest also have special purposes...at least that is what the remarks say. I didn't post the remarks because they are a little too descriptive for the Internet to see.

Honestly I haven't grasped the entire concept of the access list for NONAT.  Assuming that all of the existing statements are necessary, what do you suggest?

show xlate
11 in use, 1058 most used
Global 10.1.0.0 Local 10.1.0.0
PAT Global 206.x.x.140(4433) Local 10.1.1.100(443)
Global 206.x.x.141 Local 192.168.31.125
Global 206.x.x.142 Local 192.168.31.135
Global 206.x.x.137 Local 10.1.2.135
Global 206.x.x.139 Local 192.168.31.68
Global 67.x.x.177 Local 10.1.2.240
Global 172.26.221.0 Local 10.1.2.0
Global 172.26.220.0 Local 192.168.31.0
Global 67.x.x.178 Local 172.16.1.3

Thanks

REB

Author Comment

by:reb_elmagnifico
ID: 18887559
So, I was doing some research on the "nat 0" statement.

Would it be better if I removed the statements :

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

And added :

access-list NONAT-INSIDE extended permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.16.1.0 255.255.255.0

?
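The thread leaves three things to reason about by hand: why the ASA printed "Global address overlaps with NAT exempt configuration" when the statics were added (batry_boy's explanation above), whether DMZ-to-inside traffic really needs a translation at all, and what changes if the statics are swapped for the two NONAT-INSIDE entries proposed in the last comment. The following is an added example, not code from the thread or from Cisco: a small Python model of the pre-8.3 ASA NAT lookup, run over the nat, access-list and static lines posted above. It assumes the lookup order Cisco documents for 7.x/8.0/8.2 (NAT exemption via `nat 0 access-list` first, then `static`, then dynamic `nat`/`global`, which this model does not evaluate), understands only the ACE and `static ... netmask` forms that appear in the thread, keeps the poster's redacted `xxx.xxx.201.138` verbatim as an address that can never match, and corrects the `255.255.0` mask typo in the proposed entry to `255.255.0.0`. The function names (`parse`, `exempt_overlaps`, `nat_rule_for`) are my own.

```python
# Added example, not from the thread: a model of the pre-8.3 ASA NAT lookup
# (NAT exemption first, then static, then dynamic nat/global, which is not
# modelled) run over the nat/static/access-list lines posted above.

import ipaddress
from collections import namedtuple

ANY = ipaddress.ip_network("0.0.0.0/0")
Ace = namedtuple("Ace", "name src dst raw")            # src/dst: IPv4Network or None
Static = namedtuple("Static", "real_ifc mapped_ifc mapped real")  # mapped = "global" side

# Constructed sample: the lines posted in the thread. 'xxx.xxx.201.138' is the
# poster's redaction and is kept verbatim; the parser treats it as unknown.
CONFIG = """
nat (inside) 0 access-list NONAT-INSIDE
access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip host 192.168.31.81 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 192.168.31.83 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.192 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.200 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.215 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
"""
# The alternative floated in the last comment: no statics, DMZ subnet in the
# exemption ACL instead (mask typo in the post corrected to 255.255.0.0).
PROPOSED = "\n".join(l for l in CONFIG.splitlines() if not l.startswith("static")) + """
access-list NONAT-INSIDE extended permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.16.1.0 255.255.255.0
"""

def _net(addr, mask):
    """Address + ASA netmask -> network; None when unparseable (redacted hosts)."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None

def _take_addr(t, i):
    """Consume one ACE address spec (any | host A | A MASK) at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return _net(t[i + 1], "255.255.255.255"), i + 2
    return _net(t[i], t[i + 1]), i + 2

def parse(config):
    """-> (ACEs, statics, {interface: exemption ACL name}). Only 'permit'
    ACEs and network-form 'static ... netmask' lines are understood."""
    aces, statics, exempt = [], [], {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and "permit" in t:
            i = t.index("permit") + 2                  # skip the protocol keyword
            src, i = _take_addr(t, i)
            dst, _ = _take_addr(t, i)
            aces.append(Ace(t[1], src, dst, line.strip()))
        elif t[:1] == ["static"]:
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1]
            statics.append(Static(real_ifc, mapped_ifc, _net(t[2], mask), _net(t[3], mask)))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            exempt[t[1].strip("()")] = t[4]
    return aces, statics, exempt

def exempt_overlaps(aces, statics, exempt):
    """(static, ACE) pairs whose global range shares addresses with an ACE source
    in the exemption ACL on the static's real interface: the overlap that the
    'Global address overlaps with NAT exempt configuration' message flags."""
    return [(s, e) for s in statics for e in aces
            if e.name == exempt.get(s.real_ifc) and e.src is not None
            and s.mapped.overlaps(e.src)]

def nat_rule_for(src_ip, dst_ip, in_ifc, out_ifc, aces, statics, exempt):
    """Rule a flow entering in_ifc towards out_ifc hits, in lookup order."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption is bidirectional: matched src/dst for flows from the
    #    bound interface, dst/src for flows towards it.
    for e in aces:
        if e.src is None or e.dst is None:
            continue
        if e.name == exempt.get(in_ifc) and src in e.src and dst in e.dst:
            return ("exempt", e.raw)
        if e.name == exempt.get(out_ifc) and dst in e.src and src in e.dst:
            return ("exempt", e.raw)
    # 2. static: translate the source on the real side, or the destination
    #    back to its real address when the flow arrives on the mapped side.
    for s in statics:
        if s.real_ifc == in_ifc and s.mapped_ifc == out_ifc and src in s.real:
            return ("static", str(s.mapped[int(src) - int(s.real.network_address)]))
        if s.mapped_ifc == in_ifc and s.real_ifc == out_ifc and dst in s.mapped:
            return ("static", str(s.real[int(dst) - int(s.mapped.network_address)]))
    # 3. nothing above matched: a dynamic 'nat N' rule would now need a
    #    'global N' on out_ifc, and the posted config only has one on outside.
    return ("dynamic", None)
```

Run against the posted lines, `exempt_overlaps` returns fourteen pairs: every one of the thirteen NONAT-INSIDE entries has a source inside 10.1.0.0/16 or 192.168.31.0/24 (the `any` entry overlaps both), which is all the informational message is reporting. `nat_rule_for("10.1.2.245", "172.16.1.2", "inside", "DMZ", ...)` hits the first static, and the reverse flow from 172.16.1.2 to 10.1.2.245 hits the same static on its mapped side, which is the concrete answer to "do I have to set up NAT to go from DMZ to INSIDE" on a pre-8.3 box: the identity static is what lets the lower-security interface reach the higher one. With `PROPOSED` the same flows match the new exemption entries instead and no overlap remains. On the appliance itself the equivalent questions are `show xlate` (already posted above) and, on ASA 7.2 and later, `packet-tracer input inside tcp 10.1.2.245 2130 172.16.1.2 80`, which prints the NAT and ACL phases the flow goes through.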
Expert Comment

by:AskSandy
ID: 24925303
Thanks for the solution, I appreciate it.