ASA 5510 DMZ to INSIDE problems - Urgent!

Hi All,

Inside - 10.1.2.0 /24
Security level 100

DMZ - 172.16.1.0 /24
Security level 60

I am trying to simply allow traffic from the INSIDE network to the DMZ network.  From the ASA I can ping both connected networks (DMZ and INSIDE), but I can't ping from the DMZ to the INSIDE or vice versa.  I will eventually put ACLs to restrict traffic, but I am avoiding that for now for testing purposes.

portmap translation creation failed for tcp src inside:10.1.2.245/2130 dst DMZ:172.16.1.2/80

Built ICMP connection for faddr 10.1.2.245/1280 gaddr 172.16.1.1/0 laddr 172.16.1.1/0
Teardown ICMP connection for faddr 10.1.2.245/1280 gaddr 172.16.1.1/0 laddr 172.16.1.1/0

10.1.2.245 is the client I am testing the connection from (on the INSIDE)
172.16.1.1 is the IP of the DMZ interface on the ASA
172.16.1.2 is one of the clients on the DMZ network

Do I have to setup NAT to go from DMZ to INSIDE?

Don't assume I know the obvious because I don't :)

I don't usually try to be demanding when posting questions, but this is very urgent.  Please help ASAP.  

Your help is greatly appreciated.

Thanks

REB
reb_elmagnifico Asked:
batry_boy Commented:
What do your nat, global and static statements look like?  Sounds like a nat problem going from inside to dmz.  

You have to have some static translations set up to go from dmz to inside since this traffic is from lower to higher security level interfaces on the firewall.

If you want to ping from inside to dmz, you will also need an ACL that allows the return ping traffic back from the DMZ to the inside network.

access-list acl_dmz_in permit icmp any any echo-reply
access-group acl_dmz_in in interface DMZ

However, I would start with posting your nat, global and static commands so we can take a look...
0
 
reb_elmagnifico Author Commented:
Thanks for your reply!

I was able to figure it out a few hours ago.  You're right it was a NAT problem.  I was missing a statement to translate the source and destination IP ranges, which happen to be the same since I didn't need NAT.

In order to cover all of the subnets the following lines did the trick:

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Thanks

REB

0
 
reb_elmagnifico Author Commented:
Thought it was resolved, but now it stopped working for some reason.  Without changing anything, it went from success to failure.

In retrospect, when I added the statements:
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

it gave me a warning:

INFO: Global address overlaps with NAT exempt configuration

I was worried at first, but since it worked I didn't think much of it.  What is this telling me?  Could this be why it stopped working all of a sudden?

Thanks for your help!

REB
0
 
batry_boy Commented:
It's saying that one of your static statements has some source IP addresses that are in a "nat 0" statement in your configuration.  Can you post your "nat 0" statement?
0
 
reb_elmagnifico Author Commented:
nat (inside) 0 access-list NONAT-INSIDE


access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip host 192.168.31.81 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 192.168.31.83 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.192 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.200 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.215 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254
0
 
reb_elmagnifico Author Commented:
I am not really sure how this is used.  It was configured before I started working on it...

Thanks for your help!

REB
0
 
reb_elmagnifico Author Commented:
Correction to previous posting:

static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

is actually

static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

Sorry to post so many times in a row...I should get my ducks in a row before hitting that submit button :)
0
 
reb_elmagnifico Author Commented:
This might help some too:

show run global
global (outside) 1 interface

show run nat
nat (inside) 0 access-list NONAT-INSIDE
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 10.1.3.0 255.255.255.0
nat (inside) 1 10.1.4.0 255.255.255.0
nat (inside) 1 10.1.11.0 255.255.255.0
nat (inside) 1 10.1.12.0 255.255.255.0
nat (inside) 1 10.1.13.0 255.255.255.0
nat (inside) 1 10.1.14.0 255.255.255.0
nat (inside) 1 192.168.31.0 255.255.255.0

show run static

--remove outside statics--

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0



REB
0
 
batry_boy Commented:
Convoluted nat configuration you have there.  Do you know if all of the statements in the "NONAT-INSIDE" ACL are needed?  You have the following statements in there:

access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254

These are the ones that are all private class networks.  Do these exist on other PIX interfaces, or across VPN connections?  Can you post the output of the "show xlate" command to see how the nat is being implemented?
0
 
reb_elmagnifico Author Commented:
Most of the NONAT-INSIDE ACL entries are for VPN tunnels.  The rest also have special purposes...at least that is what the remarks say.  I didn't post the remarks because they are a little too descriptive for the Internet to see.

Honestly I haven't grasped the entire concept of the access list for NONAT.  Assuming that all of the existing statements are necessary, what do you suggest?

show xlate
11 in use, 1058 most used
Global 10.1.0.0 Local 10.1.0.0
PAT Global 206.x.x.140(4433) Local 10.1.1.100(443)
Global 206.x.x.141 Local 192.168.31.125
Global 206.x.x.142 Local 192.168.31.135
Global 206.x.x.137 Local 10.1.2.135
Global 206.x.x.139 Local 192.168.31.68
Global 67.x.x.177 Local 10.1.2.240
Global 172.26.221.0 Local 10.1.2.0
Global 172.26.220.0 Local 192.168.31.0
Global 67.x.x.178 Local 172.16.1.3

Thanks

REB
0
 
reb_elmagnifico Author Commented:
So, I was doing some research on the "nat 0" statement.

Would it be better if I removed the statements:

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

And added:

access-list NONAT-INSIDE extended permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.16.1.0 255.255.255.0

?
0
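To make the "nat 0" versus "static" interaction concrete, here is an added Python model (not part of the thread, not Cisco code) that parses a constructed subset of the NONAT-INSIDE ACL and the two identity statics posted above, decides which rule would handle an inside-originated flow under the ASA 8.2 order of operations (NAT exemption is evaluated before static translations), and lists the static/exempt overlaps behind the "Global address overlaps with NAT exempt configuration" message. The ACL subset, flows and the exempt-before-static ordering are assumptions stated in the comments.

```python
import ipaddress
# Constructed subset of the NONAT-INSIDE ACL and statics posted above (ASA 8.2-style syntax).
NAT_EXEMPT_ACL = """
access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
"""
STATICS = """
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
"""
def _addr(tokens):
    """Pop one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")

def parse_exempt_acl(text, name="NONAT-INSIDE"):
    """(source, destination) network pairs from the 'permit ip' lines of the nat 0 ACL."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["access-list", name] and t[3:5] == ["permit", "ip"]:
            t = t[5:]
            rules.append((_addr(t), _addr(t)))
    return rules

def parse_statics(text):
    """(real_net, mapped_net) per line; syntax: static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK."""
    out = []
    for line in text.splitlines():
        t = line.split()
        if t and t[0] == "static":
            out.append((ipaddress.ip_network(f"{t[3]}/{t[5]}"), ipaddress.ip_network(f"{t[2]}/{t[5]}")))
    return out

def classify(src, dst, rules, statics):
    """Rule handling an inside-originated flow; the 8.2 NAT order checks exemption before static."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in r_src and d in r_dst for r_src, r_dst in rules):
        return "nat-exempt"
    if any(s in real for real, _ in statics):
        return "static"
    return "untranslated"

def exempt_overlaps(rules, statics):
    """Static mapped ranges overlapping a nat-exempt source range (the INFO warning's condition)."""
    return [(str(m), str(r_src)) for _, m in statics for r_src, _ in rules if m.overlaps(r_src)]
```

Running `classify("10.1.2.245", "172.16.1.2", ...)` against the posted lines shows the inside-to-DMZ flow is carried by the /16 identity static, while `exempt_overlaps` reports that same static overlapping the 10.1.2.x exempt sources; adding the proposed 10.1.0.0/16 to 172.16.1.0/24 exemption line moves the flow to "nat-exempt" instead.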
 
AskSandy Commented:
Thanks for the solution, I appreciate the solution.
0