Solved

ASA 5510 DMZ to INSIDE problems - Urgent!

Posted on 2007-04-09
2,110 Views
Last Modified: 2013-11-16
Hi All,

Inside - 10.1.2.0 /24
Security level 100

DMZ - 172.16.1.0 /24
Security level 60

I am trying to simply allow traffic from the INSIDE network to the DMZ network.  From the ASA I can ping both connected networks (DMZ and INSIDE), but I can't ping from the DMZ to the INSIDE or vice versa.  I will eventually put ACLs to restrict traffic, but I am avoiding that for now for testing purposes.

portmap translation creation failed for tcp src inside:10.1.2.245/2130 dst DMZ:172.16.1.2/80

Built ICMP connection for faddr 10.1.2.245/1280 gaddr 172.16.1.1/0 laddr 172.16.1.1/0
Teardown ICMP connection for faddr 10.1.2.245/1280 gaddr 172.16.1.1/0 laddr 172.16.1.1/0

10.1.2.245 is the client I am testing the connection from (on the INSIDE)
172.16.1.1 is the IP of the DMZ interface on the ASA
172.16.1.2 is one of the clients on the DMZ network

Do I have to setup NAT to go from DMZ to INSIDE?

Don't assume I know the obvious because I don't :)

I don't usually try to be demanding when posting questions, but this is very urgent.  Please help ASAP.  

Your help is greatly appreciated.

Thanks

REB
Question by:reb_elmagnifico
12 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 18879957
What do your nat, global and static statements look like?  Sounds like a nat problem going from inside to dmz.  

You have to have some static translations set up to go from dmz to inside since this traffic is from lower to higher security level interfaces on the firewall.

If you want to ping from inside to dmz, you will also need an ACL that allows the return ping traffic back from the DMZ to the inside network.

access-list acl_dmz_in permit icmp any any echo-reply
access-group acl_dmz_in in interface DMZ

However, I would start with posting your nat, global and static commands so we can take a look...
 
LVL 5

Author Comment

by:reb_elmagnifico
ID: 18880522
Thanks for your reply!

I was able to figure it out a few hours ago.  You're right, it was a NAT problem.  I was missing a statement to translate the source and destination IP ranges, which happen to be the same since I didn't need NAT.

In order to cover all of the subnets the following lines did the trick:

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Thanks

REB

 
LVL 5

Author Comment

by:reb_elmagnifico
ID: 18886417
Thought it was resolved, but now it stopped working for some reason.  Without changing anything, it went from success to failure.

In retrospect, when I added the statements:
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

it gave me a warning:

INFO: Global address overlaps with NAT exempt configuration

I was worried at first, but since it worked I didn't think much of it.  What is this telling me?  Could this be why it stopped working all of a sudden?

Thanks for your help!

REB
 
LVL 28

Expert Comment

by:batry_boy
ID: 18886469
It's saying that one of your static statements has some source IP addresses that are in a "nat 0" statement in your configuration.  Can you post your "nat 0" statement?
 
LVL 5

Author Comment

by:reb_elmagnifico
ID: 18886485
nat (inside) 0 access-list NONAT-INSIDE


access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip host 192.168.31.81 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 192.168.31.83 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.192 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.200 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.215 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254
 
LVL 5

Author Comment

by:reb_elmagnifico
ID: 18886489
I am not really sure how this is used.  It was configured before I started working on it...

Thanks for your help!

REB
 
LVL 5

Author Comment

by:reb_elmagnifico
ID: 18886499
Correction to previous posting:

static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

is actually

static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

Sorry to post so many times in a row...I should get my ducks in a row before hitting that submit button :)
 
LVL 5

Author Comment

by:reb_elmagnifico
ID: 18886533
This might help some too:

show run global
global (outside) 1 interface

show run nat
nat (inside) 0 access-list NONAT-INSIDE
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 10.1.3.0 255.255.255.0
nat (inside) 1 10.1.4.0 255.255.255.0
nat (inside) 1 10.1.11.0 255.255.255.0
nat (inside) 1 10.1.12.0 255.255.255.0
nat (inside) 1 10.1.13.0 255.255.255.0
nat (inside) 1 10.1.14.0 255.255.255.0
nat (inside) 1 192.168.31.0 255.255.255.0

show run static

--remove outside statics--

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0



REB
 
LVL 28

Expert Comment

by:batry_boy
ID: 18887290
Convoluted nat configuration you have there.  Do you know if all of the statements in the "NONAT-INSIDE" ACL are needed?  You have the following statements in there:

access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254

These are the ones that are all private class networks.  Do these exist on other PIX interfaces, or across VPN connections?  Can you post the output of the "show xlate" command to see how the nat is being implemented?
 
LVL 5

Author Comment

by:reb_elmagnifico
ID: 18887395
Most of the NONAT-INSIDE ACL entries are for VPN tunnels.  The rest also have special purposes...at least that is what the remarks say.  I didn't post the remarks because they are a little too descriptive for the Internet to see.

Honestly I haven't grasped the entire concept of the access list for NONAT.  Assuming that all of the existing statements are necessary, what do you suggest?

show xlate
11 in use, 1058 most used
Global 10.1.0.0 Local 10.1.0.0
PAT Global 206.x.x.140(4433) Local 10.1.1.100(443)
Global 206.x.x.141 Local 192.168.31.125
Global 206.x.x.142 Local 192.168.31.135
Global 206.x.x.137 Local 10.1.2.135
Global 206.x.x.139 Local 192.168.31.68
Global 67.x.x.177 Local 10.1.2.240
Global 172.26.221.0 Local 10.1.2.0
Global 172.26.220.0 Local 192.168.31.0
Global 67.x.x.178 Local 172.16.1.3

Thanks

REB
 
LVL 5

Author Comment

by:reb_elmagnifico
ID: 18887559
So, I was doing some research on the "nat 0" statement.

Would it be better if I removed the statements :

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

And added :

access-list NONAT-INSIDE extended permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.16.1.0 255.255.255.0

?
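An added example, not code from the thread or any of its participants: a small offline checker that models why the ASA printed "Global address overlaps with NAT exempt configuration" for the identity statics, and what the proposed "nat 0" ACL entry would change for the 10.1.2.245 -> 172.16.1.2 flow. It parses the pre-8.3 "static" and "access-list ... permit ip" lines exactly as posted above (the sample input is constructed from them) and assumes the documented pre-8.3 order of evaluation, NAT exemption before static NAT.

```python
import ipaddress

# Constructed sample input, copied from the lines posted in the thread (not a live config).
STATICS = """\
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
"""
NONAT_ACL = """\
access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254
"""
# The poster's proposed alternative: exempt inside->DMZ in the nat 0 ACL instead of using statics.
PROPOSED_ACL = NONAT_ACL + "access-list NONAT-INSIDE extended permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0\n"

def _net(tokens):
    """Consume one ACL address spec from the token list: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0), strict=False)

def parse_statics(text):
    """Return [(global_net, local_net)] from 'static (in,out) G L netmask M' lines."""
    rows = [line.split() for line in text.splitlines() if line.startswith("static ")]
    return [(ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False),
             ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)) for t in rows]

def parse_exempt_acl(text):
    """Return [(src_net, dst_net)] from 'access-list NAME extended permit ip SRC DST' lines."""
    out = []
    for t in (line.split() for line in text.splitlines()):
        if len(t) > 5 and t[0] == "access-list" and t[3:5] == ["permit", "ip"]:
            rest = t[5:]
            out.append((_net(rest), _net(rest)))  # source spec is consumed first, then destination
    return out

def exempt_overlaps(statics, acl):
    """Static local ranges that overlap a nat 0 source: the condition the INFO warning reports."""
    return [(str(loc), str(src)) for _, loc in statics for src, _ in acl if loc.overlaps(src)]

def translation_for(src_ip, dst_ip, statics, acl):
    """Pre-8.3 ASA order of evaluation (assumed): NAT exemption (nat 0 access-list) first, then static."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(s in sn and d in dn for sn, dn in acl):
        return "exempt"
    return "static" if any(s in loc for _, loc in statics) else "none"
```

With the posted statics and ACL the checker reports five overlapping pairs and classifies the inside-to-DMZ test flow as "static"; with the statics removed and the proposed ACL line added, the same flow is classified as "exempt".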
 

Expert Comment

by:AskSandy
ID: 24925303
Thanks for the solution, I appreciate it.
