reb_elmagnifico

asked:
ASA 5510 DMZ to INSIDE problems - Urgent!

Hi All,

Inside - 10.1.2.0 /24
Security level 100

DMZ - 172.16.1.0 /24
Security level 60

I am trying to simply allow traffic from the INSIDE network to the DMZ network.  From the ASA I can ping both connected networks (DMZ and INSIDE), but I can't ping from the DMZ to the INSIDE or vice versa.  I will eventually put ACLs to restrict traffic, but I am avoiding that for now for testing purposes.

portmap translation creation failed for tcp src inside:10.1.2.245/2130 dst DMZ:172.16.1.2/80

Built ICMP connection for faddr 10.1.2.245/1280 gaddr 172.16.1.1/0 laddr 172.16.1.1/0
Teardown ICMP connection for faddr 10.1.2.245/1280 gaddr 172.16.1.1/0 laddr 172.16.1.1/0

10.1.2.245 is the client I am testing the connection from (on the INSIDE)
172.16.1.1 is the IP of the DMZ interface on the ASA
172.16.1.2 is one of the clients on the DMZ network

Do I have to setup NAT to go from DMZ to INSIDE?

Don't assume I know the obvious because I don't :)

I don't usually try to be demanding when posting questions, but this is very urgent.  Please help ASAP.  

Your help is greatly appreciated.

Thanks

REB
ASKER CERTIFIED SOLUTION
batry_boy
reb_elmagnifico

ASKER

Thanks for your reply!

I was able to figure it out a few hours ago.  You're right, it was a NAT problem.  I was missing a statement to translate the source and destination IP ranges, which happen to be the same since I didn't need NAT.

In order to cover all of the subnets the following lines did the trick:

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Thanks

REB

Thought it was resolved, but now it stopped working for some reason.  Without changing anything, it went from success to failure.

In retrospect, when I added the statements:
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

it gave me a warning:

INFO: Global address overlaps with NAT exempt configuration

I was worried at first, but since it worked I didn't think much of it.  What is this telling me?  Could this be why it stopped working all of a sudden?

Thanks for your help!

REB
It's saying that one of your static statements has some source IP addresses that are in a "nat 0" statement in your configuration.  Can you post your "nat 0" statement?
nat (inside) 0 access-list NONAT-INSIDE

access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip host 192.168.31.81 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 192.168.31.83 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.192 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.200 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip host 10.1.2.215 host xxx.xxx.201.138
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254
I am not really sure how this is used.  It was configured before I started working on it...

Thanks for your help!

REB
Correction to previous posting:

static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

is actually

static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

Sorry to post so many times in a row...I should get my ducks in a row before hitting that submit button :)
This might help some too:

show run global
global (outside) 1 interface

show run nat
nat (inside) 0 access-list NONAT-INSIDE
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 10.1.3.0 255.255.255.0
nat (inside) 1 10.1.4.0 255.255.255.0
nat (inside) 1 10.1.11.0 255.255.255.0
nat (inside) 1 10.1.12.0 255.255.255.0
nat (inside) 1 10.1.13.0 255.255.255.0
nat (inside) 1 10.1.14.0 255.255.255.0
nat (inside) 1 192.168.31.0 255.255.255.0

show run static

--remove outside statics--

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

REB
Convoluted nat configuration you have there.  Do you know if all of the statements in the "NONAT-INSIDE" ACL are needed?  You have the following statements in there:

access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.40.1.0 255.255.255.128
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254

These are the ones that are all private class networks.  Do these exist on other PIX interfaces, or across VPN connections?  Can you post the output of the "show xlate" command to see how the nat is being implemented?
Most of the NONAT-INSIDE ACL entries are for VPN tunnels.  The rest also have special purposes...at least that is what the remarks say.  I didn't post the remarks because they are a little too descriptive for the Internet to see.

Honestly I haven't grasped the entire concept of the access list for NONAT.  Assuming that all of the existing statements are necessary, what do you suggest?

show xlate
11 in use, 1058 most used
Global 10.1.0.0 Local 10.1.0.0
PAT Global 206.x.x.140(4433) Local 10.1.1.100(443)
Global 206.x.x.141 Local 192.168.31.125
Global 206.x.x.142 Local 192.168.31.135
Global 206.x.x.137 Local 10.1.2.135
Global 206.x.x.139 Local 192.168.31.68
Global 67.x.x.177 Local 10.1.2.240
Global 172.26.221.0 Local 10.1.2.0
Global 172.26.220.0 Local 192.168.31.0
Global 67.x.x.178 Local 172.16.1.3

Thanks

REB
So, I was doing some research on the "nat 0" statement.

Would it be better if I removed the statements:

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

And added:

access-list NONAT-INSIDE extended permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.16.1.0 255.255.255.0

?
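As an added illustration (not part of this thread and not Cisco code), the following Python script models the pre-8.3 ASA NAT lookup order that both the overlap warning and the final question turn on: NAT exemption (nat 0 access-list) is consulted first, then static, then the dynamic nat/global pair. It loads the private-network NONAT-INSIDE entries quoted above together with the nat (inside) 1 / global (outside) 1 statements from the thread, and evaluates the failing inside-to-DMZ flow from the log (10.1.2.245 to 172.16.1.2) under three constructed configurations: the original, the identity statics the asker added, and the nat 0 entries proposed instead. The flow addresses, interface names and ACL lines come from the thread; the lookup model and the overlap check are simplifications of the real ASA behaviour, and the outside-bound test address 203.0.113.10 is constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example: a simplified model of the pre-8.3 ASA NAT lookup order for a
# flow (NAT exemption -> static -> dynamic nat/global). Not Cisco code.
Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def _operand(t, i):
    """Parse one ACL address operand ('any', 'host A', or 'A MASK') at t[i]."""
    if t[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return Net(f"{t[i + 1]}/32"), i + 2
    return Net(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_acl(lines):
    """'access-list NAME extended permit ip SRC DST' -> [(src_net, dst_net)]."""
    entries = []
    for line in lines:
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _operand(t, 5)
            dst, _ = _operand(t, i)
            entries.append((src, dst))
    return entries


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped: Net
    real: Net


def parse_static(line):
    """'static (real_if,mapped_if) MAPPED REAL netmask MASK' -> Static."""
    t = line.split()
    real_if, mapped_if = t[1].strip("()").split(",")
    return Static(real_if, mapped_if, Net(f"{t[2]}/{t[5]}"), Net(f"{t[3]}/{t[5]}"))


@dataclass
class NatConfig:
    exempt: dict = field(default_factory=dict)   # iface -> [(src_net, dst_net)] from nat 0
    statics: list = field(default_factory=list)
    dynamic: dict = field(default_factory=dict)  # iface -> [(nat_id, real_net)]
    globals_: set = field(default_factory=set)   # {(iface, nat_id)}


def lookup(cfg, src, dst, ingress, egress):
    """Translation decision for one flow: ('exempt'|'static'|'dynamic'|'none', detail)."""
    src, dst = Addr(src), Addr(dst)
    for src_net, dst_net in cfg.exempt.get(ingress, []):   # 1. NAT exemption wins
        if src in src_net and dst in dst_net:
            return ("exempt", str(src))
    for s in cfg.statics:                                  # 2. static (identity or not)
        if s.real_if == ingress and s.mapped_if == egress and src in s.real:
            offset = int(src) - int(s.real.network_address)
            return ("static", str(Addr(int(s.mapped.network_address) + offset)))
    for nat_id, real_net in cfg.dynamic.get(ingress, []):  # 3. nat id needs a global on egress
        if src in real_net and (egress, nat_id) in cfg.globals_:
            return ("dynamic", nat_id)
    return ("none", None)  # no usable rule: the 'translation creation failed' situation


def overlap_warnings(cfg):
    """Statics whose mapped (global) range overlaps a nat 0 source range on the real interface."""
    found = []
    for s in cfg.statics:
        for src_net, _ in cfg.exempt.get(s.real_if, []):
            if s.mapped.overlaps(src_net):
                found.append((str(s.mapped), str(src_net)))
                break
    return found


# The private-network NONAT-INSIDE entries quoted in the thread (the xxx.xxx.201.138 lines are omitted).
NONAT_LINES = [
    "access-list NONAT-INSIDE extended permit ip host 10.1.2.228 10.37.0.0 255.255.255.0",
    "access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.40.1.0 255.255.255.128",
    "access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.40.1.0 255.255.255.128",
    "access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0",
    "access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 10.1.5.0 255.255.255.0",
    "access-list NONAT-INSIDE extended permit ip 10.1.2.0 255.255.255.0 172.31.100.0 255.255.255.0",
    "access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.31.100.0 255.255.255.0",
    "access-list NONAT-INSIDE extended permit ip any 172.31.100.144 255.255.255.254",
]


def base_config():
    """nat 0 + nat (inside) 1 + global (outside) 1 as posted; nothing covers inside<->DMZ."""
    cfg = NatConfig()
    cfg.exempt["inside"] = parse_acl(NONAT_LINES)
    cfg.dynamic["inside"] = [(1, Net("10.1.2.0/24")), (1, Net("192.168.31.0/24"))]
    cfg.globals_.add(("outside", 1))
    return cfg


def with_identity_statics():
    """The asker's fix: identity statics from inside to DMZ."""
    cfg = base_config()
    cfg.statics += [parse_static("static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0"),
                    parse_static("static (inside,DMZ) 192.168.31.0 192.168.31.0 netmask 255.255.255.0")]
    return cfg


def with_exempt_entries():
    """The proposed alternative: cover the DMZ in the nat 0 ACL instead of statics."""
    cfg = base_config()
    cfg.exempt["inside"] += parse_acl([
        "access-list NONAT-INSIDE extended permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0",
        "access-list NONAT-INSIDE extended permit ip 192.168.31.0 255.255.255.0 172.16.1.0 255.255.255.0"])
    return cfg


if __name__ == "__main__":
    flow = ("10.1.2.245", "172.16.1.2", "inside", "DMZ")  # the failing flow from the log
    for name, cfg in [("original", base_config()), ("identity statics", with_identity_statics()),
                      ("nat 0 entries", with_exempt_entries())]:
        print(f"{name:17s} -> {lookup(cfg, *flow)}  overlap={overlap_warnings(cfg)}")
```

In this model the original configuration returns `none` for the inside-to-DMZ flow because the only global for nat id 1 sits on the outside interface, which matches the "portmap translation creation failed" message. The identity static returns the source address unchanged but trips the overlap check, because its 10.1.0.0/16 global range contains sources already listed in the nat 0 ACL (the wording of the "Global address overlaps with NAT exempt configuration" warning). The nat 0 entries return `exempt` with no warning, and since exemption is evaluated before static, an exempt entry governs any flow that both it and an overlapping static would match.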
Thanks for the solution, I appreciate it.