ASA5510 - DMZ to LAN Communication Not Working

Hi All,

I wonder if you can help.

I have just set up a DMZ interface on my Cisco ASA to put some web servers in.

Now I have done this on ASA before and not had any issues.

So I wanted to test the communication between the DMZ and the LAN, so I tried putting in an any - any rule, but no communication is happening and I am getting the following error in the logs:

No translation group found for icmp src dmz:Secure_Gateway dst inside:philby-dr (type 8, code 0)

portmap translation creation failed for icmp src inside:dc01-dr dst dmz:Secure_Gateway (type 8, code 0)

Can anyone please help? (My full config is attached.)

Thanks

Paul
ASA Version 8.0(4) 
!
hostname asa5510-dr
domain-name drasa

names
name 192.168.254.0 DR_LAN
name 192.168.254.111 philby-dr
name 193.109.254.0 ML1
name 195.245.230.0 ML2
name 195.216.0.0 ML3
name 212.125.64.0 ML4
name 62.231.128.0 ML5
name 62.173.108.0 ML6
name 85.158.136.0 ML7
name 194.106.220.0 ML8
name 194.205.110.128 ML9
name 212.125.74.44 ML10
name 212.125.75.0 ML11
name 216.82.240.0 ML12
name 192.168.254.10 fm01-dr
name 192.168.254.13 exch01-dr
name 192.168.100.0 London_LAN
name 192.168.200.0 Guernsey_LAN
name 192.168.30.0 London_DMZ
name 111.222.333.117 philby-dr-ext
name 333.222.111.235 philby-ext
name 111.222.333.118 fm01-dr-ext
name 111.222.333.119 exch01-dr-ext
name 62.85.111.192 BFTL1
name 210.17.177.16 BFTL2
name 195.157.52.64 BFTL3
name 111.222.333.120 citrix01-ext
name 10.1.200.0 Telehouse_LAN
name 192.168.104.128 London-RAS
name 192.168.254.253 Webserver
name 111.222.333.126 Webserver-Ext
name 192.168.254.7 citrix01
name 192.168.254.4 marshal01-dr
name 192.168.252.10 Secure_Gateway
name 192.168.254.1 dc01-dr
!
interface Ethernet0/0
 description LAN
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.254.254 255.255.255.0 
!
interface Ethernet0/1
 description WAN
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 111.222.333.116 255.255.255.240 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description DR DMZ
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 192.168.252.1 255.255.255.0 
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name ourdomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network MessageLabs
 description MessageLabs Mail Servers
 network-object ML1 255.255.254.0
 network-object ML2 255.255.254.0
 network-object ML3 255.255.224.0
 network-object ML4 255.255.224.0
 network-object ML5 255.255.224.0
 network-object ML6 255.255.255.0
 network-object ML7 255.255.248.0
 network-object ML8 255.255.254.0
 network-object ML9 255.255.255.224
 network-object ML10 255.255.255.255
 network-object ML11 255.255.255.224
 network-object ML12 255.255.240.0
object-group service XoSoft tcp
 port-object eq 25000
object-group network Beauchamp
 description Beauchamp Networks
 network-object BFTL2 255.255.255.240
 network-object BFTL1 255.255.255.224
 network-object BFTL3 255.255.255.240
object-group service Radmin tcp
 port-object eq 4899
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_4 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object London_LAN 255.255.252.0
 network-object London_DMZ 255.255.255.0
object-group network Bloomberg
 description Bloomberg Networks
 network-object 69.184.0.0 255.255.0.0
 network-object 199.105.176.0 255.255.255.0
 network-object 199.105.184.0 255.255.255.0
 network-object 205.183.246.0 255.255.255.0
 network-object 208.134.161.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list 100MB_access_in extended permit ip DR_LAN 255.255.255.0 192.168.140.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip DR_LAN 255.255.255.0 Guernsey_LAN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip DR_LAN 255.255.255.0 Telehouse_LAN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip DR_LAN 255.255.255.0 172.16.254.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip DR_LAN 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list Group_VPN_splitTunnelAcl standard permit DR_LAN 255.255.255.0 
access-list outside_2_cryptomap extended permit ip DR_LAN 255.255.255.0 Guernsey_LAN 255.255.255.0 
access-list inside_access_in extended deny ip host Webserver London_LAN 255.255.252.0 inactive 
access-list inside_access_in extended deny ip host Webserver DR_LAN 255.255.255.0 inactive 
access-list inside_access_in extended deny ip host Webserver Guernsey_LAN 255.255.255.0 inactive 
access-list inside_access_in extended permit ip DR_LAN 255.255.255.0 any 
access-list inside_access_in extended permit ip DR_LAN 255.255.255.0 London_LAN 255.255.252.0 
access-list inside_access_in extended permit ip Guernsey_LAN 255.255.255.0 any 
access-list inside_access_in extended permit ip London_DMZ 255.255.255.0 DR_LAN 255.255.255.0 inactive 
access-list inside_access_in extended permit ip 192.168.140.0 255.255.255.0 DR_LAN 255.255.255.0 inactive 
access-list outside_access_in extended permit ip host philby-ext host philby-dr-ext 
access-list outside_access_in extended permit tcp object-group Beauchamp host fm01-dr-ext eq 4899 
access-list outside_access_in extended permit tcp any host citrix01-ext object-group DM_INLINE_TCP_2 inactive 
access-list outside_access_in remark DR Inbound Email to DR Exchange Server
access-list outside_access_in extended permit tcp object-group MessageLabs host exch01-dr-ext eq smtp inactive 
access-list outside_access_in extended permit tcp any host exch01-dr-ext object-group DM_INLINE_TCP_1 inactive 
access-list outside_access_in extended permit tcp any host citrix01-ext eq citrix-ica inactive 
access-list outside_access_in extended permit tcp any host Webserver-Ext object-group DM_INLINE_TCP_3 
access-list outside_access_in extended permit tcp any host Webserver-Ext object-group DM_INLINE_TCP_4 inactive 
access-list outside_access_in remark DR Inbound Email to DR Mail Marshal
access-list outside_access_in extended permit tcp object-group MessageLabs host 111.222.333.116 eq smtp inactive 
access-list outside_access_in extended permit tcp any host exch01-dr-ext object-group DM_INLINE_TCP_5 inactive 
access-list outside_access_in remark Temp Access from Citrix Course
access-list outside_access_in extended permit tcp host Citrix_Course host citrix01-ext eq https inactive 
access-list outside_access_inside remark BFTL Remote Access
access-list outside_access_inside extended permit tcp object-group Beauchamp host fm01-dr-ext eq 4899 
access-list Group_VPN_splitTunnelAcl_1 standard permit DR_LAN 255.255.255.0 
access-list outside_3_cryptomap extended permit ip DR_LAN 255.255.255.0 Telehouse_LAN 255.255.255.0 
access-list Group_VPN_splitTunnelAcl_2 standard permit DR_LAN 255.255.255.0 
access-list Group_VPN_DR_splitTunnelAcl standard permit DR_LAN 255.255.255.0 
access-list Group_VPN_DR_splitTunnelAcl standard permit London_LAN 255.255.252.0 
access-list Group_VPN_DR_splitTunnelAcl standard permit London_DMZ 255.255.255.0 
access-list outside_1_cryptomap extended permit ip DR_LAN 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list dmz_access_in extended permit ip any any 
access-list dmz_nat0_outbound extended permit ip host Secure_Gateway DR_LAN 255.255.255.0 
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1404
mtu dmz 1404
ip local pool VPN_RAS 172.16.254.1-172.16.254.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit London_LAN 255.255.252.0 inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 Secure_Gateway 255.255.255.255
static (inside,outside) tcp interface smtp marshal01-dr smtp netmask 255.255.255.255 
static (inside,outside) philby-dr-ext philby-dr netmask 255.255.255.255 dns 
static (inside,outside) fm01-dr-ext fm01-dr netmask 255.255.255.255 
static (inside,outside) exch01-dr-ext exch01-dr netmask 255.255.255.255 
static (inside,outside) citrix01-ext citrix01 netmask 255.255.255.255 
static (inside,outside) Webserver-Ext Webserver netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 111.222.333.113 1
route inside 69.184.0.0 255.255.0.0 192.168.254.200 1
route inside London_LAN 255.255.252.0 192.168.254.5 1
route inside 199.105.176.0 255.255.255.0 192.168.254.200 1
route inside 199.105.184.0 255.255.255.0 192.168.254.200 1
route inside 205.183.246.0 255.255.255.0 192.168.254.200 1
route inside 208.134.161.0 255.255.255.0 192.168.254.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server radius protocol radius
aaa-server radius (inside) host philby-dr
 key thisisourkey
 authentication-port 1655
 accounting-port 1656
 radius-common-pw thisisourkey
aaa authentication telnet console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http DR_LAN 255.255.255.0 inside
http 333.222.111.232 255.255.255.248 outside
http London_LAN 255.255.252.0 inside
snmp-server host inside 192.168.100.1 community company_snmp
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 333.222.111.234 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer 111.333.222.50 
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 333.111.222.145 
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
telnet DR_LAN 255.255.255.0 inside
telnet London_LAN 255.255.252.0 inside
telnet timeout 5
ssh 333.222.111.232 255.255.255.248 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
group-policy Group_VPN_DR internal
group-policy Group_VPN_DR attributes
 wins-server value 192.168.254.111
 dns-server value 192.168.254.111
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Group_VPN_DR_splitTunnelAcl
 default-domain value ourdomain.com
group-policy DR_VPN internal
group-policy DR_VPN attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 msie-proxy pac-url none
 vlan none
 nac-settings none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  url-list none
  filter none
  homepage none
  mapi disable
  http-proxy disable
  sso-server none
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  svc compression deflate
  svc modules none
  svc profiles none
  svc ask none default webvpn
  customization value DfltCustomization
  keep-alive-ignore 4
  http-comp gzip
  user-storage none
  storage-objects value cookies,credentials
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  file-entry enable
  file-browsing enable
  url-entry enable
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  smart-tunnel auto-signon disable
username pauls password WqG8BePEGm42pd0k encrypted privilege 15
username pauls attributes
 vpn-group-policy DfltGrpPolicy
username osgood password kL27CwlpwsuDs/Io encrypted privilege 15
tunnel-group Group_VPN_DR type remote-access
tunnel-group Group_VPN_DR general-attributes
 address-pool VPN_RAS
 authentication-server-group radius
 default-group-policy Group_VPN_DR
tunnel-group Group_VPN_DR ipsec-attributes
 pre-shared-key *
tunnel-group 111.333.222.50 type ipsec-l2l
tunnel-group 111.333.222.50 ipsec-attributes
 pre-shared-key *
tunnel-group 333.111.222.145 type ipsec-l2l
tunnel-group 333.111.222.145 ipsec-attributes
 pre-shared-key *
tunnel-group 333.222.111.234 type ipsec-l2l
tunnel-group 333.222.111.234 general-attributes
 default-group-policy DR_VPN
tunnel-group 333.222.111.234 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:838f7941ef482fc44059baeb7077fa03
: end

essexboy80 Asked:

Alexey Komarov (Chief Project Engineer) Commented:
Hi,
This is a problem in Nat0.
Try:
access-list inside_nat0_outbound permit ip 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list dmz_nat0_outbound permit ip 192.168.252.0 255.255.255.0 192.168.254.0 255.255.255.0

0
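An offline check of which source/destination pairs the `nat (interface) 0 access-list` exemptions cover, before and after the two lines suggested in the answer above. This is an added example, not part of the thread: the config excerpt is constructed from the posted configuration, the function names are hypothetical, and the sketch only models `permit ip` entries (object-groups are not expanded, and the rest of the ASA NAT order of operations is not modelled).

```python
import ipaddress

# Constructed excerpt: only the lines of the posted config that this check needs.
BASE = """\
name 192.168.254.0 DR_LAN
name 192.168.200.0 Guernsey_LAN
name 192.168.252.10 Secure_Gateway
name 192.168.254.1 dc01-dr
access-list inside_nat0_outbound extended permit ip DR_LAN 255.255.255.0 Guernsey_LAN 255.255.255.0
access-list dmz_nat0_outbound extended permit ip host Secure_Gateway DR_LAN 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
"""
# The two lines proposed in the answer above.
FIX = """\
access-list inside_nat0_outbound permit ip 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list dmz_nat0_outbound permit ip 192.168.252.0 255.255.255.0 192.168.254.0 255.255.255.0
"""

def parse(config):
    """Collect name aliases, active 'permit ip' ACL entries and nat 0 ACL bindings."""
    names, acls, nat0 = {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] == "name":
            names[t[2]] = t[1]
        elif len(t) >= 5 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
        elif t and t[0] == "access-list" and "permit" in t and "inactive" not in t:
            rest = t[t.index("permit") + 1:]
            if rest[:1] == ["ip"]:
                acls.setdefault(t[1], []).append(rest[1:])
    return names, acls, nat0

def take_net(tokens, names):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]

def exempt(config, iface, src, dst):
    """True if src -> dst matches the nat 0 ACL bound to the source interface."""
    names, acls, nat0 = parse(config)
    s = ipaddress.ip_address(names.get(src, src))
    d = ipaddress.ip_address(names.get(dst, dst))
    for entry in acls.get(nat0.get(iface), []):
        try:
            snet, rest = take_net(entry, names)
            dnet, _ = take_net(rest, names)
        except (ValueError, IndexError):
            continue  # operand this sketch does not model, e.g. object-group
        if s in snet and d in dnet:
            return True
    return False

if __name__ == "__main__":
    for label, cfg in (("before", BASE), ("after", BASE + FIX)):
        print(label, "inside->dmz:", exempt(cfg, "inside", "dc01-dr", "Secure_Gateway"))
```
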
essexboy80 (Author) Commented:
Do I need to remove anything?
0
Alexey Komarov (Chief Project Engineer) Commented:
I think it should not be necessary.
0
essexboy80 (Author) Commented:
Hi All,

I now have another issue: I can ping servers on the LAN from the DMZ, but I cannot telnet to anything. I cannot see any reason why not, but I am getting the following in the log:

Built inbound TCP connection 130135 for dmz:Secure_Gateway/1101 (Secure_Gateway/1101) to inside:philby-dr/53 (philby-dr/53)

Teardown TCP connection 130137 for dmz:Secure_Gateway/1101 to inside:philby-dr/53 duration 0:00:06 bytes 0 TCP Reset-O

Deny TCP (no connection) from Secure_Gateway/1101 to philby-dr/53 flags RST  on interface dmz

Can anyone offer some advice?

Thanks

Paul
0
essexboy80 (Author) Commented:
Hi All,

I have resolved this element of my problem now.

Not sure what the problem was, but ended up via the telnet windows removing anything to do with the dmz and then starting again and it worked.

Rogue rule I suspect.
0
