essexboy80
asked on
ASA5510 - DMZ to LAN Communication Not Working
Hi All,
I wonder if you can help.
I have just setup a dmz interface on my cisco asa to put some web servers in.
Now I have done this on ASA before and not had any issues.
So I wanted to test the communication between the DMZ and the LAN, so I tried putting in an any-any rule, but no communication is happening and I am getting the following error in the logs:
No translation group found for icmp src dmz:Secure_Gateway dst inside:philby-dr (type 8, code 0)
portmap translation creation failed for icmp src inside:dc01-dr dst dmz:Secure_Gateway (type 8, code 0)
Can anyone please help (my full config is attached)
Thanks
Paul
ASA Version 8.0(4)
!
hostname asa5510-dr
domain-name drasa
names
name 192.168.254.0 DR_LAN
name 192.168.254.111 philby-dr
name 193.109.254.0 ML1
name 195.245.230.0 ML2
name 195.216.0.0 ML3
name 212.125.64.0 ML4
name 62.231.128.0 ML5
name 62.173.108.0 ML6
name 85.158.136.0 ML7
name 194.106.220.0 ML8
name 194.205.110.128 ML9
name 212.125.74.44 ML10
name 212.125.75.0 ML11
name 216.82.240.0 ML12
name 192.168.254.10 fm01-dr
name 192.168.254.13 exch01-dr
name 192.168.100.0 London_LAN
name 192.168.200.0 Guernsey_LAN
name 192.168.30.0 London_DMZ
name 111.222.333.117 philby-dr-ext
name 333.222.111.235 philby-ext
name 111.222.333.118 fm01-dr-ext
name 111.222.333.119 exch01-dr-ext
name 62.85.111.192 BFTL1
name 210.17.177.16 BFTL2
name 195.157.52.64 BFTL3
name 111.222.333.120 citrix01-ext
name 10.1.200.0 Telehouse_LAN
name 192.168.104.128 London-RAS
name 192.168.254.253 Webserver
name 111.222.333.126 Webserver-Ext
name 192.168.254.7 citrix01
name 192.168.254.4 marshal01-dr
name 192.168.252.10 Secure_Gateway
name 192.168.254.1 dc01-dr
!
interface Ethernet0/0
description LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface Ethernet0/1
description WAN
speed 100
duplex full
nameif outside
security-level 0
ip address 111.222.333.116 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description DR DMZ
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.252.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name ourdomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network MessageLabs
description MessageLabs Mail Servers
network-object ML1 255.255.254.0
network-object ML2 255.255.254.0
network-object ML3 255.255.224.0
network-object ML4 255.255.224.0
network-object ML5 255.255.224.0
network-object ML6 255.255.255.0
network-object ML7 255.255.248.0
network-object ML8 255.255.254.0
network-object ML9 255.255.255.224
network-object ML10 255.255.255.255
network-object ML11 255.255.255.224
network-object ML12 255.255.240.0
object-group service XoSoft tcp
port-object eq 25000
object-group network Beauchamp
description Beauchamp Networks
network-object BFTL2 255.255.255.240
network-object BFTL1 255.255.255.224
network-object BFTL3 255.255.255.240
object-group service Radmin tcp
port-object eq 4899
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object London_LAN 255.255.252.0
network-object London_DMZ 255.255.255.0
object-group network Bloomberg
description Bloomberg Networks
network-object 69.184.0.0 255.255.0.0
network-object 199.105.176.0 255.255.255.0
network-object 199.105.184.0 255.255.255.0
network-object 205.183.246.0 255.255.255.0
network-object 208.134.161.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 100MB_access_in extended permit ip DR_LAN 255.255.255.0 192.168.140.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip DR_LAN 255.255.255.0 Guernsey_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip DR_LAN 255.255.255.0 Telehouse_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip DR_LAN 255.255.255.0 172.16.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip DR_LAN 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list Group_VPN_splitTunnelAcl standard permit DR_LAN 255.255.255.0
access-list outside_2_cryptomap extended permit ip DR_LAN 255.255.255.0 Guernsey_LAN 255.255.255.0
access-list inside_access_in extended deny ip host Webserver London_LAN 255.255.252.0 inactive
access-list inside_access_in extended deny ip host Webserver DR_LAN 255.255.255.0 inactive
access-list inside_access_in extended deny ip host Webserver Guernsey_LAN 255.255.255.0 inactive
access-list inside_access_in extended permit ip DR_LAN 255.255.255.0 any
access-list inside_access_in extended permit ip DR_LAN 255.255.255.0 London_LAN 255.255.252.0
access-list inside_access_in extended permit ip Guernsey_LAN 255.255.255.0 any
access-list inside_access_in extended permit ip London_DMZ 255.255.255.0 DR_LAN 255.255.255.0 inactive
access-list inside_access_in extended permit ip 192.168.140.0 255.255.255.0 DR_LAN 255.255.255.0 inactive
access-list outside_access_in extended permit ip host philby-ext host philby-dr-ext
access-list outside_access_in extended permit tcp object-group Beauchamp host fm01-dr-ext eq 4899
access-list outside_access_in extended permit tcp any host citrix01-ext object-group DM_INLINE_TCP_2 inactive
access-list outside_access_in remark DR Inbound Email to DR Exchange Server
access-list outside_access_in extended permit tcp object-group MessageLabs host exch01-dr-ext eq smtp inactive
access-list outside_access_in extended permit tcp any host exch01-dr-ext object-group DM_INLINE_TCP_1 inactive
access-list outside_access_in extended permit tcp any host citrix01-ext eq citrix-ica inactive
access-list outside_access_in extended permit tcp any host Webserver-Ext object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host Webserver-Ext object-group DM_INLINE_TCP_4 inactive
access-list outside_access_in remark DR Inbound Email to DR Mail Marshal
access-list outside_access_in extended permit tcp object-group MessageLabs host 111.222.333.116 eq smtp inactive
access-list outside_access_in extended permit tcp any host exch01-dr-ext object-group DM_INLINE_TCP_5 inactive
access-list outside_access_in remark Temp Access from Citrix Course
access-list outside_access_in extended permit tcp host Citrix_Course host citrix01-ext eq https inactive
access-list outside_access_inside remark BFTL Remote Access
access-list outside_access_inside extended permit tcp object-group Beauchamp host fm01-dr-ext eq 4899
access-list Group_VPN_splitTunnelAcl_1 standard permit DR_LAN 255.255.255.0
access-list outside_3_cryptomap extended permit ip DR_LAN 255.255.255.0 Telehouse_LAN 255.255.255.0
access-list Group_VPN_splitTunnelAcl_2 standard permit DR_LAN 255.255.255.0
access-list Group_VPN_DR_splitTunnelAcl standard permit DR_LAN 255.255.255.0
access-list Group_VPN_DR_splitTunnelAcl standard permit London_LAN 255.255.252.0
access-list Group_VPN_DR_splitTunnelAcl standard permit London_DMZ 255.255.255.0
access-list outside_1_cryptomap extended permit ip DR_LAN 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended permit ip any any
access-list dmz_nat0_outbound extended permit ip host Secure_Gateway DR_LAN 255.255.255.0
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1404
mtu dmz 1404
ip local pool VPN_RAS 172.16.254.1-172.16.254.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit London_LAN 255.255.252.0 inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 Secure_Gateway 255.255.255.255
static (inside,outside) tcp interface smtp marshal01-dr smtp netmask 255.255.255.255
static (inside,outside) philby-dr-ext philby-dr netmask 255.255.255.255 dns
static (inside,outside) fm01-dr-ext fm01-dr netmask 255.255.255.255
static (inside,outside) exch01-dr-ext exch01-dr netmask 255.255.255.255
static (inside,outside) citrix01-ext citrix01 netmask 255.255.255.255
static (inside,outside) Webserver-Ext Webserver netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 111.222.333.113 1
route inside 69.184.0.0 255.255.0.0 192.168.254.200 1
route inside London_LAN 255.255.252.0 192.168.254.5 1
route inside 199.105.176.0 255.255.255.0 192.168.254.200 1
route inside 199.105.184.0 255.255.255.0 192.168.254.200 1
route inside 205.183.246.0 255.255.255.0 192.168.254.200 1
route inside 208.134.161.0 255.255.255.0 192.168.254.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server radius protocol radius
aaa-server radius (inside) host philby-dr
key thisisourkey
authentication-port 1655
accounting-port 1656
radius-common-pw thisisourkey
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http DR_LAN 255.255.255.0 inside
http 333.222.111.232 255.255.255.248 outside
http London_LAN 255.255.252.0 inside
snmp-server host inside 192.168.100.1 community company_snmp
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 333.222.111.234
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 111.333.222.50
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 333.111.222.145
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet DR_LAN 255.255.255.0 inside
telnet London_LAN 255.255.252.0 inside
telnet timeout 5
ssh 333.222.111.232 255.255.255.248 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy Group_VPN_DR internal
group-policy Group_VPN_DR attributes
wins-server value 192.168.254.111
dns-server value 192.168.254.111
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Group_VPN_DR_splitTunnelAcl
default-domain value ourdomain.com
group-policy DR_VPN internal
group-policy DR_VPN attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
url-list none
filter none
homepage none
mapi disable
http-proxy disable
sso-server none
svc dtls enable
svc mtu 1406
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client 30
svc dpd-interval gateway 30
svc compression deflate
svc modules none
svc profiles none
svc ask none default webvpn
customization value DfltCustomization
keep-alive-ignore 4
http-comp gzip
user-storage none
storage-objects value cookies,credentials
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay enable
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
smart-tunnel auto-signon disable
username pauls password WqG8BePEGm42pd0k encrypted privilege 15
username pauls attributes
vpn-group-policy DfltGrpPolicy
username osgood password kL27CwlpwsuDs/Io encrypted privilege 15
tunnel-group Group_VPN_DR type remote-access
tunnel-group Group_VPN_DR general-attributes
address-pool VPN_RAS
authentication-server-group radius
default-group-policy Group_VPN_DR
tunnel-group Group_VPN_DR ipsec-attributes
pre-shared-key *
tunnel-group 111.333.222.50 type ipsec-l2l
tunnel-group 111.333.222.50 ipsec-attributes
pre-shared-key *
tunnel-group 333.111.222.145 type ipsec-l2l
tunnel-group 333.111.222.145 ipsec-attributes
pre-shared-key *
tunnel-group 333.222.111.234 type ipsec-l2l
tunnel-group 333.222.111.234 general-attributes
default-group-policy DR_VPN
tunnel-group 333.222.111.234 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:838f7941ef482fc44059baeb7077fa03
: end
ASKER
Do I need to remove anything?
I think it should not be necessary.
ASKER
Hi All,
I now have another issue: I can ping servers on the LAN from the DMZ, but I cannot telnet to anything. I cannot see any reason why not, but I am getting the following in the log:
Built inbound TCP connection 130135 for dmz:Secure_Gateway/1101 (Secure_Gateway/1101) to inside:philby-dr/53 (philby-dr/53)
Teardown TCP connection 130137 for dmz:Secure_Gateway/1101 to inside:philby-dr/53 duration 0:00:06 bytes 0 TCP Reset-O
Deny TCP (no connection) from Secure_Gateway/1101 to philby-dr/53 flags RST on interface dmz
Can anyone offer some advice?
Thanks
Paul
ASKER CERTIFIED SOLUTION
This is a problem in Nat0.
Try:
access-list inside_nat0_outbound permit ip 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list dmz_nat0_outbound permit ip 192.168.252.0 255.255.255.0 192.168.254.0 255.255.255.0
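To show why the two NAT 0 lines fix the "No translation group found" / "portmap translation creation failed" errors, here is an added Python model of the pre-8.3 ASA NAT lookup (written for this page, not Cisco's or the poster's code), with the posted config transcribed and the answer's two lines applied as a second config. It assumes nat-control is at its 8.0 default (off) and leaves out the statics, which are all (inside,outside) and not on the DMZ-to-LAN path.

```python
import copy
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

# Model of the pre-8.3 NAT lookup, reduced to the rule types in the posted
# config. Assumption: nat-control is off, so a packet that matches no rule is
# forwarded untranslated; a packet that matches a dynamic "nat" rule MUST find
# a "global" with the same id on the egress interface.
def nat_lookup(cfg, ingress, egress, src, dst):
    """Decision for the first packet of a flow entering `ingress`, leaving `egress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. nat (ingress) 0 access-list: NAT exemption is checked first and wins.
    for s, d in cfg["nat0"].get(ingress, []):
        if src in s and dst in d:
            return "exempt"
    # 2. nat (ingress) <id> <net>: dynamic rule, needs global (egress) <id>.
    for nat_id, s in cfg["nat"].get(ingress, []):
        if src in s:
            if nat_id in cfg["global"].get(egress, set()):
                return f"dynamic PAT id {nat_id} on {egress}"
            # The ASA logs this as "No translation group found" or
            # "portmap translation creation failed" (the poster's log lines).
            return "no translation group found"
    # 3. No rule matched; nat-control is off, so the packet passes as-is.
    return "untranslated"

# Transcribed from the posted running-config (names resolved to addresses).
DR_LAN, DR_DMZ = net("192.168.254.0/24"), net("192.168.252.0/24")
PAGE_CONFIG = {
    "nat0": {
        "inside": [  # access-list inside_nat0_outbound: no entry for the DMZ
            (DR_LAN, net("192.168.200.0/24")),   # Guernsey_LAN
            (DR_LAN, net("10.1.200.0/24")),      # Telehouse_LAN
            (DR_LAN, net("172.16.254.0/24")),    # VPN_RAS pool
            (DR_LAN, net("192.168.100.0/22")),   # London_LAN (DM_INLINE_NETWORK_1)
            (DR_LAN, net("192.168.30.0/24")),    # London_DMZ (DM_INLINE_NETWORK_1)
        ],
        "dmz": [(net("192.168.252.10/32"), DR_LAN)],  # only host Secure_Gateway
    },
    "nat": {
        "inside": [(1, net("0.0.0.0/0"))],        # nat (inside) 1 0.0.0.0 0.0.0.0
        "dmz": [(1, net("192.168.252.10/32"))],   # nat (dmz) 1 Secure_Gateway
    },
    "global": {"outside": {1}},                   # global (outside) 1 interface only
}

# The accepted answer: exempt the whole DMZ<->LAN pair in both nat0 ACLs.
FIXED_CONFIG = copy.deepcopy(PAGE_CONFIG)
FIXED_CONFIG["nat0"]["inside"].append((DR_LAN, DR_DMZ))
FIXED_CONFIG["nat0"]["dmz"].append((DR_DMZ, DR_LAN))

if __name__ == "__main__":
    for name, cfg in (("posted", PAGE_CONFIG), ("fixed", FIXED_CONFIG)):
        # dc01-dr -> Secure_Gateway, the flow behind the poster's second log line
        print(name, nat_lookup(cfg, "inside", "dmz", "192.168.254.1", "192.168.252.10"))
```

With the posted config, inside-to-DMZ traffic matches `nat (inside) 1` and finds no `global (dmz) 1`, which is the failure in the log; the answer's exemption lines make the lookup stop at step 1 for both directions and for every DMZ host, not just Secure_Gateway.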