Solved

Can't Ping Between DMZ And Inside

Posted on 2010-09-14
2,298 Views
Last Modified: 2013-11-16
Please see the attached config...this is just a test lab that I'm setting up, and the outside interface isn't connected to anything yet.  I'm just trying to ping between a host on the inside network (172.16.1.200, connected to a switch on port 0/2 on the ASA) and a host on the DMZ (172.16.3.10, connected to a switch on port 0/1).  

I'm getting a deny message in the syslog when pinging from the DMZ host to the inside host (not sure why as I have an ACL to allow pings from DMZ to inside), however I get no message when pinging from the inside host to the DMZ (shouldn't need an ACL since I'm going from higher to lower security, right?)  Both ways all of the packets are dropped.

I'm guessing I didn't set up the NAT right between the inside and DMZ but any help is much appreciated.
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XCFDGSsVlDNJzctG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X X.X.X.X
!
interface Vlan101
 nameif dmz
 security-level 50
 ip address 172.16.3.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 101
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group icmp-type Good_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit icmp any any object-group Good_ICMP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.1.5-172.16.1.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:657fd032cc30333a4f1c0598cfd5e858
: end


Question by:hachemp

18 Comments
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 33679435
Add "fixup protocol icmp" to your configuration. This is a shortcut that accomplishes this:

policy-map global_policy
 class inspection_default
  inspect icmp

This will make the firewall's handling of ICMP "stateful", so that the return traffic will automatically be allowed in from your dmz to your inside.

/Kvistofta
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33681883
no nat (dmz) 1 0.0.0.0 0.0.0.0

global(dmz) 1 interface

Enter these two commands and it should work.
And you don't really need any access-list for traffic originating from a higher security level to a lower one.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33682071
ullas_unni: I am afraid that you are just adding confusion for the author here...

> no nat (dmz) 1 0.0.0.0 0.0.0.0
Removing that command will prevent your dmz from accessing internet, which is probably not the desired result.

> global(dmz) 1 interface
Adding that command will hide inside-addresses when going to dmz which also has nothing to do with the question.

There is nothing wrong with the NAT between inside and dmz in the original configuration posted above. The problem is that the echo-reply from dmz is not allowed in. This can be solved either the way I wrote in my previous comment above or by adding an acl inbound to the dmz interface that allows echo-replies. I prefer to make the icmp "stateful" by inspecting it, but it is just a matter of taste.

/Kvistofta
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33682144
Hmm, ok, I didn't see he had "static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0" in place, so you might not need to do the commands I posted. I thought he was missing source translation from inside to dmz.

#fixup protocol icmp

should do like Kvistofta mentioned.
0
 

Author Comment

by:hachemp
ID: 33682589
Thank you both for the responses.  Kvistofta, I tried what you suggested but no dice, still the same issue.  I didn't think I would need the ICMP inspect since echo and echo-reply are part of the Good_ICMP group that I am allowing to the inside network.  However I added it, and when I ping from the DMZ host to the inside host, I still receive the following in the syslog:

"Deny inbound icmp src dmz: 172.16.3.10 dst inside: 172.16.1.200 (type 8, code 0)"

Still nothing in the syslog when pinging from the inside host to the DMZ. Any ideas?  I know this is probably something simple but I'm not seeing it.  Thanks.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33682667
what if you add this:

access-l dmz_access_in ext permit icmp any any echo
access-group dmz_access_in in interface dmz

/Kvistofta
0
 

Author Comment

by:hachemp
ID: 33683026
Halfway there!  After adding that, I can now ping from the DMZ host to the inside host.  However, I still cannot ping from the inside host to the DMZ.  Any ideas on that last part?
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33683053
That SHOULD work if you applied the fixup mentioned earlier. What do "show run service-policy" and "show run policy-map" look like?

/Kvistofta
0
 

Author Comment

by:hachemp
ID: 33683133
show run service-policy:

service-policy global_policy global


show run policy-map:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp

0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33683530
It sounds like it doesn't do the inspect icmp that is configured. Try this:

access-l dmz_access_in ext permit icmp any any echo-reply

/Kvistofta
0
 

Author Comment

by:hachemp
ID: 33683982
I added that as well, but still no go.  I even added another node in the DMZ to eliminate any potential issues with the other one.  They can ping each other and both can ping the inside node, but the inside node can't ping either of them.  No messages in the syslog from this, even with debugging level logging turned on - seems that if there was a missing ACL for this it would show up in the syslog, correct?

Do I maybe need a NAT statement for the DMZ like the one for the inside network?  None of the examples I've seen show that.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33684068
What if you try the packet-tracer?

packet-tracer input inside icmp  8 0  detailed

and the reverse:

packet-tracer input dmz icmp  0 0  detailed

/Kvistofta
0
 

Author Comment

by:hachemp
ID: 33684241
I tried both ways from the CLI and both show that they are allowed at each phase and the end result is that the packet is allowed.  However, when I tried to use the ASDM graphical packet tracer, I get the attached image.  I get that for both ways.  Don't know if that's of any significance, but wanted to share.

BTW, I didn't know about the CLI packet-tracer command.  That will come in useful, thanks.
ASAdmz.JPG
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33688811
Would this help?

interface Ethernet0/2
 switchport access vlan 1
0
 

Author Comment

by:hachemp
ID: 33692567
kuoh, thanks, but I believe that vlan 1 is implied on ports where no other vlan is specified.

I finally figured out what was happening on this by resetting the ASA to defaults and re-configuring it from scratch:  When I would add the ICMP allow rule to the inside interface, it would remove the implicit rule on that interface that by default allows traffic from 'any' to 'any less secure networks'.  So when I would ping from the inside network to the DMZ, I'm guessing the packet wasn't allowed to exit the inside network any more.  Not sure why that wasn't showing in the syslog, though.  

Since I was configuring from the CLI, I never saw that implicit rule and never noticed once it was gone until I used the ASDM.  So I set up NAT as before and ICMP inspect and voila, I can ping from the inside to the DMZ.  I can't ping from DMZ to inside yet because once I add the rule to allow ICMP on the inside, I lose the implicit rule allowing traffic out of the inside to the other networks.  

So below is the config I used to fix that and allow the following:

Inside network has no restrictions to DMZ or Outside network
DMZ can only ping the inside network, has full access to the Outside network
Nothing should be able to come to the inside network except for pings from the DMZ

Kvistofta, I'm awarding you the points since you were of much help on this.  If you would be so kind, would you take a quick look at this config and let me know if I'm allowing more than I'm intending?
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password XXXXXXXXXXX
passwd XXXXXXXXXXXX
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXXXXXXXXX 255.255.255.248
!
interface Vlan101
 nameif dmz
 security-level 50
 ip address 172.16.3.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 101
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group icmp-type Good_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list dmz_access_in extended permit icmp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0 object-group Good_ICMP
access-list dmz_access_in extended permit ip 172.16.3.0 255.255.255.0 <outside net> 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.1.5-172.16.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:89f64bd350cba417ad8b3f3a6af7d22b
: end


0
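As an added illustration (not code from the thread or from Cisco), here is a small Python model of the ASA 8.2 behaviour the thread turns on: an applied access-group replaces the implicit permit from a higher to a lower security level, every ACL ends in an implicit deny, and "inspect icmp" lets echo-replies back without an ACL entry. It evaluates the original config and the final one against the flows discussed, so a reader can check what the final ACLs allow; the outside network is a constructed placeholder (203.0.113.0/29, standing in for the redacted "<outside net>") and all helper names are hypothetical.

```python
import ipaddress

# Constructed model of the lab in this thread (hypothetical helper names):
# three interfaces with the security levels from the posted ASA 8.2 config.
SEC = {"inside": 100, "dmz": 50, "outside": 0}
GOOD_ICMP = {"echo", "echo-reply", "time-exceeded", "traceroute", "unreachable"}
OUTSIDE_NET = "203.0.113.0/29"  # placeholder for the redacted "<outside net>"

def ace(action, proto, src, dst, icmp_types=None):
    """One access-list entry; proto 'ip' matches any protocol, as on the ASA."""
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), icmp_types)

# The config from the original question: an ACL on inside only, no ICMP inspection.
ORIGINAL = {"acls": {"inside": [ace("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0", GOOD_ICMP)]},
            "inspect_icmp": False}
# The author's final config: ACLs on inside and dmz, plus "inspect icmp".
FINAL = {"acls": {"inside": [ace("permit", "ip", "172.16.1.0/24", "0.0.0.0/0")],
                  "dmz": [ace("permit", "icmp", "172.16.3.0/24", "172.16.1.0/24", GOOD_ICMP),
                          ace("permit", "ip", "172.16.3.0/24", OUTSIDE_NET)]},
         "inspect_icmp": True}

def permitted(cfg, ingress, egress, proto, src, dst, icmp_type=None):
    """Inbound check on the ingress interface for one packet.
    An applied access-group replaces the implicit higher-to-lower permit
    (the rule the author saw disappear in ASDM); with no ACL, only traffic
    from a higher to a lower security level passes, and every ACL ends in deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["acls"].get(ingress)
    if acl is None:
        return SEC[ingress] > SEC[egress]
    for action, aproto, asrc, adst, types in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if src not in asrc or dst not in adst:
            continue
        if types is not None and icmp_type not in types:
            continue
        return action == "permit"  # first matching entry decides
    return False  # implicit deny at the end of the list

def ping_works(cfg, src_if, src, dst_if, dst):
    """The echo must pass inbound on src_if; the echo-reply then gets back
    either because "inspect icmp" tracks the flow statefully or because the
    ACL on dst_if explicitly allows echo-reply toward src."""
    if not permitted(cfg, src_if, dst_if, "icmp", src, dst, "echo"):
        return False
    return cfg["inspect_icmp"] or permitted(cfg, dst_if, src_if, "icmp", dst, src, "echo-reply")
```

With the original config the model reproduces the syslog deny for the DMZ-to-inside echo (no ACL on dmz, lower to higher) and the failed inside-to-DMZ ping (echo permitted, echo-reply dropped without inspection); with the final config only ICMP from the DMZ reaches the inside network.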
 

Author Closing Comment

by:hachemp
ID: 33692588
See below for full solution
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33692630
Hello

Your configuration looks good. Nice that I could help. :-)

/Kvistofta
0
 

Author Comment

by:hachemp
ID: 33692701
Thanks!
0
