Solved

Can't Ping Between DMZ And Inside

Posted on 2010-09-14
Last Modified: 2013-11-16
Please see the attached config...this is just a test lab that I'm setting up, and the outside interface isn't connected to anything yet.  I'm just trying to ping between a host on the inside network (172.16.1.200, connected to a switch on port 0/2 on the ASA) and a host on the DMZ (172.16.3.10, connected to a switch on port 0/1).  

I'm getting a deny message in the syslog when pinging from the DMZ host to the inside host (not sure why as I have an ACL to allow pings from DMZ to inside), however I get no message when pinging from the inside host to the DMZ (shouldn't need an ACL since I'm going from higher to lower security, right?)  Both ways all of the packets are dropped.

I'm guessing I didn't set up the NAT right between the inside and DMZ but any help is much appreciated.
: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XCFDGSsVlDNJzctG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X X.X.X.X 
!
interface Vlan101
 nameif dmz
 security-level 50
 ip address 172.16.3.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 101
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group icmp-type Good_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit icmp any any object-group Good_ICMP 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.1.5-172.16.1.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:657fd032cc30333a4f1c0598cfd5e858
: end
asdm image disk0:/asdm-621.bin
no asdm history enable

Question by:hachemp
18 Comments
 
LVL 17

Accepted Solution

by:
Kvistofta earned 2000 total points
ID: 33679435
Add "fixup protocol icmp" to your configuration. This is a shortcut that accomplishes this:

policy-map global_policy
 class inspection_default
  inspect icmp

This will make the firewall's handling of ICMP "stateful", so that the return traffic will automatically be allowed in from your dmz to your inside.

/Kvistofta
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33681883
no nat (dmz) 1 0.0.0.0 0.0.0.0

global(dmz) 1 interface

Enter these two commands and it should work.
And you don't really need any access-list for traffic originating from a higher security level to a lower one.
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33682071
ullas_unni: I am afraid that you just add confusion to the author here...

> no nat (dmz) 1 0.0.0.0 0.0.0.0
Removing that command will prevent your dmz from accessing internet, which is probably not the desired result.

> global(dmz) 1 interface
Adding that command will hide inside-addresses when going to dmz which also has nothing to do with the question.

There is nothing wrong with the NAT between inside and dmz in the original configuration posted above. The problem is that the echo-reply from dmz is not allowed in. This can be solved either the way I wrote in my previous comment above or by adding an acl inbound to the dmz-interface that allows echo-replies. I prefer to make the icmp "stateful" by inspecting it, but it is just a matter of taste.

/Kvistofta
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33682144
Hmm, ok, I didn't see he had static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 in place, so you might not need to do the commands I posted. I thought he was missing source translation from inside to dmz.

#fixup protocol icmp

should do like Kvistofta mentioned.
 

Author Comment

by:hachemp
ID: 33682589
Thank you both for the responses.  Kvistofta, I tried what you suggested but no dice, still the same issue.  I didn't think I would need the ICMP inspect since echo and echo_reply are part of the Good_ICMP group that I am allowing to the inside network.  However I added it, and when I ping from the DMZ host to the inside host, I still receive the following in the syslog:

"Deny inbound icmp src dmz: 172.16.3.10 dst inside: 172.16.1.200 (type 8, code 0)"

Still nothing in the syslog when pinging from the inside host to the DMZ. Any ideas?  I know this is probably something simple but I'm not seeing it.  Thanks.
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33682667
what if you add this:

access-l dmz_access_in ext permit icmp any any echo
access-group dmz_access_in in interface dmz

/Kvistofta
 

Author Comment

by:hachemp
ID: 33683026
Halfway there!  After adding that, I can now ping from the DMZ host to the inside host.  However, I still cannot ping from the inside host to the DMZ.  Any ideas on that last part?
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33683053
That SHOULD work if you applied the fixup mentioned earlier. What do "show run service-policy" and "show run policy-map" look like?

/Kvistofta
 

Author Comment

by:hachemp
ID: 33683133
show run service-policy:

service-policy global_policy global


show run policy-map:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

 
LVL 17

Expert Comment

by:Kvistofta
ID: 33683530
It sounds like it doesn't do the inspect icmp that is configured. Try this:

access-l dmz_access_in ext permit icmp any any echo-reply

/Kvistofta
 

Author Comment

by:hachemp
ID: 33683982
I added that as well, but still no go.  I even added another node in the DMZ to eliminate any potential issues with the other one.  They can ping each other and both can ping the inside node, but the inside node can't ping either of them.  No messages in the syslog from this, even with debugging level logging turned on - seems that if there was a missing ACL for this it would show up in the syslog, correct?

Do I maybe need a NAT statement for the DMZ like the one for the inside network?  None of the examples I've seen show that.
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33684068
What if you try the packet-tracer?

packet-tracer input inside icmp  8 0  detailed

and the reverse:

packet-tracer input dmz icmp  0 0  detailed

/Kvistofta
 

Author Comment

by:hachemp
ID: 33684241
I tried both ways from the CLI and both show that they are allowed at each phase and the end result is that the packet is allowed.  However, when I tried to use the ASDM graphical packet tracer, I get the attached image.  I get that for both ways.  Don't know if that's of any significance, but wanted to share.

BTW, I didn't know about the CLI packet-tracer command. That will come in useful, thanks.
ASAdmz.JPG
 
LVL 6

Expert Comment

by:kuoh
ID: 33688811
Would this help?

interface Ethernet0/2
 switchport access vlan 1
 

Author Comment

by:hachemp
ID: 33692567
kuoh, thanks, but I believe that vlan 1 is implied on ports where no other vlan is specified.

I finally figured out what was happening on this by resetting the ASA to defaults and re-configuring it from scratch:  When I would add the ICMP allow rule to the inside interface, it would remove the implicit rule on that interface that by default allows traffic from 'any' to 'any less secure networks'.  So when I would ping from the inside network to the DMZ, I'm guessing the packet wasn't allowed to exit the inside network any more.  Not sure why that wasn't showing in the syslog, though.  

Since I was configuring from the CLI, I never saw that implicit rule and never noticed once it was gone until I used the ASDM. So I set up NAT as before and ICMP inspect and voila, I can ping from the inside to the DMZ. I can't ping from DMZ to inside yet because once I add the rule to allow ICMP on the inside, I lose the implicit rule allowing traffic out of the inside to the other networks.

So below is the config I used to fix that and allow the following:

Inside network has no restrictions to DMZ or Outside network
DMZ can only ping the inside network, has full access to the Outside network
Nothing should be able to come to the inside network except for pings from the DMZ

Kvistofta, I'm awarding you the points since you were of much help on this.  If you would be so kind, would you take a quick look at this config and let me know if I'm allowing more than I'm intending?
: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
enable password XXXXXXXXXXX
passwd XXXXXXXXXXXX
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXXXXXXXXX 255.255.255.248 
!
interface Vlan101
 nameif dmz
 security-level 50
 ip address 172.16.3.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 101
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group icmp-type Good_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any 
access-list dmz_access_in extended permit icmp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0 object-group Good_ICMP 
access-list dmz_access_in extended permit ip 172.16.3.0 255.255.255.0 <outside net> 255.255.255.248 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.1.5-172.16.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:89f64bd350cba417ad8b3f3a6af7d22b
: end
no asdm history enable
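As an added illustration that is not from the thread or the poster's configs, here is a small Python model of how the ASA decides the cases discussed above: the accepted answer's point that ICMP return traffic is only allowed statefully under "inspect icmp", and the author's observation that binding an ACL to an interface removes its implicit higher-to-lower permit. The outside network 198.51.100.0/29 is a constructed placeholder for the elided <outside net>, and the model covers only interface ACLs, inspection state and security levels, not NAT.

```python
import ipaddress

# Added model (not from the thread) of ASA 8.2 interface-ACL evaluation.
# Networks, ACL names and security levels come from the poster's configs;
# OUTSIDE_NET is a constructed stand-in for the elided <outside net>.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
OUTSIDE_NET = "198.51.100.0/29"
GOOD_ICMP = {"echo", "echo-reply", "time-exceeded", "traceroute", "unreachable"}
N = ipaddress.ip_network
ANY = N("0.0.0.0/0")

# ACL entries: (protocol, source net, destination net, icmp types or None = any)
ACLS = {
    "inside_access_in_orig": [("icmp", ANY, ANY, GOOD_ICMP)],  # original config
    "inside_access_in": [("ip", N("172.16.1.0/24"), ANY, None)],  # final config
    "dmz_access_in": [
        ("icmp", N("172.16.3.0/24"), N("172.16.1.0/24"), GOOD_ICMP),
        ("ip", N("172.16.3.0/24"), N(OUTSIDE_NET), None),
    ],
}

def acl_permits(entries, proto, src, dst, icmp_type):
    """First match top-down; no match means the ACL's implicit deny."""
    for eproto, esrc, edst, etypes in entries:
        if eproto not in ("ip", proto) or src not in esrc or dst not in edst:
            continue
        if eproto == "icmp" and etypes is not None and icmp_type not in etypes:
            continue
        return True
    return False

class Asa:
    def __init__(self, bound, inspect_icmp):
        self.bound = bound            # interface -> ACL name (access-group ... in)
        self.inspect_icmp = inspect_icmp
        self.conns = set()            # (src, dst) of echo requests already allowed

    def allow(self, ingress, egress, proto, src, dst, icmp_type=None):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # With "inspect icmp" a reply to an existing echo rides that connection.
        if self.inspect_icmp and icmp_type == "echo-reply" and (dst, src) in self.conns:
            return True
        acl = self.bound.get(ingress)
        if acl is None:   # no ACL bound: implicit permit only toward lower security
            ok = SECURITY[ingress] > SECURITY[egress]
        else:             # ACL bound: the implicit higher-to-lower permit is gone
            ok = acl_permits(ACLS[acl], proto, src, dst, icmp_type)
        if ok and icmp_type == "echo":
            self.conns.add((src, dst))
        return ok
```

Running the original binding (inside ACL only, no inspection) against the final one reproduces both the "Deny inbound icmp src dmz" the author saw and the dropped echo-reply the accepted answer describes.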
 

Author Closing Comment

by:hachemp
ID: 33692588
See below for full solution
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33692630
Hello

Your configuration looks good. Nice that I could help. :-)

/Kvistofta
 

Author Comment

by:hachemp
ID: 33692701
Thanks!