Networking Hardware-Other
Thanks in advance.
73SiteAFW.log
SiteA-Firewall# packet-tracer input dmz icmp 173.17.1.4 0 0 11.2.1.23
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz) 11.2.1.0 11.2.1.0 netmask 255.255.255.0
nat-control
 match ip inside 11.2.1.0 255.255.255.0 dmz any
  static translation to 11.2.1.0
  translate_hits = 1, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate 11.2.1.0/0 to 11.2.1.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface dmz
access-list dmz_access_in extended permit icmp any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description Internet_Netflow
class inspection_default
 inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 1 173.17.1.0 255.255.255.0
nat-control
 match ip dmz 173.17.1.0 255.255.255.0 dmz any
  dynamic translation to pool 1 (173.17.1.1 [Interface PAT])
  translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,dmz) 11.2.1.0 11.2.1.0 netmask 255.255.255.0
nat-control
 match ip inside 11.2.1.0 255.255.255.0 dmz any
  static translation to 11.2.1.0
  translate_hits = 1, untranslate_hits = 3
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 263043, packet dispatched to next module
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
SiteA-Firewall# packet-tracer input inside icmp 11.2.1.23 0 0 173.17.1.4
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in  173.17.1.0    255.255.255.0  dmz
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description Internet_Netflow
class inspection_default
 inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,dmz) 11.2.1.0 11.2.1.0 netmask 255.255.255.0
nat-control
 match ip inside 11.2.1.0 255.255.255.0 dmz any
  static translation to 11.2.1.0
  translate_hits = 2, untranslate_hits = 3
Additional Information:
Static translate 11.2.1.0/0 to 11.2.1.0/0 using netmask 255.255.255.0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 11.2.1.0 11.2.1.0 netmask 255.255.255.0
nat-control
 match ip inside 11.2.1.0 255.255.255.0 dmz any
  static translation to 11.2.1.0
  translate_hits = 2, untranslate_hits = 3
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 266708, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
I applied this command and was able to ping, success! My question after that was "So what ACL actually controls what gets between the DMZ and the Inside interfaces?" I ran the following command to remove the dmz_access_in ACL from the device, "clear configure access-list dmz_access_in", then I tried to ping again. I pinged the interface, which I reasoned I should still be able to because technically there's nothing coming "in" to the DMZ. But when I pinged a machine inside the DMZ, I thought nothing would come back because there's no ACL on the DMZ letting things back "in" to the interface. Well, that ping worked as well.
So, my question is, "Why does pinging stop when the ACL no_nat is removed, but it continues if the previous ACL is in play but the dmz_access_in ACL is removed?" Additionally, "What does that dmz_access_in ACL control, if anything? Because it doesn't appear to be controlling what goes 'in' to that dmz interface."
Thanks.
SiteA-Firewall# packet-tracer input dmz icmp 173.17.1.4 0 0 11.2.1.23
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in  11.2.1.0     255.255.255.0  inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface dmz
access-list dmz_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 description Internet_Netflow
 class inspection_default
 inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 1 173.17.1.0 255.255.255.0
nat-control
 match ip dmz 173.17.1.0 255.255.255.0 dmz any
  dynamic translation to pool 1 (173.17.1.1 [Interface PAT])
  translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
 match ip inside any dmz any
  dynamic translation to pool 1 (173.17.1.1 [Interface PAT])
  translate_hits = 1, untranslate_hits = 0
Additional Information:
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
And added the line: static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0.0

The pings work through packet-tracer. I'm a bit confused as to why, though. If I understand right, the static command you had me put in "maps" the 10.0.0.0 subnet on the dmz to that same network on the inside interface. But if that's right, how do I control what comes and goes from the dmz interface? Specifically, since I don't have an ACL controlling the show anymore.
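A small parser for the packet-tracer output quoted in this thread, added here as an example (it is not part of the thread and not a Cisco tool). It reads the Phase / Type / Subtype / Result / Config / Additional Information layout seen in the traces above, followed by the final Result block, and reports the first phase that returned DROP together with the configuration lines that phase matched and the Drop-reason. It assumes only that layout; the embedded sample is a constructed, trimmed copy of the dropped trace above (phases 2 to 8 and the interface status lines removed).

```python
"""Parse Cisco ASA packet-tracer output and report the phase that dropped a flow."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: trimmed copy of the DROP trace posted above (phases 2-8 omitted).
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
 match ip inside any dmz any
  dynamic translation to pool 1 (173.17.1.1 [Interface PAT])
  translate_hits = 1, untranslate_hits = 0
Additional Information:

Result:
input-interface: dmz
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class Trace:
    phases: List[Phase]
    summary: dict  # the final "Result:" block, keys lower-cased (action, drop-reason, ...)

    def first_drop(self) -> Optional[Phase]:  # None when every phase allowed
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)

def parse_packet_tracer(text: str) -> Trace:
    phases, summary = [], {}
    current = None      # Phase currently being filled in
    section = None      # "config" or "info" while inside a phase
    in_summary = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = re.match(r"^Phase:\s*(\d+)", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            in_summary, current = True, None
        elif in_summary:
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
        elif current is None:
            continue  # e.g. the command prompt line before Phase 1
        elif line.partition(":")[0] in ("Type", "Subtype", "Result"):
            key, _, value = line.partition(":")
            setattr(current, key.lower(), value.strip())
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, summary)

def explain(trace: Trace) -> str:
    """One-line verdict naming the phase that dropped the packet and the rule it matched."""
    act, rsn = trace.summary.get("action", ""), trace.summary.get("drop-reason", "")
    if act.lower() == "allow":
        return (f"allowed: {trace.summary.get('input-interface')} -> "
                f"{trace.summary.get('output-interface')} through {len(trace.phases)} phases")
    drop = trace.first_drop()
    if drop is None:  # summary says drop but no phase reported it
        return f"dropped ({rsn}) but no phase reported DROP"
    cfg = " | ".join(s.strip() for s in drop.config) or "(no config shown)"
    return f"dropped at phase {drop.number} {drop.type}/{drop.subtype}: {rsn}; matching config: {cfg}"

if __name__ == "__main__":
    print(explain(parse_packet_tracer(SAMPLE_TRACE)))
```

Run it as-is to see the verdict for the embedded sample, or call parse_packet_tracer() on the saved text of a real trace. Comparing the Config lines of the failing NAT rpf-check phase with the rpf-check phase of the working trace earlier in the thread shows which translation statement each direction selected.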
Can you post the configuration as it is now?