Solved

ASA DMZ access problems / Packet tracer

Posted on 2014-02-12
5
1,234 Views
Last Modified: 2014-02-19
I'm trying unsuccessfully to establish an http connection from inside host 5.6.7.80 to DMZ host 1.2.3.31.  To troubleshoot the problem I've attempted to use the packet tracer tool (Also unsuccessfully) - the packet tracer tool seems to indicate that this traffic would be allowed when in fact it is not allowed.  Am I using this tool correctly?  Is there another way to troubleshoot these dropped packets?  (See below for packet trace results)

ASA# packet-tracer input inside tcp 5.6.7.80 1024 1.2.3.31 80


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.3.0   255.255.255.0   dmz

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz) source static Internal-Nets Internal-Nets destination static dmz-net dmz-net no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface dmz
Untranslate 1.2.3.31/80 to 1.2.3.31/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out in interface inside
access-list inside_access_out extended permit ip any any
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,dmz) source static Internal-Nets Internal-Nets destination static dmz-net dmz-net no-proxy-arp route-lookup
Additional Information:
Static translate 5.6.7.80/1024 to 5.6.7.80/1024

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FILTER
Subtype: filter-url
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,dmz) source static Internal-Nets Internal-Nets destination static dmz-net dmz-net no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 29559213, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Open in new window


FYI - this is ASA software version 9.
0
Comment
Question by:tballin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39853855
Can you post a sanitized version of your config here please? Let us know.
0
 

Author Comment

by:tballin
ID: 39854006
There's a lot of config here and sanitizing it would take me all day - is there a portion of the config maybe that I could post for you?
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39854159
The inside host, dmz host, Nat, and ACL portion would be good for starters.
0
 

Accepted Solution

by:
tballin earned 0 total points
ID: 39859164
Turns out it was a problem with the host, and not the firewall.  Thanks for the help though.
0
 

Author Closing Comment

by:tballin
ID: 39869808
Not the problem I thought it was.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question