Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

ASA DMZ access problems / Packet tracer

Posted on 2014-02-12
5
Medium Priority
?
1,284 Views
Last Modified: 2014-02-19
I'm trying unsuccessfully to establish an http connection from inside host 5.6.7.80 to DMZ host 1.2.3.31.  To troubleshoot the problem I've attempted to use the packet tracer tool (Also unsuccessfully) - the packet tracer tool seems to indicate that this traffic would be allowed when in fact it is not allowed.  Am I using this tool correctly?  Is there another way to troubleshoot these dropped packets?  (See below for packet trace results)

ASA# packet-tracer input inside tcp 5.6.7.80 1024 1.2.3.31 80


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.3.0   255.255.255.0   dmz

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz) source static Internal-Nets Internal-Nets destination static dmz-net dmz-net no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface dmz
Untranslate 1.2.3.31/80 to 1.2.3.31/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out in interface inside
access-list inside_access_out extended permit ip any any
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,dmz) source static Internal-Nets Internal-Nets destination static dmz-net dmz-net no-proxy-arp route-lookup
Additional Information:
Static translate 5.6.7.80/1024 to 5.6.7.80/1024

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FILTER
Subtype: filter-url
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,dmz) source static Internal-Nets Internal-Nets destination static dmz-net dmz-net no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 29559213, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Open in new window


FYI - this is ASA software version 9.
0
Comment
Question by:tballin
  • 3
  • 2
5 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39853855
Can you post a sanitized version of your config here please? Let us know.
0
 

Author Comment

by:tballin
ID: 39854006
There's a lot of config here and sanitizing it would take me all day - is there a portion of the config maybe that I could post for you?
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39854159
The inside host, dmz host, Nat, and ACL portion would be good for starters.
0
 

Accepted Solution

by:
tballin earned 0 total points
ID: 39859164
Turns out it was a problem with the host, and not the firewall.  Thanks for the help though.
0
 

Author Closing Comment

by:tballin
ID: 39869808
Not the problem I thought it was.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question