ASA 8.4 DMZ cannot get to internet


  • ASA 8.4 DMZ cannot get to internet

    We have a DMZ on an ASA5510 running 8.4; it can access anything on the internal interface but cannot get out to the internet or the outside interface.
    I try to ping from a host in the DMZ to 8.8.8.8 and get this in the log:
    6 Apr 25 2012 08:24:43 110003 8.8.8.8 0 172.10.1.150 1 Routing failed to locate next hop for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1
    Please help.
    Thanks in advance.


    Please see attached file for config.

  • #2
    Re: ASA 8.4 DMZ cannot get to internet

    Routing failed to locate next hop for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1Please help.

    You say you tried pinging from a host in the DMZ, but per that log message the ASA is routing 172.10.1.150 to the inside interface, not the dmz interface.

    May want to check your routing table.


    Also why would you put a security-level of 100 for your dmz?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: ASA 8.4 DMZ cannot get to internet

      Hi, could you look at the config file please? The ASA for some reason keeps sending the traffic back to the inside interface to look for a subnet belonging to the DMZ.
      We use security level 100 only to try to figure out what the problem is.
      Thanks.



      • #4
        Re: ASA 8.4 DMZ cannot get to internet

        The ASA is routing to the inside because, as you said, it's probably using a default route as it doesn't have more specific information. Is there a router or layer 3 switch behind the dmz interface?
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: ASA 8.4 DMZ cannot get to internet

          Originally posted by auglan:
          The ASA is routing to the inside because, as you said, it's probably using a default route as it doesn't have more specific information. Is there a router or layer 3 switch behind the dmz interface?
          There is a 3650 switch connected to the dmz.
          Here is part of the config:
          interface Vlan1
          description MPLS
          ip address 172.20.20.130 255.255.255.252
          !
          interface Vlan2
          description ISP <-> ASA Outside
          no ip address
          !
          interface Vlan10
          description ASA Inside Data + Voice
          ip address 192.168.10.2 255.255.255.0
          !
          interface Vlan20
          description INTERNET
          ip address 38.103.153.129 255.255.255.224
          !
          interface Vlan30
          description Internal Video
          ip address 172.30.1.1 255.255.255.0
          !
          interface Vlan35
          ip address 192.168.35.1 255.255.255.0
          !
          interface Vlan110
          ip address 192.168.110.1 255.255.255.0
          !
          interface Vlan111
          description DMZ
          ip address 172.10.1.2 255.255.255.0
          !
          ip classless
          ip route 0.0.0.0 0.0.0.0 192.168.10.1
          ip route 192.168.1.0 255.255.255.0 172.20.20.129
          ip route 192.168.2.0 255.255.255.0 172.20.20.129
          ip route 192.168.3.0 255.255.255.0 172.20.20.129
          ip route 192.168.6.0 255.255.255.0 172.20.20.129
          ip route 192.168.10.0 255.255.255.0 172.20.20.129
          ip route 192.168.101.0 255.255.255.0 172.20.20.129
          ip route 192.168.102.0 255.255.255.0 172.20.20.129
          ip route 192.168.103.0 255.255.255.0 172.20.20.129
          ip route 192.168.106.0 255.255.255.0 172.20.20.129
          ip route 192.168.201.0 255.255.255.0 172.20.20.129
          ip route 192.168.202.0 255.255.255.0 172.20.20.129
          ip route 192.168.203.0 255.255.255.0 172.20.20.129
          ip route 192.168.206.0 255.255.255.0 172.20.20.129
          ip http server
          !
          !
          control-plane



          • #6
            Re: ASA 8.4 DMZ cannot get to internet

            route dmz 172.10.1.0 255.255.255.0 172.10.1.2
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: ASA 8.4 DMZ cannot get to internet

              Originally posted by auglan:
              route dmz 172.10.1.0 255.255.255.0 172.10.1.2
              I've tried that before removing that line on the ASA. It doesn't do anything.

              I was also trying
              route inside 172.10.1.0 255.255.255.0 192.168.10.2

              but can't add the route because it's a connected route.



              • #8
                Re: ASA 8.4 DMZ cannot get to internet

                Yeah, you shouldn't need it as that network is directly connected. Do you see a NAT translation when you try the ping?

                Has internet access ever worked prior off the DMZ? If not, that's the main reason to test things before adding to the config. Doesn't help you now, but for future deployments start with the basics before adding advanced configurations.
                Last edited by auglan; 25th April 2012, 23:46.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: ASA 8.4 DMZ cannot get to internet

                  Internet works fine from INSIDE. DMZ is new and it's not working.

                  Maybe this would help?
                  Result of the command: "packet-tracer input DMZ tcp 172.10.1.150 1025 8.8.8.8 80 det"

                  Phase: 1
                  Type: CAPTURE
                  Subtype:
                  Result: ALLOW
                  Config:
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xaf2b05c8, priority=13, domain=capture, deny=false
                  hits=12031, user_data=0xae88a3c8, cs_id=0x0, l3_type=0x0
                  src mac=0000.0000.0000, mask=0000.0000.0000
                  dst mac=0000.0000.0000, mask=0000.0000.0000
                  input_ifc=DMZ, output_ifc=any

                  Phase: 2
                  Type: ACCESS-LIST
                  Subtype:
                  Result: ALLOW
                  Config:
                  Implicit Rule
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xad7dde88, priority=1, domain=permit, deny=false
                  hits=1365, user_data=0x0, cs_id=0x0, l3_type=0x8
                  src mac=0000.0000.0000, mask=0000.0000.0000
                  dst mac=0000.0000.0000, mask=0100.0000.0000
                  input_ifc=DMZ, output_ifc=any

                  Phase: 3
                  Type: ROUTE-LOOKUP
                  Subtype: input
                  Result: ALLOW
                  Config:
                  Additional Information:
                  in 0.0.0.0 0.0.0.0 outside

                  Phase: 4
                  Type: ACCESS-LIST
                  Subtype: log
                  Result: ALLOW
                  Config:
                  access-group DMZ_access_in in interface DMZ
                  access-list DMZ_access_in extended permit ip any any
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xaf2ad180, priority=13, domain=permit, deny=false
                  hits=5, user_data=0xaa842680, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
                  src ip/id=0.0.0.0, mask=0.0.0.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
                  input_ifc=DMZ, output_ifc=any

                  Phase: 5
                  Type: IP-OPTIONS
                  Subtype:
                  Result: ALLOW
                  Config:
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xad7e2be8, priority=0, domain=inspect-ip-options, deny=true
                  hits=5035, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
                  src ip/id=0.0.0.0, mask=0.0.0.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
                  input_ifc=DMZ, output_ifc=any

                  Phase: 6
                  Type: SSM-DIVERT
                  Subtype:
                  Result: ALLOW
                  Config:
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xafd9b5e8, priority=50, domain=ssm-isvw, deny=true
                  hits=514, user_data=0xae62ef80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
                  src ip/id=172.10.1.0, mask=255.255.255.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
                  input_ifc=DMZ, output_ifc=any

                  Phase: 7
                  Type: SSM_SERVICE
                  Subtype:
                  Result: ALLOW
                  Config:
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xaeaf8480, priority=49, domain=ssm-isvw-capable, deny=false
                  hits=60, user_data=0x1, cs_id=0x0, flags=0x0, protocol=6
                  src ip/id=0.0.0.0, mask=0.0.0.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
                  input_ifc=DMZ, output_ifc=any

                  Phase: 8
                  Type: NAT
                  Subtype:
                  Result: ALLOW
                  Config:
                  object network obj_any-09
                  nat (DMZ,outside) dynamic interface
                  Additional Information:
                  Dynamic translate 172.10.1.150/1025 to 38.103.153.130/45841
                  Forward Flow based lookup yields rule:
                  in id=0xafe4d7a0, priority=6, domain=nat, deny=false
                  hits=1, user_data=0xae2b4de8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
                  src ip/id=0.0.0.0, mask=0.0.0.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
                  input_ifc=DMZ, output_ifc=outside

                  Phase: 9
                  Type: SSM_SERVICE
                  Subtype:
                  Result: ALLOW
                  Config:
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  out id=0xae462cf8, priority=49, domain=ssm-isvw-capable, deny=false
                  hits=10210675, user_data=0x2, cs_id=0x0, flags=0x0, protocol=6
                  src ip/id=0.0.0.0, mask=0.0.0.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
                  input_ifc=any, output_ifc=outside

                  Phase: 10
                  Type: IP-OPTIONS
                  Subtype:
                  Result: ALLOW
                  Config:
                  Additional Information:
                  Reverse Flow based lookup yields rule:
                  in id=0xad785940, priority=0, domain=inspect-ip-options, deny=true
                  hits=69252483, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
                  src ip/id=0.0.0.0, mask=0.0.0.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
                  input_ifc=outside, output_ifc=any

                  Phase: 11
                  Type: FLOW-CREATION
                  Subtype:
                  Result: ALLOW
                  Config:
                  Additional Information:
                  New flow created with id 73800074, packet dispatched to next module
                  Module information for forward flow ...
                  snp_fp_tracer_drop
                  snp_fp_inspect_ip_options
                  snp_fp_tcp_normalizer
                  snp_fp_translate
                  snp_fp_adjacency
                  snp_fp_fragment
                  snp_ifc_stat

                  Module information for reverse flow ...
                  snp_fp_tracer_drop
                  snp_fp_inspect_ip_options
                  snp_fp_translate
                  snp_fp_tcp_normalizer
                  snp_fp_adjacency
                  snp_fp_fragment
                  snp_ifc_stat

                  Result:
                  input-interface: DMZ
                  input-status: up
                  input-line-status: up
                  output-interface: outside
                  output-status: up
                  output-line-status: up
                  Action: allow




                  Result of the command: "packet-tracer input DMZ icmp 172.10.1.150 0 0 8.8.8.8 det"

                  Phase: 1
                  Type: CAPTURE
                  Subtype:
                  Result: ALLOW
                  Config:
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xaf2b05c8, priority=13, domain=capture, deny=false
                  hits=12043, user_data=0xae88a3c8, cs_id=0x0, l3_type=0x0
                  src mac=0000.0000.0000, mask=0000.0000.0000
                  dst mac=0000.0000.0000, mask=0000.0000.0000
                  input_ifc=DMZ, output_ifc=any

                  Phase: 2
                  Type: ACCESS-LIST
                  Subtype:
                  Result: ALLOW
                  Config:
                  Implicit Rule
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xad7dde88, priority=1, domain=permit, deny=false
                  hits=1366, user_data=0x0, cs_id=0x0, l3_type=0x8
                  src mac=0000.0000.0000, mask=0000.0000.0000
                  dst mac=0000.0000.0000, mask=0100.0000.0000
                  input_ifc=DMZ, output_ifc=any

                  Phase: 3
                  Type: ROUTE-LOOKUP
                  Subtype: input
                  Result: ALLOW
                  Config:
                  Additional Information:
                  in 0.0.0.0 0.0.0.0 outside

                  Phase: 4
                  Type: ACCESS-LIST
                  Subtype: log
                  Result: ALLOW
                  Config:
                  access-group DMZ_access_in in interface DMZ
                  access-list DMZ_access_in extended permit ip any any
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xaf2ad180, priority=13, domain=permit, deny=false
                  hits=6, user_data=0xaa842680, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
                  src ip/id=0.0.0.0, mask=0.0.0.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
                  input_ifc=DMZ, output_ifc=any

                  Phase: 5
                  Type: IP-OPTIONS
                  Subtype:
                  Result: ALLOW
                  Config:
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xad7e2be8, priority=0, domain=inspect-ip-options, deny=true
                  hits=5036, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
                  src ip/id=0.0.0.0, mask=0.0.0.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
                  input_ifc=DMZ, output_ifc=any

                  Phase: 6
                  Type: INSPECT
                  Subtype: np-inspect
                  Result: ALLOW
                  Config:
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xad7e26c8, priority=66, domain=inspect-icmp-error, deny=false
                  hits=63, user_data=0xad7e1ce0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
                  src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
                  input_ifc=DMZ, output_ifc=any

                  Phase: 7
                  Type: SSM-DIVERT
                  Subtype:
                  Result: ALLOW
                  Config:
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xafd9b5e8, priority=50, domain=ssm-isvw, deny=true
                  hits=515, user_data=0xae62ef80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
                  src ip/id=172.10.1.0, mask=255.255.255.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
                  input_ifc=DMZ, output_ifc=any

                  Phase: 8
                  Type: NAT
                  Subtype:
                  Result: DROP
                  Config:
                  object network obj_any-09
                  nat (DMZ,outside) dynamic interface
                  Additional Information:
                  Forward Flow based lookup yields rule:
                  in id=0xafe4d7a0, priority=6, domain=nat, deny=false
                  hits=2, user_data=0xae2b4de8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
                  src ip/id=0.0.0.0, mask=0.0.0.0, port=0
                  dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
                  input_ifc=DMZ, output_ifc=outside

                  Result:
                  input-interface: DMZ
                  input-status: up
                  input-line-status: up
                  output-interface: outside
                  output-status: up
                  output-line-status: up
                  Action: drop
                  Drop-reason: (acl-drop) Flow is denied by configured rule



                  • #10
                    Re: ASA 8.4 DMZ cannot get to internet

                    So a trace with tcp traffic seems to work (or at least is allowed), but the icmp trace fails on:

                    Drop-reason: (acl-drop) Flow is denied by configured rule. Can't seem to find that object.

                    Phase: 8
                    Type: NAT
                    Subtype:
                    Result: DROP
                    Config:
                    object network obj_any-09
                    nat (DMZ,outside) dynamic interface

                    Regardless of the tcp flow being allowed, you still can't access the internet from that .150 host, right?
                    Last edited by auglan; 26th April 2012, 00:52.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)



                    • #11
                      Re: ASA 8.4 DMZ cannot get to internet

                      Try sending a ping sourcing it from the vlan111 interface on the switch to an address on the outside.

                      Why Cisco changed the NAT configuration with 8.3 and above is beyond me. I think it's more confusing now than it ever was.
                      Last edited by auglan; 26th April 2012, 01:09.
                      CCNA, CCNA-Security, CCNP
                      CCIE Security (In Progress)



                      • #12
                        Re: ASA 8.4 DMZ cannot get to internet

                        Exactly, I can't get out to the net from any host in that subnet. It's any service, not just ping. That's why I'm puzzled.

                        I believed the NAT statements in the ASA are correct to take care of the traffic to the outside from the DMZ, so I am running out of ideas why...



                        • #13
                          Re: ASA 8.4 DMZ cannot get to internet

                          Try sourcing that ping from the vlan111 interface on the switch.
                          CCNA, CCNA-Security, CCNP
                          CCIE Security (In Progress)



                          • #14
                            Re: ASA 8.4 DMZ cannot get to internet

                            Same thing. It keeps looking for subnet 172.10.1.0 on INSIDE.

                            6 Apr 25 2012 21:30:49 305011 172.10.1.2 34 99.99.99.130 34 Built dynamic ICMP translation from inside:172.10.1.2/34 to outside:99.99.99.130/34



                            • #15
                              Re: ASA 8.4 DMZ cannot get to internet

                              That message is different.

                              6 Apr 25 2012 21:30:49 305011 172.10.1.2 34 99.99.99.130 34 Built dynamic ICMP translation from inside:172.10.1.2/34 to outside:99.99.99.130/34

                              So the translation is working. At this stage I would remove any ACLs in the DMZ (ASA, switch, etc.) and really take a look at your NATs again. Have you done a reboot of the ASA since the changes?
                              CCNA, CCNA-Security, CCNP
                              CCIE Security (In Progress)
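As an added example (not from the thread or from any poster), here is a small Python checker that parses the two ASA syslog lines quoted above (message IDs 110003 and 305011) and flags any flow where the ASA reports an address on a different interface than the one its subnet is expected to sit behind; the subnet-to-interface map is an assumption taken from the posted switch config.

```python
import ipaddress
import re

# Constructed sample lines, laid out the way the ASA syslog viewer printed them in the thread.
SAMPLE_LOGS = [
    "6 Apr 25 2012 08:24:43 110003 8.8.8.8 0 172.10.1.150 1 Routing failed to locate next hop "
    "for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1",
    "6 Apr 25 2012 21:30:49 305011 172.10.1.2 34 99.99.99.130 34 Built dynamic ICMP translation "
    "from inside:172.10.1.2/34 to outside:99.99.99.130/34",
]

# Assumed: which ASA interface each local subnet should be reached through.
EXPECTED_IFACE = {
    ipaddress.ip_network("172.10.1.0/24"): "DMZ",
    ipaddress.ip_network("192.168.10.0/24"): "inside",
}

# Fixed prefix: severity, date, time, message id, src ip, src port, dst ip, dst port, free text.
LINE_RE = re.compile(
    r"^(?P<sev>\d) (?P<date>\w{3} \d{1,2} \d{4}) (?P<time>\d\d:\d\d:\d\d) (?P<msgid>\d{6}) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) (?P<text>.+)$"
)
# Both 110003 and 305011 carry "from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>" in the text.
FLOW_RE = re.compile(
    r"from (?P<src_ifc>\w+):(?P<src_ip>[\d.]+)/\d+ to (?P<dst_ifc>\w+):(?P<dst_ip>[\d.]+)/\d+"
)


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    flow = FLOW_RE.search(rec["text"])
    if flow:
        rec.update(flow.groupdict())
    return rec


def expected_interface(ip):
    """Interface the address should be behind, or None if it is not a known local subnet."""
    addr = ipaddress.ip_address(ip)
    for net, ifc in EXPECTED_IFACE.items():
        if addr in net:
            return ifc
    return None


def interface_mismatches(lines):
    """List (msgid, side, ip, seen_ifc, expected_ifc) for every local address the ASA
    associated with the wrong interface."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or "src_ifc" not in rec:
            continue
        for side in ("src", "dst"):
            ip, seen = rec[f"{side}_ip"], rec[f"{side}_ifc"]
            want = expected_interface(ip)
            if want and want != seen:
                findings.append((rec["msgid"], side, ip, seen, want))
    return findings


if __name__ == "__main__":
    for f in interface_mismatches(SAMPLE_LOGS):
        print("msg %s: %s %s seen on %s, expected %s" % f)
```

Run against the two quoted lines, it reports 172.10.1.150 and 172.10.1.2 both being handled on inside rather than DMZ, which is the mismatch the thread keeps circling back to.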
