Not sure if my ASA 5510 config is causing connection problems

jmor3

IS-IT--Management
Jun 30, 2009
5
US
Hello,

I started managing a new network earlier this month that includes a Cisco ASA5510. The device has a fairly simple configuration with four interfaces: Inside, Outside, DMZ, and Others. The first three interfaces seem familiar for a firewall, and the fourth interface (the Others interface) seems to be used for special vendor routers that connect to private circuits (so traffic moves from the vendor router over the private circuit to other servers instead of moving through the Outside interface). Here are the security levels for each of the interfaces:

Outside = 0
Inside = 100
DMZ = 50
Others = 50

My problem is this: I have a server connected to the DMZ network that needs to send and receive requests to a server connected to the far end of one of the special vendor routers on the Others network, but communication doesn't seem to work properly. The DMZ and Others networks are both using NAT. I started out by checking to see if the two interfaces were listed in the ASA 5510 routing tables. The "show route" command says ...

C 172.21.0.32 255.255.255.224 is directly connected, Others
C 172.21.0.64 255.255.255.224 is directly connected, DMZ

... and there is a static route between the TargetRouter port (172.21.0.35/19) and the destination server (192.168.0.50/24) on the far end of the private circuit. The "show route" command says ...

S 192.168.0.50 255.255.255.255 [1/0] via TargetRouter, Others

... so I'm thinking that routing is established in the ASA 5510 tables. I also checked for the "same-security-traffic permit inter-interface" command (which is needed when two interfaces have the same security level), and that line is in the running configuration, so traffic should flow between the two interfaces as long as access lists are established for each interface.

I checked to see if Access Groups were in place for each interface using the "show run | include access-group" command, which said ...

access-group aclOthers in interface Others
access-group aclDMZ in interface DMZ

... then I checked the ACL lists configured for the DMZ access-group ...

access-list aclDMZ extended permit tcp host DMZserver any eq www
access-list aclDMZ extended permit tcp host DMZserver any eq https

... and the Others access-group ...

access-list aclOthers extended permit tcp host DMZserver host TargetRouter object-group DM_INLINE_TCP_1
- object-group service DM_INLINE_TCP_1 tcp
- port-object eq www
- port-object eq https

I used the Cisco ASDM Packet Tracer to send some simulated packets between the DMZserver and the TargetRouter IP addresses and verified that the Access List, Flow Lookup, and Route Lookup are all Allowed. However, the packet ends up being dropped at the end of the exchange with an "(rpf-violated) Reverse-path verify failed" message in either direction. I checked the ASA 5510 configuration, and yes the IP Verify is enabled ...

ip verify reverse-path interface Others
ip verify reverse-path interface DMZ

... so I temporarily disabled the IP Verify interface configurations (using the "no ip verify ..." command for both interfaces), then re-sent the packets using the Packet Tracer. The packets still dropped with the "Reverse-path verify failed" info message.

At this point, I am open to any suggestions you may offer to figure out if I missed a configuration step, or if my diagnostics are faulty, or if there is anything I can do to verify my routing and connection setup - or if the problem lies outside the ASA 5510 entirely.

Thanks in advance!

Raoul
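For readers trying to understand the "(rpf-violated) Reverse-path verify failed" drop described above: the following is an added example, not part of the post or of Cisco's software, that models the reverse-path check in simplified form. It parses "show route" lines like the ones quoted in the post (reused here as constructed sample data), does a longest-prefix lookup on a packet's source address, and reports a violation when the best route back to that source does not point out the interface the packet arrived on; it also treats a source with no route at all as a failure, which is the assumption this model makes rather than a statement about every ASA corner case (default routes in particular).

```python
import ipaddress
import re

# Constructed sample: the three "show route" lines quoted in the post.
SHOW_ROUTE = """
C 172.21.0.32 255.255.255.224 is directly connected, Others
C 172.21.0.64 255.255.255.224 is directly connected, DMZ
S 192.168.0.50 255.255.255.255 [1/0] via TargetRouter, Others
"""

# route code, network, mask, anything, ", <interface>" at end of line
ROUTE_RE = re.compile(r"^[A-Z*]+\s+(\S+)\s+(\S+)\s+.*?,\s*(\S+)\s*$")


def parse_show_route(text):
    """Return a list of (network, egress_interface) from show route output."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip legend/header lines that are not routes
        net, mask, iface = m.groups()
        routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), iface))
    return routes


def lookup(routes, addr):
    """Longest-prefix match for addr; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_check(routes, src, ingress):
    """Simplified uRPF: the best route back to src must exit via the ingress interface."""
    match = lookup(routes, src)
    if match is None:
        return False, f"no route to source {src} (assumed drop)"
    net, iface = match
    if iface != ingress:
        return False, f"{src} routes via {iface} but arrived on {ingress} (rpf-violated)"
    return True, f"{src} matches {net} on {ingress}"


ROUTES = parse_show_route(SHOW_ROUTE)

if __name__ == "__main__":
    # A DMZ host (constructed address) seen on DMZ passes; the same address seen on Others is spoofed.
    for src, ingress in [("172.21.0.70", "DMZ"), ("192.168.0.50", "Others"), ("172.21.0.70", "Others")]:
        print(rpf_check(ROUTES, src, ingress))
```

Feeding the model a packet whose source should have passed but is reported as a violation points at the route table entry (or a NAT-translated source address the table does not know) rather than at the access lists.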