Problem accessing DMZ Servers from inside LAN

Robbert Tol — Fri, 21 Feb 2020 14:18:33 GMT

Hi there,

I'm an newbie on the ASA5512 and cannot find the correct answer.

I've setup an ASA5512X with an WAN with public subnet, LAN (inside) and DMZ (used for camera's)

I can reach the camera's from the internet, but i cannot see the camera's or ping the camera nas from the LAN (inside)

Please advise how to make it work

Config:

: Saved

:
: Serial Number: FCH210676AV
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
: Written by enable_15 at 12:57:15.871 CEDT Fri Sep 15 2017
!
ASA Version 9.6(3)1
!
hostname ASA5512X-Company
domain-name company.local
enable password rkFxeLNX6Jlr4Q/9 encrypted
names
ip local pool DHCP-VPN-Clients 10.0.12.210-10.0.12.229 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 10.99.50.134 255.255.255.248
!
interface GigabitEthernet0/1
nameif LAN
security-level 100
ip address 10.0.12.254 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 10.0.20.254 255.255.255.0
!
interface GigabitEthernet0/3
nameif WLAN
security-level 20
ip address 10.0.100.254 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.0.1.1 255.255.255.0
!
boot system disk0:/asa963-1-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup WAN
dns domain-lookup LAN
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name company.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ASA5512X-company
host 10.99.50.134
description WAN Address Cisco ASA 5512-X company
object network mailserver_Server_LAN
host 10.0.12.44
description company Microsoft Exchange 2010 Server LAN
object network mailserver_Server_WAN
host 10.99.50.130
description company Microsoft Exchange 2010 Server WAN
object network VLAN20-Subnet
subnet 10.0.20.0 255.255.255.0
description VLAN 20 Subnet company Camera LAN
object network mailserver_Server_LAN_SMTP
host 10.0.12.44
description company Microsoft Exchange 2010 Server LAN SMTP
object network mailserver_Server_LAN_HTTPS
host 10.0.12.44
description company Microsoft Exchange 2010 Server LAN HTTPS
object network Outside_CAM_WAN
host 10.99.50.132
object network CameraNAS_HTTP_LAN
host 10.0.20.200
description company Camera NAS DMZ
object network CameraNAS_LAN
host 10.0.20.200
description company Camera NAS DMZ
object network company_Network
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.12.192_26
subnet 10.0.12.192 255.255.255.192
object network WLAN_WAN
subnet 10.0.100.0 255.255.255.0
object network VLAN14_Gateway
host 10.0.14.201
object network Location1
subnet 10.0.10.0 255.255.255.0
object network Luna_Server_LAN
host 10.0.12.42
object network Luna_Server_WAN
host 10.99.50.131
object service FTP_60510
service tcp source eq 60510 destination eq 60510
description FTP Service Luna 60510
object network Luna_Server_LAN_FTP
host 10.0.12.42
description company Luna FTP
object network Luna_Server_LAN_FTP-DATA
host 10.0.12.42
description company Luna FTP-DATA
object network Luna_Server_LAN_FTP60510
host 10.0.12.42
description company Luna FTP60510
object network Luna_Server_LAN_FTP_DATA
object network Inside-Camera
host 10.0.20.200
object network DMZ-Network
subnet 10.0.20.0 255.255.255.0
object-group service mailserver-Services
service-object tcp destination eq smtp
service-object tcp destination eq https
object-group network INTERNAL-NETWORKS
description All Internal Networks
network-object 10.0.10.0 255.255.255.0
network-object 10.0.12.0 255.255.255.0
network-object 10.0.14.0 255.255.255.0
network-object 10.0.15.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
object-group service Camera-Services
service-object tcp destination eq www
object-group network Location2_Subnet
network-object 10.0.12.0 255.255.255.0
network-object 10.0.14.0 255.255.255.0
object-group service Luna-Services
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object object FTP_60510
access-list outside_inside extended permit icmp any any echo
access-list outside_inside extended permit udp any any range 33434 33523
access-list outside_inside extended permit icmp any any time-exceeded
access-list outside_inside extended permit icmp any any source-quench
access-list outside_inside extended permit icmp any any echo-reply
access-list outside_inside extended permit icmp any any unreachable
access-list outside_inside extended permit object-group mailserver-Services any object mailserver_Server_LAN
access-list outside_inside extended permit object-group Camera-Services any object CameraNAS_LAN
access-list outside_inside extended permit object-group Luna-Services any object Luna_Server_LAN
access-list outside_inside extended deny ip any any
access-list ICMPACL extended permit icmp any any
access-list outbound extended permit tcp host 10.0.12.44 any eq smtp
access-list outbound extended deny tcp any any eq smtp
access-list outbound extended permit ip any any
access-list Internal-LAN standard permit 10.0.12.0 255.255.255.0
access-list Internal-LAN standard permit 10.0.10.0 255.255.255.0
access-list Internal-LAN standard permit 10.0.15.0 255.255.255.0
access-list Internal-LAN standard permit 10.0.14.0 255.255.255.0
access-list Internal-LAN standard permit 10.0.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
mtu WLAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
arp rate-limit 8192
nat (LAN,WAN) source static any any destination static NETWORK_OBJ_10.0.12.192_26 NETWORK_OBJ_10.0.12.192_26 no-proxy-arp route-lookup
!
object network mailserver_Server_LAN
nat (LAN,WAN) static mailserver_Server_WAN
object network mailserver_Server_LAN_SMTP
nat (LAN,WAN) static mailserver_Server_WAN service tcp smtp smtp
object network mailserver_Server_LAN_HTTPS
nat (LAN,WAN) static mailserver_Server_WAN service tcp https https
object network CameraNAS_HTTP_LAN
nat (DMZ,WAN) static Outside_CAM_WAN service tcp www www
object network company_Network
nat (LAN,WAN) dynamic interface
object network WLAN_WAN
nat (WLAN,WAN) dynamic interface
object network Luna_Server_LAN_FTP
nat (LAN,WAN) static Luna_Server_WAN service tcp ftp ftp
object network Luna_Server_LAN_FTP-DATA
nat (LAN,WAN) static Luna_Server_WAN service tcp ftp-data ftp-data
object network Luna_Server_LAN_FTP60510
nat (LAN,WAN) static Luna_Server_WAN service tcp 60510 60510
access-group outside_inside in interface WAN
route WAN 0.0.0.0 0.0.0.0 10.99.50.129 1
route LAN 10.0.10.0 255.255.255.0 10.0.14.201 1
route LAN 10.0.14.0 255.255.255.0 10.0.14.201 1
route LAN 10.0.15.0 255.255.255.0 10.0.14.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
aaa-server Company-Radius protocol radius
aaa-server Company-Radius (LAN) host 10.0.12.43
key *****
radius-common-pw Company***********
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 LAN
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint vpn.company.com
enrollment terminal
subject-name CN=vpn.company.com,OU=ICT,O=company en Kroon BV,C=NL,St=Zuid-Holland
crl configure
crypto ca trustpool policy
crypto ca certificate chain vpn.company.com
certificate 776dbc8a918b3823c4c3b68eb379a36f
    3082055d 30820445 a0030201 02021077 6dbc8a91 8b3823c4 c3b68eb3 79a36f30
    0d06092a 864886f7 0d01010b 05003081 90310b30 09060355 04061302 4742311b
    30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
    03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
    41204c69 6d697465 64313630 34060355 0403132d 434f4d4f 444f2052 53412044
    6f6d6169 6e205661 6c696461 74696f6e 20536563 75726520 53657276 65722043
    41301e17 0d313730 37313030 30303030 305a170d 32303037 30393233 35393539
    5a305731 21301f06 0355040b 1318446f 6d61696e 20436f6e 74726f6c 2056616c
    69646174 65643114 30120603 55040b13 0b506f73 69746976 6553534c 311c301a
    06035504 03131376 706e2e62 656d6d65 6c2d6b72 6f6f6e2e 6e6c3082 0122300d
    06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100a4 e56f46d8
    a5002fdd 2498943e 53076e8c e4953dcc 2d0ac1fe cbdd2a47 90bbd154 e5787660
    50e3c261 31a7c7d1 58f3a7cb ddc16989 5248aa16 d2e71c32 f88b30ee 2f432e5e
    3b542ad4 1413f360 bc8e3fe2 6bd53344 4e8035bb 039e9f56 41909343 f0f88a5e
    06ebb4f3 e41ae8e4 1b540089 8de5ba6f 94d3fa17 d3c4689c 5c41069a 4fb861e4
    5be736de 9f45ff69 cd410c86 1f6c7f82 f862f408 5a514194 6cd740ac 7fc38d60
    2eb0a3fd dda3ce2d d1e42830 d4e6633b 07360f44 ae85c2a2 81592f28 6d5b6663
    eadf51c4 98b3b59b d7d3bc33 e8f9726f 6870352a d19ed052 66428988 5a8e952d
    7866731e 4bf2aeb5 c49b1b0d 8d09249c 778702ab 8a0ae988 e0269f02 03010001
    a38201e9 308201e5 301f0603 551d2304 18301680 1490af6a 3a945a0b d890ea12
    5673df43 b43a28da e7301d06 03551d0e 04160414 848ea047 78747a13 40c52e5c
    82543cb5 c448e14b 300e0603 551d0f01 01ff0404 030205a0 300c0603 551d1301
    01ff0402 3000301d 0603551d 25041630 1406082b 06010505 07030106 082b0601
    05050703 02304f06 03551d20 04483046 303a060b 2b060104 01b23101 02020730
    2b302906 082b0601 05050702 01161d68 74747073 3a2f2f73 65637572 652e636f
    6d6f646f 2e636f6d 2f435053 30080606 67810c01 02013054 0603551d 1f044d30
    4b3049a0 47a04586 43687474 703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d
    2f434f4d 4f444f52 5341446f 6d61696e 56616c69 64617469 6f6e5365 63757265
    53657276 65724341 2e63726c 30818506 082b0601 05050701 01047930 77304f06
    082b0601 05050730 02864368 7474703a 2f2f6372 742e636f 6d6f646f 63612e63
    6f6d2f43 4f4d4f44 4f525341 446f6d61 696e5661 6c696461 74696f6e 53656375
    72655365 72766572 43412e63 72743024 06082b06 01050507 30018618 68747470
    3a2f2f6f 6373702e 636f6d6f 646f6361 2e636f6d 30370603 551d1104 30302e82
    1376706e 2e62656d 6d656c2d 6b726f6f 6e2e6e6c 82177777 772e7670 6e2e6265
    6d6d656c 2d6b726f 6f6e2e6e 6c300d06 092a8648 86f70d01 010b0500 03820101
    0085fa8d fa7f4006 43d4b5a0 c1876130 14b3e7f6 b637f477 99d95aaf 408a36a2
    97c37e6b 2dc08b8e 9605d650 6190d799 b8427472 69284993 238d0bd2 422db8ae
    ce1eddad 6e7b7de8 adbee03c 3dfaecc8 dcb973ff 4c4984c5 7b869514 ee1fd4af
    7120c457 7a1d658d 42748e94 beb87e2d 7c32a51d 030ad564 92f41f94 ad3b1f8a
    d7a6b602 aff948c9 5be324fa 3dfcb32b 77ade144 6173e2f9 3e5bac5c e1676d2c
    fce89762 5898610e 0a4d9eb5 c5526ee4 70cb4ea4 4cfa6094 ab94bec2 9c6e371b
    89531033 253e8f5e c7aa6de8 a3b62158 9b3c8d30 d6574cbe c01077de 62d40268
    ce471630 ea7321ab dbcdfa19 4bb0385a a9d7e685 032a2b68 de2d1a30 75178fb7
    8d
quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.0.0.0 255.255.0.0 LAN
ssh 10.0.1.0 255.255.255.0 management
ssh timeout 5
ssh cipher encryption all
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.0.100.1-10.0.100.200 WLAN
dhcpd dns 8.8.8.8 8.8.4.4 interface WLAN
dhcpd enable WLAN
!
dhcpd address 10.0.1.2-10.0.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.12.43 source LAN prefer
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point vpn.company.com WAN
ssl trust-point vpn.company.com LAN
ssl trust-point vpn.company.com DMZ
webvpn
enable WAN
anyconnect image disk0:/anyconnect-macos-4.5.00058-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.5.00058-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_vpn.company.com internal
group-policy GroupPolicy_vpn.company.com attributes
wins-server none
dns-server value 10.0.12.43 10.0.12.35
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Internal-LAN
default-domain value company.local
dynamic-access-policy-record DfltAccessPolicy
username admin password SepHHjScvkb8.RYh encrypted privilege 15
tunnel-group vpn.company.com type remote-access
tunnel-group vpn.company.com general-attributes
address-pool DHCP-VPN-Clients
authentication-server-group Company-Radius
default-group-policy GroupPolicy_vpn.company.com
tunnel-group vpn.company.com webvpn-attributes
group-alias vpn.company.com enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect ip-options
inspect tftp
inspect ftp
inspect skinny
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Re: Problem accessing DMZ Servers from inside LAN

Flavio Miranda — Fri, 15 Sep 2017 12:37:33 GMT

Hello,

For ping from Inside to DMZ you should add inspect:

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect ip-options
inspect tftp
inspect ftp
inspect skinny

inspect icmp

For camera access, I didnt see any access list:

access-group outside_inside in interface DMZ.

Re: Problem accessing DMZ Servers from inside LAN

Robbert Tol — Fri, 15 Sep 2017 14:29:38 GMT

Flavio thanks!

Re: Problem accessing DMZ Servers from inside LAN

Flavio Miranda — Fri, 15 Sep 2017 14:42:48 GMT

You´re welcome.

topic Re: Problem accessing DMZ Servers from inside LAN in Network Security

Problem accessing DMZ Servers from inside LAN

Re: Problem accessing DMZ Servers from inside LAN

Re: Problem accessing DMZ Servers from inside LAN

Re: Problem accessing DMZ Servers from inside LAN