topic Re: How can we allow Internal Network to access DMZ network? in Network Security

How can we allow Internal Network to access DMZ network?

Beginnerrr — Tue, 21 Nov 2023 12:11:40 GMT

I am trying to configure the ASA to allow the Internal Network to access web service provided by DMZ web server which is on the DMZ network. Above is my network diagram.

In My ASA configuration.

interface e0/0

nameif inside

security-level 100

192.168.20.5 255.255.255.0

interface e0/1

nameif dmz

security-level 70

192.168.30.6 255.255.255.0

object network internal-network

subnet 192.168.20.0 255.255.255.0

object network dmz-server

host 192.168.30.200

access-list internal_web_in extended permit ip object internal-network object dmz-server eq www

access-group internal_web_in in interface inside

I am unable to access web service on the DMZ server from the Internal PC

Please kindly assist.

Thank you

Re: How can we allow Internal Network to access DMZ network?

Rob Ingram — Tue, 21 Nov 2023 11:55:42 GMT

@Beginnerrr my initial guess is traffic is being NAT translated, do you have an NAT exemption rule in place to ensure traffic from the LAN to the DMZ is not unintentially translated?

You can run packet-tracer from the CLI to simulate the traffic flow from the LAN to the DMZ, provide the full output as this might provide a clue to the problem.

Re: How can we allow Internal Network to access DMZ network?

Beginnerrr — Tue, 21 Nov 2023 11:59:59 GMT

@Rob Ingram , I have not configured any NAT commands on this. How do I achieve this?
Could you please advise on how to run packet-tracer?

Can I ask if it is like this?
packet-tracer input internal tcp 192.168.20.4 1025 192.168.30.200 80?

Re: How can we allow Internal Network to access DMZ network?

MHM Cisco World — Tue, 21 Nov 2023 12:04:12 GMT

Remove the access list you use and check again.

The security level of inside is 100 and it higher than dmz 70 so the traffic will allow without acl.

How internal dns the ip of web?

If you can use IP instead of web name in access.

Re: How can we allow Internal Network to access DMZ network?

Rob Ingram — Tue, 21 Nov 2023 12:03:59 GMT

@Beginnerrr try this:-

packet-tracer input inside tcp 192.168.20.4 1025 192.168.30.200 80

Re: How can we allow Internal Network to access DMZ network?

Beginnerrr — Tue, 21 Nov 2023 12:16:04 GMT

@Rob Ingram, here is the output.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.30.200 using egress ifc dmz

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internal_web_in in interface inside
access-list internal_web_in extended permit tcp object internal-network object dmz-server eq www
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Re: How can we allow Internal Network to access DMZ network?

Beginnerrr — Tue, 21 Nov 2023 12:17:06 GMT

@MHM Cisco World ,

but the Internal network is classified as 100 while DMZ is classified as 70 or 50. I refer to this number in Cisco Academy.

Re: How can we allow Internal Network to access DMZ network?

Rob Ingram — Tue, 21 Nov 2023 12:24:06 GMT

@Beginnerrr the packet-tracer output looks ok, it confirms no NAT and the ACL is working. Do the devices in the LAN and DMZ have the ASA IP address configured as the default gateway? Is there a local firewall enabled on the device in the DMZ?

How are you testing communication, by using a web browser to the IP address of the DMZ server or ping? If ping, then you need to explictly allow icmp replies or run the command fixup protocol icmp to enable icmp inspection.

Re: How can we allow Internal Network to access DMZ network?

Marvin Rhoads — Tue, 21 Nov 2023 12:25:49 GMT

Are you trying to access the server via its IP address or via a FQDN?

Re: How can we allow Internal Network to access DMZ network?

Beginnerrr — Tue, 21 Nov 2023 12:27:33 GMT

I am accessing the server via IP address.

Re: How can we allow Internal Network to access DMZ network?

Beginnerrr — Tue, 21 Nov 2023 12:35:56 GMT

@Rob Ingram ,

Thank to your solution, I was able to find that the firewall is enabled on DMZ web server. I have disabled the firewall and the local LAN is able to access the DMZ.

May I kindly ask on how to configure NAT for this internal and DMZ?
Please advise.

Re: How can we allow Internal Network to access DMZ network?

Marvin Rhoads — Tue, 21 Nov 2023 12:40:07 GMT

And you confirmed the items mentioned by @Rob Ingram in his most recent reply?

Have you verified the DMZ server is listening on tcp/80? (use the following command as admin from the server cli: netstat -a | find ":80")

Re: How can we allow Internal Network to access DMZ network?

Rob Ingram — Tue, 21 Nov 2023 12:41:34 GMT

@Beginnerrr what kind of NAT? Refer to this guide - http://www.practicalnetworking.net/stand-alone/cisco-asa-nat/

Re: How can we allow Internal Network to access DMZ network?

MHM Cisco World — Tue, 21 Nov 2023 13:23:45 GMT

Yes that why I suggest removing acl.

Re: How can we allow Internal Network to access DMZ network?

MHM Cisco World — Tue, 21 Nov 2023 14:12:08 GMT

MHM

Re: How can we allow Internal Network to access DMZ network?

Beginnerrr — Tue, 21 Nov 2023 14:16:13 GMT

@Rob Ingram ,

I am configuring dynamic NAT but as far as I know that there is no need to configure NAT between DMZ and Internal.

but for external network to access DMZ there is a need to configure NAT? How to achieve this? Would it be something like this?

nat (dmz,outside) after-auto source dynamic any interface

Re: How can we allow Internal Network to access DMZ network?

Marvin Rhoads — Tue, 21 Nov 2023 14:43:52 GMT

@Beginnerrr for external network to access DMZ you would need a static NAT. (1-1 mapping). Typically, we use an address in the same subnet as the outside interface and translate the DMZ server IP to that address. You then also use an ACL to allow inbound traffic from outside to reach the DMZ server on the necessary listening port(s).