topic Re: How can we allow External Network to access DMZ network? in Network Security

How can we allow External Network to access DMZ network?

Beginnerrr — Wed, 22 Nov 2023 20:35:44 GMT

I am trying to configure the ASA to allow the External Network to access web service provided by DMZ web server which is on the DMZ network. Above is my network diagram.

In My ASA configuration.

route 0.0.0.0 0.0.0.0 next hop router
interface e0/0
nameif outside
security-level 0
192.168.20.1 255.255.255.252

interface e0/1
nameif dmz
security-level 70
192.168.30.6 255.255.255.0

object network external-network
subnet 192.168.50.0 255.255.255.252

object network dmz-server
host 192.168.30.200

nat (dmz,outside) static interface

WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

access-list external_web_in extended permit tcp object external-network object dmz-server eq www
access-group external_web_in in interface outside

I am unable to access web service on the DMZ server from the External network.

I performed packet tracer and do not see any errors and failures.

The command is packet-tracer input outside tcp 192.168.50.5 1025 192.168.30.200 80 and the output is shown below

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.30.200 using egress ifc dmz

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group external_web_in in interface outside
access-list external_web_in extended permit tcp object external-network object dmz-server eq www
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3, packet dispatched to next module

Result:
output-interface: dmz

Please kindly assist.

Thank you

Re: How can we allow External Network to access DMZ network?

MHM Cisco World — Tue, 21 Nov 2023 18:00:31 GMT

Router know the subnet of dmz?

You need static route in router toward ASA for dmz server.

Re: How can we allow External Network to access DMZ network?

Beginnerrr — Tue, 21 Nov 2023 18:04:28 GMT

@MHM Cisco World , External Router cant know the subnet and the route of DMZ as DMZ is supposed to be hidden..

Re: How can we allow External Network to access DMZ network?

MHM Cisco World — Tue, 21 Nov 2023 18:06:49 GMT

Yes if you use NAT

Your config without NAT so router need to know subnet of server.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

Check this.

Re: How can we allow External Network to access DMZ network?

Beginnerrr — Tue, 21 Nov 2023 18:08:28 GMT

@MHM Cisco World ,so if I want to use NAT, how do I configure for this situation? Can I use dynamic NAT or static NAT?

Re: How can we allow External Network to access DMZ network?

MHM Cisco World — Tue, 21 Nov 2023 18:31:31 GMT

Static not dynamic NAT what you need.

Static is bidirectional NAT'

We config as

Nat(dmz'out)

And the external can access server in dmz using outside IP (mapped) not real IP' this way we hide server IP from external.

Re: How can we allow External Network to access DMZ network?

Rob Ingram — Wed, 22 Nov 2023 18:54:39 GMT

@Beginnerrr you can use static NAT or PAT, either NAT behind the outside interface IP or specify another "public" IP address local to your ASA outside interface network. Example:

Static PAT:

object nat dmz-server-tcp80
host 192.168.30.200
nat (dmz,outside) static interface service tcp 80 80

Static NAT:

object nat dmz-server
host 192.168.30.200
nat (dmz,outside) static interface

** or replace "interface" with an IP address routed to the outside interface of the ASA.

Re: How can we allow External Network to access DMZ network?

Beginnerrr — Wed, 22 Nov 2023 18:45:44 GMT

@Rob Ingram , I configure the NAT under the dmz-server. I configure the interface to be the same as the External device IP.

It did not work.

route 0.0.0.0 0.0.0.0 next hop router
interface e0/0
nameif outside
security-level 0
192.168.20.5 255.255.255.0

interface e0/1
nameif dmz
security-level 70
192.168.30.6 255.255.255.0

object network external-network
subnet 192.168.50.0 255.255.255.0

object network dmz-server
host 192.168.30.200

nat (dmz,outside) static 192.168.50.5

Re: How can we allow External Network to access DMZ network?

Rob Ingram — Wed, 22 Nov 2023 18:54:04 GMT

@Beginnerrr the NAT IP address is either "interface" which uses the IP address of your outside interface (192.168.20.5) or you specify another IP address within that 192.168.20.0/24 range - you don't specify a network that is not routable to your ASA's outside interface.

object network dmz-server
 host 192.168.30.200
 nat (dmz,outside) static interface

Change the NAT above and then connect to 192.168.20.5 from the outside network. Obviously 192.168.20.0/24 needs to be routable from the outside network (I assume this is a lab or private WAN environment).

Re: How can we allow External Network to access DMZ network?

MHM Cisco World — Wed, 22 Nov 2023 18:54:29 GMT

Hi again

Check the subnet your Object for NAT different than dmz and out subnet

Re: How can we allow External Network to access DMZ network?

Beginnerrr — Wed, 22 Nov 2023 19:16:18 GMT

@Rob Ingram , yes this is my lab and I have updated the diagram for a more clearer explanation. Assuming if you mention that the IP need to be a public ip in order to be routable from the outside network. Then the interface should be 209.150.150.225.

Is that correct?

Re: How can we allow External Network to access DMZ network?

Rob Ingram — Wed, 22 Nov 2023 19:19:35 GMT

@Beginnerrr you just need to define the NAT rule as per the example provided above and traffic to your outside interface IP address will be translated to 192.168.30.200. As it's a lab try the commands for yourself to understand how it works.