topic Access problem from Inside to DMZ and outside to DMZ in Network Security

Access problem from Inside to DMZ and outside to DMZ

El Rondo — Tue, 12 Mar 2019 09:35:15 GMT

hi ,

I know this question may have been asked before but I could not find the best solution for my problem.

I have been assigned a task of maintaining a Cisco ASA 5510 couples days ago. My knowledge is very limited on firewalling kind of rules.
Recently I need to create DMZ zone for hosting one of my webserver. I have configure and connect another L3 cisco C3750 to that ASA DMZ port and my webserver was ported onto that switch. Original config was ok whereby (inside) can access internet as usual by using pooling static public ip.

My webserver can access internet (outside) and (inside) including ping, remote desktop but however (inside) cannot access webserver (DMZ) including ping, https or http. And (outside) Internet also cannot access my webserver too. I,ve been doing review a lot of references from the Internet, try and error since then but unfortunately my problem remain unchanged.

Really appreciate any experts guide me how to solve my problem here. Sorry for my bad english here.

My ASA Version is 7.2(3) and Hardware is 5510. This platform has a Base license.

Attached is my configuration to what I think was only related to my subject matter. All my public ip has been masked in the config.

Inside is 172.31.1.0/24
webserver private ip is 172.31.2.3
webserver public ip (NAT) is 20.20.20.49
DMZ Subnet is 172.31.2.0/24
DMZ Switch is 172.31.2.10

Try adding these NAT entries:

cofee — Wed, 14 Jun 2017 19:09:32 GMT

I think this is what you are missing. Try adding these NAT statements:

static (Inside,dmz) 172.31.1.0 172.31.1.0 netmask 255.255.255.0

static (dmz,inside) 172.31.2.3 172.31.2.3 netmask 255.255.255.255

static (Outside,dmz) 172.31.2.3 20.20.20.49 netmask 255.255.255.255

If this doesn't fix the issue, then please provide the packet tracer output this should tell you what's wrong.

packet-tracer input inside tcp 172.31.1.10 23456 172.31.2.3 80

- This packet tracer command is simulating traffic originating from inside and target address is the private address of webserver. I just picked a random address (172.31.1.10) from the inside subnet. If you want to simulate traffic from outside to dmz then replace "inside" to "outside" and just pick any outside address as the source like 4.4.4.4 and replace webserver private ip to its global address 20.20.20.49.

I hope you find this useful.

I have tried with these 3

El Rondo — Thu, 15 Jun 2017 03:44:00 GMT

I have tried with these 3 lines but with no success.

static (Inside,dmz) 172.31.1.0 172.31.1.0 netmask 255.255.255.0

static (dmz,inside) 172.31.2.3 172.31.2.3 netmask 255.255.255.255

static (Outside,dmz) 172.31.2.3 20.20.20.49 netmask 255.255.255.255

I attached with 2 packet tracer result one from inside int and another from outside int. from the packet tracer result shows that everything seems ok with allowed sign. But really weird when inside host can access remote desktop to the webserver except ping and http. I have bypass icmp and port 80 into the webserver and eventually simulated the webserver into the same inside subnet and found ping as well as http was working well. It show that webserver icmp and port 80 is working fine but not working when I port into DMZ switch. Another thing I found that inside host can ping the DMZ switch 172.31.2.10 itself.

Same goes to outside where internet still unable to access port 80 or ping of the webserver.

Thanks in advance for anyone who trying to assist me resolve this problem. I,ve been digging this issue since few days and my head getting explode

I am curious if you have

cofee — Thu, 15 Jun 2017 10:24:04 GMT

I am curious if you have attempted to access the webserver on port 80 from a host inside the DMZ?

You can also run this command on DMZ sswitch to make sure that port 80 is accessible:

telnet 172.31.2.3 80

- If above tests are successful. Could there be an acl on the DMZ switch that's blocking port 80 to webserver? Also when you initiate the connection from inside to DMZ web server, did you check the firewall logs?

No. I access the webserver

El Rondo — Fri, 16 Jun 2017 01:42:22 GMT

No. I access the webserver from a host inside my internal network 172.31.1.0/24 subnet. my host IP is 172.31.1.3.

Also I have run the telnet command in the DMZ switch as you suggested and found that port 80 is open. I believe my DMZ switch was configured default setting with no ACL on it. How come that happen?

Is there any method that I can see the firewall logs during my run test?

You can try the following at

cofee — Fri, 16 Jun 2017 02:12:57 GMT

You can try the following at the firewall:

sh log | inc 172.31.2.3

or using source address when you run the test

sh log | inc 172.31.1.3

But again that doesn't make

cofee — Fri, 16 Jun 2017 02:32:05 GMT

But again that doesn't make any sense that inside hosts are able to RDP into the webserver and traffic over port 80 fails.

Can you run the same packet tracer command for inside hosts and just change the port from 80 to 3389 (RDP) and share the output?

herewith the result of RDP

El Rondo — Fri, 16 Jun 2017 02:50:26 GMT

herewith the result of RDP

my internal host attached with cisco catalyst C4507 core switch. however I try to ping the DMZ switch from the core but fails. I think something went wrong with the routing from the core switch to the DMZ switch.

But didn't you say that hosts

cofee — Fri, 16 Jun 2017 03:05:12 GMT

But didn't you say that hosts on the inside network are able to ping and rdp into the webserver. So it can't be a routing issue.

Is my understanding incorrect?

Also, did you try checking the logs while attempting to access webserver over port 80 from an inside host?

Sorry for my bad explanation

El Rondo — Fri, 16 Jun 2017 03:26:40 GMT

Sorry for my bad explanation on this. inside networks are unable to ping the webserver but able to rdp to the webserver.

here is what I have after run the logs from the firewall

BktPanchorASA# sh log | inc 172.31.2.3
BktPanchorASA# sh log | inc 172.31.1.3
        Logging to Inside 172.31.1.36
BktPanchorASA# sh log | inc 172.31.1.3
        Logging to Inside 172.31.1.36
BktPanchorASA# ping 172.31.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to WEBSVR, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
BktPanchorASA# ping 172.31.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
BktPanchorASA# sh log | inc 172.31.2.3
BktPanchorASA# sh log | inc 172.31.1.3
        Logging to Inside 172.31.1.36
dynamic UDP translation from Inside:172.31.1.3/57432 to Outside:210.187.71.46/52947 duration 0:00:30

** 172.31.1.3 is my dns server.

-telnet port 80 of websvr passed

-rdp to webserver passed

-ping webserver failed

-ping DMZ switch passed

** 172.31.1.7 is just a normal host.

- telnet port 80 websvr failed

- rdp to webserver passed

- ping webserver failed

- ping DMZ switch passed

I hope provided you some clear explanation on my run test.

another finding my cisco core

El Rondo — Fri, 16 Jun 2017 03:50:27 GMT

another finding my cisco core switch cannot ping the DMZ switch too. its really weird whereby internal host can rdp to websvr but other protocol failed

ASA configuration looks fine

cofee — Fri, 16 Jun 2017 16:22:47 GMT

ASA configuration looks fine and it should allow http traffic destined for DMZ server sourced from inside network. At this point we haven't found any logs that proves that ASA is blocking this traffic.

Please create this access list on the dmz switch for debugging:

ip access-list extended 100 (I am using access list number 100 just as an example if you already have an existing access list with this number then please choose some other number and then use that number for debugging)

permit tcp host 172.31.1.3 host 172.31.2.3 eq 80

permit tcp host 172.31.2.3 host 172.31.1.3

permit tcp host 172.31.1.3 host 172.31.2.3 eq 3389

- to debug this access list, go to privileged mode and enter this command:

debug ip packet 100

- then initiate traffic from inside host 172.31.1.3 to 172.31.2.3 over port 80. If the traffic is reaching the DMZ switch then you should see hit counters on this access list, then at least we will know that traffic is going through the firewall. At the DMZ switch you can enter "show log" to see debug results and also look at the access list for any hit counters. Initiate traffic to both port 80 and 3389 (rdp) and then compare the results.

I run test the access list as

El Rondo — Mon, 19 Jun 2017 08:32:03 GMT

I run test the access list as u suggested and result shows no hit counter at the DMZ switch. I don't think firewall have any issue with it since many forums also mention the same rules.

I now simulating the issue with replacing the DMZ switch with another one. Not sure what would happen but I think something blocking the packet from the DMZ switch to my core switch through firewall.

Please run tracert from your

cofee — Mon, 19 Jun 2017 10:49:16 GMT

Please run tracert from your machine to webserver and provide results.

tracert 172.31.2.3

Can you also provide a drawing your network?

my tracert only pass over

El Rondo — Tue, 20 Jun 2017 01:54:32 GMT

my tracert only pass over core switch and the rest are request time out.

here with my network drawing.

herewith attached a piece my

El Rondo — Tue, 20 Jun 2017 07:35:54 GMT

herewith attached a piece my DMZ switch config. I not configuring any ip address to the port connected to ASA. just config for L2 and no any VLAN has been assigned. Is that ok ?

interface FastEthernet1/0/1
description # connect to WEBSVR
switchport mode access
spanning-tree portfast

interface FastEthernet1/0/23
description # trunk to ASA
switchport mode access
switchport nonegotiate

interface Vlan1
ip address 172.31.2.10 255.255.255.0
no ip route-cache
!
ip default-gateway 172.31.2.1
no ip classless
ip http server
!

Technically it should work

cofee — Tue, 20 Jun 2017 14:35:26 GMT

Technically it should work the way you have it configured. But it may not be the best design, you are using default vlan 1 for server access port and usually that should be avoided.

my ASA configured with no nat

El Rondo — Wed, 21 Jun 2017 03:55:31 GMT

my ASA configured with no nat control. is there something that I should care about?

"no nat control" should not

cofee — Wed, 21 Jun 2017 09:25:01 GMT

"no nat control" should not affect anything since you have nat commands present in your configuration and that supersedes disabling nat control. If NAT was completely disabled your inside users wouldn't have able to access internet.

Please read this thread for better understanding:

https://supportforums.cisco.com/discussion/11018091/disabling-nat-control-live-firewall

https://supportforums.cisco.com/document/11936941/lets-briefly-talk-about-what-nat-control

Hi coffee,

El Rondo — Tue, 04 Jul 2017 05:43:30 GMT

Hi coffee,

thanks a lot for your helps. really appreciate for the assiatance. finally I found the root cause of my problems. there were 4 workarounds I had done to overcome my case.

1. below static net will just do the tricks to allow traffic from inside to dmz.

static (Inside,dmz) 172.31.1.0 172.31.1.0 netmask 255.255.255.0

2. below is to allow outside to access our web server in DMZ.

static (DMZ,Outside) WEBSVR-P WEBSVR netmask 255.255.255.255

3. enable svi on my L3 C3750 to enable my DMZ-SW route traffic to my ASA 5510 and vice versa.

vlan 2
name DMZ

interface FastEthernet1/0/1
description # connect to WEBSVR
switchport access vlan 2
switchport mode access
spanning-tree portfast

interface FastEthernet1/0/24
description #connect to ASA
switchport access vlan 2
switchport mode access
duplex full
spanning-tree portfast

interface Vlan2
ip address 172.31.2.10 255.255.255.0
no ip proxy-arp
no ip route-cache

ip default-gateway 172.31.2.1
ip classless
ip http server

4. And this last one really explode my head since I had done many testing to eliminate any irrelevant that cause why inside cannot ping or access web server.

Originally my web server was just a notebook (fujitsu) for testing purposes. Then I changed that notebook and replace with mine notebook. All ping echo, request reply were remain unchanged in the inbound traffic firewall as usual. As a result, my ping and traffic finally went through the web server. I really surprise with changing notebook then traffic suddenly allowed. I had no idea what fujitsu had done into that notebook even I had manually bypass the echo, request and reply.

I consider this issue can be closed since it took me few weeks to overcome this.

Thanks coffee you are really good problem solver in this discussion and put me into many ways of tracing the root cause. really appreciate that.

cheers