topic Figured it out, so I am in Network Security

ASA 5505 - DMZ

itlklubos6 — Tue, 12 Mar 2019 08:58:21 GMT

Hi,

I followed examples from Internet to configure DMZ on ASA 5505 (version 9.*). The result is, I have traffic to a web server, it is accessible from outside, but the inside network has no access to Internet. I am posting here the relevant part of the config file (with fake IP).

The rules:

- no connection allowed between DMZ and inside

Config:

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 5
!
interface Ethernet0/2
switchport access vlan 1
!
interface Ethernet0/3
switchport access vlan 1
!
interface Ethernet0/4
switchport access vlan 1
!
interface Ethernet0/5
switchport access vlan 1
!
interface Ethernet0/6
switchport access vlan 1
!
interface Ethernet0/7
switchport access vlan 1
!
interface Vlan1
nameif inside
security-level 100
ip address 198.168.0.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 191.51.100.100 255.255.255.252
!
interface Vlan5
description Interface for WebServer, DMZ level 50
no forward interface Vlan1
nameif DMZ50
security-level 50
ip address 192.168.1.1 255.255.255.0
!
dns server-group DefaultDNS
domain-name SomeName
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network WebServer
host 192.168.1.100
!
object-group network DMZ-DEFAULT-PAT-SOURCE
network-object 192.168.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp any object WebServer eq www
!
object network obj_any
nat (inside,outside) dynamic interface
!
object network WebServer
nat (DMZ50,outside) static interface no-proxy-arp service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ50,outside) after-auto source dynamic DMZ-DEFAULT-PAT-SOURCE interface
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 198.51.100.101 1

The address 198.51.100.101 should represent the real public IP address of the server.

Obviously, I am missing something.

----------

Also I would like to ask about the syntax: in the config above there is vlan named as "vlan 1" and Vlan1. Is the config script case sensitive? Also, why there is a space in the string "vlan 1" when we refer to this LAN with no space "Vlan1"

Thank you for help.

You should not need this line

Philip D'Ath — Thu, 23 Feb 2017 00:28:34 GMT

You should not need this line, as you already have an object NAT doing it.

nat (inside,outside) after-auto source dynamic any interface

On top of what Philip added,

Pablo — Thu, 23 Feb 2017 00:54:07 GMT

On top of what Philip added, there's no good reason to have "no-proxy-arp" in the port forwarding configuration.

This should be enough:

object network WebServer
nat (DMZ50,outside) static interface service tcp www www

In regards to your syntax question it, the configuration is not case sensitive (at least not for this). The string with the space is just the switchport configuration syntax, it attaches a physical port to a particular vlan (L2 config). The vlan with no space is the SVI; this is your layer 3 interface used to route packets out or between the vlans.

HTH

__ __

Pablo

hanks for answer. I have

itlklubos6 — Thu, 23 Feb 2017 04:20:49 GMT

hanks for answer. I have removed the line. However, the inside cannot reach the Internet still.

The DMZ is working.

Do you have any suggestions?

Also, I notice when running

itlklubos6 — Thu, 23 Feb 2017 20:41:08 GMT

Also, I notice when running the command (using ASDM) "show running-config" that the switchport access is missing for inside ports:

!
interface Ethernet0/0
switchport access vlan 2

!
interface Ethernet0/1
switchport access vlan 5
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

Is this significant or is it just filtered out for display? I have checked that all ports are enabled. The startup-config has the switchport definition in place for all interfaces, as shown in my sample when I created these discussion. The startup and running confit are identical except those missing switchports.

Could this be the root of a problem that is causing that I am not able to connect to Internet from the Inside network?

That just means they belong

Pablo — Thu, 23 Feb 2017 20:59:55 GMT

That just means they belong to the default vlan 1.

Are you able to ping the ASA's Inside IP from one of the internal hosts?

Run a packet tracer and see if it's being stopped for some reason:

packet-tracer input inside icmp <inside host IP> 8 0 8.8.8.8

__ __

Pablo

he response is "Flow is

itlklubos6 — Thu, 23 Feb 2017 21:25:09 GMT

he response is "Flow is denied by configured rule" Using ASDM it navigates me to Configuration>Firewall>Access rules

There is a Global implicit rule: any any ip Deny

If I do packet tracer from inside to outside interface, I get result "No route to host". The Trace route to ISP Gateway is "NAT cluster unassigned pool"

From the ASA are you able to

Pablo — Thu, 23 Feb 2017 22:27:19 GMT

From the ASA are you able to ping the gateway IP or something outside such as 8.8.8.8

Can you post the result of a show route?

I have tried it both from ASA

itlklubos6 — Thu, 23 Feb 2017 22:53:14 GMT

I have tried it both from ASA and Windows command line.

On ASA I get the response:

RRRRR

Success rate is 0% (0/5)

From command line I get "Request timed out". Interestingly I get the same message when I run ping from command line on the web server, which has no problem with reaching Internet. Maybe the ping service is disabled?

Figured it out, so I am

itlklubos6 — Tue, 28 Feb 2017 23:45:53 GMT

Figured it out, so I am posting the solution here just in case if somebody else would need it.

If connection to Internet from inside is not working, despite that the DMZ is fine and all ASA configuration file looks OK, double check the information about DNS in your config, or in the host's TCP/IP settings.