topic Hi, in Network Security

Help with DMZ Interface

dougken444 — Tue, 12 Mar 2019 07:43:15 GMT

I am fairly new to the ASA world. I ran out options, and turning to experts here for help. I have an ASA 5506-X with 4 interfaces. ASA is running OS 9.4(2) and I am using ASDM to configure everything. ASDM is version 7.6

Interface 1: Outside Network 1 Verizon

Interface 2: Inside Network

Interface 3: Outside Network Comcast

Interface 4: DMZ 192.168.1.0/24

There are two outside networks, in case one goes down, it fails over to the second one.

Aside from these interfaces, ASA is also used for VPN connectivity.

My Problem: I have an Skype for Business Edge Server that I would like people to access from outside. The server is connected to the DMZ and has 3 Private IPs Nated to Public IPs. I have created the NAT rules and the server is connected to the internet (meaning i can go on the server and surf the web). I can't for some reason ping the server or connect to it from outside using any of the 3 public IPs. I have opened the necessary ports using ACL, but still no luck. Any idea on how I could get this up and running? I really appreciate any help with this. Like I said, I have researched this a lot and I couldn't find any solutions. I apologize if this question has already been asked.

Config attached

Hi,

Rishabh Seth — Fri, 06 May 2016 20:59:11 GMT

Hi,

Based on your configuration the acl applied on the Comcast interface will allow only RDP to specific hosts from the outside. You should check the Comcast_access_in all and permit traffic for Skype server.

You have mentioned that you have dual ISP and one ISP act as backup for the other, so you should add nat for backup ISP as well or else servers won't be accessible if one of the ISP is down.

Hope it helps.

Thanks,

Rate if this helps in resolving your query.

As far as I know, access from

David_Che — Mon, 09 May 2016 05:00:35 GMT

As far as I know, access from lower security level interface(outside) to higher interface(inside) is denied by default unless ACL explicitly permission is defined.

You need to configure ACLs to permit any service which DMZ server would provide, including ICMP message to troubleshooting.

Hi Rishabh,

dougken444 — Mon, 09 May 2016 16:00:10 GMT

Hi Rishabh,

I tried adding the DMZ_subnet network object to the Comcast_access_in acl and allowed any traffic. it still didn't work. The Comcast interface that is setup only includes one of the IP addresses I have. How do I add the other 4 IP addresses to the interface?

Hi Doug,

Rishabh Seth — Mon, 09 May 2016 17:03:42 GMT

Hi Doug,

You can create nat rules using different public IP addresses. ASA allows only one up address on an interface. So you can identify the type of nat(static/dynamic) that is required for your network and configure it with public IP addresses.

I hope this will help you in right direction, in case my understanding of you requirement is wrong then feel free to correct me.

Thanks,

Rate if the post helps.

I did create static NATs

dougken444 — Mon, 09 May 2016 17:18:22 GMT

I did create static NATs where I nated the private IPs to public IPs. For example, I created a network object called DMZ-Edge-Access-INT that has a private IP of 192.168.x.x then I nated that to another network object called DMZ-Edge-Access-EXT that has a public IP address.

So the configuration was created this way:

ASA-5506-ASA(config)# object network DMZ-Edge-Access-INT
ASA-5506-ASA(config-network-object)# host 192.168.x.x
PASA-5506-ASA(config-network-object)# nat (DMZ,COMCAST) static DMZ-Edge-Access-EXT

So in the ACL list should I create a rule like the one below?

ASA-5506-ASA(config)# access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Access-EXT eq https

Hi Doug,

Rishabh Seth — Mon, 09 May 2016 17:32:18 GMT

Hi Doug,

Ensure that you are using real IP in the acl as the nat translation will happen before acl evaluation.

Thanks,

Thank you very much for your

dougken444 — Mon, 09 May 2016 17:38:05 GMT

Thank you very much for your prompt response. Should I create the same rules on the DMZ interface acl, or the comcast one will suffice?

Hi Doug,

Rishabh Seth — Mon, 09 May 2016 18:16:14 GMT

Hi Doug,

ACLs are evaluated only once while creation of the connection. So while creating acls keep in mind the direction in which they are applied and evaluate packet flow based on the direction of traffic from source to destination and create appropriate acls to allow traffic.

For example; assume there are two interfaces Inside and Outside. There is an acl acess_in on inside interface in IN direction and there is a acess_out acl on outside interface in OUT direction. If traffic from in to out needs to be allowed then access_in and acess_out both should allow traffic.

So basically evaluate how your ASA is configured and accordingly allow traffic. You can also use packet tracer utility to check the cause of drop and rectify configuration.

Thanks,

Thanks for your help sir!

dougken444 — Fri, 13 May 2016 14:28:24 GMT

Thanks for your help sir!