topic DMZ ASA 5505 in Network Security

DMZ ASA 5505

Ben McGuire — Tue, 12 Mar 2019 06:43:03 GMT

HI There,

We are setting up a DMZ for our VPS Virtual Machines.

We have our esxi host behind the firewall on 192.168.1.101

Our VMs internally are all working fine.

Our issue is we want to create VPS VMs with a static public IP address on the DMZ. We have a public ip address assigned on the DMZ ( 12.12.12.13 ) and on our VM we have assigned another IP address ( 12.12.12.14 with a Gateway of 12.12.12.13 ).

We have setup acl for the DMZ to allow any as we want to use IPtables on the VPS machines.

We cannot seem to get this to work so what are we doing wrong?

We want to setup a number of VPS machines with static ip addresses and use the DMZ interface for this type of traffic.

Are we on the right track or have we missed something??

Thank you in advance

Hi,- Are you able to ping the

Akshay Rastogi — Thu, 08 Oct 2015 13:24:25 GMT

Hi,

- Are you able to ping the ASA DMZ interface (12.12.12.13) IP from your host?

- Also what kind of traffic you are testing?(what is the traffic flow - from where you are initiating)

- As i could understand that you are now using the third vlan (one is inside, one is outside and this is DMZ) , could you please check the output of 'show activation-key' and see if it says 3 vlans, DMZ restricted?

- If you are testing with icmp traffic, have you permitted the return traffic on outside interface or run the command in global mode 'fixup protocol icmp'

- Also if all are set then could you please provide the output of :

"packet-tracer input DMZ tcp 12.12.12.14 12345 4.2.2.2 80 detail"

Regards,

Akshay Rastogi

OK. I will provide these

Ben McGuire — Thu, 08 Oct 2015 13:28:44 GMT

OK. I will provide these outputs now

fw-001# packet-tracer input

Ben McGuire — Thu, 08 Oct 2015 13:30:53 GMT

fw-001# packet-tracer input DMZ tcp 69.162.90.50 12345 4.2.2.2 80 detail

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x415d038, priority=11, domain=permit, deny=true
hits=1671, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: dmz-VPS
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Licensed features for this

Ben McGuire — Thu, 08 Oct 2015 13:31:27 GMT

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

The flash activation key is the SAME as the running key.

Oh and I also have different

Ben McGuire — Thu, 08 Oct 2015 13:34:46 GMT

Oh and I also have different public ip address on the outside interface.

So I have one public ip on the DMZ and one on the outside interface.

I want VPS machines to use the DMZ IP interface and have the VPS machines to use iptables and not the rules of the ASA.

I hope I am making sense. I thank you for taking a look

We have tried ping the DMZ IP

Ben McGuire — Thu, 08 Oct 2015 13:39:13 GMT

We have tried ping the DMZ IP from the VPS machine and its says destination ureachable

Hi,Thanks for the output

Akshay Rastogi — Thu, 08 Oct 2015 13:44:00 GMT

Hi,

Thanks for the output.

First thing here is that you have only two fully functional Vlans. To enable the third vlan which would be able to initiate only in one direction.

"With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. You limit the third VLAN using the no forward interface command".

This means if you want to have communication between DMZ and Outside then you need to configure 'no forward interface <inside-vlan>'. Please configure this and test.

Also provide the access-list you have configure and placed on DMZ interface and Outside Interface

Also provide the output of 'show run policy-map'.

Regards,

Akshay Rastogi

Hi, Thanks for the response.

Ben McGuire — Thu, 08 Oct 2015 13:48:06 GMT

Hi,

Thanks for the response.

The no forward interface command needs to be run on vlan2 yes?

Hi,If you want to have

Akshay Rastogi — Thu, 08 Oct 2015 13:50:32 GMT

Hi,

If you want to have communication of DMZ host to only Outside host (not Inside) then 'no forward interface <inside-interface vlan>.

Regards,

Akshay Rastogi

I run the show run policy-map

Ben McGuire — Thu, 08 Oct 2015 13:50:44 GMT

I run the show run policy-map and it brings back now output - it just takes me back to the command prompt.

fw-001# conf tfw-001(config)#

Ben McGuire — Thu, 08 Oct 2015 13:54:46 GMT

fw-001# conf t
fw-001(config)# no forward interface vlan11
^
ERROR: % Invalid input detected at '^' marker.

It seems that command does not work

I believe it is already

Ben McGuire — Thu, 08 Oct 2015 13:58:39 GMT

I believe it is already configured looking at the asdm.

I provide a screenshot

Hi,I am sorry. I forgot to

Akshay Rastogi — Thu, 08 Oct 2015 13:59:25 GMT

Hi,

I am sorry. I forgot to mention that it is an interface based command.

You need to configure this command under the DMZ vlan interface.

For clear understanding, use the link below:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/int5505.html#wp1051819

Regards,

Akshay Rastogi

hi,If it is already

Akshay Rastogi — Thu, 08 Oct 2015 14:02:10 GMT

hi,

If it is already configured then remove access-group from DMZ vlan interface(bydefault it allows all the traffic from High Security level to low).

It is the access-list issue then(it has not given any license error in packet-tracer).

Regards,

Akshay Rastogi

Hi, Yes the command will work

Ben McGuire — Thu, 08 Oct 2015 14:07:01 GMT

Hi,

Yes the command will work but I provided a screen shot of the DMZ interface which is set to prevent traffic to the inside interface already as without this setting the licence restricts any other setting. The packet tracer states when traffic hit the outside interface it gets blocked.

My understanding is we want all traffic generatedfrom the DMZ to go out via the DMZ as this has its own gateway and public ip. Traffic should not be touching the outside interface like the packet tracer states

Hi, I do not know what you

Ben McGuire — Thu, 08 Oct 2015 14:12:25 GMT

Hi,

I do not know what you mean by "remove access-group from DMZ vlan interface"

I have attached our ACL via ADSM and the network object in the DMZ ( VPS-Customers ) has a public ip of the VPS Machine.

I believe we do not need to setup anything in inside or outside interfaces so why is traffic trying to go out the outside interface?

Yes it seems to be an ACL issue but where??

Hi,I think there is a

Akshay Rastogi — Thu, 08 Oct 2015 14:42:25 GMT

Hi,

I think there is a misunderstanding. I had asked in the starting what is the communication flow(from where it is initiating and to what destination(behind which interface of ASA) it is going.

From the snapshot, i could see that you have configured destination as VPC-customer. So where is this VPC-customer subnet?

Packet-tracer is a way to create a dumy packet and sent through ASA. The example was for host coming from the subnet of DMZ to 4.2.2.2(it is a google server ip) which lies behind Outside Interface.

Please explain in detail what is the communication flow.

Regards,

Akshay Rastogi

The traffic flow should be

Ben McGuire — Thu, 08 Oct 2015 14:54:08 GMT

The traffic flow should be from the internet to the DMZ interface which has an IP of 69.162.90.49. The VPS-Customer object in the DMZ has a public IP of 69.162.90.50.

The DMZ subnet VPS customer is a VM on an ESXi host that I want to be able to bypass the access rules on the ASA and manage the VPS-customer VM firewall via iptables.

To explain further:-

I have an ESXi Host

An ASA Firewall

There are three VMs on the ESXi Host

Two VMs are setup with NAT and are working fine on the inside interface

The third VM has a public IP address and is also on the ESXi Host but this VM needs to use the DMZ ( VPS-customer) and not use the firewall rules of the other VMs. I want to allow 'Any" on the DMZ and also come in and out via the DMZ. Is this how it works or does it still need to go out via the outside interface?

I have made a quick net diagram.

Hi,Thanks for the detailed

Akshay Rastogi — Thu, 08 Oct 2015 15:08:21 GMT

Hi,

Thanks for the detailed explanation.

We need to understand that traffic is by default allowed from High security zone interface to low(return traffic is allowed). Vice versa is not allowed(initiated from lower security zone until there is an access-list configured on the lower interface to allow the traffic).

- Now in your case traffic is initiated form Outside (which is a lower security zone) then you need to allow traffic with access-list source from outside host(any) to your server IP for TCP or IP traffic(whatever is your profile) and apply it on Outside interface(you have already configured access-list on Outside, you can just add one more entry to allow the traffic as mentioned above).

- Also your access-list on DMZ is wrong as VPC-customer is already behind DMZ so this network object should be source not destination(you have configured) and destination should be any(configure specific destination IP on Internet if you are aware of).

Please let me know if you have any query.

Regards,

Akshay Rastogi