topic Thanks josh but its not in Network Security

Internet access for LAN user through inside to outside

Navaz Wattoo — Tue, 12 Mar 2019 05:01:53 GMT

Here are i want o access internet of my lan users having subnet 172.16.20.0/24

and inside firewall ip is 192.168.11.249/24

outside ip is 125.209.70.88/24
and i also attached a diagram with the ip,s

Hi, Below is the required

Prashant Joshi — Wed, 05 Nov 2014 11:25:57 GMT

Hi,

Below is the required configuration on ASA:-

route inside 172.16.20.0 255.255.255.0 192.168.11.254

Nat 8.2

===========

nat(inside) 1 0 0

global(outside) 1 interface

Nat 8.3 +

object network internal_net
subnet 172.16.20.0 255.255.255.0

object network internal_net
nat (inside,outside) dynamic interface

Thanks,

Prashant Joshi

I have Cisco Adaptive

Navaz Wattoo — Wed, 05 Nov 2014 12:38:33 GMT

I have Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

But its not working. Below is my configuration and I only now need my LAN user to allow internet through Inside to Outside. One thing is that 172.16.20.0/24 users gateway is 172.16.20.254 similarly 172.16.30.X/24 users gateway is 172.16.30.254 and 172.16.40.X/24 users gateway is 172.16.40.254, 172.16.50.X/24 users gateway is 172.16.50.254. Thanks for the reply.

Version of ASA

ASA Version 8.2(5)

hostname ACTIVE

domain-name dhalahore.org

enable password vXH3rdHwVuRbxQ3j encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

INTERFACE DETAILS

interface Ethernet0/0

description Inside to the Core Switches 1

duplex full

no nameif

no security-level

no ip address

interface Ethernet0/1

description Inside to the Core Switches 2

duplex full

no nameif

no security-level

no ip address

interface Ethernet0/2

description Public Server - DMZ

duplex full

nameif DMZ

security-level 50

ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

interface Ethernet0/3

description Outside to the Internet via router

duplex full

nameif Outside

security-leLvel 0

ip address 117.102.8.90 255.255.255.248 standby 117.102.8.91

interface Management0/0

description LAN/STATE Failover Interface

interface Redundant1

member-interface Ethernet0/0

member-interface Ethernet0/1

INSIDE INTERFACE

nameif inside

security-level 100

ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250

CREATE OBJECT FOR LAN NETWORKS

object-group network DMZ-BLOCKED-LAN-NETWORKS

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 172.16.30.0 255.255.255.0

network-object 172.16.40.0 255.255.255.0

network-object 172.16.50.0 255.255.255.0

CREATE ACL FOR OUTSIDE TO INSIDE

access-list 102 extended permit tcp any host 117.102.8.90 eq www

access-list 102 extended permit tcp any host 117.102.8.90 eq 8888

access-list 102 extended permit tcp any host 117.102.8.90 eq https

access-list 102 extended permit tcp any host 117.102.8.90 eq telnet

access-list 102 extended permit tcp any host 117.102.8.90 eq pop3

access-list 102 extended permit tcp any host 117.102.8.90 eq smtp

CREATE ACL FOR THE LAN NETWORK TO ACCESS DMZ SERVERS

access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248

access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0

access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0

access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0

CREATE ACL FOR THE DB SERVERS TO DMZ MEMBER AREA SERVER

access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server

access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo

access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo

access-list DMZ-IN remark Block connections from DMZ to INSIDE networks

access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS

access-list DMZ-IN remark Allow all other traffic

access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any

access-list ICMP extended permit icmp any any

access-list SPLIT standard permit 192.168.0.0 255.255.0.0

NAT CONFIGURATION

nat-control

CREATE NAT FOR THE INSIDE USER TO ACCESS

nat (inside) 0 access-list no-nat

CREATE NAT FROM OUTSIDE TO DMZ SERVER(FOR SPECIFIC PORTS OPEN)

static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255

static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255

static (DMZ,Outside) tcp interface 8888 10.1.1.245 8888 netmask 255.255.255.255

static (DMZ,Outside) tcp interface pop3 10.1.1.254 pop3 netmask 255.255.255.255

CREATE NAT DMZ TO INSIDE(TO ACCESS THE LAN SPECIFIC USERS)

static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0

ALLOW THE ACL 102 TO OUTSIDE INTERFACE

access-group 102 in interface Outside

CREATE ROUTE TO THE ACCESS FROM THE OUTSIDE INTERFACE

route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1

CREATE ROUTE TO ACCESS FROM THE INSIDE INTERFACE (ALL VLAN,S INCLUDING APPLICATION,DB,LAN)

route inside 0.0.0.0 0.0.0.0 192.168.11.254 2

route inside 0.0.0.0 0.0.0.0 192.168.10.254 2

route inside 172.16.10.0 255.255.255.0 192.168.11.254 1

route inside 172.16.20.0 255.255.255.0 192.168.11.254 1

route inside 172.16.30.0 255.255.255.0 192.168.11.254 1

route inside 172.16.40.0 255.255.255.0 192.168.11.254 1

route inside 172.16.50.0 255.255.255.0 192.168.11.254 1

route inside 192.168.10.0 255.255.255.0 192.168.11.254 1

TO ACCESS INSIDE THROUGH ASDM

http server enable

http 192.168.11.0 255.255.255.0 inside

http 192.168.11.249 255.255.255.255 inside

TO TELNET INSIDE

telnet 0.0.0.0 0.0.0.0 inside

telnet 192.168.11.254 255.255.255.255 inside

telnet 192.168.10.254 255.255.255.255 inside

telnet 192.168.11.0 255.255.255.0 inside

telnet timeout 10

You need to configure a PAT

Prashant Joshi — Wed, 05 Nov 2014 13:09:13 GMT

You need to configure a PAT policy

General PAT and will be used by all inside users.

nat(inside) 1 0 0

global(outside) 1 interface

However, if you need to be specific

nat(inside) 1 72.16.20.0 255.255.255.0

global(outside) 1 interface

nat(inside) 1 72.16.30.0 255.255.255.0

global(outside) 1 interface

nat(inside) 1 72.16.40.0 255.255.255.0

global(outside) 1 interface

If still it didn't work, provide me below output :

packet-tracer input inside tcp 172.16.20.10 5656 4.2.2.2 80 det

Thanks

Prashant Joshi

Its didnt work. I attached a

Navaz Wattoo — Wed, 05 Nov 2014 13:41:09 GMT

Its didnt work. I attached a files that you are required.

thanks

configuration seems to be

Prashant Joshi — Wed, 05 Nov 2014 13:47:28 GMT

configuration seems to be fine with ASA, packet tracer showing correct outputs.I

believe packets are not reaching the ASA.

Kindly provide me below captures.

cap capin interface inside match tcp ho <host ip> any

cap capout interface outside match tcp any any

sh cap capout

sh cap capin

Thanks,

Prashant Joshi

Please find the attached file

Navaz Wattoo — Wed, 05 Nov 2014 13:57:09 GMT

Please find the attached file . But in Inside interface of ASA a core switch 3750 exist and after that layer 2 switch 2960 exist where the LAN exist.

As expected internet traffic

Prashant Joshi — Wed, 05 Nov 2014 14:57:29 GMT

As expected internet traffic is not reaching the ASA, we can see only telnet traffic
( to ASA inside interface).

Have you configured a default route pointing to ASA on your 3750 switch ?

Thanks

Prashant Joshi

These are the routs add for

Navaz Wattoo — Thu, 06 Nov 2014 03:56:06 GMT

These are the routs add for at the core switch 3750

ip classless
ip route 0.0.0.0 0.0.0.0 221.120.216.153
ip route 5.5.5.0 255.255.255.0 192.168.11.249
ip route 10.1.1.0 255.255.255.0 192.168.10.249
ip route 10.1.1.0 255.255.255.0 192.168.11.249
ip route 172.16.20.0 255.255.255.0 192.168.10.249
ip http server

DC-Core1(config)# do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

5.0.0.0/24 is subnetted, 1 subnets
S 5.5.5.0 [1/0] via 192.168.11.249
C 192.168.10.0/24 is directly connected, Vlan10
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.50.0 is directly connected, Vlan80
C 172.16.40.0 is directly connected, Vlan70
C 172.16.30.0 is directly connected, Vlan60
C 172.16.20.0 is directly connected, Vlan50
C 172.16.10.0 is directly connected, Vlan10
C 192.168.11.0/24 is directly connected, Vlan11
10.0.0.0/24 is subnetted, 1 subnets
S 10.1.1.0 [1/0] via 192.168.11.249
[1/0] via 192.168.10.249

Below route is punting all

Prashant Joshi — Thu, 06 Nov 2014 04:58:35 GMT

Below route is punting all the traffic to 221.120.216.153 , so we need to delete this route ip route 0.0.0.0 0.0.0.0 221.120.216.153

no ip route 0.0.0.0 0.0.0.0 221.120.216.153

We need to punt all the default traffic to ASA, so add below route.

ip route 0.0.0.0 0.0.0.0 192.168.11.249

in addition, if 172.16.20.0/24 is a directly connected network on 3750 we don't need below route

ip route 172.16.20.0 255.255.255.0 192.168.10.249

Thanks,

Prashant Joshi

Thanks its working. but now

Navaz Wattoo — Thu, 06 Nov 2014 05:29:02 GMT

Thanks its working. but now next step is to only allow outlook traffic from inside LAN to outside.

You need to allow whatever

Prashant Joshi — Thu, 06 Nov 2014 06:55:29 GMT

You need to allow whatever subnets and respective ports you need...for example:-

access-list inside_out per tcp 172.16.20.0 255.255.255.0 any eq 25

access-list inside_out per tcp 172.16.20.0 255.255.255.0 any eq XY

access-list inside_out per tcp 172.16.20.0 255.255.255.0 any eq YZ

access-group inside_out in interface inside

Thanks,

Prashant Joshi

Thanks josh but its not

Navaz Wattoo — Thu, 06 Nov 2014 11:13:59 GMT

Thanks josh but its not working.

I also different acl. can u verfied that its not create the prob

bject-group network DMZ-BLOCKED-LAN-NETWORKS
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0
network-object 172.16.50.0 255.255.255.0
access-list 102 extended permit tcp any host 117.102.8.90 eq www
access-list 102 extended permit ip 5.5.5.0 255.255.255.0 any
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888
access-list 102 extended permit tcp any host 117.102.8.90 eq https
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 117.102.8.90 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-list ICMP extended permit icmp any any
access-list SPLIT standard permit 192.168.0.0 255.255.0.0

access-list 102 extended

Prashant Joshi — Thu, 06 Nov 2014 11:40:48 GMT

access-list 102 extended permit tcp any host 117.102.8.90 eq www
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888
access-list 102 extended permit tcp any host 117.102.8.90 eq https
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp

Above access-lists are allowing any source to access destination 117.102.8.90 on specific ports, rest all other destinations are restricted.

access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 117.102.8.90 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0

All these access-lists are used in NAT Exempt from specific source to destination.

access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any

DMZ access-lists blocking connection to DMZ-BLOCKED and allowing 10.1.1.0 /24 to access anything.

You need to apply these access-lists on interface as well.

access-list <access-list name > in interface <interface name>

Prashant Joshi:-

After these applying, then i

Navaz Wattoo — Thu, 06 Nov 2014 11:45:19 GMT

After these applying, then i can allow only outlook traffic and my outlook port are configured at SSL port 995 and 465

Add below access lists with

Prashant Joshi — Thu, 06 Nov 2014 12:09:16 GMT

Add below access lists with whatever source and destination you need to restrict

access-list 102 extended permit tcp <source> <destination> eq 995

access-list 102 extended permit tcp <source> <destination> eq 465

access-list 102 extended

Navaz Wattoo — Thu, 06 Nov 2014 12:26:13 GMT

access-list 102 extended permit tcp 172.16.20.0 117.102.8.90 eq 995

access-list 102 extended permit tcp 172.16.20.0 117.102.8.90 eq 465

i need to run outlook of lan users having subnet 172.16.20.0/24 and after that is apply

access-group 102 in interface inside ?

access-list 102 extended

Prashant Joshi — Thu, 06 Nov 2014 14:08:10 GMT

access-list 102 extended permit tcp 172.16.20.0 255.255.255.0 117.102.8.90 eq 995

access-list 102 extended permit tcp 172.16.20.0 255.255.255.0 117.102.8.90 eq 465

access-group 102 in interface inside

Thanks JoshiI applied this

Navaz Wattoo — Fri, 07 Nov 2014 04:51:33 GMT

Thanks Joshi

I applied this but outlook is not working.

i attached outlook setting.

I can only see the ports in

Prashant Joshi — Sun, 09 Nov 2014 06:43:10 GMT

I can only see the ports in your configuration ,what is the incoming and outgoing mailserver name/IP configured in your outlook, If its name and not an IP then how the name resolution will happen, do you have an inside DNS server ?

Thanks,

Prashant Joshi