topic Re: Cisco ASA 5506 DMZ setup in Network Security

Cisco ASA 5506 DMZ setup

HarrydenOuden7643 — Fri, 20 Sep 2019 14:57:37 GMT

Hello,

Am trying to setup a DMZ for a ASA 5506. At the moment we have 3 interfaces active on the ASA which are:

gi1/1 outside

gi1/2 inside

gi1/3 Voice

Voice has an internal ip with a pat on the outside interface with a public ip address from our range.

Now I want to setup the DMZ on gi1/4 also with a pat on the outside interface with a public ip address.

Have setup the interface with a internal ip address and connected a test pc on that interface with an ip address on the same range and as gateway the gi1/4 interface on the ASA. That should at least give me internet access. But that is not the case. Have followed a lot of configuration examples on the internet with google but all have failed to give me even internet access.

Hope you guys can help me out.

Re: Cisco ASA 5506 DMZ setup

balaji.bandi — Fri, 20 Sep 2019 15:27:41 GMT

2 example threads help you here :

https://community.cisco.com/t5/firewalls/asa-nat-for-dmz-public-ip/m-p/3875511

https://community.cisco.com/t5/firewalls/cisco-asa-5505-dmz-setup/m-p/2202705

Still you have issue, we would like to see your configuration to asists better.

Re: Cisco ASA 5506 DMZ setup

bhargavdesai — Fri, 20 Sep 2019 16:11:25 GMT

I totally agree with expert BB.
I would like to know few things.
Have you configured interface withe necessary nameif and security level.
Have you configured NAT rule to allow DMZ internet access
Have you configured PAT to allow server access from outside.

HTH

Re: Cisco ASA 5506 DMZ setup

HarrydenOuden7643 — Fri, 20 Sep 2019 18:38:21 GMT

Thanks for the links BB, I did follow those links but still not working.

I included our config in this post

Re: Cisco ASA 5506 DMZ setup

bhargavdesai — Sat, 21 Sep 2019 04:18:50 GMT

The configuration looks good to allow internet for DMZ host. Few points.

Please double check your DMZ host configuration like IP, Subnet, Default Gateway, DNS.
Run packet tracer to see if ASA is dropping the packet, and for what reason. (ref: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html)
packet-tracer input Dmz tcp 192.168.17.10 80 8.8.8.8 80 detailed (You can run from ASDM)
If Packet tracer is fine. See your request from DMZ host is reaching the ASA by looking at the logging. (ASDM Monitor Live Logs)
If you see requests are coming in and ASA is allowing the traffic also look for the return traffic hitting the ASA.
Try the NAT rule for DMZ on the OUTSIDE interface rather than particular IP, This is just to test out as sometime ARP can cause issue. (ARP for your DMZ MAPPED IP 188.202.95.227)

Please revert with the output of above. which will be helpful for us to visualise it better.

HTH

Re: Cisco ASA 5506 DMZ setup

Chris Mickle — Sun, 22 Sep 2019 01:03:02 GMT

I’m no expert but I do have several ASAs in production and looking at your config it looks to me like your NAT statement is incomplete.

You’re missing

object network DMZ

subnet 192.168.17.0 255.355.255.0

nat (dmz,outside) dynamic interface

or wherever you’re trying to PAT the DMZ traffic to.

Hope that helps.

Re: Cisco ASA 5506 DMZ setup

HarrydenOuden7643 — Mon, 23 Sep 2019 14:17:14 GMT

Hello bhargavdesia,

Here is the output for you questions:

- DMZ host configuration is:
IP: 192.168.17.1 255.255.255.0

GW: 192.168.17.254 (interface Gi1/4 on the ASA)

DNS: 8.8.8.8

- output from ASA packet tracer:

fw01# packet-tracer input Dmz tcp 192.168.17.10 80 8.8.8.8 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 188.202.95.225 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-dmz in interface Dmz
access-list ACL-dmz extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac36d7220, priority=13, domain=permit, deny=false
hits=0, user_data=0x2aaabb803580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Dmz,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.17.10/80 to 188.202.95.230/80
Forward Flow based lookup yields rule:
in id=0x2aaac36d9e60, priority=6, domain=nat, deny=false
hits=0, user_data=0x2aaac34df320, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1c94360, priority=0, domain=nat-per-session, deny=false
hits=63322227, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac31ba780, priority=0, domain=inspect-ip-options, deny=true
hits=590, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=any

Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map global-traffic-shaping-class
description *** Default KPN traffic-shaping policy (90% of the capacity)
match any
policy-map global_policy
class global-traffic-shaping-class
police input 28311500 15728
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac36d3090, priority=70, domain=qos-per-class, deny=false
hits=591, user_data=0x2aaac36d2be0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Dmz,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac33cf0e0, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x2aaac18a38d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Dmz, output_ifc=outside

Phase: 8
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map global-traffic-shaping-class
description *** Default KPN traffic-shaping policy (90% of the capacity)
match any
policy-map global_policy
class global-traffic-shaping-class
police input 28311500 15728
service-policy global_policy global
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac3413be0, priority=70, domain=qos-per-class, deny=false
hits=52095847, user_data=0x2aaac33d0560, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac1c94360, priority=0, domain=nat-per-session, deny=false
hits=63322229, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac2676330, priority=0, domain=inspect-ip-options, deny=true
hits=40789894, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 43812321, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

- Request from host is not reaching the ASA, link is up and the DMZ host is directly connected to the ASA on interface 1/4, also checked all cables and these are fine.

Re: Cisco ASA 5506 DMZ setup

Network Keith — Mon, 23 Sep 2019 12:33:58 GMT

I may have overlooked it, but I did not see an access-group for DMZ, can you confirm?

Re: Cisco ASA 5506 DMZ setup

HarrydenOuden7643 — Mon, 23 Sep 2019 14:21:03 GMT

Hello Keith,

Yes Access-group is configured:

fw01# sh run access-group
access-group ACL-outside in interface outside
access-group ACL-inside in interface inside
access-group ACL-voice in interface Voice
access-group ACL-dmz in interface Dmz
fw01#

Re: Cisco ASA 5506 DMZ setup

HarrydenOuden7643 — Mon, 23 Sep 2019 14:15:02 GMT

Cleaned the config a bit up and have made some changes.

Re: Cisco ASA 5506 DMZ setup

bhargavdesai — Mon, 23 Sep 2019 14:20:39 GMT

This means that we have issue at layer 1 or 2.
Packet tracer shows packet is allowed. So internet will be available once we solve the issue at below layers.
Can you check that ASA can ping Host and Host can ping ASA.
You can check arp entry as well.
Sometimes arp cache can also be a problem.
See if proxy arp is not creating problem.

I would say you should get the reachability to ASA and then think about issue with ASA NAT and ACL configuration.

Can you look all this and confirm.
HTH

Re: Cisco ASA 5506 DMZ setup

HarrydenOuden7643 — Mon, 23 Sep 2019 19:00:14 GMT

Host can not ping ASA and ASA can not ping host. In Arp table no entry for the host. Checked the cabels and host with a connection on a L2 Switch and that is working. Host could ping the Switch and the Switch could ping the host. Arp proxy is enabled on the interface but after setting it to no proxy-arp it still did not show up in the arp table and the host still could not ping the ASA. Am a little stumped at this. Normaly putting a device directly on an interface it shows up in the arp table of the ASA. Routing table on the ASA is showing the interface as a connected route.

Re: Cisco ASA 5506 DMZ setup

Network Keith — Mon, 23 Sep 2019 19:45:21 GMT

Are the other interfaces (voice) and (INTERNAL) linked to this same switch?

Can a host on those ^^ networks ping the ASA interface?

Is there a Default-gateway set on the switch?

Re: Cisco ASA 5506 DMZ setup

HarrydenOuden7643 — Mon, 23 Sep 2019 20:05:36 GMT

No, the inside is on a L3 switch and has their GW on vlan1 which is 192.168.16.200, that switch has a route to his interface on the ASA which is 192.168.16.254 as default route. The voice network is connected on a unmanaged 1 GB switch and all devices have their GW on the ASA which is 192.168.15.254. On the L3 switch I can ping the interface on the ASA for the inside network. The voice network have only VOIP devices which connect to the cloud Phone solution and they are all working normaly. For the DMZ I was planning to connect the inside switch with a seperate vlan but from that vlan I can not ping the ASA interface which is on 192.168.17.254 so for troubleshooting I put the server straight on the ASA interface and had the server GW point to 192.168.17.254 but that is not working also.

Re: Cisco ASA 5506 DMZ setup

Network Keith — Mon, 23 Sep 2019 20:43:18 GMT

OK, Setup a constant ping to the asa from the host,

On the asa run debug icmp trace 7...... See if you see the host listed.

Also check the following:

sho logging asdm

Show conn address (Host IP)

See if any of this can help you pinpoint.

Re: Cisco ASA 5506 DMZ setup

HarrydenOuden7643 — Mon, 23 Sep 2019 21:17:23 GMT

Host is not coming up on the debug icmp trace 7. Also on the logging he is not showing up. show conn address 192.168.17.1 gives no repons. Seems like there is no network connection at all.

Re: Cisco ASA 5506 DMZ setup

bhargavdesai — Tue, 24 Sep 2019 05:00:09 GMT

Although, I have not looked at your updated configuration, the first configuration you post was fine as we are able to run the packet tracer successfully.

I clearly told you that you need to solve the problem at Layer 1, Layer 2 as our DMZ host is not able to reach DMZ interface on ASA. Just think about this, How could ASA do anything with the packet without receiving it.

With all due respect, to clarify some points discussed here.

By default, ASA will allow all communication (TCP/UDP) from high security level (in your case DMZ with security level 20) going out to low security level (in your case OUTSIDE with security level 0). So There is no access-list or access-group configuration required.

You already had NAT statement. This is Manual NAT statement.

nat (DMZ,outside) source dynamic any OBJ-NET-188.202.95.227

So you don't need AUTO NAT configuration.

object network DMZ
subnet 192.168.17.0 255.355.255.0
nat (dmz,outside) dynamic interface

Now back to your issue.

I would say please check if ASA can ping its own DMZ interface IP 192.168.17.254 to make sure the interface is up up.
Have you checked with a Laptop by direct connecting to DMZ. (not the server, just to check out.)
When you connected DMZ Server and DMZ interface to a managed switch, did you see MAC address entry on the port and arp entry if in layer 3 mode.
Change the Cable (MIDI and MIDI-X the old concept consideration)and also try to check speed duplex.

I would urge you to not change any ASA configuration other than DMZ interface level configuration to establish layer 1, layer 2 connectivity to ASA. Our first target should be to establish communication between DMZ host and DMZ interface on ASA.

HTH
### RATE ALL HELPFUL RESPONSES ###

Re: Cisco ASA 5506 DMZ setup

HarrydenOuden7643 — Tue, 24 Sep 2019 08:05:12 GMT

Thanks for the reply bhargavdesai,

I will remove the auto NAT statement.

About your questions:

- Yes the ASA can ping the dmz interface

- Checked it with a server and a laptop connected directly on the interface both give the same result

- Yes on the layer 3 switch I see a mac entry for the server/laptop but the ASA interface is not visible on the switch port or in the arp table.

- Change out the cables and set the speed duplex from auto to 1000 full still no result.

Re: Cisco ASA 5506 DMZ setup

bhargavdesai — Tue, 24 Sep 2019 10:35:41 GMT

So to conclude on your setup, you have a connection as below.

DMZ HOST/LAPTOP >>>> L2/L3 SWITCH >>>> Cisco ASA DMZ Interface

Connection between Switch and ASA is focus point.

Do you see light on Switch and ASA DMZ interface?
Do ports on ASA and Switch show UP?
Do Cisco ASA DMZ interface and DMZ host/Laptop connect to same VLAN?

I am ready to help your remotely, if you are ready for the same personal message me, this will reduce time and effort in troubleshooting.

HTH
### RATE ALL HELPFUL RESPONSES ###

Re: Cisco ASA 5506 DMZ setup

HarrydenOuden7643 — Tue, 24 Sep 2019 11:32:13 GMT

Hello bhargavdesai,

No at the moment the setup is DMZ HOST/LAPTOP >>> Cisco ASA DMZ Interface

I see light on the ASA interface and on the network card of the DMZ host

The interface on the ASA is showing up and the network Card on the DMZ host is showing connected

Host and ASA share the same network without a switch between them.

At the moment I am not on location but I will be tomorrow, if you could assist remotely that would be great.