topic ASA 5510 DMZ Nat question in Network Security

ASA 5510 DMZ Nat question

gtorresjr77 — Tue, 12 Mar 2019 02:55:26 GMT

Hi All,

first time posting.

so my goal is to have an FTP Server on the DMZ and be able to access it using the outside interface (which is currently just configured as 10.2.2.2) I tried adding the NAT rule using asdm and CLI but it won't take. What am I missing that i can't NAT

static (dmz, outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0

here is the current config

Thanks

ASA Version 8.2(1)

interface Ethernet0/0

nameif outside

security-level 0

no ip address

interface Ethernet0/1

nameif inside

security-level 100

no ip address

interface Ethernet0/1.1

vlan 1

nameif inside1

security-level 100

ip address 10.20.10.1 255.255.255.0

interface Ethernet0/1.3

vlan 3

nameif inside3

security-level 100

ip address 10.40.20.1 255.255.255.0

interface Ethernet0/2

nameif dmz

security-level 50

ip address 172.20.10.1 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

boot system disk0:/asa821-k8.bin

ftp mode passive

object-group network inside-subnet

network-object 10.20.10.0 255.255.255.0

network-object 10.40.10.0 255.255.255.0

object-group network FTPServer

network-object 172.20.10.5 255.255.255.255

object-group network FTPServer-External

network-object 10.2.2.2 255.255.255.255

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

mtu dmz 1500

mtu inside1 1500

mtu inside3 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

global (outside) 1 10.2.2.2

nat (dmz) 1 172.20.10.0 255.255.255.0

nat (inside1) 1 10.20.10.0 255.255.255.0

nat (inside3) 1 10.40.20.0 255.255.255.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

Re: ASA 5510 DMZ Nat question

Jouni Forss — Wed, 23 Oct 2013 16:18:51 GMT

Hi,

The Static PAT (Port Forward) configuration seems valid

Though you dont have any IP address in the visible configuration for the "outside" interface.

interface Ethernet0/0

nameif outside

security-level 0

no ip address

You should add

interface Ethernet0/0

ip address

- Jouni

Re: ASA 5510 DMZ Nat question

Jouni Forss — Wed, 23 Oct 2013 16:21:13 GMT

Also,

Seems that one of your interfaces is configured as Trunk

interface Ethernet0/1

nameif inside

security-level 100

no ip address

The actual physical interfaces configurations seems unneeded if you are not planning to add IP address to it. If you are not going to add one you could configure

interface Ethernet0/1

no nameif

no security-level

Just to avoid any future missunderstanding with the interface in question.

- Jouni

Re: ASA 5510 DMZ Nat question

gtorresjr77 — Wed, 23 Oct 2013 16:25:46 GMT

thanks for that quick response. the interface not having an IP was an oversight for not having the correct IP's from the ISP yet.

I'll add the temp IP and test again. also, i will remove those configs from eth0/1.

i'll let you know if all is good.

Re: ASA 5510 DMZ Nat question

Jouni Forss — Wed, 23 Oct 2013 16:30:12 GMT

Hi,

I cant see any other reason for not accepting the command atleast if you did it through ASDM

The "static" command itself refers to the "outside" interface with the parameter "interface" and if the interface has no IP address configured I would imagine it wont accept the NAT configuration as there is no IP address to use for the NAT configuration you are trying to insert.

static (dmz, outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0

- Jouni

Re: ASA 5510 DMZ Nat question

gtorresjr77 — Wed, 23 Oct 2013 17:13:49 GMT

ok so i removed the security-level and nameif on eth0/1 and now i cannot ping the 10.20.10.1 from a server with IP 10.20.10.5 connected to the same switch.

from the asa i can ping 10.40.20.2 (int vlan 3 IP on switch) but i can't ping 10.20.10.254 (int vlan 1 on switch)

I have the switch connected to eth 0/1 on port 48 on switch. here's my truncated version of my switch.

ip routing

ip dhcp excluded-address 10.40.20.1 10.40.20.10

ip dhcp pool guestwifi

network 10.40.20.0 255.255.255.0

dns-server 8.8.8.8 4.2.2.2

default-router 10.40.20.1

interface GigabitEthernet0/40

interface GigabitEthernet0/41

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,3

switchport mode trunk

interface GigabitEthernet0/42

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,3

switchport mode trunk

interface GigabitEthernet0/43

interface GigabitEthernet0/44

interface GigabitEthernet0/45

interface GigabitEthernet0/46

interface GigabitEthernet0/47

interface GigabitEthernet0/48

uplink to Firewall

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,3

switchport mode trunk

interface GigabitEthernet0/49

interface GigabitEthernet0/50

interface GigabitEthernet0/51

interface GigabitEthernet0/52

interface Vlan1

ip address 10.20.10.254 255.255.255.0

interface Vlan2

description Voice Vlan

no ip address

interface Vlan3

description Guest Vlan

ip address 10.40.20.2 255.255.255.0

ASA 5510 DMZ Nat question

Jouni Forss — Wed, 23 Oct 2013 17:19:50 GMT

Hi,

If removing those commads created some problems you could always revert back to the original configuration.

Though I didnt see that there was any IP address configured for the physical interface so I am not sure how it would affect the setup.

If it did it must be related to you using the Vlan1 in the configurations.

I am wondering would you need to change the Native Vlan to something else than the default vlan for the suggested configurations to not cause any problems.

But probably better to revert to the original configuration though it still leaves the ASA configuration looking pretty strange.

- Jouni

ASA 5510 DMZ Nat question

gtorresjr77 — Fri, 25 Oct 2013 19:48:02 GMT

So after removing it still didn't work. what i did was configure the eth0/1 interface with the vlan 1 IP and just kept the eth0/1.3 vlan 3 sub interface. communication is ok now. My next issue\question is, I am trying to get the vlan 1 network 10.20.10.0/24 to see the FTP server on the DMZ (172.20.10.5). here's the asa config so far. What am I missing in access list to be able to hit\ping the FTP Server from vlan 1 server. The switch is configured for DMZ vlan 4. I have the eth0/2 int and FTP server connected to port 43/44 trunked with vlan1, 4.

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.2.2.1 255.255.255.0

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.20.10.1 255.255.255.0

interface Ethernet0/1.3

vlan 3

nameif inside3

security-level 100

ip address 10.40.20.1 255.255.255.0

interface Ethernet0/2

nameif dmz

security-level 50

ip address 172.20.10.1 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 10.30.10.1 255.255.255.0

management-only

boot system disk0:/asa821-k8.bin

ftp mode passive

object-group network inside-subnet

network-object 10.20.10.0 255.255.255.0

network-object 10.40.10.0 255.255.255.0

object-group network FTPServer

network-object 172.20.10.5 255.255.255.255

access-list dmz_access_in extended permit ip 10.20.10.0 255.255.255.0 host 172.2

0.10.5

access-list dmz_access_in extended permit icmp 10.20.10.0 255.255.255.0 host 172

.20.10.5

access-list outside_access_in extended permit tcp any object-group FTPServer eq

ftp

access-list inside_access_in extended permit icmp host 172.20.10.5 10.20.10.0 25

5.255.255.0 timestamp-reply

access-list inside_access_in extended permit tcp host 172.20.10.5 10.20.10.0 255

.255.255.0 inactive

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu inside3 1500

mtu dmz 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

global (outside) 1 10.2.2.2

nat (inside) 1 10.20.10.0 255.255.255.0

nat (inside3) 1 10.40.20.0 255.255.255.0

nat (dmz) 1 172.20.10.0 255.255.255.0

static (dmz,outside) tcp interface ftp 172.20.10.5 ftp netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

: end

hofasa#

ASA 5510 DMZ Nat question

Julio Carvajal — Fri, 25 Oct 2013 23:28:03 GMT

Hello,

The problem you had before was that you were using incorrectly the native VLAN interface.

You changed the setup so we will start from here now:

First of all remove this:

no access-group inside_access_in

Add the following

policy-map global_policy

class class-default

inspect FTP

Just in case you do not have it

static (dmz,inside)172.20.10.5 172.20.10.5

static (inside,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0

Let me know how it goes.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

ASA 5510 DMZ Nat question

gtorresjr77 — Mon, 28 Oct 2013 16:56:56 GMT

so I removed and added the statements you stated. From the switch i can ping the DMZ interface on asa 172.20.10.1 but not the FTP server 172.20.10.5. From the ASA i can ping the vlan 4 interface on the switch 172.20.10.2 but cannot ping the FTP server 172.20.10.5.

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.2.2.1 255.255.255.0

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.20.10.1 255.255.255.0

interface Ethernet0/1.3

vlan 3

nameif inside3

security-level 50

ip address 10.40.20.1 255.255.255.0

<--- More --->

interface Ethernet0/2

nameif dmz

security-level 100

ip address 172.20.10.1 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 10.30.10.1 255.255.255.0

management-only

boot system disk0:/asa821-k8.bin

ftp mode passive

object-group network inside-subnet

network-object 10.20.10.0 255.255.255.0

network-object 10.40.10.0 255.255.255.0

object-group network FTPServer

<--- More --->

network-object 172.20.10.5 255.255.255.255

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object icmp timestamp-reply

access-list dmz_access_in extended permit ip 10.20.10.0 255.255.255.0 172.20.10.0 255.255.255.0

access-list dmz_access_in extended permit icmp 10.20.10.0 255.255.255.0 172.20.10.0 255.255.255.0

access-list outside_access_in extended permit tcp any object-group FTPServer eq ftp

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu inside3 1500

mtu dmz 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

global (outside) 1 10.2.2.2

nat (inside) 1 10.20.10.0 255.255.255.0

nat (inside3) 1 10.40.20.0 255.255.255.0

nat (dmz) 1 172.20.10.0 255.255.255.0

static (dmz,outside) tcp interface ftp 172.20.10.5 ftp netmask 255.255.255.255

static (dmz,inside) 172.20.10.5 172.20.10.5 netmask 255.255.255.255

<--- More --->

static (inside,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.20.10.0 255.255.255.0 management

http 10.20.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 10.20.10.0 255.255.255.0 inside

telnet 192.168.1.1 255.255.255.255 management

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

<--- More --->

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

<--- More --->

inspect netbios

inspect tftp

class class-default

inspect ftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:6bcfb01a635982dcd4020570173ae95f

: end

Switch config

interface GigabitEthernet0/43

FTP Server

switchport access vlan 4

switchport mode access

interface GigabitEthernet0/44

Uplink to ASA DMZ Eth0/2

switchport access vlan 4

switchport mode access

interface GigabitEthernet0/45

interface GigabitEthernet0/46

interface GigabitEthernet0/47

interface GigabitEthernet0/48

UPLink to ASA Eth0/1

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,3,4

switchport mode trunk

interface Vlan2

description Voice Vlan

no ip address

no ip route-cache

interface Vlan3

description Guest Vlan

ip address 10.40.20.2 255.255.255.0

no ip route-cache

interface Vlan4

description DMZ Vlan

ip address 172.20.10.2 255.255.255.0

no ip route-cache

Re: ASA 5510 DMZ Nat question

gtorresjr77 — Mon, 28 Oct 2013 17:13:24 GMT

Ok I'm narrowing this down slowly. I rebooted the switch and i'm able to ping 172.20.10.5 (FTPServer) from switch (when i source the ping from vlan 4) and the ASA. How do i get 10.20.10.0 network able to access dmz (just FTPServer)?

Could it be because Eth0/2 on asa is native vlan and not vlan 4? i don't see an option to change it.

ASA 5510 DMZ Nat question

jumora — Tue, 29 Oct 2013 01:58:19 GMT

This is the correct configuration:

How do I get 10.20.10.0 network able to access just the FTP Server via its translated IP?

Step 1:

Lower the security level of the interface where the FTP server resides:

enable

config t

Interface Ethernet0/2

security-level 90

Why would you do this? Because you are playing with same-security-traffic feature which if you really don't know for what it is used just don't use it as it is not necessary on your setup.

enable

config t

static (dmz,inside) tcp 10.2.2.1 21 172.20.10.5 211 netmask 255.255.255.255

Then add the next line:

enable

config t

global (dmz) 1 interface

You might ask yourself, why am I adding this last line? Because you have the next configuration line that obligates it to PAT when going to the DMZ.

nat (inside) 1 10.20.10.0 255.255.255.0

Now, my question to you? When you access your FTP server from the outside interface, do you do it over domain or IP? See, it is completely another thing to be on the external world and some other device doing a NAT for you and then another thing to try to connect from the internal network to the DMZ FTP server and mapping it to what would see to be the correct IP that would be 10.2.2.1.

Plus your code should be updated, really old version, maybe a 8.2.5 code would be OK.

ASA 5510 DMZ Nat question

jumora — Thu, 31 Oct 2013 17:52:44 GMT

Please update the ticket as resolved or answered so we can close out followup.

ASA 5510 DMZ Nat question

gtorresjr77 — Thu, 31 Oct 2013 18:17:28 GMT

I don't know how to mark it as resolved without hitting correct answer?

ASA 5510 DMZ Nat question

jumora — Thu, 31 Oct 2013 18:23:14 GMT

Yeah, with correct answer is the right way, if you believe that the solution was not given you just rate it but the idea is if you post question we continue the conversation until we resolve.

Question, did you get the information that you needed or do you still have doubts?

ASA 5510 DMZ Nat question

gtorresjr77 — Thu, 31 Oct 2013 18:28:46 GMT

ok thanks for that info.

Re: ASA 5510 DMZ Nat question

Jouni Forss — Thu, 31 Oct 2013 18:37:30 GMT

Hi,

I atleast find it a bit missleading when the Correct Answers marked in the discussion actually have nothing to do with the actual solution to the problem.

Usually you would mark the replys that answer your question/solve your problem with the "Correct Answer" which in this case would have been some earlier replys of Julio or Jumora probably. That is if you got everything working?

- Jouni

ASA 5510 DMZ Nat question

gtorresjr77 — Wed, 06 Nov 2013 18:37:35 GMT

So the issue came up again where i cannot access the ftp server 172.20.10.5 on DMZ from 10.20.10.0 network. It was working, then moved equipment and did not come up again once powere back on. Outside network will only access FTP port on IP of outside interface.

interfaceinterface Ethernet0/1

nameif inside

security-level 100

ip address 10.20.10.1 255.255.255.0

interface Ethernet0/1.3

vlan 3

nameif inside3

security-level 50

ip address 10.40.20.1 255.255.255.0

interface Ethernet0/2

nameif dmz

security-level 50

ip address 172.20.10.1 255.255.255.0

boot system disk0:/asa821-k8.bin

ftp mode passive

object-group network inside-subnet

network-object 10.20.10.0 255.255.255.0

object-group network FTPServer

network-object 172.20.10.5 255.255.255.255

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object icmp timestamp-reply

object-group service DM_INLINE_SERVICE_2

service-object icmp

service-object icmp echo-reply

access-list outside_access_in extended permit tcp any object-group FTPServer eq

ftp

access-list outside_access_in extended permit icmp any 10.20.10.0 255.255.255.0

echo-reply

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 17

2.20.10.0 255.255.255.0 10.20.10.0 255.255.255.0

global (outside) 1

nat (inside) 1 10.20.10.0 255.255.255.0

nat (inside3) 1 10.40.20.0 255.255.255.0

nat (dmz) 1 172.20.10.0 255.255.255.0

static (dmz,outside) tcp interface ftp 172.20.10.5 ftp netmask 255.255.255.255

static (dmz,inside) 172.20.10.5 172.20.10.5 netmask 255.255.255.255

static (inside,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0

access-group outside_access_in in interface outside

ASA 5510 DMZ Nat question

jumora — Wed, 06 Nov 2013 18:46:08 GMT

Quick question... The switch, is it a layer 3 device, meaning, is it routing traffic and do these two VLANs have interfaces configured on the switch.

ASA 5510 DMZ Nat question

gtorresjr77 — Wed, 06 Nov 2013 18:55:12 GMT

routing is turned off on the switch. I have the FTP Tera station plugged into port 43 and ASA eth0/2 plugged into port 44

interface GigabitEthernet0/43

switchport access vlan 4

switchport mode access

interface GigabitEthernet0/44

switchport access vlan 4

switchport mode access

interface GigabitEthernet0/45

interface GigabitEthernet0/46

interface GigabitEthernet0/47

interface GigabitEthernet0/48

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,3

switchport mode trunk

interface GigabitEthernet0/49

interface GigabitEthernet0/50

interface GigabitEthernet0/51

interface GigabitEthernet0/52

interface Vlan1

ip address 10.20.10.254 255.255.255.0

no ip route-cache

interface Vlan2

description Voice Vlan

no ip address

no ip route-cache

interface Vlan3

description Guest Vlan

ip address 10.40.20.2 255.255.255.0

no ip route-cache

interface Vlan4

description DMZ Vlan

ip address 172.20.10.2 255.255.255.0

no ip route-cache