topic PIX to ASA migration some services aren't working in Network Security

PIX to ASA migration some services aren't working

aacefeqbal — Tue, 12 Mar 2019 01:46:32 GMT

Hello,

I've recently migrated a PIX 525 to ASA 5520, but for some reason (through ASA) the users from OUTSIDE aren't able access services published in DMZ as well as some DMZ servers aren't able to communicate to some OUTSIDE services.

INSIDE to DMZ is working fine. (through ASA)

INSIDE to OUTSIDE is working fine. (through ASA)

Below is the configuration from my PIX (where everything works just fine) as well as the one on the ASA (where there is a problem), can you please suggest what could be the cause?

In the below case the DMZ hosts from 11.1.10.0 aren't able to access SMTP services (through ASA) and the OUTSIDE users aren't able to access DMZ web server (11.1.10.40) through ASA, this all just works fine with PIX.

----------------
PIX 6.3(3)
----------------

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 rsa security5
nameif ethernet3 dmz security10

ip address outside 10.1.10.20 255.255.255.0
ip address inside 192.168.1.20 255.255.255.0
ip address rsa 120.0.0.1 255.255.255.0
ip address dmz 11.1.10.20 255.255.255.0

global (outside) 1 interface
global (rsa) 1 interface
global (dmz) 1 interface

nat (inside) 1 192.166.1.0 255.255.255.0 0 0
nat (inside) 1 192.166.10.0 255.255.255.0 0 0
nat (inside) 1 192.167.1.0 255.255.255.0 0 0
nat (inside) 1 192.167.10.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 10.20.5.0 255.255.255.0 0 0
nat (inside) 1 198.10.10.0 255.255.0.0 0 0

nat (rsa) 1 120.0.0.0 255.255.255.0 0 0
nat (dmz) 1 11.1.10.0 255.255.255.0 0 0

static (dmz,outside) 10.1.10.40 11.1.10.40 netmask 255.255.255.255 0 0

access-list outside permit tcp any host 10.1.10.40 eq www
access-list outside permit tcp any host 10.1.10.40 eq https

access-list dmz permit tcp 11.1.10.0 255.255.255.0 any eq smtp

access-list inside permit ip any any

access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 10.1.10.1 1

route inside 192.166.1.0 255.255.255.0 192.168.10.1 1
route inside 192.166.10.0 255.255.255.0 192.168.10.1 1
route inside 192.167.1.0 255.255.255.0 192.168.10.1 1
route inside 192.168.1.0 255.255.255.0 192.168.10.1 1
route inside 192.168.10.0 255.255.255.0 192.168.10.1 1
route inside 10.20.5.0 255.255.255.0 192.168.10.1 1
route inside 198.10.10.0 255.255.255.0 192.168.10.1 1

----------------
ASA 8.4(5)
----------------

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.1.10.20 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.20 255.255.255.0
!
interface GigabitEthernet0/2
nameif rsa
security-level 5
ip address 120.0.0.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz
security-level 10
ip address 11.1.10.20 255.255.255.0

object network inside_subnet_a
subnet 192.166.1.0 255.255.255.0

object network inside_subnet_b
subnet 192.166.10.0 255.255.255.0

object network inside_subnet_c
subnet 192.167.1.0 255.255.255.0

object network inside_subnet_d
subnet 192.167.10.0 255.255.255.0

object network inside_subnet_e
subnet 192.168.1.0 255.255.255.0

object network inside_subnet_f
subnet 192.168.10.0 255.255.255.0

object network inside_subnet_g
subnet 10.20.5.0 255.255.255.0

object network inside_subnet_h
subnet 198.10.10.0 255.255.255.0

object network rsa_subnet
subnet 120.0.0.0 255.255.255.0

object network dmz_subnet
subnet 11.1.10.0 255.255.255.0

object network host-11.1.10.40
host 11.1.10.40

object-group service WWW-HTTPS tcp
port-object eq www
port-object eq https

object service SMTP
service tcp destination eq smtp

object-group network inside_subnet_all
   network-object object inside_subnet_a
   network-object object inside_subnet_b
   network-object object inside_subnet_c
   network-object object inside_subnet_d
   network-object object inside_subnet_e
   network-object object inside_subnet_f
   network-object object inside_subnet_g
   network-object object inside_subnet_h

access-list OUTSIDE extended permit tcp any object host-11.1.10.40 object-group WWW-HTTPS
access-list DMZ extended permit object SMTP object dmz_subnet any
access-list INSIDE extended permit ip any any

nat (inside,outside) source dynamic inside_subnet_all interface

nat (inside,rsa) source dynamic inside_subnet_all interface

nat (inside,dmz) source dynamic inside_subnet_all interface

object network rsa_subnet
nat (rsa,outside) dynamic interface

object network dmz_subnet
nat (dmz,outside) dynamic interface

object network host-11.1.10.40
nat (dmz,outside) static 10.1.10.40

access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
access-group DMZ in interface dmz

route outside 0.0.0.0 0.0.0.0 10.1.10.1 1

Thank you;

PIX to ASA migration some services aren't working

Jouni Forss — Tue, 21 May 2013 07:08:51 GMT

Hi,

Your problems are probably due to NAT ordering. Specifically the first Dynamic NAT configurations are probably overiding some DMZ related NAT configurations.

One important question I need to ask is that do you really want to do Dynamic PAT from the "inside" towards all the other local interfaces which are "rsa" and "dmz"? I personally always leave out all NAT configurations between local interfaces and let them communicate with eachother with their original IP address.

Though if this is a requirement for you then its no problem for me.

I would suggest the following NAT configurations in your case

Remove some current NAT configurations

The purpose of removing the below configurations is to replace them with new NAT configurations that wont override any of the other NAT configurations. In a way we are rearranging the NAT configurations

no nat (inside,outside) source dynamic inside_subnet_all interface

no nat (inside,rsa) source dynamic inside_subnet_all interface

no nat (inside,dmz) source dynamic inside_subnet_all interface

no object network rsa_subnet

no object network dmz_subnet

Add new NAT configurations

The purpose of the below configurations is to first create a Default Dynamic PAT configuration. What I mean by this is that every network, whatever their source interface, will have some Dynamic PAT rule towards the "outside" networks
The 2 "nat" configurations lines that use your "inside_subnet_all" object-group are something that you can either configure or NOT configure. This depends totally on the fact that I mentioned earlier in the reply. If you specifically need to PAT the traffic from "inside" to "rsa" or "dmz" then you use them. IF you dont want to NAT traffic between these interfaces then you can leave them out of your configurations.
The below configuration assumes that the single Static NAT for "dmz" server is left into the configuration also.

object-group network DEFAULT-PAT-SOURCE

description Source Network for Default Dynamic PAT

network-object 192.166.1.0 255.255.255.0

network-object 192.166.10.0 255.255.255.0

network-object 192.167.1.0 255.255.255.0

network-object 192.167.10.0 255.255.255.0

network-object 192.168.1.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

network-object 10.20.5.0 255.255.255.0

network-object 198.10.10.0 255.255.0.0

network-object 120.0.0.0 255.255.255.0

network-object 11.1.10.0 255.255.255.0

nat (inside,rsa) after-auto source dynamic inside_subnet_all interface

nat (inside,dmz) after-auto source dynamic inside_subnet_all interface

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Naturally if you are going to try the above NAT configuration suggested, then be sure to backup your NAT configuration if you want to change back. Also naturally changing the NAT configuration will cause small outage to the connections to "outside" while you are doing the changes.

Hope this helps

Please remember to mark the reply as the correct answer if it answered your question.

Please ask more if this didnt yet solve the problem

- Jouni