topic ASA 9.1 Inside To DMZ Access in Network Security

ASA 9.1 Inside To DMZ Access

mthomas1999 — Tue, 12 Mar 2019 01:06:59 GMT

Hello, I recently upgraded my asa from 8.2 to 9.1 (reconfigured from scratch - didnot convert old config) and everything seems to be working fine except for communication between my INTERNAL network and my DMZ. Any help would be greatly appreciated. Here's my config below -

ASA Version 9.1(1)

hostname ZEPPELIN

domain-name MIWEBPORTAL.com

enable password XXXXX

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd FClk4V74ruL1dFGo encrypted

names

interface Ethernet0/0

description ISP-MODEM

switchport access vlan 20

interface Ethernet0/1

shutdown

interface Ethernet0/2

description INTERNAL-NET

switchport access vlan 19

interface Ethernet0/3

description INTERNAL-NET

switchport access vlan 19

interface Ethernet0/4

description INTERNAL-NET

switchport access vlan 19

interface Ethernet0/5

description INTERNAL-NET

switchport access vlan 19

interface Ethernet0/6

description DMZ

switchport access vlan 99

interface Ethernet0/7

description DMZ

switchport access vlan 99

interface Vlan1

shutdown

no nameif

no security-level

no ip address

interface Vlan19

description INTERNAL-NET

nameif MYNETWORK

security-level 100

ip address 172.19.19.1 255.255.255.0

interface Vlan20

description DHCP-MODEM-INTERNET

mac-address XXX

nameif INTERNET

security-level 0

ip address dhcp setroute

interface Vlan99

description DMZ-NET

no forward interface Vlan19

nameif MYDMZ

security-level 50

ip address 192.168.99.1 255.255.255.0

ftp mode passive

dns server-group DefaultDNS

domain-name MIWEBPORTAL.com

object network MYNETWORK

subnet 172.19.19.0 255.255.255.0

object network MYDMZ

subnet 192.168.99.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu MYNETWORK 1500

mtu INTERNET 1500

mtu MYDMZ 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network MYNETWORK

nat (MYNETWORK,INTERNET) dynamic interface

object network MYDMZ

nat (MYDMZ,INTERNET) dynamic interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable 1999

http 172.19.19.0 255.255.255.0 MYNETWORK

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 172.19.19.0 255.255.255.0 MYNETWORK

ssh timeout 5

console timeout 0

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd lease 691200

dhcpd ping_timeout 750

dhcpd address 172.19.19.18-172.19.19.28 MYNETWORK

dhcpd enable MYNETWORK

dhcpd address 192.168.99.9-192.168.99.19 MYDMZ

dhcpd enable MYDMZ

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username XXXX password xxxxxx

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:5c772fc57a4aaf9546d3a28527c1ca06

: end

Re: ASA 9.1 Inside To DMZ Access

Jouni Forss — Wed, 27 Feb 2013 19:22:10 GMT

Hi,

Which direction are we talking about? Who is initiating the connection?

For the other direction there is an obvious reason (bolded command)

no forward interface Vlan19

interface Vlan99

description DMZ-NET

no forward interface Vlan19

nameif MYDMZ

security-level 50

ip address 192.168.99.1 255.255.255.0

No host from DMZ can initiate connections to INTERNAL.

INTERNAL however should be able to initiate connections to DMZ.

I guess you have a Base License ASA5505 since it has the limitation that if you want to configure a 3rd interface it will be a DMZ interface from which you have to limit traffic to one of the other two Vlan interfaces.

- Jouni

ASA 9.1 Inside To DMZ Access

Jouni Forss — Wed, 27 Feb 2013 19:28:05 GMT

Bah,

Your topic says its "inside" to "dmz"

However I cant see a reason why INTERNAL to DMZ initiated connections wouldnt work.

You can use the "packet-tracer" command to simulate some connection though and see what firewall rules it hits and if the connection will pass

For example

packet-tracer input MYNETWORK tcp 172.19.19.100 1234 192.168.99.100 80

- Jouni

ASA 9.1 Inside To DMZ Access

mthomas1999 — Wed, 27 Feb 2013 19:35:10 GMT

okay thanks, couldn't see why it wouldn't work either. I will try a packet trace when i get home and post the results.

ASA 9.1 Inside To DMZ Access

mthomas1999 — Wed, 27 Feb 2013 19:42:03 GMT

Do you think this config would allow DMZ access from Internal (suggested from another site)

object network INTERNAL2DMZ
subnet 172.19.19.0 255.255.255.0

object network INDMZ

172.19.19.0 255.255.255.0

nat (MYNETWORK,MYDMZ) static INTERNAL2DMZ

ASA 9.1 Inside To DMZ Access

Jouni Forss — Wed, 27 Feb 2013 20:18:39 GMT

Hi,

You dont need to configure NAT between 2 local interfaces/networks of the ASA if you specifically dont want any translations

Both of your existing NAT configurations are for both INTERNAL and DMZ to INTERNET so they shouldnt affect the traffic between INTERNAL and DMZ

- Jouni

ASA 9.1 Inside To DMZ Access

mthomas1999 — Thu, 28 Feb 2013 19:39:16 GMT

Here is the results of the packet trace from my asa 5505 (9.1)

ZEPPELIN# packet-tracer input MYNETWORK tcp 172.19.19.29 1234 192.168.99.9 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.99.0 255.255.255.0 MYDMZ

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

access-group MYNETWORK_access_in in interface MYNETWORK

access-list MYNETWORK_access_in extended deny ip object Media-PC any

Additional Information:

Result:

input-interface: MYNETWORK

input-status: up

input-line-status: up

output-interface: MYDMZ

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ZEPPELIN#

ASA 9.1 Inside To DMZ Access

Jouni Forss — Thu, 28 Feb 2013 19:44:10 GMT

Hi,

The configuration you copy/pasted in the original post doesnt have any mention of ACL.

The "packet-tracer" in this case says clearly that this traffic is blocked by an interface ACL

Specifically a ACL rule:

access-list MYNETWORK_access_in extended deny ip object Media-PC any - See more at: https://supportforums.cisco.com/thread/2202200?tstart=0#sthash.UoROadCV.dpuf

access-list MYNETWORK_access_in extended deny ip object Media-PC any

And its attached to the MYNETWORK interface with command

access-group MYNETWORK_access_in in interface MYNETWORK

- Jouni

ASA 9.1 Inside To DMZ Access

mthomas1999 — Thu, 28 Feb 2013 20:23:49 GMT

Okay i added that ACL to block internet from my Media-PC. If i remove that rule it should allow access to MYDMZ? I pretty sure i tested access to my dmz before i added that rule.

ASA 9.1 Inside To DMZ Access

Jouni Forss — Thu, 28 Feb 2013 20:29:23 GMT

Hi,

If you block traffic with "deny ip object any" it will block any TCP/UDP traffic to anywhere no matter what the destination IP address.

So if you dont have any rule before that rule to allow traffic from MYNETWORK to MYDMZ then that rule will block any traffic the host initiates.

You would need to have the following rule to first allow traffic to DMZ and then block all other traffic

access-list MYNETWORK_access_in remark Allow traffic from Media-PC to MYDMZ

access-list MYNETWORK_access_in extended deny ip object Media-PC any - See more at: https://supportforums.cisco.com/thread/2202200?tstart=0#sthash.OwNkb23t.dpuf

access-list MYNETWORK_access_in extended permit ip object Media-PC 192.168.99.0 255.255.255.0

access-list MYNETWORK_access_in remark Deny all other traffic from Media-PC

access-list MYNETWORK_access_in extended deny ip object Media-PC any

- Jouni

ASA 9.1 Inside To DMZ Access

mthomas1999 — Thu, 28 Feb 2013 20:29:40 GMT

How do i keep that ACL in place and allow access to the DMZ?

ASA 9.1 Inside To DMZ Access

Jouni Forss — Thu, 28 Feb 2013 20:31:34 GMT

Hi,

If you add the rules I mentioned in the earlier reply to the top of the ACL mentioned then Media-PC could access DMZ but nothing else past the ASA.

- Jouni

ASA 9.1 Inside To DMZ Access

mthomas1999 — Thu, 28 Feb 2013 20:33:45 GMT

Okay thank you very much, i will give it a try when i get home and post the results.

ASA 9.1 Inside To DMZ Access

mthomas1999 — Fri, 01 Mar 2013 16:36:49 GMT

So i tryied adding the rules mentioned above and managed to lock myself out of the asa and it started acting very weird. Sometimes i could ping the asa gateway and sometimes i couldn't. Also, ASDM would not load anymore so I consoled in and did a write erase. I redid the config with NO ACLS and the config is now back to what is posted. I still have NO DMZ access from internal network.

ASA 9.1 Inside To DMZ Access

Jouni Forss — Fri, 01 Mar 2013 16:45:35 GMT

Hi,

If you have the configuration from the original post with no ACLs configured to the interfaces then you should be able to connect from MYNETWORK hosts to MYDMZ hosts.

If you are using ICMP/PING to test traffic between hosts I would suggest configuring the following setting

policy-map global_policy

class inspection_default

inspect icmp

Specifically the "inspect icmp" which allows ICMP Echo replys back automatically.

- Jouni

ASA 9.1 Inside To DMZ Access

mthomas1999 — Fri, 01 Mar 2013 16:48:54 GMT

okay will do. I was testing it via ping to the only computer i have in the DMZ (192.168.99.9) but have also tried disabling the local firewall on the PC and accessing it through a share.