<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Configuring a5505 setup public server + DMZ in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057761#M397847</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Great to hear it's now working. Thanks for the update.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 10 Oct 2012 10:26:46 GMT</pubDate>
    <dc:creator>Jennifer Halim</dc:creator>
    <dc:date>2012-10-10T10:26:46Z</dc:date>
    <item>
      <title>Configuring a5505 setup public server + DMZ</title>
      <link>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057754#M397840</link>
      <description>&lt;P style="text-align: left;"&gt;Please bear with me, as am I utter new to the a5505 and Cisco products in general. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P style="text-align: left;"&gt;Setup:&lt;/P&gt;&lt;P style="text-align: left;"&gt;LAN (192.168.1.X, with .3 as gateway)&lt;/P&gt;&lt;P style="text-align: left;"&gt;DMZ (192.168.2.X with .1 as gateway)&lt;/P&gt;&lt;P style="text-align: left;"&gt;WAN (X.X.X.146 as primary public IP, .145 as gateway and .147-150 as additional public IPs)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P style="text-align: left;"&gt;I want to set it up so that X.146 is where all my outbound traffic appears to originate.&lt;/P&gt;&lt;P style="text-align: left;"&gt;I want tcp HTTPS and SMTP to be allowed from the WAN (via the X.147 IP) to a specific server (192.168.1.11) on the LAN.&lt;/P&gt;&lt;P style="text-align: left;"&gt;Also, HTTP traffic to X.148, X.149 and X.150 should go to DMZ and 192.168.2.8, 192.168.2.15 and 192.168.2.18 respectively, but I haven't added that to my config yet. Looking to get the HTTPS and SMTP ones working first, then I'll fix the others (one step at a time)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P style="text-align: left;"&gt;I've got contact with the outside world when I've configured it using the ASDMs "Public Server" interface, but it refuses to properly establish the connection, I get a "SYN timeout". &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;﻿I'm sure it is a simple mistake I've made someplace, but some of this stuff is greek to me sofar, I must admit..&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My config:&lt;/P&gt;&lt;PRE&gt;: Saved
:
ASA Version 8.2(5) 
!
hostname kcisco
enable password X encrypted
passwd X encrypted
names
name X.X.X.144 outside-network
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 5
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.146 255.255.255.248 
!
interface Vlan5
 description DMZ interface
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0 
!
ftp mode passive
clock timezone GMT 0
object-group service DM_INLINE_SERVICE_0
 service-object gre 
 service-object tcp eq pptp 
 service-object udp eq isakmp 
 service-object udp eq 1701 
 service-object udp eq 1723 
 service-object udp eq 4500 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq https
 port-object eq smtp
access-list outside_access extended permit tcp any object-group DM_INLINE_TCP_3 host X.X.X.147 object-group DM_INLINE_TCP_1&amp;nbsp; 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 
static (inside,outside) X.X.X.147 192.168.1.11 netmask 255.255.255.255 
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:cc8458013e545e2e7ba1e2c0caa3dd6a
: end
no asdm history enable
&lt;/PRE&gt;</description>
      <pubDate>Tue, 12 Mar 2019 00:06:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057754#M397840</guid>
      <dc:creator>bottulf12</dc:creator>
      <dc:date>2019-03-12T00:06:36Z</dc:date>
    </item>
    <item>
      <title>Configuring a5505 setup public server + DMZ</title>
      <link>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057755#M397841</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yup, just a small mistake...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The following ACL:&lt;/P&gt;&lt;PRE&gt;access-list outside_access extended permit tcp any object-group DM_INLINE_TCP_3 host X.X.X.147 object-group DM_INLINE_TCP_1&amp;nbsp; &lt;/PRE&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;should be:&lt;/P&gt;&lt;PRE&gt;access-list outside_access extended permit tcp any host X.X.X.147 object-group DM_INLINE_TCP_1&amp;nbsp; &lt;/PRE&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 09 Oct 2012 13:13:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057755#M397841</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2012-10-09T13:13:26Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring a5505 setup public server + DMZ</title>
      <link>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057756#M397842</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks, fixed that at least.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But still no further in getting the connection to be established. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I see this in my logs:&lt;/P&gt;&lt;P&gt;6 Oct 09 2012 15:29:22&amp;nbsp; Z.Z.Z.Z 42061 192.168.1.11 443 Built inbound TCP connection 1064 for outside:Z.Z.Z.Z/42061 (Z.Z.Z.Z/42061) to inside:192.168.1.11/443 (X.X.X.147/443)&lt;/P&gt;&lt;P&gt;6 Oct 09 2012 15:29:52&amp;nbsp; Z.Z.Z.Z 42061 192.168.1.11 443 Teardown TCP connection 1064 for outside:Z.Z.Z.Z/42061 to inside:192.168.1.11/443 duration 0:00:30 bytes 0 SYN Timeout&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;(Z.Z.Z.Z is the outside host I am testing from)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;(I've connected the mailserver to the firewall and configured it to use the FW gateway (192.168.1.3).)&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 09 Oct 2012 13:35:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057756#M397842</guid>
      <dc:creator>bottulf12</dc:creator>
      <dc:date>2012-10-09T13:35:16Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring a5505 setup public server + DMZ</title>
      <link>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057757#M397843</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;SYN timeout means the mail server is not responding.&lt;/P&gt;&lt;P&gt;Do you have any firewall on the mail server that might be preventing inbound access from the internet?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 09 Oct 2012 13:41:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057757#M397843</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2012-10-09T13:41:56Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring a5505 setup public server + DMZ</title>
      <link>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057758#M397844</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; Not while it's connected to the A5505, no. &lt;/P&gt;&lt;P&gt; I reconnect it to the old firewall and I get access just fine (old firewall is a Linux box with IpCop). &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Neither SMTP nor telnet port 25 goes through; both time out. The machine can access the world, so connectivity to the server is working, at least outgoing. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 09 Oct 2012 13:59:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057758#M397844</guid>
      <dc:creator>bottulf12</dc:creator>
      <dc:date>2012-10-09T13:59:52Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring a5505 setup public server + DMZ</title>
      <link>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057759#M397845</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I would suggest that you clear the ARP cache on the upstream device because it might still have the ARP entry with the IpCop MAC address, hence it's not working when you connect it to the ASA.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Or alternatively just reload the next hop device which connects to the outside interface of the ASA/IpCop. Also assuming that you unplug the IpCop from the network once you have the ASA connected.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 10 Oct 2012 02:16:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057759#M397845</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2012-10-10T02:16:36Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring a5505 setup public server + DMZ</title>
      <link>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057760#M397846</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; Got it working now. It is on a new unused connection, so ARPs and such upstream were not a problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What I did was change the internal addy to the same as the old firewall (192.168.1.4) and then things just worked, instead of trying to set it up as a new gateway addy (I had changed the IP settings on the test server to use the .3 addy, but for some reason once I put the a5505 to .4 it just worked.).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for the help&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 10 Oct 2012 09:45:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057760#M397846</guid>
      <dc:creator>bottulf12</dc:creator>
      <dc:date>2012-10-10T09:45:02Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring a5505 setup public server + DMZ</title>
      <link>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057761#M397847</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Great to hear it's now working. Thanks for the update.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 10 Oct 2012 10:26:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/configuring-a5505-setup-public-server-dmz/m-p/2057761#M397847</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2012-10-10T10:26:46Z</dc:date>
    </item>
  </channel>
</rss>

