Help with firewall rules

support — Tue, 12 Mar 2019 00:00:10 GMT

This is my 1st time working with post 8.3 IOS and I am having trouble with the configuration. I would like all computers in the inside network to access lower security zones (data and dmz) via all protocols. I would have done this with a nat 0 and global command in previous versions. Below is my config

ASA Version 8.6(1)2

hostname TOR1PLXSD01

enable password sxZETAvnsVuPSnUc encrypted

passwd FomDbcd6ujnk.spR encrypted

names

interface GigabitEthernet0/0

description Management

speed 1000

duplex full

nameif Inside

security-level 100

ip address 172.21.20.1 255.255.255.0 standby 172.21.20.2

interface GigabitEthernet0/1

speed 1000

duplex full

no nameif

no security-level

no ip address

interface GigabitEthernet0/1.20

description Plexxus Data

vlan 20

nameif data

security-level 50

ip address 172.16.18.1 255.255.255.0 standby 172.16.18.2

interface GigabitEthernet0/1.25

description DMZ

vlan 25

nameif DMZ

security-level 25

no ip address

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/4

nameif Outside

security-level 0

ip address yyyyyyyy 255.255.255.224 standby xxxxxx

interface GigabitEthernet0/5

description LAN/STATE Failover Interface

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

dns domain-lookup data

dns server-group DefaultDNS

name-server 172.16.18.21

name-server 172.16.18.22

object network OBJ_INSIDE-HOSTS_172.21.20.0

subnet 172.21.20.0 255.255.255.0

object network OBJ_DATA-HOSTS_172.16.18.0

subnet 172.16.18.0 255.255.255.0

object network OBJ_VPN_SUBNETS_172.16.22.0-172.16.23.255

range 172.16.22.0 172.16.23.255

object network OBJ_TOR1PLXEX01_172.16.18.26

host 172.16.18.26

object network OBJ_TOR1PLXFTP01_172.16.18.28

host 172.16.18.28

access-list acl_outside extended permit icmp any any

access-list acl_SplitTunnel_VPN standard permit 172.21.20.0 255.255.255.0

access-list acl_SplitTunnel_VPN standard permit 172.16.18.0 255.255.255.0

access-list acl_dmz extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu data 1500

mtu DMZ 1500

mtu Outside 1500

mtu management 1500

ip local pool vpn_pool1 172.16.22.5-172.16.22.250 mask 255.255.255.0

ip local pool vpn_pool2 172.16.23.5-172.16.23.250 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface Failover GigabitEthernet0/5

failover link Failover GigabitEthernet0/5

failover interface ip Failover 4.4.4.1 255.255.255.0 standby 4.4.4.2

icmp unreachable rate-limit 1 burst-size 1

icmp permit any data

icmp permit any DMZ

icmp permit any Outside

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

nat (data,Outside) source static OBJ_DATA-HOSTS_172.16.18.0 OBJ_DATA-HOSTS_172.16.18.0 destination static OBJ_VPN_SUBNETS_172.16.22.0-172.16.23.255 OBJ_VPN_SUBNETS_172.16.22.0-172.16.23.255

nat (Inside,Outside) source static OBJ_INSIDE-HOSTS_172.21.20.0 OBJ_INSIDE-HOSTS_172.21.20.0 destination static OBJ_VPN_SUBNETS_172.16.22.0-172.16.23.255 OBJ_VPN_SUBNETS_172.16.22.0-172.16.23.255 route-lookup

object network OBJ_INSIDE-HOSTS_172.21.20.0

nat (Inside,Outside) dynamic 68.71.198.102

object network OBJ_DATA-HOSTS_172.16.18.0

nat (data,Outside) dynamic 68.71.198.102

access-group acl_dmz in interface DMZ

access-group acl_outside in interface Outside

route Outside 0.0.0.0 0.0.0.0 68.71.198.97 1

route data 10.1.1.0 255.255.255.0 172.16.18.3 1

route data 172.16.1.0 255.255.255.0 172.16.18.3 1

route data 172.16.5.0 255.255.255.0 172.16.18.3 1

route data 172.16.10.0 255.255.255.0 172.16.18.3 1

route data 172.16.13.0 255.255.255.0 172.16.18.3 1

route data 172.16.14.0 255.255.255.0 172.16.18.3 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 172.21.20.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 172.21.20.0 255.255.255.0 Inside

ssh timeout 5

console timeout 0

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable Outside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy AnyConnectClientPolicy internal

group-policy AnyConnectClientPolicy attributes

wins-server none

dns-server value 172.16.18.21 172.16.18.22

vpn-tunnel-protocol ikev2 ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value acl_SplitTunnel_VPN

default-domain value plexxus.ca

address-pools value vpn_pool1 vpn_pool2

username dmradmin password 1ZwOzoVS5TWIvR0h encrypted

tunnel-group AnyConnectClientProfile type remote-access

tunnel-group AnyConnectClientProfile general-attributes

address-pool vpn_pool1

address-pool vpn_pool2

default-group-policy AnyConnectClientPolicy

tunnel-group AnyConnectClientProfile webvpn-attributes

group-alias AnyConnect enable

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:8539b4736e97023e17a76de6284a537a

: end

Re: Help with firewall rules

support — Thu, 27 Sep 2012 16:16:00 GMT

It seems I can remote desktop to a server in the data network but not ping it..

Help with firewall rules

Jennifer Halim — Fri, 28 Sep 2012 05:51:06 GMT

OK, slightly more complicated in 8.3.

Here you go:

object network obj-172.21.20.0

subnet 172.21.20.0 255.255.255.0

object network obj-172.16.0.0

subnet 172.16.0.0 255.255.0.0

static (Inside,data) source static obj-172.21.20.0 obj-172.21.20.0 destination static obj-172.16.0.0 obj-172.16.0.0

policy-map global_policy

class inspection_default

inspect icmp

Then "clear xlate" after the above changes. The inside hosts would be able to access the hosts in data network.

BTW, your dmz doesn't have any ip address yet, so i am not sure what subnet it is. But the configuration would be similar to the above with the correct dmz subnet.

Hope that helps.

topic Help with firewall rules in Network Security

Help with firewall rules

Re: Help with firewall rules

Help with firewall rules