topic Cisco 501 ASA/PIX configuration in Network Security

Cisco 501 ASA/PIX configuration

Famous_20 — Tue, 12 Mar 2019 00:00:15 GMT

I'm having trouble configuring an ASA into a network solution. We have a 501 with the outside interface on 10.24.10.1, the inside interface as 172.18.10.1, and a DMZ on 192.168.1.1. in the DMZ there is a HTTP/FTP/TFTP server connected to 192.168.1.2 on a virtual machine. When on a machine configured to 172.18.10.10 I can ping to the outside interface but not the DMZ. When I am in the DMZ the PIX does block traffic to the inside, but I can't reach the outside interface. When on the outside I am blocked from the inside, but also blocked from the DMZ. I will post the config file below. Any thoughts?

Group10(config)# sh run

: Saved

PIX Version 8.0(4)

hostname Group10

enable password 8zN2iKai1VxwjKWN encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0

description OUTSIDE

nameif OUTSIDE

security-level 0

ip address 10.24.10.2 255.255.255.0

interface Ethernet1

no nameif

security-level 0

no ip address

interface Ethernet1.1

description DMZ

vlan 100

nameif DMZ

security-level 50

ip address 192.168.1.1 255.255.255.0

interface Ethernet1.2

description INSIDE

vlan 200

nameif INSIDE

security-level 100

ip address 172.18.10.1 255.255.255.0

interface Ethernet2

no nameif

security-level 50

no ip address

ftp mode passive

object-group service webservices tcp

port-object eq www

port-object eq https

port-object eq ftp

access-list external extended permit tcp 10.0.0.0 255.0.0.0 any eq ftp

access-list external extended permit tcp 10.0.0.0 255.0.0.0 any eq www

access-list internal extended permit ip any any

access-list internal extended permit udp host 172.18.10.1 any eq tftp

access-list dmz extended permit ip any any

no pager

mtu OUTSIDE 1500

mtu DMZ 1500

mtu INSIDE 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any OUTSIDE

icmp permit any DMZ

icmp permit any INSIDE

no asdm history enable

arp timeout 14400

static (DMZ,OUTSIDE) 10.24.10.3 192.168.1.2 netmask 255.255.255.255

access-group external in interface OUTSIDE

access-group internal out interface OUTSIDE

access-group dmz in interface DMZ

access-group internal in interface INSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 10.24.10.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

management-access INSIDE

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:774c3a24ef1b4127f4c630cc8fee1c1c

: end

Cisco 501 ASA/PIX configuration

Harish Balakrishnan — Thu, 27 Sep 2012 19:34:59 GMT

Hello Eric

In PIX, you need to have NAT to communicate with interface to interface, Let us starts trouble shooting from inside to DMZ communication

can you do the following and let me know the result

static (INSIDE,DMZ) 10.24.10.0 10.24.10.0 netmask 255.255.255.0

static (DMZ,INSIDE) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

regards

Harish

Cisco 501 ASA/PIX configuration

Famous_20 — Fri, 28 Sep 2012 19:40:43 GMT

Thanks for replying Harish. I added those two lines to the config, but I still can't ping 192.168.1.1. I can still get to the outside (10.24.10.1), but not the DMZ

Cisco 501 ASA/PIX configuration

Harish Balakrishnan — Fri, 28 Sep 2012 20:04:46 GMT

Hello Eric,

By design you will not be able to ping 192.168.1.1 but you should be able to ping any dmz servers based on the above nat and proper permission from dmz back to inside

Harish.

Cisco 501 ASA/PIX configuration

Famous_20 — Fri, 28 Sep 2012 20:14:09 GMT

Ok, I tried pinging from the 172.18.10.10 to the CentOS server at 192.168.1.2, but the request timed out. Should I remove anything from the original config after adding those two lines?

Cisco 501 ASA/PIX configuration

Harish Balakrishnan — Fri, 28 Sep 2012 20:22:17 GMT

Hello Eric

Sorry My mistake

Please remove the below and add the new nat line as follows

no static (INSIDE,DMZ) 10.24.10.0 10.24.10.0 netmask 255.255.255.0

static (INSIDE,DMZ) 172.18.10.0 172.18.10.0 netmask 255.255.255.0

regards

Harish.

Cisco 501 ASA/PIX configuration

Famous_20 — Fri, 28 Sep 2012 20:28:09 GMT

ok, that was done, but the ping request still time out.

Cisco 501 ASA/PIX configuration

Famous_20 — Fri, 28 Sep 2012 20:30:49 GMT

Oh, I was also looking at the routing table; am I correct to assume that the 192.168.1.0/24 network will not appear here?

Cisco 501 ASA/PIX configuration

Harish Balakrishnan — Fri, 28 Sep 2012 20:33:21 GMT

Hello Eric,

it should apprear in the routing as connected . see whether the interface DMZ is up and running.. if yes.. also please see

'show conn' while you are pinging the server

Regards

Harish.

Cisco 501 ASA/PIX configuration

Famous_20 — Fri, 28 Sep 2012 20:54:54 GMT

Ok, the DMZ interface shows as up. I set continuous ping and did the show conn and the reply was : 0 in use, 310 most . This is the routing table for the 172.18.10.10 machine:

Cisco 501 ASA/PIX configuration

Harish Balakrishnan — Fri, 28 Sep 2012 21:04:35 GMT

Hello Eric,

can you take show xlate and show route from the PIX and post

regards

Harish

Cisco 501 ASA/PIX configuration

Famous_20 — Fri, 28 Sep 2012 21:11:35 GMT

ok, this is the xlate:

Group10(config)# show xlate

3 in use, 321 most used

Global 192.168.1.0 Local 192.168.1.0

Global 172.18.10.0 Local 172.18.10.0

Global 10.24.10.3 Local 192.168.1.2

and this is the show route:

Group10(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 10.24.10.2 to network 0.0.0.0

C 172.18.10.0 255.255.255.0 is directly connected, INSIDE

C 10.24.10.0 255.255.255.0 is directly connected, OUTSIDE

C 192.168.1.0 255.255.255.0 is directly connected, DMZ

S* 0.0.0.0 0.0.0.0 [1/0] via 10.24.10.2, OUTSIDE

Cisco 501 ASA/PIX configuration

Harish Balakrishnan — Fri, 28 Sep 2012 21:23:18 GMT

Hello Eric,

Everything looks good now

as a last try, can you try to remove

no static (DMZ,INSIDE) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

also.. did you try to access any other port other that pinging.

regards

Harish.

Cisco 501 ASA/PIX configuration

varrao — Fri, 28 Sep 2012 21:30:58 GMT

Hi Eric,

You would need these nat configuration to make it working:

For Inside to DMZ ping:

nat (inside) 1 172.18.10.0 255.255.255.0

global (DMZ) 1 interface

For DMZ to inside ping:

Static (inside,DMZ) 172.18.10.0 172.18.10.0 netmask 255.255.255.0

For DMZ to outside:

nat (DMZ) 2 192.168.1.0 255.255.255.0

global (outside) 2 interface

Hope that helps

Thanks,
Varun Rao
Security Team,
Cisco TAC

Cisco 501 ASA/PIX configuration

Famous_20 — Fri, 28 Sep 2012 21:44:25 GMT

Varun, thanks for your reply. I made the changes as you suggested, but the echo request timed out. I can try putting the 172.18.10.10 machine on another network to see if that might help. I cannot ping from the CentOS server (192.168.1.2) to the outside, eventhough there is a static NAT associated.

Cisco 501 ASA/PIX configuration

Famous_20 — Fri, 28 Sep 2012 21:57:04 GMT

Harish,

I'm not sure what else to try as far as protocols. HTTP is not getting to the DMZ, because when I did give the test machine a 192.168.1.10 address I cannot get to the internet.

Cisco 501 ASA/PIX configuration

varrao — Fri, 28 Sep 2012 22:00:03 GMT

If you add this nat, then all your DMZ should b able to access internet:

nat (DMZ) 2 192.168.1.0 255.255.255.0

global (outside) 2 interface

N also please remove the access-group:

access-group internal out interface OUTSIDE

It doesn't make sense to me.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Cisco 501 ASA/PIX configuration

Famous_20 — Fri, 28 Sep 2012 22:11:31 GMT

Varun,

I removed the line as you instructed, but still no connectivity. As I explained below I gave the client an address of 192.168.1.10/24 with a gateway of 192.168.1.1. This should put me on the DMZ interface of the PIX, or should the gateway be 192.168.1.2, since that is where the SNAT is from the outside?

Cisco 501 ASA/PIX configuration

Famous_20 — Fri, 28 Sep 2012 22:27:57 GMT

Just for a logical analysis: I configured a test machine at 172.18.10.10, with a default gateway of 172.18.10.1 (the inside of the ASA) Since I have internet connectivity on this machine HTTP is going through the DMZ, since it is not coming directly from the outside interface; however, when I connect a device in the DMZ and give it an IP of 192.168.1.10 and a gateway of 192.168.1.1 I have no internet connectivity. Am I missing something?

Cisco 501 ASA/PIX configuration

Harish Balakrishnan — Sat, 29 Sep 2012 07:01:40 GMT

Hello Eric,

I have just simulated your scenario, and please find the following working configuration

Please remove all other acls and NAT

I am able to access

1. Inside to DMZ

2. DMZ-Inside

3.Inside- internet (pc connected outside)

4.DMZ-internet (pc connected outside)

------------------------------------------------
fixup protocol icmp

interface Ethernet1.2
description INSIDE
vlan 200
nameif INSIDE
security-level 100
ip address 172.18.10.1 255.255.255.0

!
interface Ethernet1.1
description DMZ
vlan 100
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0

!
interface Ethernet0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address 10.24.10.2 255.255.255.0

global (outside) 1 interface
nat (inside) 1 172.18.10.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,dmz) 172.18.10.0 172.18.10.0 netmask 255.255.255.0

access-list dmz-in extended permit ip any any
access-group dmz-in in interface DMZ

--------------------------------------------------------------

regards

Harish.