topic Cannot get out to internet nor manage ASA from DMZ in Network Security

Cannot get out to internet nor manage ASA from DMZ

kpoon — Mon, 11 Mar 2019 22:57:14 GMT

Hello,

I've created a DMZ on ASA5510, it can access anything internal but cannot get out to internet. I cannot manage the ASA from the DMZ subnet neither. Could you please help?

Thanks in advance.

Cannot get out to internet nor manage ASA from DMZ

Patrick0711 — Tue, 24 Apr 2012 02:06:47 GMT

Your management issue is likely due to a missing http or ssh command

http x.x.x.x

ssh x.x.x.x

Can't download the file from my iPad but it's probably a NAT or ACL issue that's preventing traffic from exiting

Re: Cannot get out to internet nor manage ASA from DMZ

Marvin Rhoads — Tue, 24 Apr 2012 03:08:23 GMT

You have:

interface Ethernet0/2

description XXX DMZ

speed 100

duplex full

nameif DMZ

security-level 100

ip address 172.10.1.1 255.255.255.0

Relevant management commands are:

http server enable

http 192.168.0.0 255.255.0.0 inside

http 0.0.0.0 0.0.0.0 outside

http 172.10.1.0 255.255.255.0 DMZ

http redirect outside 80

telnet 0.0.0.0 0.0.0.0 outside

telnet 0.0.0.0 0.0.0.0 inside

telnet 172.10.1.0 255.255.255.0 DMZ

telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 10

With the above you should be able to use ASDM or telnet (but not ssh) from the DMZ. However you do not specify an "asdm image" command anywhere in the script your provided so ASDM would not work. You need to both ahve it on the ASA's disk and point to it, e.g.:

adsm image disk0:/asdm-647.bin

(I'd lock down the outside telnet access and in fact not allow insecure telnet at all.)

Your access-lists look OK (albeit ineffectual since you allow everything)

access-group DMZ_access_in_1 in interface DMZ control-plane

access-group DMZ_access_in in interface DMZ

access-group DMZ_access_out out interface DMZ

access-list DMZ_access_out extended permit ip any any

access-list DMZ_access_in extended permit ip any any

access-list DMZ_access_in_1 extended permit ip any any

However you don't have any NAT statements for traffic leaving the DMZ. I'd expect something beginning like:

object network obj_any-07

nat (outside,DMZ) dynamic obj-0.0.0.0

Cannot get out to internet nor manage ASA from DMZ

kpoon — Tue, 24 Apr 2012 12:59:08 GMT

Thank you for the pointers, I am going to try them shortly. I also do have the asdm image configured, I simply filtered out lines that are not necessary for the problem I'm having to shorten the config file. As for the DMZ, I was just trying to figure out what was causing the problem, I'll remove the allow all once it's working.

Thanks again and I'll post result.

Cannot get out to internet nor manage ASA from DMZ

kpoon — Tue, 24 Apr 2012 13:30:19 GMT

What could be the reason to prevent me from telnet or asdm to the ASA from 172.10.1.0/24 ? It seems that it's not responding at all. Could it be this line?

management-access inside

Cannot get out to internet nor manage ASA from DMZ

kpoon — Tue, 24 Apr 2012 17:51:02 GMT

I've added

object network obj_any-08

nat (DMZ,outside) dynamic obj-0.0.0.0

but I still can't get out to the net.

Any other idea?

Re: Cannot get out to internet nor manage ASA from DMZ

kpoon — Tue, 24 Apr 2012 18:40:39 GMT

here's the config in the zip file

dns-guard

interface Ethernet0/0

description XXX Cogent Internet Connection

speed 100

duplex full

nameif outside

security-level 0

ip address 99.99.99.130 255.255.255.224

ospf cost 10

interface Ethernet0/1

description XXX internal connection from firewall to switch

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

ospf cost 10

interface Ethernet0/2

description XXX DMZ

speed 100

duplex full

nameif DMZ

security-level 100

ip address 172.10.1.1 255.255.255.0

interface Ethernet0/3

description Management Service-ENLARGE-40

speed 100

duplex full

nameif E-40

security-level 0

ip address 10.40.86.248 255.255.255.0

interface Management0/0

speed 100

duplex full

shutdown

nameif management

security-level 100

no ip address

ospf cost 10

management-only

boot system disk0:/asa842-8-k8.bin

boot system disk0:/asa824-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns domain-lookup management

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

name-server 208.67.222.222

name-server 208.67.220.220

name-server 66.28.0.45

name-server 66.28.0.61

domain-name XXXtelecom.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-172.30.1.0

subnet 172.30.1.0 255.255.255.0

object network obj-10.40.86.0

subnet 10.40.86.0 255.255.255.0

object network obj-192.168.99.0

subnet 192.168.99.0 255.255.255.0

object network obj-192.168.1.13

host 192.168.1.13

object network obj-192.168.1.13-01

host 192.168.1.13

object network obj-192.168.1.13-02

host 192.168.1.13

object network obj-172.30.1.70

host 172.30.1.70

object network obj-192.168.106.144

host 192.168.106.144

object network obj-192.168.106.144-01

host 192.168.106.144

object network obj-192.168.106.144-02

host 192.168.106.144

object network obj-192.168.10.2

host 192.168.10.2

object network obj-172.30.1.50

host 172.30.1.50

object network obj-172.30.1.40

host 172.30.1.40

object network obj-192.168.1.10

host 192.168.1.10

object network obj-192.168.106.99

host 192.168.106.99

object network obj-172.30.1.102

host 172.30.1.102

object network obj-172.30.1.31

host 172.30.1.31

object network obj-172.30.1.40-01

host 172.30.1.40

object network obj-172.30.1.50-01

host 172.30.1.50

object network obj-172.30.1.101

host 172.30.1.101

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network obj-0.0.0.0

host 0.0.0.0

object network obj_any-02

subnet 0.0.0.0 0.0.0.0

object network obj_any-03

subnet 0.0.0.0 0.0.0.0

object network obj_any-04

subnet 0.0.0.0 0.0.0.0

object network obj_any-05

subnet 0.0.0.0 0.0.0.0

object network obj_any-06

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.0.0

subnet 192.168.0.0 255.255.0.0

object service ftp

service tcp source range ftp-data ftp destination range ftp-data ftp

object network obj-192.168.1.15

host 192.168.1.15

object network obj-192.168.1.15-01

host 192.168.1.15

object network NETWORK_OBJ_172.30.1.0_24

subnet 172.30.1.0 255.255.255.0

object network NETWORK_OBJ_172.31.2.0_24

subnet 172.31.2.0 255.255.255.0

object network obj-172.10.1.136

host 172.10.1.136

description VCS Express 01 NIC 01

object network obj-172.10.1.0

subnet 172.10.1.0 255.255.255.0

description DMZ

object-group service ExchangeOWA tcp

description Exchange Web and Mobile Access

port-object eq smtp

port-object eq https

port-object eq www

object-group network admin-ip

access-list inside_nat0_outbound_1 extended permit ip 172.30.1.0 255.255.255.0 10.40.86.0 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_3 192.168.99.0 255.255.255.0

access-list dzm extended permit ip any any

access-list dzm extended permit icmp any any

access-list ouside extended permit ip any any

access-list cont_in extended permit ip host 99.99.99.135 any

access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0

access-list Split_tunnel_ACL standard permit 172.30.1.0 255.255.255.0

access-list inside extended permit tcp host 192.168.1.13 any eq smtp

access-list inside extended permit tcp any object-group DM_INLINE_NETWORK_9 eq smtp

access-list inside extended deny tcp any any eq smtp

access-list inside extended deny tcp any any eq pop3

access-list inside extended permit tcp any object-group DM_INLINE_NETWORK_5 eq pptp

access-list inside extended deny tcp any any eq pptp

access-list inside extended permit tcp object-group BypassFacebook object-group Facebook eq https

access-list inside extended deny tcp any object-group Facebook eq https

access-list inside extended permit ip any any

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.99.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 172.19.4.50

access-list E-40_access_out extended permit ip any any

access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_12 172.30.1.0 255.255.255.0

access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_4 host 192.168.1.18 inactive

access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_6 host 192.168.1.19 inactive

access-list inside-out-acl extended deny ip object-group DM_INLINE_NETWORK_7 any inactive

access-list inside-out-acl extended permit ip any any

access-list throttle_frontline extended permit ip host 74.213.162.33 any inactive

access-list throttle_frontline extended permit ip any host 74.213.162.33 inactive

access-list outside remark Migration, ACE (line 3) expanded: permit tcp any object-group DM_INLINE_NETWORK_8

access-list outside extended permit tcp any host 99.99.99.141 eq 8129

access-list outside extended permit tcp any host 172.30.1.70 eq www

access-list outside extended permit tcp any host 99.99.99.141 eq https

access-list outside extended permit tcp any host 192.168.106.144 eq 8129

access-list outside extended permit tcp any host 192.168.106.144 eq www

access-list outside extended permit tcp any host 192.168.106.144 eq https

access-list outside remark Migration: End of expansion

access-list outside remark Migration, ACE (line 4) expanded: permit tcp any host 99.99.99.133 object-group ExchangeOWA

access-list outside extended permit tcp any host 192.168.1.13 eq smtp

access-list outside extended permit tcp any host 192.168.1.13 eq https

access-list outside extended permit tcp any host 192.168.1.13 eq www

access-list outside extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.1.15 object-group DM_INLINE_TCP_3

access-list outside remark Migration: End of expansion

access-list outside extended permit ip any host 192.168.106.99

access-list outside extended permit tcp any host 192.168.1.10 eq pptp

access-list outside extended permit gre any host 192.168.1.10

access-list outside extended permit tcp any host 192.168.10.2 eq telnet inactive

access-list outside extended permit tcp any host 172.30.1.40 object-group DM_INLINE_TCP_1

access-list outside extended permit ip object-group tms-ip host 172.30.1.50

access-list outside extended permit icmp any any echo-reply

access-list ENLARGE-40_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_1_2

access-list cscTraffic remark Migration: End of expansion

access-list cscTraffic extended permit tcp any any eq www

access-list cscTraffic extended permit tcp any any eq smtp

access-list cscTraffic extended permit tcp any any eq ftp inactive

access-list cscTraffic extended deny ip any 172.10.1.0 255.255.255.0 inactive

access-list outside_cryptomap extended permit ip 172.30.1.0 255.255.255.0 172.31.2.0 255.255.255.0

access-list DMZ_access_out extended permit ip any any

access-list DMZ_access_in extended permit ip any any

access-list DMZ_access_in_1 extended permit ip any any

pager lines 24

logging enable

logging timestamp

logging buffered informational

logging trap debugging

logging asdm informational

logging facility 19

logging host inside 192.168.1.15 format emblem

logging permit-hostdown

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu E-40 1500

mtu management 1500

ip local pool XXX-pool 192.168.99.1-192.168.99.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

nat (inside,any) source static obj-172.30.1.0 obj-172.30.1.0 destination static obj-10.40.86.0 obj-10.40.86.0 no-proxy-arp

nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static obj-192.168.99.0 obj-192.168.99.0 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_172.30.1.0_24 NETWORK_OBJ_172.30.1.0_24 destination static NETWORK_OBJ_172.31.2.0_24 NETWORK_OBJ_172.31.2.0_24 no-proxy-arp route-lookup

object network obj-192.168.1.13

nat (inside,outside) static 99.99.99.133 service tcp smtp smtp

object network obj-192.168.1.13-01

nat (inside,outside) static 99.99.99.133 service tcp www www

object network obj-192.168.1.13-02

nat (inside,outside) static 99.99.99.133 service tcp https https

object network obj-172.30.1.70

nat (inside,outside) static 99.99.99.141 service tcp www www

object network obj-192.168.106.144

nat (inside,outside) static 99.99.99.144 service tcp www www

object network obj-192.168.106.144-01

nat (inside,outside) static 99.99.99.144 service tcp https https

object network obj-192.168.106.144-02

nat (inside,outside) static 99.99.99.144 service tcp 8129 8129

object network obj-192.168.10.2

nat (inside,outside) static 99.99.99.132 service tcp telnet telnet

object network obj-172.30.1.50

nat (inside,outside) static 99.99.99.134

object network obj-172.30.1.40

nat (inside,outside) static 99.99.99.139

object network obj-192.168.1.10

nat (inside,outside) static 99.99.99.137

object network obj-192.168.106.99

nat (inside,outside) static 99.99.99.140

object network obj-172.30.1.102

nat (inside,E-40) static 10.40.86.102

object network obj-172.30.1.31

nat (inside,E-40) static 10.40.86.31

object network obj-172.30.1.40-01

nat (inside,E-40) static 10.40.86.40

object network obj-172.30.1.50-01

nat (inside,E-40) static 10.40.86.50

object network obj-172.30.1.101

nat (inside,E-40) static 10.40.86.101

object network obj_any

nat (inside,outside) dynamic interface

object network obj_any-01

nat (inside,outside) dynamic obj-0.0.0.0

object network obj_any-02

nat (inside,DMZ) dynamic obj-0.0.0.0

object network obj_any-03

nat (inside,E-40) dynamic obj-0.0.0.0

object network obj_any-04

nat (management,outside) dynamic obj-0.0.0.0

object network obj_any-05

nat (management,DMZ) dynamic obj-0.0.0.0

object network obj_any-06

nat (management,E-40) dynamic obj-0.0.0.0

object network obj-192.168.1.15

nat (inside,outside) static 99.99.99.138 service tcp ftp ftp

object network obj-192.168.1.15-01

nat (inside,outside) static 99.99.99.138 service tcp ftp-data ftp-data

access-group outside in interface outside

access-group inside in interface inside

access-group inside-out-acl out interface inside

access-group DMZ_access_in_1 in interface DMZ control-plane

access-group DMZ_access_in in interface DMZ

access-group DMZ_access_out out interface DMZ

access-group ENLARGE-40_access_in in interface E-40

access-group E-40_access_out out interface E-40

route outside 0.0.0.0 0.0.0.0 99.99.99.129 1

route E-40 10.4.86.0 255.255.255.0 10.40.86.249 1

route E-40 10.70.86.0 255.255.255.0 10.40.86.249 1

route E-40 10.96.86.0 255.255.255.0 10.40.86.249 1

route DMZ 172.10.1.0 255.255.255.0 192.168.10.2 1

route inside 172.20.20.0 255.255.255.0 192.168.10.2 1

route inside 172.30.1.0 255.255.255.0 192.168.10.2 1

route inside 192.168.1.0 255.255.255.0 192.168.10.2 1

route inside 192.168.2.0 255.255.255.0 192.168.10.2 1

route inside 192.168.3.0 255.255.255.0 192.168.10.2 1

route inside 192.168.6.0 255.255.255.0 192.168.10.2 1

route inside 192.168.99.0 255.255.255.0 192.168.10.2 255

route inside 192.168.101.0 255.255.255.0 192.168.10.2 1

route inside 192.168.102.0 255.255.255.0 192.168.10.2 1

route inside 192.168.103.0 255.255.255.0 192.168.10.2 1

route inside 192.168.106.0 255.255.255.0 192.168.10.2 1

route inside 192.168.201.0 255.255.255.0 192.168.10.2 1

route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

http server enable

http 192.168.0.0 255.255.0.0 inside

http 0.0.0.0 0.0.0.0 outside

http 172.10.1.0 255.255.255.0 DMZ

http redirect outside 80

no snmp-server location

no snmp-server contact

telnet 0.0.0.0 0.0.0.0 outside

telnet 0.0.0.0 0.0.0.0 inside

telnet 172.10.1.0 255.255.255.0 DMZ

telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 10

console timeout 0

management-access inside

priority-queue outside

priority-queue inside

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.168.1.10 source inside

ntp server 129.6.15.29 source outside prefer

ntp server 129.6.15.28 source outside prefer

webvpn

enable outside

cache

disable

class-map global-class

match default-inspection-traffic

class-map csc-class

match access-list cscTraffic

class-map throttle_frontline

match access-list throttle_frontline

policy-map type inspect sip DefaultSIP

parameters

max-forwards-validation action drop log

policy-map throttle-policy

class throttle_frontline

police input 600000 2000

police output 600000 2000

policy-map global-policy

class global-class

inspect pptp

inspect ftp

inspect ipsec-pass-thru

inspect xdmcp

inspect h323 h225

inspect h323 ras

inspect sip

class csc-class

csc fail-open

policy-map type inspect h323 DefaultH323

parameters

service-policy global-policy global

service-policy throttle-policy interface outside

prompt hostname context

ciscoasa#