topic asa internal to dmz in Network Security

asa internal to dmz

mafarah123 — Mon, 11 Mar 2019 23:55:38 GMT

i want to allow a server on my Internal to communicate with a server on my dmz over a specific port (i.e 5555) and vice versa, from outside i can connect to the dmz server over https. here is my config, i have only replaced the ips with dumy ip's. i use different vlans in my internal network i can connect to the server using a pc on the same internal vlan as the ASA but not from my other routed vlans.

ASA Version 8.4(2)

hostname Cisco-FW

enable password otJaxP2LrPGCkYkU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface GigabitEthernet0/0

nameif Ext

security-level 0

ip address 212.1.1.2 255.255.255.240

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/2

nameif DMZ

security-level 50

ip address 192.168.2.10 255.255.255.248

interface GigabitEthernet0/3

nameif Int

security-level 100

ip address 10.168.1.1 255.255.255.0

interface Management0/0

nameif management

security-level 100

ip address 10.168.1.15 252 255.255.255.0

management-only

ftp mode passive

dns domain-lookup Ext

dns server-group DefaultDNS

name-server 2.2.2.2

name-server 3.3.3.3

object network Dmz_outside

subnet 0.0.0.0 0.0.0.0

object network Traveler-from-outside

host 192.168.2.1

object network Traveler-from-inside

host 192.168.2.1

access-list OutsidetoDMZ extended permit tcp any host 192.168.2.1 eq https

access-list DMZ_access_in extended permit tcp object Int-Mail host 192.168.2.1 eq lotusnotes

pager lines 24

logging asdm informational

mtu Ext 1500

mtu DMZ 1500

mtu Int 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Int

no asdm history enable

arp timeout 14400

object network Dmz_outside

nat (DMZ,Ext) dynamic interface

object network Traveler-from-outside

nat (DMZ,Ext) static 212.1.1.3 service tcp https https

object network Traveler-from-inside

nat (DMZ,Int) static 212.1.1.3 service tcp https https

nat (any,Ext) after-auto source dynamic any interface

access-group OutsidetoDMZ in interface Ext

access-group DMZ_access_in in interface DMZ

route Ext 0.0.0.0 0.0.0.0 212.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:6afc555ee13fa87dd87a61a1f774beed

: end

asa internal to dmz

Jennifer Halim — Tue, 18 Sep 2012 11:16:17 GMT

You can configure the following:

object network obj-10.168.1.0

subnet 10.168.1.0 255.255.255.0

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.248

nat (Int,DMZ) source static obj-10.168.1.0 obj-10.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0

Then "clear xlate"

asa internal to dmz

mafarah123 — Tue, 18 Sep 2012 14:08:45 GMT

i'm sorry we have tried the recomended but it did not work

asa internal to dmz

Jennifer Halim — Tue, 18 Sep 2012 14:11:11 GMT

Can you pls advise what you have tried?

What is the source and destination IP that you have tested and also what protocol/ports?

Can you ping between the 2 hosts?

asa internal to dmz

mafarah123 — Tue, 18 Sep 2012 16:15:55 GMT

object network obj-10.168.1.0

subnet 10.168.1.0 255.255.255.0

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.248

nat (Int,DMZ) source static

object network obj-10.168.1.0 object network obj-10.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0

access-list OutsidetoDMZ extended permit tcp any host 192.168.2.1 eq https

access-list DMZ_access_in extended permit tcp object Int-Mail host 192.168.2.1 eq lotusnotes

i have made the unbolded changes, the acl is listed above no changes it remains the same. The internal mail host is on another subnet on my internal network, i can access the dmz server from the directly connected internal subnet using https but not from my other routed vlans inside my network. i need the internal mail server to communicate with the dmz server using port 1352.

asa internal to dmz

Julio Carvajal — Tue, 18 Sep 2012 17:07:43 GMT

Hello,

Try the following:

no nat (Int,DMZ) source static obj-10.168.1.0 obj-10.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0

nat (Int,DMZ) 1 source static obj-10.168.1.0 obj-10.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0

If you want to innitiate the connections from the DMZ to the inside you will need to set the following ACL

access-list DMZ_access_in permit tcp 192.168.2.x x.x.x.x 10.168.1.0 255.255.255.0

Regards,

Any other question..Sure.. Just remember to rate all of my answers.

Julio

asa internal to dmz

mafarah123 — Fri, 21 Sep 2012 09:33:14 GMT

HI Adding the above worked but it had a counter effect now we can not access internet we are using the below nat for internet. we have also limited the above static nats to a host instead of a network we only want to communicate with one server from our internal to dmz. The command worked but we can't access internet now.

nat (any,Ext) after-auto source dynamic any interface

asa internal to dmz

Jennifer Halim — Fri, 21 Sep 2012 10:56:39 GMT

For internet from the internal network, pls configure the following:

object network Int_outside

subnet 10.168.1.0 255.255.255.0

nat (Int,Ext) dynamic interface

asa internal to dmz

mafarah123 — Fri, 21 Sep 2012 20:53:53 GMT

guys thanks for your inputs, i don't think there is anything wrong with the nats but i have a routing problem, i can't ping or connect to any vlan on my distribution switch from asa i can only ping the internal interface but no other ip inside my network, the server i need my dmz host to connect to in sitting inside my service vlan all vlans are routed but yet i can't reach any of them from asa. i need to create a static route any assistance on how.