topic Need a hand with DMZ in Network Security

Need a hand with DMZ

rwharris13 — Mon, 11 Mar 2019 23:21:26 GMT

I can't seem to get this going for thie life of me, maybe a little fuzzy on the concepts but I've done this before without problems. I need the DMZ hosts to be able to ping anything we have inside and outside our network. I will lock down anything else after, right now I can't get anything in the DMZ to access anything outside or inside.

interface Ethernet0/0
description Public
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.224
!
interface Ethernet0/1
description Private
nameif inside
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
description DMZ
nameif dmz
security-level 50
ip address 192.168.41.1 255.255.255.0

access-list dmz-allowed-in extended permit ip any any

access-group dmz-allowed-in in interface dmz

access-list allowed-in extended permit icmp any host 1.1.1.2

access-group allowed-in in interface outside

access-list allow-out extended permit ip 192.168.40.0 255.255.255.0 any

access-group allow-out in interface inside

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (dmz) 1 0.0.0.0 0.0.0.0 dns

static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0

static (dmz,outside) 1.1.1.2 192.168.41.10 netmask 255.255.255.255

Packet tracer from inside to dmz host 192.168.41.1 says its dropped by implicit rules

Packet tracer from dmz to inside host 192.168.40.1 says its dropped by implicit rules
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Packet tracer from outside to dmz host's public address says its allowed

Packet tracer from dmz to outside address says its allowed

It would see at least ping to the outside from DMZ should work but it doesn't.

Need a hand with DMZ

Jennifer Halim — Wed, 20 Jun 2012 14:33:55 GMT

Do you have "inspect icmp" configured?

Need a hand with DMZ

rwharris13 — Wed, 20 Jun 2012 14:40:22 GMT

Yes at the moment but I have tested with it disabled and same results.

Need a hand with DMZ

Jennifer Halim — Wed, 20 Jun 2012 14:42:11 GMT

It should be enabled, not disabled.

Need a hand with DMZ

rwharris13 — Wed, 20 Jun 2012 14:43:19 GMT

And it is.

Need a hand with DMZ

Jennifer Halim — Wed, 20 Jun 2012 14:45:23 GMT

This sounds wrong:

Packet tracer from inside to dmz host 192.168.41.1 says its dropped by implicit rules

Packet tracer from dmz to inside host 192.168.40.1 says its dropped by implicit rules

Both addresses are assigned to your ASA firewall interfaces, so you can't have host with that IP Address.

Need a hand with DMZ

rwharris13 — Wed, 20 Jun 2012 14:49:41 GMT

Ah yes, bad examples, so I redid them with .10 addresses and they say they are supposed to be passed on.

Need a hand with DMZ

Jennifer Halim — Wed, 20 Jun 2012 14:51:14 GMT

Great, that means nothing wrong with the ASA config.

You might want to check the host itself, correct subnet mask? correct default gateway? connected to the correct VLAN/etc?

Re: Need a hand with DMZ

rwharris13 — Wed, 20 Jun 2012 14:53:43 GMT

So, host in the dmz, connected to vlan 6, DMZ interface in vlan 6.

Public side connected to vlan 3

Host inside connected to vlan 1, inside interface in vlan 1.

Both use the ASA as their default gateway.

Need a hand with DMZ

Jennifer Halim — Wed, 20 Jun 2012 14:57:17 GMT

Run "debug icmp trace" and see if you are getting the echo and/or echo-reply on the ASA

OR/ do packet capture on the ASA and see if echo is reaching and leaving the ASA, and if echo-reply is reaching and leaving the ASA.

Re: Need a hand with DMZ

rwharris13 — Wed, 20 Jun 2012 15:01:18 GMT

Yes I get the echo request and reply

Re: Need a hand with DMZ

Jennifer Halim — Wed, 20 Jun 2012 15:02:56 GMT

Is the echo reply leaving the firewall?

Re: Need a hand with DMZ

rwharris13 — Wed, 20 Jun 2012 15:05:54 GMT

I didn't do an actual packet capture on the host yet but it would seem it is from the debug.

Sending 5, 100-byte ICMP Echos to 192.168.41.10, timeout is 2 seconds:

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

!ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Re: Need a hand with DMZ

Jennifer Halim — Wed, 20 Jun 2012 15:09:18 GMT

?? Are you just pinging from ASA towards your DMZ host?

I thought you are having issue with ping through the firewall from DMZ host??

Re: Need a hand with DMZ

rwharris13 — Wed, 20 Jun 2012 15:15:23 GMT

Yes through the firewall. From the DMZ to internal hosts, from the DMZ to the internet.

Re: Need a hand with DMZ

rwharris13 — Wed, 20 Jun 2012 15:17:49 GMT

I just restarted the ASA, and it's working now without any changes done....