topic DMZ traffice allowed in Network Security

DMZ traffice allowed

ronald.lawrimore — Mon, 11 Mar 2019 21:04:37 GMT

I have an ASA that we are using to allow guests access to the Internet via the Outside interface. What command can I issue to allow all traffice types from the DMZ where my guests sit, to the Internet. They use all sorts of things such as SMTP, IMAP, VOIP and so on, so I don't want to hinder there work.

DMZ traffice allowed

varrao — Wed, 27 Jul 2011 13:31:37 GMT

Well you would just need a nat global statement to be added:

nat (dmz) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

if you can provide the output of " show run nat" and "show run global" , we can provide the specif command for it.

Thanks,

Varun

DMZ traffice allowed

ronald.lawrimore — Wed, 27 Jul 2011 13:33:56 GMT

Here is what I currently have.

asa# sho run nat
nat (dmz) 101 0.0.0.0 0.0.0.0
asa# sho run global
global (outside) 101 interface
asa#

Re: DMZ traffice allowed

Jon Marshall — Wed, 27 Jul 2011 13:36:20 GMT

Ronald

Couple of things to check -

1) is the dmz interface set to a higher security level than the outside ie. > 0

2) do you have an acl applied to the dmz interface ?

if the answer to 1) is yes and 2) is no and you have the nat statements as in your last post it should work.

Jon

DMZ traffice allowed

varrao — Wed, 27 Jul 2011 13:36:46 GMT

I guess you have the correct configuration for it already.

Thanks,

Varun

DMZ traffice allowed

ronald.lawrimore — Wed, 27 Jul 2011 13:38:17 GMT

The DMZ is set at 50. Outide at 0

I have a couple of ACLs right now, but they can be removed if needed to allow what I need.

DMZ traffice allowed

Jon Marshall — Wed, 27 Jul 2011 13:39:37 GMT

If you have an acl applied in or out to the dmz interface then you either need to remove it or modify it to allow the traffic you need.

Jon

DMZ traffice allowed

varrao — Wed, 27 Jul 2011 13:41:14 GMT

you shoudl be good then, test it and if you afce any issue, do let me know.

include a default route as well:

route outside 0.0.0.0 0.0.0.0 1

Thanks,

Varun

DMZ traffice allowed

ronald.lawrimore — Wed, 27 Jul 2011 13:49:56 GMT

I have disabled the ACLs on the DMZ interface. Now, no traffic flows from the DMZ out to the Internet.

DMZ traffice allowed

varrao — Wed, 27 Jul 2011 13:53:28 GMT

Hi Roland,

What were those ACL's, can you provide the output of :

show access-list and show run access-group

Thanks,

Varun

DMZ traffice allowed

Jon Marshall — Wed, 27 Jul 2011 13:54:19 GMT

Ronald

Could you post config. Did you remove the acl from the interface ie.

no access-group in interface dmz

Jon

DMZ traffice allowed

varrao — Wed, 27 Jul 2011 13:58:36 GMT

Well I guess if you remove the complete ACL's access-group would automatically be disabled, since it is dependent on ACL, so that should be fine. We just need the output for ACL's and access-group.

Varun

DMZ traffice allowed

ronald.lawrimore — Wed, 27 Jul 2011 13:59:31 GMT

Here is my currnet config.

i want to allow all destination ports from users int the DMZ to any destination on the Outside interface.

interface Vlan1
nameif inside
security-level 100
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
interface Vlan8
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.31.10.1 255.255.255.0
!
interface Vlan11
nameif outside
security-level 0
ip address ww.www.ww.www 255.255.255.252
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 11
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 8
!
interface Ethernet0/4
switchport access vlan 8
!
interface Ethernet0/5
switchport access vlan 8
!
interface Ethernet0/6
switchport access vlan 8
!
interface Ethernet0/7
switchport access vlan 8
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name asa
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq domain
service-object tcp eq www
service-object tcp eq https
object-group service RDPGroup tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp eq domain
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
object-group service IMAPS tcp
description IMAPS Port for IMAP EMails
port-object eq 993
port-object eq 465
access-list dmz extended permit ip any any
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list dmz_access_in extended permit tcp any any object-group IMAPS
access-list dmz_access_in extended permit tcp any any object-group RDPGroup
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (dmz) 101 0.0.0.0 0.0.0.0
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 yy.yyy.yy.yyy 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.31.10.10-172.31.10.254 dmz
dhcpd dns dd.dd.d.ddd ee.ee.e.eee interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
!
!
prompt hostname context
Cryptochecksum:b46035dd423c22d5c780e84b226ffa1e
: end

DMZ traffice allowed

varrao — Wed, 27 Jul 2011 14:02:40 GMT

Could you just add this acl, this shoudl work for you:

access-list dmz_access_in extended permit ip any any

and you should have access after that.

-Varun