topic Re: Issue with routing Inside and outside traffic to DMZ in Network Security

Issue with routing Inside and outside traffic to DMZ

kiran kumar Chamakura — Mon, 11 Mar 2019 20:24:56 GMT

Hi Experts,

I have configured DMZ on cisco ASA 5510 with an subnet 10.10.10.x, I need all the Inside users i.e. all the VLAN Users behind the firewall who are connected to L3 switch need an access to DMZ Servers and also Outeside user to connect the server in DMZ.I have assigned one of the public IP to the server in DMZ and created the access list that allow only 80 port.

I am having problem with routing the Inside and Outside user to connect an test server using port 80.Please find the configuration as bellow.

When i execute sh route on the ASA i could see any routes for DMZ.

Please help me ..............

interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.x
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
description UP-Link to L3 Switch
nameif inside
security-level 100
ip address 172.16.40.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.11.252 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone IST 5 30
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 61.12.21.34
name-server 203.196.128.4
name-server 192.168.6.22
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group network group-inside-vpnclient
description all inside accessible network
network-object 192.168.15.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
access-list outside_mpc remark testing
access-list outside_mpc extended permit tcp x.x.x.x 255.255.255.x any object-group DM_INLINE_TCP_1
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any any eq www
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient 192.168.20.0 255.255.255.0
access-list acl-vpnclient extended permit tcp object-group group-inside-vpnclient object-group DM_INLINE_TCP_3 192.168.20.0 255.255.255.0
access-list Split_Tunnelspecified_List standard permit 192.168.6.0 255.255.255.0
access-list Split_Tunnelspecified_List standard permit 192.168.15.0 255.255.255.0
access-list Split_Tunnelspecified_List standard permit 192.168.8.0 255.255.255.0
access-list OUTSIDE_TO_DMZ_SERVER extended permit tcp any host x.x.x.x eq www log
access-list IN_TO_DMZ_SERVER extended permit tcp any host 10.10.10.2 eq www log

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
mtu management 1500
ip local pool testpool 192.168.20.10-192.168.20.15 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl-vpnclient
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) x.x.x.x 10.10.10.2 netmask 255.255.255.255
static (inside,DMZ) 172.16.40.0 172.16.40.0 netmask 255.255.255.0

access-group OUTSIDE_TO_DMZ_SERVER in interface outside
access-group IN_TO_DMZ_SERVER in interface DMZ
!
router rip
network 10.0.0.0
network 172.16.0.0
default-information originate
version 2
!
route outside 0.0.0.0 0.0.0.0 203.196.150.161 1
route inside 192.168.6.0 255.255.255.0 172.16.40.2 1
route inside 192.168.8.0 255.255.255.0 172.16.40.2 1
route inside 192.168.15.0 255.255.255.0 172.16.40.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.40.1 255.255.255.255 inside
http 192.168.15.0 255.255.255.0 inside
http 192.168.11.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 172.16.40.0 255.255.255.0 inside
ssh 192.168.15.0 255.255.255.0 inside
ssh 192.168.11.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access inside
dhcpd ping_timeout 750
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map P2P
match port tcp eq www
class-map outside-class
match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
policy-map outside-policy
class outside-class
csc fail-close
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
policy-map IM_P2P
class imblock
inspect im impolicy
class P2P
inspect http P2P_HTTP
!
service-policy global_policy global
service-policy outside-policy interface outside
service-policy IM_P2P interface inside
group-policy group-policy-default internal
group-policy group-policy-default attributes
banner value Welcome to the Nisum Corporate Network
dns-server value 192.168.6.22 61.12.21.34
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnelspecified_List
nac-settings none
username ssagi password itaVYlZs.BGqDowM encrypted
username ssagi attributes
vpn-group-policy group-policy-default
username nisumit password phchH3wy6GkeWo0r encrypted privilege 15
username kchamakura password K6LxuUPUCV9A/lHE encrypted
username kchamakura attributes
vpn-group-policy group-policy-default
service-type remote-access
username mvadlamudi password qgC7ZYk1bSqttIFD encrypted
username mvadlamudi attributes
vpn-group-policy group-policy-default
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
authorization-server-group (inside) LOCAL
default-group-policy group-policy-default
tunnel-group testgroup ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:a40c65d743e80128799b090f8d671193

Nisum-ASA5510# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.196.150.161 to network 0.0.0.0

R    192.168.12.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:18, inside
R    192.168.13.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:18, inside
R    192.168.14.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:18, inside
S    192.168.15.0 255.255.255.0 [1/0] via 172.16.40.2, inside
S    192.168.8.0 255.255.255.0 [1/0] via 172.16.40.2, inside
R    192.168.9.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:18, inside
R    192.168.10.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:18, inside
C    172.16.40.0 255.255.255.0 is directly connected, inside
R    172.16.30.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:18, inside
R    172.16.20.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:18, inside
R    192.168.11.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:18, inside
C    203.196.150.160 255.255.255.224 is directly connected, outside
R    192.168.4.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:18, inside
C    127.0.0.0 255.255.0.0 is directly connected, cplane
<--- More --->

R    192.168.5.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:19, inside
S    192.168.6.0 255.255.255.0 [1/0] via 172.16.40.2, inside
R    192.168.7.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:19, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.196.150.161, outside

Re: Issue with routing Inside and outside traffic to DMZ

mirober2 — Sat, 23 Apr 2011 13:33:11 GMT

Hi Kiran,

If you look at the output of 'show interface', does your DMZ interface (eth0/1) show as up/up?

Typically, if the interface is fully up, you should at least have a connected route for 10.10.10.x/24 in the output of 'show route'.

-Mike

Re: Issue with routing Inside and outside traffic to DMZ

kiran kumar Chamakura — Sat, 23 Apr 2011 13:36:47 GMT

Hi Mike,

It was an mistake, now we can see the route for DMZwhen i execute ip route.

R    192.168.12.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:16, inside
R    192.168.13.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:16, inside
R    192.168.14.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:16, inside
S    192.168.15.0 255.255.255.0 [1/0] via 172.16.40.2, inside
S    192.168.8.0 255.255.255.0 [1/0] via 172.16.40.2, inside
R    192.168.9.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:16, inside
R    192.168.10.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:16, inside
C    172.16.40.0 255.255.255.0 is directly connected, inside
R    172.16.30.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:16, inside
R    172.16.20.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:16, inside
R    192.168.11.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:16, inside
C    203.196.150.160 255.255.255.224 is directly connected, outside
R    192.168.4.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:16, inside
C    127.0.0.0 255.255.0.0 is directly connected, cplane
R    192.168.5.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:17, inside
C    10.10.10.0 255.255.255.0 is directly connected, DMZ
S    192.168.6.0 255.255.255.0 [1/0] via 172.16.40.2, inside
R    192.168.7.0 255.255.255.0 [120/1] via 172.16.40.2, 0:00:17, inside
S*   0.0.0.0 0.0.0.0 [1/0] via

Thnaks

Kiran Kumatr CH

Re: Issue with routing Inside to DMZ

kiran kumar Chamakura — Wed, 27 Apr 2011 12:29:20 GMT

Hi Experts,

I have configured DMZ and I am able access the Web Server in the DMZ from Outside and I am able to access Inside Network from DMZ.

Issue is , i am not able to access Web Server in DMZ from Inside. When i am trying to access i am encountering with an Error as follows.

Error: No translation group found for icmp src inside dst DMZ

access-list outside_DMZ extended permit tcp any host x.x.x.x eq www
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient 192.168.x.0 255.255.255.0
access-list acl-vpnclient extended permit tcp object-group group-inside-vpnclient object-group DM_INLINE_TCP_3 192.168.x.0 255.255.255.0
access-list acl-vpnclient extended permit ip host 192.168.15.177 host 10.10.10.2

access-list dmz_int extended permit tcp host 10.10.10.2 any eq www

access-list inside_outside extended permit tcp host 192.168.x.177 host 10.10.10.2 eq www log
access-list inside_outside extended permit icmp host 192.168.x.177 host 10.10.10.2

global (outside) 1 interface
nat (inside) 0 access-list acl-vpnclient
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) x.x.x.x 10.10.10.2 netmask 255.255.255.255
static (DMZ,inside) x.x.x.x 10.10.10.2 netmask 255.255.255.255
access-group outside_DMZ in interface outside
access-group dmz_int in interface DMZ
access-group inside_outside in interface inside

Regards

Kiran Kumar CH

Re: Issue with routing Inside and outside traffic to DMZ

kiran kumar Chamakura — Thu, 28 Apr 2011 10:37:49 GMT

Hi Experts,

Problem got resolved after i implimented the PAT to DMZ Interface.

Thanks for your help.

Regards

Kiran Kumar CH