topic Re: Accessing shared folder on member server from DMZ in Network Security

Accessing shared folder on member server from DMZ

mark.a.coleman — Mon, 11 Mar 2019 20:33:48 GMT

Ok, the bit that works.

I have a rule on our ASA, source=dmz server, destination=domain server, service=domain which works fine and permits access to my domain controllers and access shared folders from a test DMZ server.

..and the bit that doesn't.

What I cannot fathom is accessing member servers even though I've added another rule but with services 53, 137-139 and 445 (all TCP/UDP)

Help as always appreciated.

Thanks

Re: Accessing shared folder on member server from DMZ

Anu M Chacko — Mon, 16 May 2011 10:50:08 GMT

Hi Mark,

So you're trying to access some servers in your DMZ network from the outside on ports 53, 137-139 and 445 (all TCP/UDP)?

If yes, you need to have access-lists to permit traffic to these ports and static nat commands. Can you paste your configuration here?

Regards,

Anu

Re: Accessing shared folder on member server from DMZ

mark.a.coleman — Mon, 16 May 2011 12:05:10 GMT

Hi Anu,

I'm trying to access the member servers using the DMZ servers.

If I RDP to a DMZ server I can access my DC's, but not my member servers

I am on the inside of my network.

Thanks,

Mark

Re: Accessing shared folder on member server from DMZ

mark.a.coleman — Wed, 18 May 2011 10:40:58 GMT

Anyone?

Re: Accessing shared folder on member server from DMZ

varrao — Wed, 18 May 2011 10:47:03 GMT

Hi Mark,

Could you just explain, while accessing the member servers, behind which interface does the source lie and behind which interface does the destination lie, along with the Ip addresses??

Thanks,

Varun

Re: Accessing shared folder on member server from DMZ

mark.a.coleman — Wed, 18 May 2011 12:16:28 GMT

Hi Varun,

Ok, the source DMZ server (192.168.3.4) is on Ethernet0/1.20 DMZ3 (we are using a vlan setup to a cisco switch). As mentioned I can access the Domain Controllers without any issues whatsoever.

The destination Domain Member (10.0.0.29) server is on Ethernet0/0 Inside (same as the Domain Controllers)

Thanks

Mark

Re: Accessing shared folder on member server from DMZ

varrao — Wed, 18 May 2011 12:36:39 GMT

Hi Mark,

For accessing the domain member from the DMZ server, you would need the following check list:

1. Allow access from DMZ3 to inside, since your DMZ3 is low security interface, through ACl and apply the ACL on in interface DMZ3.

2. You would need a Natting for the the dmz server to your domain member, something like:

nat (DMZ3) 5 192.168.3.4

global (inside) 5 interface

3. You would also need a translation for the destination, like

static (inside,DMZ3) 1.1.1.1 10.0.0.29

if the domain member needs to be accessed by its original IP, then;

static (inside,DMZ3) 10.0.0.29 10.0.0.29

These should work for you, let me know the results.

If it still does not work kindly provide me the relevant configuration that you have for the setup, we might need to take captures and logs after it.

Thanks,

Varun

Re: Accessing shared folder on member server from DMZ

mark.a.coleman — Wed, 18 May 2011 12:54:36 GMT

Hi Varun,

In ref to no.1 wouldn't this already be there if I can access the Domain controllers from DMZ3

For no.2 I cannot see any NAT rule relating to the DC's

...and for no.3 I cannot see anything relating in the ACL for DC's

Just trying to make sense of it all. Is there a command I can run to question my questions in case I'm not seeing what I would expect in ASDM

Many thanks,

Mark

Re: Accessing shared folder on member server from DMZ

varrao — Wed, 18 May 2011 13:06:25 GMT

Hi Mark,

1. If you are able to access domain controller from dmz, it might not be necessary that you have ports open for accessing other members as well, just check whether the ACL includes other domain members as well.

As far as other queries are concerned, I would suggest if you could provide the following:

show run nat

show run global

show run static

show run access-group

show run access-list

This would clear out the confusion between us, also you can run a packet-tracer:

packet-tracer input DMZ3 tcp 192.168.3.4 1234 10.0.0.29 445 detailed

This would atleast give us some guidance where the tarfic is being dropped.

Thanks,

Varun

Re: Accessing shared folder on member server from DMZ

mark.a.coleman — Wed, 18 May 2011 13:32:11 GMT

Hi Varun,

I cannot see anything that would suggest I can get to any domain members, all I can see is a rule relating to the source=dmz servers to destination=DC's with service domain/UDP=permit

I have omitted some results that I'm sure are not relevant

Result of the command: "show run nat"

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 InternalNetwork 255.255.255.0
nat (DMZ1) 1 DMZ1 255.255.255.0
nat (DMZ2) 1 DMZ2 255.255.255.0
nat (DMZ3) 1 DMZ3 255.255.255.0
nat (DMZ4) 1 DMZ4 255.255.255.0

Result of the command: "show run global"

global (DMZ2) 1 interface
global (DMZ3) 1 interface
global (DMZ4) 1 interface
global (outside) 2 DMZservername_external netmask 255.0.0.0
global (outside) 1 EXT. IP netmask 255.0.0.0

Result of the command: "show run static" (I have removed most results)

static (inside,DMZ3) DCservername DCservername netmask 255.255.255.255

Result of the command: "show run access-group"

access-group inside_access_in in interface inside
access-group DMZ1_access_in in interface DMZ1
access-group DMZ2_access_in in interface DMZ2
access-group DMZ3_access_in in interface DMZ3
access-group DMZ4_access_in in interface DMZ4
access-group outside_access_in in interface outside

Result of the command: "show run access-list"

A lot of results here I wasn't prepared to list publically, anything in particular you're looking for?

Could I run the packet tracer using the Tools > Packet tracer? (if so do I need to input options for each screen?

Thanks,

Mark

Re: Accessing shared folder on member server from DMZ

varrao — Wed, 18 May 2011 13:48:33 GMT

Hi Mark,

You might need to add the following static command for your domain member:

static (inside,DMZ3) DCmember DCmember 255.255.255.255

where DCmember----10.0.0.29

and alsdo I was asking for only this ACL:

show run access-list DMZ3_access_in

That would be enough, and all that you need.

Thanks,

Varun

Re: Accessing shared folder on member server from DMZ

varrao — Wed, 18 May 2011 13:50:28 GMT

and please run the packet-tracer in CLI, it would give you a clear picture of packet flow.

Varun

Re: Accessing shared folder on member server from DMZ

mark.a.coleman — Wed, 18 May 2011 13:58:28 GMT

Here you go Varun

Result of the command: "show run access-list DMZ3_access_in"

access-list DMZ3_access_in extended permit udp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_10 eq domain
access-list DMZ3_access_in extended permit object-group TCPUDP host DMZservername3 host DomainServerMember object-group RE
access-list DMZ3_access_in extended permit tcp host DMZservername1 any eq www
access-list DMZ3_access_in extended permit tcp host DMZservername2 any eq www
access-list DMZ3_access_in extended permit tcp host DMZservername3 any object-group DM_INLINE_TCP_6
access-list DMZ3_access_in extended permit ip host DMZservername1 host APCUPS
access-list DMZ3_access_in extended permit icmp DMZ3 255.255.255.0 any
access-list DMZ3_access_in extended permit ip DMZ3 255.255.255.0 any
access-list DMZ3_access_in extended deny ip DMZ3 255.255.255.0 any

I might add the static route first and see what happens

Mark

Re: Accessing shared folder on member server from DMZ

varrao — Wed, 18 May 2011 14:26:03 GMT

Hi Mark,

I guess this is the access-list that you have for dmz server to domain member:

access-list DMZ3_access_in extended permit object-group TCPUDP host DMZservername3 host DomainServerMember object-group RE

and it looks good to me, please verify if DMZservername3-----> 192.168.3.4 and DomainServerMembe-------> 10.0.0.29

if so your ACL is fine, just add the static command:

static (inside,DMZ3) 10.0.0.29 10.0.0.29

and it should work.

Let me know how it goes.

thanks,

Varun

Re: Accessing shared folder on member server from DMZ

mark.a.coleman — Wed, 18 May 2011 14:38:58 GMT

Hi Varun,

That one static addition seems to have solved the problem, are these routes visible anywhere in the ASDM GUI?

I'll be checking some other things over the coming weeks but many thanks for your input and patience in helping solve the problem

Many thanks again,

Mark

Re: Accessing shared folder on member server from DMZ

varrao — Wed, 18 May 2011 15:37:12 GMT

Hi Mark,

Thats great news, had a hunch that you are missing this statement. To chcek the nat i ASDM, you need to go to Firewall ----> Nat rules and you would see this rule aded there...I am not really sure about the exact tab but it should be there....I am happy it worked for you.

P.S.- rate posts which are helpful.

Thanks,

Varun

Re: Accessing shared folder on member server from DMZ

mark.a.coleman — Thu, 19 May 2011 07:51:56 GMT

Hi Varun,

I checked the NAT rules and it just didn't register, if I had bothered to try and access another DC rather than concentrating on just one I reckon the lightbulb would have illuminated LOL. Proof that another set of eyes is so worthwhile in these situations.

Thanks again and I'll go through the posts as requested.

Mark