topic Re: *HTTPS RETURN TRAFFIC FROM DMZ** in Network Security

*HTTPS RETURN TRAFFIC FROM DMZ******

Jean Paul Enerst — Mon, 11 Mar 2019 19:49:04 GMT

Hi all,

I have a server for public access in a DMZ, let's say DMZ10 and the IP for this server is 10.2.3.1. This local IP is natted to a public IP for outside. Packet tracer from in the ASDM shows that the packets get to the host;however, the reply is deny by the default deny any any in the DMZ. I did have the following ACL in the DMZ to permit any https request to the server,but packet still deny... I certainly miss something.

access-list DMZxx_access_in line 20 extended permit tcp any host 10.2.3.1 eq https

Thanks,

Paul

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Jennifer Halim — Fri, 11 Feb 2011 01:18:00 GMT

Can you please share the configuration of your ASA?

Do you have inbound or outbound access-list applied to DMZ10 interface?

If traffic is initiated from outside towards DMZ10 server, the only access-list required is on the outside interface (for inbound direction). You do not need to configure access-list for the return connection as ASA is a stateful firewall (it keeps track of the connection).

However, if you actually initiate the traffic from DMZ10 server towards the internet/outside, then you require access-list on the DMZ10 interface to allow the traffic outbound (access-list to be applied to dmz10 interface in the inbound direction).

If you can share the following that would help:

sh run access-group

sh run http

sh run access-list

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Jean Paul Enerst — Fri, 11 Feb 2011 18:49:49 GMT

There are the show run commands has requested. As a test, I natted the same Public IP of the server to another local IP inside interface, everything works fine as expected which raise questions in doubt about the DMZ10!

sh run access-group

esult of the command: "show run access-group"

access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface inside
access-group DMZ10_access_in in interface DMZ10

sh run http

Result of the command: "show run http"

http server enable
http 192.168.1.0 255.255.255.0 management
http EngLab 255.255.254.0 inside
http 10.15x.xx.0 255.255.255.0 inside

Thanks,

Jean Paul

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Jennifer Halim — Sat, 12 Feb 2011 00:48:57 GMT

OK, that looks good to me.

What is the security level of all the interfaces? Hopefully DMZ10 is not the same as any other interfaces, and higher than the outside interface security level.

Did you perform a "clear xlate" after the changes and modification of NAT statement?

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Jean Paul Enerst — Sat, 12 Feb 2011 00:54:59 GMT

HI guys,

i still need help with this. This server in DMZ can't be accessed fom outside. However, packet tracert from the FW shows the connection in both way(see the attached doc above). When natted the same public ip to another ip in the inside interface, everything works fine... Bebow is part of the configuration..

ASA Version 8.0(4)32
!
dns-guard
!
interface Ethernet0/0
description Outside connected to MY ISP
speed 100
duplex full
nameif Outside
security-level 0
ip address 208.1xx.25x.xx 255.255.xx.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.10.x.x 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ33
security-level 90
ip address 10.15x.33.x 255.255.255.0
!
interface Ethernet0/3
speed 100
duplex full
nameif DMZ77
security-level 50
ip address 10.15x.77.x 255.255.255.0
!

interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa804-32-k8.bin
ftp mode passive
clock timezone mst -7
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list DMZ77_access_in extended deny ip DMZ33-Network 255.255.255.0 DMZ77-Network 255.255.255.0
access-list DMZ77_access_in extended deny ip DMZ77-Network 255.255.255.0 DMZ33-Network 255.255.255.0
access-list DMZ77_access_in extended permit tcp host DMZ77-Server any eq www
access-list DMZ77_access_in extended permit tcp host DMZ77-Server any eq ssh
access-list DMZ77_access_in extended permit tcp host DMZ77-Server any eq ftp
access-list DMZ77_access_in extended permit tcp host DMZ77-Web-Server any eq ftp
access-list DMZ77_access_in extended permit tcp host DMZ77-Web-Server any eq ftp-data
access-list DMZ77_access_in extended permit tcp host DMZ77-Web-Server any eq https
access-list DMZ77_access_in extended permit tcp host DMZ77-Web-Server any eq 81
access-list DMZ77_access_in extended permit tcp host DMZ77-Server-Cust any eq https
access-list DMZ77_access_in remark *
access-list Outside_access_in extended permit tcp 208.8x.1x.20x.255.255.224 host 204.xx.xx.xx70 eq www
access-list Outside_access_in extended permit tcp 208.8x.1x.20x.255.255.224 host 204.xx.xx.xx70 eq ssh
access-list Outside_access_in extended permit tcp 209.115.232.64 255.255.xx.240 host 204.xx.xx.xx70 eq www
access-list Outside_access_in extended permit tcp 209.115.232.64 255.255.xx.240 host 204.xx.xx.xx70 eq ssh
access-list Outside_access_in extended permit ip host 2xx.1xx.1x5.xx host 204.xx.xx.xx

access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx70 eq www
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx70 eq ftp

access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx71 eq 5222
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx72 eq smtp
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx73 eq ftp
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx73 eq https
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx73 eq www
access-list Outside_access_in extended permit tcp host 7x.8x.1xx.xx host 204.xx.xx.xx73 eq 81
access-list Outside_access_in extended permit tcp host 9x.4x.15x.x0 host 204.xx.xx.xx73 eq 81
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx73 eq ftp-data
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx74 eq ftp
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx74 eq ftp-data
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx74 range 1024 1034
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx70 eq ftp-data
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx75 eq smtp
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx75 eq https
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx75 eq pop3
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx75 eq imap4
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx75 eq 993
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx76 eq www
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx76 eq https
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx77 eq https
access-list Outside_access_in extended permit icmp any host 204.xx.xx.xx77
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx79 eq ftp
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx79 eq ftp-data
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx80 eq 993
access-list Outside_access_in remark Outside Access to New Exchange server
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx80 eq https
access-list Outside_access_in remark Outside Access to the New Exchange server
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx80 eq imap4
access-list Outside_access_in remark Outside Access to the new Exchange server
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx80 eq pop3
access-list Outside_access_in extended permit esp any host 204.xx.xx.xx89
access-list Outside_access_in extended permit ah any host 204.xx.xx.xx89
access-list Outside_access_in extended permit udp any host 204.xx.xx.xx89 eq isakmp
access-list Outside_access_in extended permit udp any host 204.xx.xx.xx89 eq 4500
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx89 eq 10000
access-list Outside_access_in extended permit tcp any host 204.xx.xx.xx93 eq https

logging enable
logging monitor warnings
logging buffered warnings
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu DMZ33 1500
mtu DMZ77 1500
mtu management 1500

ip verify reverse-path interface Outside
ip audit name Inside_Interface attack action alarm

ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Outside) 50 204.xx.xx.xx68 netmask 255.255.255.255
global (Outside) 40 204.xx.xx.xx69 netmask 255.255.255.255
global (Outside) 20 204.xx.xx.xx66 netmask 255.255.255.255
global (Outside) 30 204.xx.xx.xx67 netmask 255.255.255.255
global (DMZ33) 1 DMZ33-Network netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 30 EngLab1 255.255.254.0
nat (inside) 20 EngLab2 255.255.254.0
nat (inside) 20 EngLab3 255.255.254.0
nat (inside) 20 EngLab4 255.255.254.0
nat (inside) 40 0.0.0.0 0.0.0.0
nat (DMZ33) 1 DMZ33-Network 255.255.255.0
static (inside,DMZ33) 10.1xx.0.0 10.1xx.0.0 netmask 255.255.0.0

static (inside,Outside) 204.xx.xx.xx75 Server-Dom netmask 255.255.255.255

static (inside,Outside) 204.xx.xx.xx80 Server-Exc netmask 255.255.255.255
static (inside,Outside) 204.xx.xx.xx72 Server-Kk netmask 255.255.255.255
static (inside,Outside) 204.xx.xx.xx73 Server-Web netmask 255.255.255.255
static (inside,Outside) 204.xx.xx.xx71 Server- netmask 255.255.255.255
static (inside,Outside) 204.xx.xx.xx76 Server-Net netmask 255.255.255.255
static (inside,Outside) 204.xx.xx.xx70 Server-test netmask 255.255.255.255
static (inside,Outside) 204.xx.xx.xx78 204.xx.xx.xx78 netmask 255.255.255.255
static (inside,Outside) 204.xx.xx.xx79 Server-C netmask 255.255.255.255
static (inside,Outside) 204.xx.xx.xx93 10.1x.x.24 netmask 255.255.255.255
static (DMZ77,Outside) 204.xx.xx.xx77 DMZ77-Server-Cust netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface inside
access-group DMZ3_access_in in interface DMZ33
access-group DMZ77_access_in in interface DMZ77

route Outside 0.0.0.0 0.0.0.0 204.xx.xx.xx94 1

route Outside 2.xx.0.0 255.255.0.0 204.xx.xx.xx94 1
route Outside 2.xx.0.0 255.255.0.0 204.xx.xx.xx94 1
route Outside 2.xx.0.0 255.255.0.0 204.xx.xx.xx94 1
route Outside 2.xx.0.0 255.255.0.0 204.xx.xx.xx94 1

route inside 10.xx.xx.0 255.255.0.0 1x.1xx.0.1 1

route Outside 20x.0.xx.254 194.254 255.255.255.255 204.xx.xx.xx94 1
route Outside 20x.0.xx.254 204.201 255.255.255.255 204.xx.xx.xx94 1
route Outside 20x.0.xx.254 209.70 255.255.255.255 204.xx.xx.xx94 1
route Outside 20x.0.xx.254 209.104 255.255.255.255 204.xx.xx.xx94 1
route Outside 20x.0.xx.254 209.209 255.255.255.255 204.xx.xx.xx94 1
route Outside 20x.0.xx.254 209.226 255.255.255.255 204.xx.xx.xx94 1
route Outside 20x.0.xx.254 220.52 255.255.255.252 204.xx.xx.xx94 1
route inside 204.xx.xx.xx78 255.255.255.255 1x.1xx.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http EngLab 255.255.254.0 inside
http 10.15x.x.0 255.255.255.0 inside
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map0 20 set pfs group1
crypto dynamic-map Outside_dyn_map0 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map Outside_dyn_map0 40 set pfs
crypto dynamic-map Outside_dyn_map0 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map VPN_map 65535 ipsec-isakmp dynamic Outside_dyn_map0
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 90
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh EngLabEng 255.255.254.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server Server-Trivor source inside prefer
ssl encryption des-sha1 rc4-md5
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect dcerpc
inspect icmp
inspect http
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
: end

THANKS,

Jean Paul

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Jennifer Halim — Sat, 12 Feb 2011 01:16:54 GMT

A few things to further troubleshoot the issue:

1) You advised that the same public ip address works fine with a host on the inside --> that means that as far as the public ip address is concern, it is OK.

2) And if it works for an inside host and you just modify the static NAT configuration from inside host to your DMZ host, that means the translation on the ASA is correct too. As long as you issue "clear xlate" after the changes.

3) Then the only access-list required for inbound connection is on the outside interface which refers to the public ip address. So whether you translate the same public ip address to an inside host or to a dmz host, it doesn't really make any difference as far as the access-list is concern. And again, you have tested it working towards an inside host, so it should work just the same for dmz host.

All of the above seem to point to the dmz host issue instead of issue on the ASA firewall (again, just to double confirm that as long as you perform "clear xlate" after the changes made from static NAT towards inside host (for your testing) to dmz host.

Next would be to check the DMZ host itself:

1) What is the default gateway on the host set to? is that the dmz interface ip address of the ASA?

2) Is there any personal firewall, etc enabled that might be blocking inbound connection from different subnets?

3) What about if test HTTP instead of HTTPS connection? Also remember to add access-list on the outside interface (Outside_access_in) for HTTP as I don't see that configured yet.

Lastly, to see exactly where it's failing, you can run packet capture on the ASA (on the dmz interface):

access-list cap-dmz permit ip host any

access-list cap-dmz permit ip any host

cap cap-dmz interface access-list cap-dmz

Then try to generate the traffic from the Internet, then check out the output of "sh cap cap-dmz"

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Jean Paul Enerst — Sat, 12 Feb 2011 02:27:22 GMT

Hi Jenn,

Yes, that correct, I did test the same PUBLIC IP by natted it to an IP address in the inside interface address, and it worked fine. As you said the ACL in the outside interface still the same. This server is in 3 different network at the same time: Inside network, DMZ33, DMZ77. DMZ77 is for outside(PUBLIC IP natted to this ) access from Internet, DMZ33 for inside address from the inside network. The NIC connected to the inside network will be shutdown when the server is in production.

To answer your questions:

1. The default GW is set for the ASA IP( DMZ77 ip in the interface). And ASA can ping the server, server can ping ASA BACK.

2. Server guy said that the personnal firewall of the server is off which may be true as the server is pingable via both its DMZs IP address.

3. I haven't tested the https access yet, but will do that ASAP

I did do packet capture, the capture show that the FW send the packet out, but the server never respond back(nothing coming back)!

I am convince that the server itself is the issue,but I am still need to proove it to the server.

Thanks,

Jean Paul

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Jennifer Halim — Sat, 12 Feb 2011 04:34:30 GMT

That is your proof to the server guy:

"I did do packet capture, the capture show that the FW send the packet out, but the server never respond back(nothing coming back)!"

If the server replied back, you should be able to see that in the ASA packet capture because packet capture will show you the packet fresh from the wire.

topic Re: ***************HTTPS RETURN TRAFFIC FROM DMZ**************** in Network Security

***************HTTPS RETURN TRAFFIC FROM DMZ********************

Re: ***************HTTPS RETURN TRAFFIC FROM DMZ****************

Re: ***************HTTPS RETURN TRAFFIC FROM DMZ****************

Re: ***************HTTPS RETURN TRAFFIC FROM DMZ****************

Re: ***************HTTPS RETURN TRAFFIC FROM DMZ****************

Re: ***************HTTPS RETURN TRAFFIC FROM DMZ****************

Re: ***************HTTPS RETURN TRAFFIC FROM DMZ****************

Re: ***************HTTPS RETURN TRAFFIC FROM DMZ****************

topic Re: *HTTPS RETURN TRAFFIC FROM DMZ** in Network Security

*HTTPS RETURN TRAFFIC FROM DMZ******

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Re: *HTTPS RETURN TRAFFIC FROM DMZ**

Re: *HTTPS RETURN TRAFFIC FROM DMZ**