topic Re: ASA 5510 intervlan routing in Network Security

ASA 5510 intervlan routing

Nay Myo Tun — Mon, 11 Mar 2019 19:11:05 GMT

Hi,

Could you please help to advise? I have issue on my project . I have already setup the ASA 5510 and configured eth0 for outside ( security-level 0) , eth1 for DMZ (security-level 50 ) and eth3 for internal network ( security-level 100 ). I want to route / ftp to ping / ftp from each VLAN to another .

I have configured the necessary ACL to allow the traffic ( DMZ <=> Outside ) interfaces .

Using packet tracer from Outside to DMZ , the packet is allowed. But I can't ping / ftp from one interface to another . Pls. see the attached screen shot.

But according to what i ve read from this forum, " If you are trying inter-vlan routing, then make sure that both sub-interfaces have a nameif and security level set to same value."

Does it apply to DMZ , internal and external interfaces with diff security level ? Really appreciate your advise since I am now confused.

Re: ASA 5510 intervlan routing

Jennifer Halim — Thu, 18 Nov 2010 05:42:21 GMT

For traffic to and from inside and DMZ, you would need to configure static 1:1 NAT in addition to the access-list to permit the traffic through.

Assuming that your inside subnet is 172.25.152.0/24, then you would need to configure the following:

static (inside,dmz) 172.25.152.0 172.25.152.0 netmask 255.255.255.0

Then "clear xlate" after the above. You should be able to access to and from between inside and dmz, providing that you already configure the access-list to permit the traffic.

Re: ASA 5510 intervlan routing

Nay Myo Tun — Fri, 26 Nov 2010 15:41:59 GMT

Sorry,late response,Jennifer. I still cannot resolve .

My requirement is

( 1 ) I'd like to ssh/ ftp from internal server to DMZ server

( 2 ) would like to ssh / telnet access to Router from internal network. ( currently no way to control/ configure RTR from internal segment unless using console access )

( 3 ) outside < --- > DMZ ftp traffic . And also But the current config still doen't fullfill my requirement. Kindly take note my FW is ASA Version 8.3(1)with 5510 HW. My config is as per attach. What could be the blocking issue?

Re: ASA 5510 intervlan routing

Mohamed Sobair — Fri, 26 Nov 2010 17:14:08 GMT

Hi,

In firewall terminology, from Higher Security level to access lower securtiy level Only nat is required, From Lower Security level to higher security level an access-list or conduit must be used to permit the traffic.

Your configuration looks Ok except that you dont have dynamic Nat for the inside Network to DMZ and Outside.

For ASA version 8.3 , The configuration is slightly different, please add the following commands and check out your Access:

object network obj-192.25.130.0   subnet 192.25.130.0 255.255.255.0   nat (inside,outside) dynamic 192.25.152.250
object network obj-192.25.130.0-01   subnet 192.25.130.0 255.255.255.0   nat (inside,dmz1) dynamic 192.25.156.250
object network obj-192.25.130.0-02   subnet 192.25.130.0 255.255.255.0   nat (inside,dmz2) dynamic 192.25.154.250

HTH

Mohamed

Re: ASA 5510 intervlan routing

Nay Myo Tun — Mon, 29 Nov 2010 12:26:32 GMT

Hi sobair,

Thanks and really appreciate your expertise. I am now able to access the DMZ server/ External Router from the internal network.But still trying the opposite direction from the lower security level to the higer security level. ( External to DMZ server , and DMZ server to Interal Network ).So should I configure just ACL only in order to permit the traffic from lower security to higher security ?

My Current Config is

object-group service PORT_GROUPtcp

port-object eq echo

port-object eq ftp

port-object eq ssh

! Allow access from Internet to DMZ SVR

access-list OUT_IN extended permit tcp any host 192.25.154.107 object-group PORT_GROUP

Pls. see the attached for more detail.

Re: ASA 5510 intervlan routing

cadet alain — Mon, 29 Nov 2010 13:59:30 GMT

Hi,

if you want access from out to dmz then you need an ACL permitting the traffic from lower to higher security but you also have to do static nat from dmz server to outside.

For dmz to in you need an ACL but you don't need static nat just dynamic nat from dmz to in.

Regards.

Re: ASA 5510 intervlan routing

Mohamed Sobair — Mon, 29 Nov 2010 14:50:23 GMT

Hi,

No not only an ACL, you need static Nat from inside to DMZ that allows access from DMZ network to the inside Network along with ACL applied on the DMZ interface.

HTH

Mohamed

Re: ASA 5510 intervlan routing

cadet alain — Mon, 29 Nov 2010 21:36:26 GMT

Hi Mohamed,

I didn't say only an ACL but also dynamic nat from dmz to in but you're surely right about static but I can't test it as I haven't got any ASA in my lab and it's been a long time since I've configured one.

Regards.

Re: ASA 5510 intervlan routing

Nay Myo Tun — Tue, 30 Nov 2010 15:34:38 GMT

Hi Mohamed,

I have tried added the static nat . But still error message and didn't go through from DMZ to IN and OUT to DMZ. Kindly advise. Attach is the network diagram.

( For Extenal to DMZ2 )

object network DMZ2_static

host 192.25.154.107

nat (DMZ2,OUT) static 192.25.152.246

( For DMZ to internal )

object network DMZ2_IN_static

host 172.25.154.107

nat ( DMZ2,IN) static 172.25.130.250

Existing ACL

access-list OUT_IN extended permit tcp any host 192.25.154.107 object-group PORT_GROUP

access-list IN_IN extended permit ip 192.25.130.0 255.255.255.0 any

Existing Group

access-group OUTSIDE_IN in interface OUT

access-group INSIDE_IN in interface IN

( error message : )

Source IP Source Destination IP Dest (port) Description

192.25.154.107	37457	192.25.130.22	22	Inbound TCP connection denied from 192.25.154.107/37457 to 192.25.130.102/22 flags SYN on interface DMZ2
192.25.154.107	43166	192.25.130.22	21	Inbound TCP connection denied from 192.25.154.107/43166 to 192.25.130.102/21 flags SYN on interface DMZ2
192.25.158.60	3096	192.25.158.248	443	Teardown TCP connection 3215 for management:192.25.158.60/3096 to identity:192.25.158.248/443 duration 0:03:01 bytes 989 TCP Reset-O
192.25.158.60	4026	192.25.158.248	80	TCP access denied by ACL from 192.25.158.60/4026 to management:192.25.158.248/80

( Note: 192.25.158.60 is management station @ 158 network. )

Re: ASA 5510 intervlan routing

Mohamed Sobair — Tue, 30 Nov 2010 17:40:35 GMT

Hi,

From DMZ to Internal , try bellow config:

hostname(config)# object network host-obj 2.hostname(config-network-object)# host172.25.154.107
3.hostname(config-network-object)# nat (inside,dmz) static 172.25.130.250

Access-list DMZ permit ip any host 172.25.130.250

Access-group DMZ in interface DMZ2

And From Outside to DMZ, try the following:

object network DMZ2_static

host 192.25.154.107

nat (DMZ2,OUT) static 192.25.152.246

access-list OUTSIDE_IN extended permit tcp any host 172.25.130.250 object-group PORT_GROUP

access-group OUTSIDE_IN in interface OUT

HTH

Mohamed

Re: ASA 5510 intervlan routing

Nay Myo Tun — Wed, 01 Dec 2010 15:17:55 GMT

Hi Mohamed,

Thanks for your kind support. I still have issue to access from OUT to DMZ and DMZ to internal network.

ASA01# sh nat translated interface OUT

Auto NAT Policies (Section 2)

1 (DMZ2) to (OUT) source static OUT_TO_DMZ2 172.25.152.246

translate_hits = 0, untranslate_hits = 0

2 (DMZ2) to (OUT) source dynamic OUT 172.25.152.250

translate_hits = 77, untranslate_hits = 0

ASA01# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list OUT_IN; 6 elements; name hash: 0xc608a2be

access-list OUT_IN line 1 extended permit tcp any host 172.25.154.107 object-group PORT_GROUP 0x93ff2600

access-list OUT_IN line 1 extended permit tcp any host 172.25.154.107 eq echo (hitcnt=2) 0x9124577b

access-list OUT_IN line 1 extended permit tcp any host 172.25.154.107 eq ftp (hitcnt=28) 0x4450eadc

access-list OUT_IN line 1 extended permit tcp any host 172.25.154.107 eq ssh (hitcnt=25) 0x8bf2d476

access-list OUT_IN line 2 extended permit tcp any host 172.25.154.250 object-group PORT_GROUP 0xc2fa2030

access-list OUT_IN line 2 extended permit tcp any host 172.25.154.250 eq echo (hitcnt=2) 0xe7ad53a7

access-list OUT_IN line 2 extended permit tcp any host 172.25.154.250 eq ftp (hitcnt=2) 0x01d86629

access-list OUT_IN line 2 extended permit tcp any host 172.25.154.250 eq ssh (hitcnt=0) 0x8814dc01

access-list INSIDE_IN; 1 elements; name hash: 0xcf1073ab

access-list INSIDE_IN line 1 extended permit ip 172.25.130.0 255.255.255.0 any (hitcnt=0) 0xf2f5e4a1

access-list DMZ2; 5 elements; name hash: 0x85355895

access-list DMZ2 line 1 extended permit ip any host 172.25.130.250 (hitcnt=0) 0x7d17c44b

access-list DMZ2 line 2 extended permit icmp 172.25.154.0 255.255.255.0 host 172.25.130.250 (hitcnt=0) 0xc172bb61

access-list DMZ2 line 3 extended permit tcp 172.25.154.0 255.255.255.0 host 172.25.130.250 object-group PORT_GROUP 0x84222e17

access-list DMZ2 line 3 extended permit tcp 172.25.154.0 255.255.255.0 host 172.25.130.250 eq echo (hitcnt=0) 0x950b8d32

access-list DMZ2 line 3 extended permit tcp 172.25.154.0 255.255.255.0 host 172.25.130.250 eq ftp (hitcnt=0) 0x704a9bc5

access-list DMZ2 line 3 extended permit tcp 172.25.154.0 255.255.255.0 host 172.25.130.250 eq ssh (hitcnt=0) 0xc6b3d207

ASA01#

object network DMZ1
    subnet 172.25.156.0 255.255.255.0
object network DMZ2
    subnet 172.25.130.0 255.255.255.0
object network OUT
    subnet 172.25.130.0 255.255.255.0
object network DMZ2
    host 172.25.154.107
object network DMZ1
     subnet 172.25.130.0 255.255.255.0
object network DMZ2_TO_INSIDE
    host 172.25.154.107
object network OUT_TO_DMZ2
    host 172.25.154.107

object network DMZ2
   nat (INSIDE,DMZ2) dynamic 172.25.154.250
object network OUT
   nat (DMZ2,OUT) dynamic 172.25.152.250
object network DMZ1
   nat (DMZ2,DMZ1) dynamic 172.25.156.250
object network DMZ2_TO_INSIDE
   nat (INSIDE,DMZ2) static 172.25.130.250
object network OUT_TO_DMZ2
   nat (DMZ2,OUT) static 172.25.152.246
access-group OUT_IN in interface OUT
access-group DMZ2 in interface DMZ2
route OUT 0.0.0.0 0.0.0.0 172.25.152.246 1
route OUT 172.25.240.0 255.255.255.0 172.25.152.246 1

Here is the syslog

Dst IP Port

5	Dec 01 2010	16:16:52	305013	172.25.154.107	22			Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src OUT:172.25.240.111/48863 dst DMZ2:172.25.154.107/22 denied due to NAT reverse path failure
3	Dec 01 2010	16:17:55	710003	172.25.158.60	2472	172.25.158.248	80	TCP access denied by ACL from 172.25.158.60/2472 to management:172.25.158.248/80
5	Dec 01 2010	16:20:07	305013	172.25.154.107	22			Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src OUT:172.25.240.111/49079 dst DMZ2:172.25.154.107/22 denied due to NAT reverse path failure
4	Dec 01 2010	16:28:25	106023	172.25.240.111		172.25.154.107		Deny icmp src OUT:172.25.240.111 dst DMZ2:172.25.154.107 (type 8, code 0) by access-group "OUT_IN" [0x0, 0x0]

Note: 172.25.240.111 is the IP address of the server which is connected to the External to gi0/0 RTR 3825 172.25.240.110/24.

RTR 3825 gi0/1 172.25.152.246 is connected to FW OUT 172.25.152.248.

Re: ASA 5510 intervlan routing

Mohamed Sobair — Wed, 01 Dec 2010 16:24:26 GMT

Hi,

DO you have nat excemption configured? could you post the output of (show run nat)

Mohamed

Re: ASA 5510 intervlan routing

Nay Myo Tun — Thu, 02 Dec 2010 01:47:47 GMT

Thanks,Mohamed. I don't have nat excemption configured.

AODWASA01# sh run nat
!
object network DWH-MAIN
nat (DWH-MAIN,GDG_MAIN) dynamic 172.25.154.250
object network FW_EXT
nat (DWH-MAIN,FW_EXT) dynamic 172.25.152.250
object network GDG-MGT
nat (DWH-MAIN,GDG_MGT) dynamic 172.25.156.250
object network GDG_MAIN_TO_DWH-MAIN
nat (DWH-MAIN,GDG_MAIN) static 172.25.130.250
object network FW_EXT_TO_GDG_MAIN
nat (GDG_MAIN,FW_EXT) static 172.25.152.246

Thanks.

Re: ASA 5510 intervlan routing

Nay Myo Tun — Thu, 02 Dec 2010 02:08:11 GMT

Hi Mohamed, Here is the output.

AODWASA01# sh run nat
!
object network IN
      nat (IN,DMZ2) dynamic 172.25.154.250
object network OUT
      nat (IN,OUT) dynamic 172.25.152.250
object network DMZ1
      nat (IN,DMZ1) dynamic 172.25.156.250
object network DMZ2_TO_IN
      nat (IN,DMZ2) static 172.25.130.250
object network OUT_TO_DMZ2
      nat (DMZ2,OUT) static 172.25.152.246

Thanks.

Re: ASA 5510 intervlan routing

Mohamed Sobair — Thu, 02 Dec 2010 11:32:18 GMT

Remove the following commands:

object network DMZ2_TO_INSIDE
host 172.25.154.107

object network DMZ2_TO_INSIDE
nat (INSIDE,DMZ2) static 172.25.130.250

Add the following commands:

object network DMZ2-TO-INSIDE
subnet 172.25.104.0 255.255.255.0

object network DMZ2-TO-INSUIDE
nat (INSIDE,DMZ2) static 172.25.104.0

Access-group dmz in interface DMZ2

access-list dmz permit ip 172.25.130.0 255.255.255.0 172.25.104.0 255.255.255.0

clear xlate , and check the access from the DMZ to the inside.

Regards,

Mohamed

Re: ASA 5510 intervlan routing

Nay Myo Tun — Thu, 02 Dec 2010 14:30:03 GMT

Hi Mohamed,

Kindly check the packet tracer result.

ASA01# packet-tracer input DMZ2 tcp 172.25.154.107 ftp 172.25.130.250 ftp

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network DMZ2_TO_INSIDE
nat (INSIDE,DMZ2) static 172.25.130.250
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 172.25.130.250/21 to 172.25.154.107/21

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: DMZ2
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA01#

ASA01# packet-tracer input OUT tcp 172.25.152.250 ftp 172.25.154.107 ftp

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.25.154.0 255.255.255.0 DMZ2

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface OUT
access-list OUT_IN extended permit tcp any host 172.25.154.107 object-group DW_GROUP
object-group service DW_GROUP tcp
port-object eq echo
port-object eq ftp
port-object eq ssh
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network OUT_TO_DMZ2
nat (DMZ2,OUT) static 172.25.152.246
Additional Information:

Result:
input-interface: OUT
input-status: up
input-line-status: up
output-interface: DMZ2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA01#

Re: ASA 5510 intervlan routing

Nay Myo Tun — Thu, 02 Dec 2010 14:33:45 GMT

Thanks, Mohamed. I will do it the first thing in the morning and will update accordingly.

Re: ASA 5510 intervlan routing

Nay Myo Tun — Tue, 14 Dec 2010 15:04:27 GMT

Hi Mohamed,

I have managed to configure all outbound direction ( INSIDE--> DMZ1& 2 , INSIDE --> OUTSIDE , DMZ1,2 ---> OUTSIDE.

But still not able to access inbound direction ( OUT --> DMZ 1,2 , DMZ1,2 ---> INSIDE ). Kindly advise how to allow traffic from DMZ --> INSIDE, OUTSIDE ---> DMZ. I need to be able to ping / ftp inbound direction from lower to higher security level. Kindly take note that my IOS version is ASA Version 8.3(1).

For outbound direction, these dynamic NAT config seems to be OK since I can access ssh / ftp outbound direction ( higher to lower security interface)

interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 172.25152.248 255.255.255.0
!
interface Ethernet0/1
nameif DMZ1
security-level 50
ip address 172.25.154.249 255.255.255.0
!
interface Ethernet0/2
nameif DMZ2
security-level 50
ip address 172.25.156.249 255.255.255.0
!
interface Ethernet0/3
nameif INSIDE
security-level 100
ip address 172.25.130.248 255.255.255.0

Dynamic NATs ( successful for outbound access )

( Outbound from inside to DMZ2 )

object network INSIDE_dynamic_DMZ2

subnet 172.25.130.0 255.255.255.0

nat (INSIDE,DMZ2) dynamic 172.25154.250

( Outbound from DMZ2 to outside )

object network DMZ2_dynamic_OUTSIDE

host 172.25.154.107

nat (DMZ2,OUTSIDE) dynamic 172.25152.251

( Outbound from inside to outside )

object network INSIDE_dynamic_OUTSIDE

subnet 172.25.130.0 255.255.255.0

nat (INSIDE,OUTSIDE) dynamic 172.25152.250

( Outbound from inside to DMZ1 )

object network INSIDE_dynamic_DMZ1

subnet 172.25.130.0 255.255.255.0

nat (INSIDE,DMZ1) dynamic 172.25.156.250

STATIC NATs ( Not successful for inbound access )

( Inbound from outside to DMZ1 )

object network OUTSIDE-static_DMZ1

subnet 172.25.156.0 255.255.255.0

nat (DMZ1,OUTSIDE) static 172.25.152.252

( Inbound from DMZ2 to INSIDE )

object network DMZ2-static-INSIDE

subnet 172.25.154.0 255.255.255.0

nat (INSIDE,DMZ2) static 172.25.130.253

Errror Message I got when I ssh "172.25.130.101" ( inside server ) from DMZ1 server 172.25154.107 .

Dec 07 2010

17:40:53

106023

172.25.154.107

60815

172.25.154.101

Deny tcp src DMZ2:172.25.154.107/60815 dst INSIDE:172.25.154.101/22 by access-group "DMZ2_INSIDE" [0x0, 0x0]

( Inbound from outside to DMZ2 )

object network OUTSIDE-static-DMZ2

subnet 172.25.154.0 255.255.255.0

nat (DMZ2, OUTSIDE) static 172.25.152.253

( Error message when ssh from the external server which is located external interface of Router to DMZ2 server 172.25154.107 : )

#ssh 172.25.154.107
ssh: connect to host 172.25.154.107 port 22: No route to host

( Note: routing has been added in the external server and can ping to ext interface of FW )

Access Lists

access-list OUTSIDE_IN extended permit tcp any host 172.25154.107 object-group PORT_GROUP

access-list INSIDE_IN extended permit ip 172.25.130.0 255.255.255.0 any

access-list OUTSIDE_DMZ1 extended permit ip 172.25.156.0 255.255.255.0 172.25152.0 255.255.255.0

access-list DMZ2_INSIDE extended permit ip 172.25130.0 255.255.255.0 172.25154.0 255.255.255.0

access-list DMZ1_INSIDE extended permit ip 172.25130.0 255.255.255.0 172.25150.0 255.255.255.0

access-list OUTSIDE_DMZ2 extended permit ip 172.25.154.0 255.255.255.0 172.25152.0 255.255.255.0

access-group OUTSIDE_DMZ1 in interface OUTSIDE

access-group DMZ2_INSIDE in interface DMZ2

access-group DMZ1_INSIDE in interface DMZ1

Regards,