topic Re: DMZ Internet Access in Network Security

DMZ Internet Access

kharvey — Mon, 11 Mar 2019 17:36:52 GMT

I think that I am on the last part of my Firewall config, and that is allowing traffic out of the DMZ to the Internet. In theory I have it working where Internet traffic coming in is allowed, but I haven't been able to test that yet.

Here is the config for the DMZ:

interface Ethernet0/1
description TWTelecom Internet
speed 100
duplex full
nameif ExtNet
security-level 1
ip address 207.170.247.122 255.255.255.252

interface Ethernet0/2
description DMZ Interface
nameif DMZNet
security-level 25
ip address 10.2.2.254 255.255.0.0

object-group service WebPorts tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
port-object eq pop3

access-list DMZACL remark Allow all ICMP traffic
access-list DMZACL extended permit icmp any any
access-list DMZACL remark Allow SQL traffic from websites to SQL servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSQL eq 1433
access-list DMZACL remark Allow SMTP traffic from websites to Exchange servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSMTP eq smtp
access-list DMZACL remark Deny all DMZ traffic to Internal Network
access-list DMZACL extended deny ip any host 10.1.0.0
access-list DMZACL remark Allow DMZ access to the Internet
access-list DMZACL extended permit tcp 10.2.0.0 255.255.0.0 any object-group WebPorts
access-list DMZACL remark Deny EVERYTHING
access-list DMZACL extended deny ip any any

global (ExtNet) 1 216.64.172.34 netmask 255.255.255.255
global (ExtNet) 2 216.64.172.33 netmask 255.255.255.255
nat (IntNet) 0 access-list nonat
nat (IntNet) 1 10.1.0.0 255.255.0.0
nat (DMZNet) 2 10.2.0.0 255.255.0.0
static (IntNet,DMZNet) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

access-group IntACL in interface IntNet
access-group ExtACL in interface ExtNet
access-group DMZACL in interface DMZNet
route ExtNet 0.0.0.0 0.0.0.0 207.170.247.121 1

But so far I am unable to ping anything on the Internet, nor am I able to connect to anything using HTTP.

I don't think that the traffic is being blocked as I am able to use

packet-tracer input DMZNet tcp 10.2.1.100 80 209.85.171.104 80 detail

without any errors.

I have also checked the logs and it shows that it is trying to do the connection, but it doesn't appear like the connection ever finishes.

I think that it might be a routing issue. But I am not sure.

Can someone help to shed some light on this issue? I am pretty sure the ACL's are good, but I am still a bit skeptical of the NAT or possibly the routing.

Re: DMZ Internet Access

Federico Coto Fajardo — Fri, 23 Apr 2010 21:43:06 GMT

Hi,

You're tryintg to get out to the internet from the interface called DMZNet correct?

This interface has a security level of 25.

The outside ExNet has a security level of 1.

This means that traffic should flow from this interface to the outside interface (security level 0) without any ACLs.

The DMZNet has an IP range of 10.2.0.0/16

The ExNet has a public IP.

Can you PING 207.170.247.121 from the ASA itself?

Can you PING 4.2.2.2 from the ASA itself?

If the answer is yes, then you have Internet from the ASA itself.

Check with the ''sh xlate local 10.2.2.x'' when attempting to get out to the Internet from that host on the DMZ.

Federico.

Re: DMZ Internet Access

kharvey — Fri, 23 Apr 2010 21:53:43 GMT

Wow, thank you for that fast reply.

In most cases, yes the Internet would flow freely from one interface to a lower interface, but I have specific denies in place to block unwanted traffic out.

But as I said my packet trace works without issue.

So I ran sh xlate local 10.2.50.100 and here is the output that I received:

PAT Global 216.64.172.33(1551) Local 10.2.50.100 ICMP id 768

Using the IntNet interface I am able to ping 209.85.171.104, but I am unable to ping that using either ExtNet or DMZNet

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.85.171.104, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

When running a ping from 10.2.50.100 to 209.85.171.104 this is what is showing up in the log

Apr 23 2010

07:38:17

302020

10.2.50.100

768

209.85.171.104

Built outbound ICMP connection for faddr 209.85.171.104/0 gaddr 216.64.172.33/42153 laddr 10.2.50.100/768

Apr 23 2010

07:38:21

302021

209.85.171.104

10.2.50.100

768

Teardown ICMP connection for faddr 209.85.171.104/0 gaddr 216.64.172.33/42153 laddr 10.2.50.100/768

Re: DMZ Internet Access

Federico Coto Fajardo — Fri, 23 Apr 2010 22:00:17 GMT

The only difference that I see is:

The IntNet gets translated to 216.64.172.34
The DMZNet gets translated to 216.64.172.33

You say, Internet works fine from the IntNet interface?
Could you do a test:

no nat (DMZNet) 2 10.2.0.0 255.255.0.0
nat (DMZNet) 1 10.2.0.0 255.255.0.0
clear xlate

In this way, the DMZNet will get translated to .34 as the IntNet.

Let's see if it works.

Re: DMZ Internet Access

kharvey — Wed, 28 Apr 2010 22:17:43 GMT

I apologize for the late response.

But I made those changes, and I am still unable to ping from my DMZNet interface.

I am actually stumped as to why I am unable to connect out at this point.

Re: DMZ Internet Access

Federico Coto Fajardo — Wed, 28 Apr 2010 22:23:57 GMT

Please double-check that the destination that you're trying to reach is allowed on the DMZACL access-list.

Also, check if the translation is being built when attempting the connection.

sh xlate

Also, try to reach the default gateway of the ASA from the host on the DMZ, to check if traffic from the DMZ through the outside interface is working.

You can use an utility called Packet Tracer which you can use it via the CLI or ASDM that shows if any process on the ASA is blocking the connection.

Federico.

Re: DMZ Internet Access

kharvey — Thu, 29 Apr 2010 13:20:47 GMT

It is creating the xlate when I run the ping:

Firewall# sh xlate | inc 10.2
PAT Global 216.64.172.33(16856) Local 10.2.50.100 ICMP id 768

I am able to ping the default gateway just fine from the computer I am testing with. When I try to ping from the ASA itself (ping DMZNet 209.85.171.104) I get request timed out.

I am afraid that I do not know how to do the packet tracer command with ICMP properly (I will have to look that up a bit later). But when I ran the command:

packet-tracer input DMZNet icmp 10.2.2.100 1 1 1 209.85.171.104

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 ExtNet

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZACL in interface DMZNet
access-list DMZACL extended permit icmp any any
access-list DMZACL remark Allow SQL traffic from websites to SQL servers
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (DMZNet) 2 10.2.0.0 255.255.0.0
match ip DMZNet 10.2.0.0 255.255.0.0 ExtNet any
dynamic translation to pool 2 (216.64.172.33)
translate_hits = 10, untranslate_hits = 0
Additional Information:

Result:
input-interface: DMZNet
input-status: up
input-line-status: up
output-interface: ExtNet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Now I do know how to run the packet tracer for TCP and this is what I got from there:

packet-tracer input DMZNet tcp 10.2.2.100 80 209.85.171.104 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 ExtNet

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZACL in interface DMZNet
access-list DMZACL extended permit tcp 10.2.0.0 255.255.0.0 any object-group WebPorts
access-list DMZACL remark Deny EVERYTHING
object-group service WebPorts tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
port-object eq pop3
port-object eq imap4
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZNet) 2 10.2.0.0 255.255.0.0
match ip DMZNet 10.2.0.0 255.255.0.0 ExtNet any
dynamic translation to pool 2 (216.64.172.33)
translate_hits = 11, untranslate_hits = 0
Additional Information:
Dynamic translate 10.2.2.100/80 to 216.64.172.33/319 using netmask 255.255.255.255

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZNet) 2 10.2.0.0 255.255.0.0
match ip DMZNet 10.2.0.0 255.255.0.0 ExtNet any
dynamic translation to pool 2 (216.64.172.33)
translate_hits = 11, untranslate_hits = 0
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 701784, packet dispatched to next module

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 207.170.247.121 using egress ifc ExtNet
adjacency Active
next-hop mac address 001b.c016.c8f7 hits 42500

Result:
input-interface: DMZNet
input-status: up
input-line-status: up
output-interface: ExtNet
output-status: up
output-line-status: up
Action: allow

It looks like I might have a NAT problem....again.

Re: DMZ Internet Access

Federico Coto Fajardo — Thu, 29 Apr 2010 14:23:52 GMT

The problem seems NAT, let's do the following:

Please post the output of:

sh run nat

sh run global

sh run static

sh run access-group

sh run access-list

Federico.

Re: DMZ Internet Access

kharvey — Thu, 29 Apr 2010 14:37:32 GMT

Firewall# sh run nat
nat (IntNet) 0 access-list nonat
nat (IntNet) 1 10.1.0.0 255.255.0.0
nat (DMZNet) 2 10.2.0.0 255.255.0.0

Firewall# sh run global
global (ExtNet) 1 216.64.172.34 netmask 255.255.255.255
global (ExtNet) 2 216.64.172.33 netmask 255.255.255.255

Firewall# sh run static
static (IntNet,DMZNet) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (IntNet,ExtNet) 216.64.172.35 10.1.2.12 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.40 10.1.2.6 netmask 255.255.255.255
static (DMZNet,ExtNet) 216.64.172.41 10.1.2.2 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.61 10.1.1.100 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.62 10.1.1.101 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.59 10.1.1.102 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.58 10.1.1.104 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.42 10.1.1.106 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.57 10.1.2.150 netmask 255.255.255.255
static (IntNet,ExtNet) 216.64.172.38 10.1.2.30 netmask 255.255.255.255

Firewall# sh run access-group
access-group IntACL in interface IntNet
access-group ExtACL in interface ExtNet
access-group DMZACL in interface DMZNet

Firewall# sh run access-list
access-list DMZACL remark Allow all ICMP traffic
access-list DMZACL extended permit icmp any any
access-list DMZACL remark Allow SQL traffic from websites to SQL servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSQL eq 1433
access-list DMZACL remark Allow SMTP traffic from websites to Exchange servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSMTP eq smtp
access-list DMZACL remark Deny all DMZ traffic to Internal Network
access-list DMZACL extended deny ip any 10.1.0.0 255.255.0.0
access-list DMZACL remark Allow DMZ access to the Internet
access-list DMZACL extended permit tcp 10.2.0.0 255.255.0.0 any object-group WebPorts
access-list DMZACL remark Deny EVERYTHING
access-list DMZACL extended deny ip any any

Re: DMZ Internet Access

Federico Coto Fajardo — Thu, 29 Apr 2010 14:49:36 GMT

Ok, here are the commands we need:

nat (DMZNet) 2 10.2.0.0 255.255.0.0
global (ExtNet) 2 216.64.172.33 netmask 255.255.255.255
access-group DMZACL in interface DMZNet

You need to get to 209.85.171.104 from 10.2.2.100 correct?

The access list applied to the DMZNet is DMZACL.
You are referring to an object-group called DMZWebsites, but from the configuration I only see
the object-group WebPorts tcp
You need to make sure that on the DMZACL, the outgoing traffic is allowed (or post the object-groups as well)

Then,
Host 10.2.2.100 (DMZNet) will be NATed to 216.64.172.33 when going out the outside interface.
We have checked that the translation takes place ''sh xlate local 10.2.2.100'' correct?

You have said, that you can PING 207.170.247.121 from 10.2.2.100 fine correct?
This means that traffic is flowing fine from the DMZNet to the outside.

The IP that you're trying to reach 209.85.171.104, is located on the outside interface from the ASA perspective correct?
What is this device?

Federico.

Re: DMZ Internet Access

kharvey — Thu, 29 Apr 2010 15:43:07 GMT

Sorry about that, I forgot about the object groups.

object-group service WebPorts tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
port-object eq pop3
port-object eq imap4

object-group network DMZWebsites
network-object host 10.2.1.101
network-object host 10.2.1.100
network-object host 10.2.1.104
network-object host 10.2.1.102

209.85.171.104 is just one of the IP addresses for www.google.com Since I may have a problem with DNS resolution, I am first testing with IP's, once I get the IP's functioning I will start playing with DNS.

So to answer your question I need all DMZNet systems (10.2.0.0/16) to be able to access the Internet.

The system that I am currently testing with is setup on DHCP and has an IP of 10.2.50.102

Firewall# sh xlate local 10.2.50.102
309 in use, 777 most used

This is on an ASA 5510 running 8.0(5)

Re: DMZ Internet Access

Federico Coto Fajardo — Thu, 29 Apr 2010 15:48:28 GMT

I cannot PING 209.85.171.104 or open a browser with that IP either.

Can you try a PING to 4.2.2.2?

Federico.

Re: DMZ Internet Access

kharvey — Thu, 29 Apr 2010 16:14:36 GMT

Alright, so I am a dunce, and Google has changed their IP.

I am able to successfully ping the 4.2.2.2

Which means that this has probably been working since the start

I was also able to get DNS up and running, but allowing External DNS traffic.

Thank you very much Federico, you have perfectly resolved my problem.

Re: DMZ Internet Access

Federico Coto Fajardo — Thu, 29 Apr 2010 16:18:33 GMT

Glad that is working.

Thank you Ken.

Federico.