topic Re: Need help with giving devices behind DMZ access to Lan Resou in Network Security

Need help with giving devices behind DMZ access to Lan Resources

David Haman — Mon, 11 Mar 2019 18:08:19 GMT

Heres a little background of my setup, I have 1 Isp which assigns me an Ip via dhcp , i have Patted my inside to outside to receive net access, I have also done the same with my Dmz interface which all devices on the Dmz can access the internet. Inside (vlan1) Outside (vlan2) Dmz (vlan3)

I have sucessfully setup rules to access from outside of my network a couple of security cameras to watch my dogs while i am work, my email server etc , plus i have vpn access. works very well. My only issue is i want dmz devices to be able to access and Use my Dns server that sits on the inside , but i have tried so many access list, rules etc and i continuously receive an error that states denied due to dns query. I also want DMZ devices to beable to access network printers (port 9100) that reside on the inside also but i have been unsucessful with this Of course the only way my dmz devices can access internal recourses is if i set the security level to 100 which i do not want to do . Vlan 3 labled dmz is my wireless segment . (as for now i have a second nic on my dns server that is on the 10.10.3.x network going to vlan 3 ) but that is just temp . I want Dmz computers to be able to access internal Dns and AD..etc..I also was wishing that the ASA could allow me to doa sort of ip helper so my vlan 3 can pull ip addresses from my dhcp server on the dmz network, but for now i have dhcp running on a server for just the inside, and the dmz is pulling dhcp address for clients from the asa dhcp server..I just want the dmz devices to be able to access certain inside resources.

Thanks in advance for any assistance

Here is my config

!
ASA Version 8.3(1)
!
hostname xxxxxxxxx
domain-name xxxxxxxxxxxx.local
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
name 10.10.10.9 foxclone
name 10.10.10.198 netprinter-01
name 10.10.10.14 file-serv
name 10.10.3.190 petcam
name 10.10.10.25 mail-serv
name 10.10.3.191 petcam2
name 10.10.10.254 namesrv0-1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
banner exec Welcome To xxxxxxx
banner login Welcome To xxxxxxx
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server namesrv0-1
domain-name xxxxxxxxx.local
dns server-group vlan3_dns_server
name-server 10.10.3.254(temp)
domain-name dmz.liquidskynet.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
description inside network segment
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.192
object network mail-serv-smtp
host 10.10.10.25
object network mail-serv-https
host 10.10.10.25
object network foxclone
host 10.10.10.9
object network Inside_Outside_Dynamic_Pat
subnet 10.10.10.0 255.255.255.0
object network Dmz_Outside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network petcam2-http
host 10.10.3.191
object network petcam-http
host 10.10.3.190
object network petcam2-winstream
host 10.10.3.191
object network namesrv0-1
host 10.10.10.254
object network file-serv
host 10.10.10.14
object network obj-10.10.3.0
subnet 10.10.3.0 255.255.255.0
description dmz network segment
object network Dmz_Inside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network namesrv0-1(vlan3)
host 10.10.3.254
object network mail-serv
host 10.10.10.25
object network foxclone-rdp-dmz
host 10.10.10.9
object-group network obj_any
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.3.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.3.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list outside_access_in extended permit tcp any object petcam-http eq 8081
access-list outside_access_in extended permit tcp any object mail-serv-https eq https
access-list outside_access_in extended permit tcp any object mail-serv-smtp eq smtp
access-list outside_access_in extended permit tcp any object foxclone eq 7000 inactive
access-list outside_access_in extended permit tcp any object petcam2-http eq 8082
access-list outside_access_in extended permit tcp any object petcam2-winstream eq 81 inactive
pager lines 24
logging enable
logging asdm informational
logging from-address cisco.alerts@liquidskynet.com
logging recipient-address david.haman@liquidskynet.com level alerts
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Vpn-1_Pool 192.168.10.10-192.168.10.34 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-631.bin
asdm location petcam 255.255.255.255 inside
asdm location file-serv 255.255.255.255 inside
asdm location petcam2 255.255.255.255 inside
asdm location 10.10.3.25 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-192.168.10.0 obj-192.168.10.0
nat (dmz,outside) source static obj-10.10.3.0 obj-10.10.3.0 destination static obj-192.168.10.0 obj-192.168.10.0
!
object network mail-serv-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network mail-serv-https
nat (inside,outside) static interface service tcp https https
object network foxclone
nat (inside,outside) static interface service tcp 7000 7000
object network Inside_Outside_Dynamic_Pat
nat (inside,outside) dynamic interface
object network Dmz_Outside_Dynamic_Pat
nat (dmz,outside) dynamic interface dns
object network petcam2-http
nat (dmz,outside) static interface service tcp 8082 8082
object network petcam-http
nat (dmz,outside) static interface service tcp 8081 8081
object network petcam2-winstream
nat (dmz,outside) static interface service tcp 81 81
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http server idle-timeout 60
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd dns namesrv0-1 68.87.73.246 interface inside
dhcpd domain liquidskynet.local interface inside
!
dhcpd address 10.10.3.10-10.10.3.30 dmz
dhcpd dns 10.10.3.254 68.87.73.246 interface dmz
dhcpd domain dmz.liquidskynet.local interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside foxclone C:\TFTP-Root
webvpn
group-policy Tunnel-1 internal
group-policy Tunnel-1 attributes
dns-server value 10.10.10.254 10.10.3.254
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnel-1_splitTunnelAcl
default-domain value liquidskynet.local
group-policy DfltGrpPolicy attributes
dns-server value 10.10.10.254
ip-comp enable
re-xauth enable
pfs enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value Vpn-1_Pool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
username dhaman password xxxxxxxxxxxxxxxxxxxxx encrypted privilege 15
username dhaman attributes
vpn-group-policy Tunnel-1
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
group-lock none
tunnel-group DefaultRAGroup general-attributes
default-group-policy Tunnel-1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxxxxx
tunnel-group Tunnel-1 type remote-access
tunnel-group Tunnel-1 general-attributes
address-pool Vpn-1_Pool
default-group-policy Tunnel-1
tunnel-group Tunnel-1 ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect dns preset_dns_map
!
service-policy global_policy global
smtp-server 10.10.10.25
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Re: Need help with giving devices behind DMZ access to Lan Resou

Nagaraja Thanthry — Tue, 06 Jul 2010 23:11:19 GMT

Seems like you are missing access-list on the DMZ interface. Since DMZ interface is on lower security than the inside, you need exclusive rules to allow DMZ to inside communication.Please try adding an access-list rule allowing traffic from DMZ network to inside and see if that helps. Also, I do not see any NAT rules from inside to DMZ. You might need to add identity NAT to allow DMZ devices to access the inside servers. Hope this helps.

Regards,

Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman — Wed, 07 Jul 2010 00:46:06 GMT

Could you give an example, at first i did have a an access list for this but it did not seem to help.

I upgraded from an older version of asa to this 8.3 version and in the asdm it is a lot more granular than before.

i have tried such access list as

access-list dmz_access_in extended permit tcp any object namesrv0-1 eq domain

but still doesnt work

Re: Need help with giving devices behind DMZ access to Lan Resou

Nagaraja Thanthry — Wed, 07 Jul 2010 02:34:48 GMT

You could use something like:

access-list dmz_access_in permit ip any host

The access list you have seems incorrect as most commonly DNS uses UDP but your access-list is for TCP. Hope this helps.

Regards,

Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman — Wed, 07 Jul 2010 04:00:14 GMT

Thank you for your assistance

i ran the following command

access-list dmz_access_in permit ip any host 10.10.10.254

I still have been receiving the following error when ever i try to have a dmz host use the Dns server in the inside ..im at a loss here

This is the error i receive

Deny inbound UDP from 10.10.3.11/62073 to 10.10.10.254/53 due to DNS Query

Re: Need help with giving devices behind DMZ access to Lan Resou

Nagaraja Thanthry — Wed, 07 Jul 2010 04:32:46 GMT

Have you already added the NAT rule from inside to DMZ? Can you try using the packet-tracer and see at what point the firewall is blocking the access?

packet-tracer input dmz udp 1024 53 detailed

This should tell us the exact place where the packets are getting blocked. Hope this helps.

Regards,

Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman — Wed, 07 Jul 2010 11:44:12 GMT

I have a ststic nat rule from source inside (inside network 10.10.10.0/24) to destination dmz

(dmz network 10.10.3.0/24) im not undestanding why i would need this though since my indside can already see

everything behind the dmz , its that the dmz cant see speccific services like dns behind the inside. o

r maybe i have it backwards?

i have added the staic nat as you suggested inside to dmz, and created an access rule to allow inbound to my dns server but udp/53 is still being dropped

Re: Need help with giving devices behind DMZ access to Lan Resou

Nagaraja Thanthry — Wed, 07 Jul 2010 12:57:04 GMT

Can you post the output of the packet tracer here?

packet-tracer input dmz udp 1024 53 detailed

Regards,

Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman — Wed, 07 Jul 2010 13:43:01 GMT

Here are the results of

packet-tracer input dmz udp 10.10.3.191 1024 10.10.10.254 53 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcac10428, priority=1, domain=permit, deny=false
        hits=8287, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=dmz, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST

Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcac10c48, priority=0, domain=permit, deny=true
        hits=236, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Need help with giving devices behind DMZ access to Lan Resou

Nagaraja Thanthry — Wed, 07 Jul 2010 15:33:48 GMT

Seems like the access-list is not applied to the interface. The traffic is getting dropped due to implicit rule. Can you please apply the ACL to the interface?

access-group in interface DMZ

Hope this helps to fix the issue.

Regards,

Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman — Wed, 07 Jul 2010 15:44:21 GMT

After running these commands

access-list dmz_access_in permit ip any host 10.10.10.254
access-group dmz_access_in in interface DMZ

i receive the following error

petcam2 1132 72.14.204.103 80 Deny tcp src dmz:petcam2/1132 dst outside:72.14.204.103/80 by access-group "dmz_access_in" [0x0, 0x0]

Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman — Wed, 07 Jul 2010 15:52:24 GMT

Hello

I have attached a screenshot of my asdm setups , acl, access rules and Nat, maybe this could help clear up my issue

Thank you very much

Re: Need help with giving devices behind DMZ access to Lan Resou

Nagaraja Thanthry — Wed, 07 Jul 2010 17:40:14 GMT

Can you add the following lines to the access-list? Also, when you had that access-list, I am assuming you were able to get to the DNS server.

access-list dmz_access_in permit ip any host 10.10.10.254

access-list dmz_access_in deny ip any 10.10.10.0 255.255.255.0

access-list dmz_access_in permit ip any any

Hope this helps.

Regards,

Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman — Wed, 07 Jul 2010 17:46:01 GMT

Hello,

I added the access list that you suggested but i still receive this error

DNSDeny inbound UDP from petcam2/64204 to 10.10.10.254/53 due to DNS Query

Re: Need help with giving devices behind DMZ access to Lan Resou

Nagaraja Thanthry — Wed, 07 Jul 2010 19:22:18 GMT

Hello David,

At this point, I think the issue could be due to a bug in Cisco code. But before we go there, can you post the latest "show run" output (with the DMZ access-lists) and also the packet-tracer output

packet-tracer input dmz udp 10.10.3.191 1024 10.10.10.254 53 detailed

Regards,

Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman — Wed, 07 Jul 2010 20:02:23 GMT

: Saved
: Written by dhaman at 15:57:32.736 EDT Wed Jul 7 2010
!
ASA Version 8.3(1)
!
hostname brickzone
domain-name liquidskynet.local
enable password XXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
names
name 10.10.10.9 foxclone
name 10.10.10.198 netprinter-01
name 10.10.10.14 file-serv
name 10.10.3.190 petcam
name 10.10.10.25 mail-serv
name 10.10.3.191 petcam2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name liquidskynet.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.192
object network mail-serv-smtp
host 10.10.10.25
object network mail-serv-https
host 10.10.10.25
object network foxclone
host 10.10.10.9
object network Inside_Outside_Dynamic_Pat
subnet 10.10.10.0 255.255.255.0
object network Dmz_Outside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network petcam2-http
host 10.10.3.191
object network petcam-http
host 10.10.3.190
object network petcam2-winstream
host 10.10.3.191
object network backup-serv
host 10.10.3.11
object network obj-10.10.3.0
subnet 10.10.3.0 255.255.255.0
object network namesrv0-1
host 10.10.10.254
description AD,DNS,DHCP(Inside)
object network petcam-todns-to-inside
host 10.10.3.191
object network petcam2-inside-dns
host 10.10.3.191
object-group network obj_any
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list dmz_access_in extended permit ip any host 10.10.10.254
access-list dmz_access_in extended deny ip any 10.10.10.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.3.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.3.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list outside_access_in extended permit tcp any object petcam-http eq 8081
access-list outside_access_in extended permit tcp any object mail-serv-smtp eq https
access-list outside_access_in extended permit tcp any object mail-serv-smtp eq smtp
access-list outside_access_in extended permit tcp any object foxclone eq 7000 inactive
access-list outside_access_in extended permit tcp any object petcam2-http eq 8082
access-list outside_access_in extended permit tcp any object petcam2-winstream eq 81 inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Vpn-1_Pool 192.168.10.10-192.168.10.34 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-631.bin
asdm location petcam 255.255.255.255 inside
asdm location file-serv 255.255.255.255 inside
asdm location mail-serv 255.255.255.255 inside
asdm location petcam2 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-192.168.10.0 obj-192.168.10.0
nat (dmz,outside) source static obj-10.10.3.0 obj-10.10.3.0 destination static obj-192.168.10.0 obj-192.168.10.0
!
object network mail-serv-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network mail-serv-https
nat (inside,outside) static interface service tcp https https
object network foxclone
nat (inside,outside) static interface service tcp 7000 7000
object network Inside_Outside_Dynamic_Pat
nat (inside,outside) dynamic interface
object network Dmz_Outside_Dynamic_Pat
nat (dmz,outside) dynamic interface
object network petcam2-http
nat (dmz,outside) static interface service tcp 8082 8082
object network petcam-http
nat (dmz,outside) static interface service tcp 8081 8081
object network petcam2-winstream
nat (dmz,outside) static interface service tcp 81 81
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http server idle-timeout 60
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd dns 10.10.10.254 interface inside
dhcpd domain liquidskynet.local interface inside
!
dhcpd address 10.10.3.10-10.10.3.30 dmz
dhcpd dns 68.87.71.230 68.87.73.246 interface dmz
dhcpd domain dmz.liquidskynet.local interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Tunnel-1 internal
group-policy Tunnel-1 attributes
dns-server value 10.10.10.254
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnel-1_splitTunnelAcl
default-domain value liquidskynet.local
group-policy DfltGrpPolicy attributes
dns-server value 10.10.10.254
ip-comp enable
re-xauth enable
pfs enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value Vpn-1_Pool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
username dhaman password XXXXXXXXXXXXXXXXXXXXXXXX encrypted privilege 15
username dhaman attributes
vpn-group-policy Tunnel-1
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
group-lock none
tunnel-group DefaultRAGroup general-attributes
default-group-policy Tunnel-1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key XXXXXXXXXXXXX
tunnel-group Tunnel-1 type remote-access
tunnel-group Tunnel-1 general-attributes
address-pool Vpn-1_Pool
default-group-policy Tunnel-1
tunnel-group Tunnel-1 ipsec-attributes
pre-shared-keyXXXXXXXXXXXXX
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum XXXXXXXXXXX
: end

Here is the Trace

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcac10428, priority=1, domain=permit, deny=false
        hits=16767, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=dmz, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 inside

Phase: 3

Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcac10c48, priority=0, domain=permit, deny=true
        hits=464, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any

Re: Need help with giving devices behind DMZ access to Lan Resou

Nagaraja Thanthry — Wed, 07 Jul 2010 20:19:15 GMT

Hello David,

I do not see the DMZ access-list applied to the interface.

access-group dmz_access_in in interface DMZ

Also, the identity NAT between inside and DMZ is missing:

object network namesrv0-1
host 10.10.10.254
description AD,DNS,DHCP(Inside)

nat (inside,dmz) static 10.10.10.254

Please enter these commands and then run the packet tracer again.

packet-tracer input dmz udp 10.10.3.191 1024 10.10.10.254 53 detailed

Hopefully that should tell us where it is getting blocked. Current output indicates that there is not access-list on the DMZ interface.

Regards,

Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman — Wed, 07 Jul 2010 20:43:56 GMT

after i added

access-list dmz_access_in permit ip any host 10.10.10.254

access-list dmz_access_in deny ip any 10.10.10.0 255.255.255.0

access-list dmz_access_in permit ip any any

I was forgetting

nat (inside,dmz) source static namesrv0-1 namesrv0-1 destination static namesrv0-1 namesrv0-1

access-group dmz_access_in in interface DMZ

My dmz devices can now use my dns server that sits on the inside interface

Thank you so very much for your assistance with helping me I really appreciate it, now i have a much better understanding of this

Re: Need help with giving devices behind DMZ access to Lan Resou

Nagaraja Thanthry — Wed, 07 Jul 2010 21:01:47 GMT

Nice to know that things are working now. Glad that we could help.

Regards,

Note: Do not forget to rate the useful posts.

Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman — Wed, 07 Jul 2010 22:07:05 GMT

One last question could you explain how these are allowing dmz devices the ability to use the dns server on the inside, is there anyway that i could get more granular with a rule that allows the dmz network (10.10.3.0/24) to use udp 53 located on 10.10.10.254 (dns server)

access-list dmz_access_in permit ip any host 10.10.10.254

access-list dmz_access_in deny ip any 10.10.10.0 255.255.255.0

access-list dmz_access_in permit ip any any (this seems like it would not be safe ) but if i disable then the dmz devices can not use 10.10.10.254 to resolve

nat (inside,dmz) source static namesrv0-1 namesrv0-1 destination static namesrv0-1 namesrv0-1

access-group dmz_access_in in interface DMZ

Thanks again