Cisco ASA 5505 DMZ Setup

jpdalton1
Level 1

Hello,

I am new to Cisco firewalls and am attempting to set up a DMZ on the firewall.

I have managed to create the interface, VLAN and IP address settings etc., but I'm a bit lost with the NAT settings and rules I need to create for it.

I need to be able to do the following:

- RDP access from inside network to the DMZ servers

- Internet access for the DMZ

I am also setting up Active Directory Federation and require HTTPS traffic for the following:

- DMZ HTTPS to outside (Office 365 Services)

- Outside HTTPS to DMZ (ADFS Servers on DMZ only)

- DMZ HTTPS to inside (ADFS Servers Only)

- Inside HTTPS to DMZ (ADFS Servers Only)

Running Config:

!
interface Vlan1
nameif inside
security-level 100
ip address ccl-sua-asa 255.255.255.0
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Vlan100
nameif outside
security-level 0
ip address 77.107.90.202 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 100
speed 100
duplex full
!
interface Ethernet0/1
description Connected to CCL-SUA-SW1 port 16
!
interface Ethernet0/2
switchport access vlan 3
!
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp host 87.86.204.100 host 77.107.90.203 eq smtp
access-list inbound remark Inbound ACT for Ruth Edmonds Only
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 5022 inactive
access-list inbound remark Inbound rules for OWA 30/06/09 MD
access-list inbound extended permit tcp any host 77.107.90.203 eq https log
access-list inbound remark Inbound access for LDAP and SMTP from mimecast 02/07/09 MD
access-list inbound extended permit tcp object-group mimecast interface outside eq ldap
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq smtp
access-list inbound remark change request MET 56030 inbound POP3 for mimecast
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq pop3
access-list inbound remark Inbound rule for helpdesk 10/07/2012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq https
access-list inbound remark Inbound rule for survey 011012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq www
access-list inbound extended deny ip any any
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list vpn-met-bir extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list outbound extended permit ip object-group servers 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 192.168.255.0 255.255.255.0
access-list outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outbound extended deny udp any 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 10.0.0.0 255.0.0.0
access-list outbound extended deny ip any 192.168.0.0 255.255.0.0
access-list outbound extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.40.0 255.255.255.0
nat (inside) 1 192.168.41.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (inside,outside) tcp interface 5022 192.168.41.1 ssh netmask 255.255.255.255
static (outside,outside) tcp interface ssh 192.168.41.1 ssh netmask 255.255.255.255
static (inside,outside) tcp interface www WEB www netmask 255.255.255.255
static (inside,outside) tcp interface ldap FILESERVER ldap netmask 255.255.255.255
static (inside,outside) 77.107.90.203 MAILSERVER netmask 255.255.255.255
static (inside,outside) 77.107.90.205 helpdesk netmask 255.255.255.255
static (dmz,outside) 77.107.90.206 172.16.0.7 netmask 255.255.255.255
access-group outbound in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 77.107.90.201 1
route inside 192.168.41.0 255.255.255.0 ccl-sua-sw1 1

Like I mentioned, I have already set up the DMZ itself, but it's just the NAT and rules I'm struggling to get working.

Many Thanks

James


9 Replies

Jouni Forss
VIP Alumni

Hi,

If you have only an ASA5505 Base License then you can initiate/open connections from the DMZ to INSIDE.

You can confirm the License level with the "show version" command. It should read at the end of the output.

In the Base License you only have a restricted DMZ/3rd interface on the ASA. You can connect to it from anywhere BUT you have to limit it from connecting towards one of the other 2 interfaces. You have already done this with the command

no forward interface Vlan1

Which to my understanding is required to get the 3rd interface active when you only have Base License on ASA5505.

OUTSIDE -> DMZ

INSIDE -> DMZ

Connection initiating should be possible.

So it seems to me that you already have one problem that will limit connectivity and not just the NAT.

You already seem to have the default PAT configuration for DMZ Internet traffic.

You don't have the NAT for DMZ <-> INSIDE traffic, but as mentioned above it might already be limited by something else even though your configurations were fine.

The correct NAT configuration to enable that traffic would be to use

static (inside,dmz) netmask

Repeat for all

EDIT: Naturally you would also need an ACL on the DMZ interface for DMZ -> INSIDE traffic since the INSIDE is of higher "security-level". But as soon as you add the ACL to the DMZ interface you would also have to use it to allow Internet-bound traffic, since the "security-level" loses its meaning after an ACL is attached to the interface.

- Jouni

Hello,

The license is a Base License.

I have added a 'static' nat for:

Original ---

Interface: Inside

Source: inside-network/24

Translated ---

Interface: dmz

Use IP Address: inside-network/24

Is that all I need to do? What rules do I need to put in to perform the tasks I mentioned?

Thanks

James

Hi,

As I mentioned,

You won't be able to connect from DMZ to INSIDE with Base License.

So even if you made rules you could only

  • Connect from DMZ to OUTSIDE
  • Connect from OUTSIDE to DMZ
  • Connect from INSIDE to DMZ

And considering one of your requirements was to

  • Connect from DMZ to INSIDE, which isn't possible at the moment with regards to the Base License

The traffic from DMZ to OUTSIDE should already work.

There is no point making ACLs for DMZ to INSIDE traffic as it won't work anyway on your current Base License.

- Jouni

Hello,

I have managed to get RDP working to the DMZ servers.

I cannot get the Internet working on the DMZ servers.

Thanks

James

Hi,

The following configuration should already enable PAT translation from DMZ to OUTSIDE:

global (outside) 1 interface

nat (dmz) 1 172.16.0.0 255.255.255.0

The DMZ Internet should work UNLESS it's somehow dependent on connections to INSIDE. For example, if you are using DNS servers on the DMZ hosts that are located behind the INSIDE interface. This is because of the above-mentioned limitation with your ASA license. DMZ can't initiate connections towards INSIDE.

The "packet-tracer" command should confirm if all the ASA configurations are correct to enable Internet traffic for the DMZ.

An example command to simulate a DMZ connection could be

packet-tracer input dmz tcp 172.16.0.100 12345 8.8.8.8 80

- Jouni

This is an error I have in the log:

Deny udp src dmz:vm-fedprx-01/60022 dst outside:85.159.128.20/53 by access-group "dmz_access_in" [0x0, 0x0]
Deny udp src dmz:vm-fedprx-01/52428 dst outside:85.159.128.20/53 by access-group "dmz_access_in" [0x0, 0x0]

Thanks

James

Hi,

Seems you have created an ACL for the "dmz" interface.

You need to allow UDP/53, which is the DNS service, through the firewall.

access-list dmz_access_in permit udp eq 53

Or if you want to allow DNS queries to any DNS server

access-list dmz_access_in permit udp any eq 53

- Jouni
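Pulling together the pieces Jouni described in this reply and in his first one (the identity static for INSIDE <-> DMZ, a DMZ-interface ACL that must then also list every Internet-bound flow, the existing PAT pair, and packet-tracer as the check), here is a complete DMZ policy for the addresses used in this thread. This is an added example in ASA 8.2-style syntax, not configuration from the original thread; the inside network 192.168.40.0/24, DMZ 172.16.0.0/24 and the 172.16.0.7 -> 77.107.90.206 mapping are taken from James's running config, while 198.51.100.10, 203.0.113.10 and the host addresses in the packet-tracer lines are placeholder values chosen for illustration.

```cisco
! Identity (no-translation) static so INSIDE hosts reach DMZ hosts at their
! real addresses; a static is bidirectional, so it also covers return traffic.
! (DMZ-initiated sessions to INSIDE stay blocked by "no forward interface Vlan1".)
static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
!
! Internet PAT for the DMZ is already provided by the existing pair
!   global (outside) 1 interface
!   nat (dmz) 1 172.16.0.0 255.255.255.0
! so no further translation is needed for outbound traffic.
!
! Once an ACL is bound to the DMZ interface the security-level no longer
! permits anything implicitly, so every allowed outbound flow must be listed.
access-list dmz_access_in remark DNS for DMZ hosts (UDP/53 to any resolver)
access-list dmz_access_in extended permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list dmz_access_in remark HTTPS from DMZ to the Internet (Office 365 services)
access-list dmz_access_in extended permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list dmz_access_in remark ICMP echo for troubleshooting only
access-list dmz_access_in extended permit icmp 172.16.0.0 255.255.255.0 any echo
access-list dmz_access_in remark explicit final deny with logging so drops are visible
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! Publish the ADFS proxy (172.16.0.7, already mapped to 77.107.90.206 by the
! existing "static (dmz,outside)") for HTTPS only. ACL "inbound" ends with
! "deny ip any any", so the line is inserted ahead of it with "line 1"
! rather than appended after the deny.
access-list inbound line 1 extended permit tcp any host 77.107.90.206 eq https
!
! Verification: simulate each required flow and read the final "Action:" line;
! a drop names the phase (ACL, NAT, license forward restriction) responsible.
packet-tracer input dmz udp 172.16.0.100 40000 8.8.8.8 53
packet-tracer input dmz tcp 172.16.0.100 40000 198.51.100.10 443
packet-tracer input outside tcp 203.0.113.10 40000 77.107.90.206 443
packet-tracer input inside tcp 192.168.40.50 40000 172.16.0.7 3389
```

The DMZ ACL is scoped to the 172.16.0.0/24 source rather than `any`, so a host that spoofs an address from another network gets no implicit pass, and the logged final deny is what produced the `Deny udp ... by access-group "dmz_access_in"` messages James saw; after the DNS line is in place, the same log is the quickest way to spot any other outbound service the ADFS proxies still need.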

Hi Jouni,

That has all worked!

Thank you :-)

Hi,

I have a similar problem. I also need to set up a www server in the DMZ area that needs to connect to a database server on the local area network. I have two public Internet IP addresses, both with targeted SSL certificates; we have a Cisco ASA 5505 firewall, Unlimited Security Plus (this is an outsourced service). My question is, is it possible to do that using this one firewall, or do I need two firewalls? Can anyone give me a hint about a solution?

thanks for helping me with this.

Janne
