05-16-2011 01:54 AM - edited 03-11-2019 01:33 PM
Ok, the bit that works.
I have a rule on our ASA, source=DMZ server, destination=domain server, service=domain, which works fine and permits access to my domain controllers and to shared folders from a test DMZ server.
...and the bit that doesn't.
What I cannot fathom is accessing member servers, even though I've added another rule, with services 53, 137-139 and 445 (all TCP/UDP).
Help as always appreciated.
Thanks
05-16-2011 03:50 AM
Hi Mark,
So you're trying to access some servers in your DMZ network from the outside on ports 53, 137-139 and 445 (all TCP/UDP)?
If yes, you need to have access-lists to permit traffic to these ports and static nat commands. Can you paste your configuration here?
Regards,
Anu
05-16-2011 05:05 AM
Hi Anu,
I'm trying to access the member servers using the DMZ servers.
If I RDP to a DMZ server I can access my DCs, but not my member servers.
I am on the inside of my network.
Thanks,
Mark
05-18-2011 03:40 AM
Anyone?
05-18-2011 03:47 AM
Hi Mark,
Could you just explain, when accessing the member servers, which interface the source lies behind and which interface the destination lies behind, along with the IP addresses?
Thanks,
Varun
05-18-2011 05:16 AM
Hi Varun,
Ok, the source DMZ server (192.168.3.4) is on Ethernet0/1.20 DMZ3 (we are using a VLAN setup to a Cisco switch). As mentioned, I can access the domain controllers without any issues whatsoever.
The destination domain member server (10.0.0.29) is on Ethernet0/0 Inside (same as the domain controllers).
Thanks
Mark
05-18-2011 05:36 AM
Hi Mark,
For accessing the domain member from the DMZ server, you would need the following checklist:
1. Allow access from DMZ3 to inside through an ACL, since DMZ3 is a lower-security interface, and apply the ACL inbound on interface DMZ3.
2. You would need NAT for the DMZ server to your domain member, something like:
nat (DMZ3) 5 192.168.3.4
global (inside) 5 interface
3. You would also need a translation for the destination, like:
static (inside,DMZ3) 1.1.1.1 10.0.0.29
If the domain member needs to be accessed by its original IP, then:
static (inside,DMZ3) 10.0.0.29 10.0.0.29
These should work for you; let me know the results.
If it still does not work, kindly provide the relevant configuration you have for the setup; we might need to take captures and logs after that.
Thanks,
Varun
05-18-2011 05:54 AM
Hi Varun,
In ref. to no. 1, wouldn't this already be there if I can access the domain controllers from DMZ3?
For no. 2, I cannot see any NAT rule relating to the DCs.
...and for no. 3, I cannot see anything relating to the DCs in the ACL.
Just trying to make sense of it all. Is there a command I can run to answer my questions, in case I'm not seeing what I would expect in ASDM?
Many thanks,
Mark
05-18-2011 06:06 AM
Hi Mark,
1. If you are able to access the domain controller from the DMZ, it does not necessarily mean you have ports open for accessing other members as well; just check whether the ACL includes the other domain members too.
As far as the other queries are concerned, I would suggest you provide the output of the following:
show run nat
show run global
show run static
show run access-group
show run access-list
This would clear up the confusion between us. You can also run a packet-tracer:
packet-tracer input DMZ3 tcp 192.168.3.4 1234 10.0.0.29 445 detailed
This would at least give us some guidance on where the traffic is being dropped.
Thanks,
Varun
05-18-2011 06:32 AM
Hi Varun,
I cannot see anything that would suggest I can get to any domain members; all I can see is a rule relating source=DMZ servers to destination=DCs with service domain/UDP = permit.
I have omitted some results that I'm sure are not relevant.
Result of the command: "show run nat"
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 InternalNetwork 255.255.255.0
nat (DMZ1) 1 DMZ1 255.255.255.0
nat (DMZ2) 1 DMZ2 255.255.255.0
nat (DMZ3) 1 DMZ3 255.255.255.0
nat (DMZ4) 1 DMZ4 255.255.255.0
Result of the command: "show run global"
global (DMZ2) 1 interface
global (DMZ3) 1 interface
global (DMZ4) 1 interface
global (outside) 2 DMZservername_external netmask 255.0.0.0
global (outside) 1 EXT. IP netmask 255.0.0.0
Result of the command: "show run static" (I have removed most results)
static (inside,DMZ3) DCservername DCservername netmask 255.255.255.255
Result of the command: "show run access-group"
access-group inside_access_in in interface inside
access-group DMZ1_access_in in interface DMZ1
access-group DMZ2_access_in in interface DMZ2
access-group DMZ3_access_in in interface DMZ3
access-group DMZ4_access_in in interface DMZ4
access-group outside_access_in in interface outside
Result of the command: "show run access-list"
There are a lot of results here that I wasn't prepared to list publicly; is there anything in particular you're looking for?
Could I run the packet tracer using Tools > Packet Tracer? (If so, do I need to input options for each screen?)
Thanks,
Mark
05-18-2011 06:48 AM
Hi Mark,
You might need to add the following static command for your domain member:
static (inside,DMZ3) DCmember DCmember netmask 255.255.255.255
where DCmember = 10.0.0.29
and also, I was asking for only this ACL:
show run access-list DMZ3_access_in
That would be enough, and all that you need.
Thanks,
Varun
05-18-2011 06:50 AM
And please run the packet-tracer in the CLI; it would give you a clear picture of the packet flow.
Varun
05-18-2011 06:58 AM
Here you go, Varun.
Result of the command: "show run access-list DMZ3_access_in"
access-list DMZ3_access_in extended permit udp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_10 eq domain
access-list DMZ3_access_in extended permit object-group TCPUDP host DMZservername3 host DomainServerMember object-group RE
access-list DMZ3_access_in extended permit tcp host DMZservername1 any eq www
access-list DMZ3_access_in extended permit tcp host DMZservername2 any eq www
access-list DMZ3_access_in extended permit tcp host DMZservername3 any object-group DM_INLINE_TCP_6
access-list DMZ3_access_in extended permit ip host DMZservername1 host APCUPS
access-list DMZ3_access_in extended permit icmp DMZ3 255.255.255.0 any
access-list DMZ3_access_in extended permit ip DMZ3 255.255.255.0 any
access-list DMZ3_access_in extended deny ip DMZ3 255.255.255.0 any
I might add the static route first and see what happens.
Mark
05-18-2011 07:26 AM
Hi Mark,
I guess this is the access-list that you have for the DMZ server to the domain member:
access-list DMZ3_access_in extended permit object-group TCPUDP host DMZservername3 host DomainServerMember object-group RE
and it looks good to me; please verify that DMZservername3 -> 192.168.3.4 and DomainServerMember -> 10.0.0.29.
If so, your ACL is fine; just add the static command:
static (inside,DMZ3) 10.0.0.29 10.0.0.29
and it should work.
Let me know how it goes.
thanks,
Varun
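Putting Varun's checklist from earlier in the thread (ACL on the low-security interface plus a translation for the inside destination) together with the one-line fix that worked, here is an added, complete configuration example for the setup Mark described. It is not a config posted by either participant. It uses the pre-8.3 nat/global/static syntax that appears in Mark's show run output, the addresses Mark gave (192.168.3.4 on DMZ3, 10.0.0.29 on inside), and the object-group names TCPUDP and RE from the posted ACL; the contents of those object-groups are assumed here, since Mark never posted them. Why the static was needed at all: Mark's config has nat (inside) 1 InternalNetwork together with global (DMZ3) 1 interface, so the inside network (which presumably contains 10.0.0.29) is subject to dynamic PAT towards DMZ3, and a connection initiated from DMZ3 to an inside host's real address finds no translation (the ASA logs %ASA-3-305005 "No translation group found" for such packets). The identity static supplies that translation without changing the address, which is exactly what the existing static (inside,DMZ3) for the DC was already doing. One caveat a practitioner should notice in the posted DMZ3_access_in: the line permit ip DMZ3 255.255.255.0 any permits every protocol from the whole DMZ3 subnet to every destination, so the port-specific rules above it are redundant, the deny below it is never reached, and the DMZ gives no isolation from inside; the last step of the example removes that line.

```cisco
! Added example, not from the thread. ASA pre-8.3 syntax (nat/global/static),
! matching the commands in Mark's "show run" output.
! Assumed: the contents of object-groups TCPUDP and RE (not posted in the thread).

! --- 1. ACL on the low-security interface (DMZ3), applied inbound ---
! Only the ports the member server needs: DNS (53), NetBIOS (137-139), SMB (445).
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
object-group service RE tcp-udp
 port-object eq domain
 port-object range 137 139
 port-object eq 445
access-list DMZ3_access_in extended permit object-group TCPUDP host 192.168.3.4 host 10.0.0.29 object-group RE
access-group DMZ3_access_in in interface DMZ3

! --- 2. Translation for the inside destination ---
! nat (inside) 1 InternalNetwork + global (DMZ3) 1 interface leave no xlate for a
! DMZ3-initiated connection to 10.0.0.29 (syslog 305005). An identity static
! creates the translation while keeping the real IP, as already done for the DC.
static (inside,DMZ3) 10.0.0.29 10.0.0.29 netmask 255.255.255.255

! --- 3. Verify from the CLI, as Varun suggested ---
! Trace a DMZ3 -> inside SMB connection and watch which phase (ACL or NAT) drops it.
packet-tracer input DMZ3 tcp 192.168.3.4 1234 10.0.0.29 445 detailed
show run static | include 10.0.0.29
show access-list DMZ3_access_in

! --- 4. Hardening: remove the catch-all that makes the rules above moot ---
! "permit ip DMZ3 255.255.255.0 any" lets the whole DMZ3 subnet reach anything,
! including inside, on every protocol; the explicit deny after it never matches.
no access-list DMZ3_access_in extended permit ip DMZ3 255.255.255.0 any
```

Once the catch-all line is gone, re-run the packet-tracer for a port that is not in object-group RE (for example 3389) and confirm it is dropped in the ACL phase; that is the check that the DMZ is actually restricted to the services intended.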
05-18-2011 07:38 AM
Hi Varun,
That one static addition seems to have solved the problem; are these routes visible anywhere in the ASDM GUI?
I'll be checking some other things over the coming weeks, but many thanks for your input and patience in helping solve the problem.
Many thanks again,
Mark