
ASA 5505, DMZ And Base License

bojan.vujic, Level 1

Hi all,

I need help with the ASA 5505, a DMZ and the Base License.

This is what I found in the documentation:

"For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network." Page 6-17.

This is exactly what I need: mail server in the DMZ, full access from the internet to the DMZ and from the inside network to the DMZ, no access from the DMZ to the inside network. If I understand correctly, this is possible with the Base License.

I successfully configured internet access for the DMZ and the inside network; the mail server can be accessed from the internet, as well as RDP on the inside network. But I have a problem configuring communication from the inside network to the DMZ.

Any idea what I did wrong?

Thanks in advance,

This is the configuration:

ASA Version 8.0(3)
hostname ciscoasa
names
!
interface Vlan1
 description LAN port
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX XXX XXX XXX – my public IP
!
interface Vlan3
 description DMZ Mail Server
 no forward interface Vlan1
 nameif mailserver
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
no ftp mode passive
access-list Mailserver extended permit tcp any host XXX XXX XXX XXX – my public IP eq ssh
access-list Mailserver extended permit tcp any host XXX XXX XXX XXX – my public IP eq 3389
access-list Mailserver extended permit tcp any host XXX XXX XXX XXX – my public IP eq https
access-list Mailserver extended permit tcp any host XXX XXX XXX XXX – my public IP eq 9001
access-list Mailserver extended permit tcp any host XXX XXX XXX XXX – my public IP eq www
access-list Mailserver extended permit tcp any host XXX XXX XXX XXX – my public IP eq smtp
access-list Mailserver extended permit tcp any host XXX XXX XXX XXX – my public IP eq pop3
access-list MailInfIn extended permit tcp any 192.168.1.0 255.255.255.0
pager lines 24
logging flash-bufferwrap
logging flash-maximum-allocation 2048
mtu inside 1500
mtu outside 1500
mtu mailserver 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (mailserver) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.0.11 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.11 3389 netmask 255.255.255.255
static (mailserver,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255
static (mailserver,outside) tcp interface pop3 192.168.1.11 pop3 netmask 255.255.255.255
static (mailserver,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255
access-group Mailserver in interface outside
access-group MailInfIn in interface mailserver
route outside 0.0.0.0 0.0.0.0 ISP GW 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable 9001
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 mailserver
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 mailserver
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 mailserver
ssh timeout 5
console timeout 15
threat-detection basic-threat
threat-detection statistics access-list
username xxxx
username xxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:57c16ff26572bd5170eb97d83b60caa2
: end


13 Replies

varrao, Level 10

Hi Bojan,

For the users on the inside to access the mail server on the DMZ, you would need a static for it:

static (mailserver,inside) 192.168.1.11 192.168.1.11

It should work after that.

Thanks,

Varun

Thanks,
Varun Rao

Thanks for the fast response Varun,

But on the inside network I have 40 users. How can I enable all of them to access the DMZ server?

The command is for all the users.

You would just need to add this statement as well:

global (mailserver) 101 interface

-Varun
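The condition behind this answer is a pre-8.3 NAT rule (`nat (inside) 101`) whose id has a `global` on `outside` but none on `mailserver`, so inside-to-DMZ traffic matches the rule and gets no translation. The following lint is an added example, not code from the thread or from Cisco: it reads a pre-8.3 ASA config and lists every ingress/egress pair where a dynamic nat id has no matching global, noting which hosts could still cross via a `static`. The two config excerpts are constructed from the original post's 8.0(3) config plus the two lines from the accepted answers; the function names are my own.

```python
"""Lint a pre-8.3 ASA config for 'nat (ifc) N' rules with no 'global (egress) N'.
Added example, not from the thread or from Cisco; excerpts below are constructed."""
import re
from collections import defaultdict

# Constructed excerpt of the original post's configuration (pre-8.3 NAT syntax).
BEFORE_FIX = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 no forward interface Vlan1
 nameif mailserver
 security-level 50
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (mailserver) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.0.11 https netmask 255.255.255.255
static (mailserver,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255
"""

# The same excerpt plus the two lines from the accepted answers.
AFTER_FIX = BEFORE_FIX + """\
static (mailserver,inside) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
global (mailserver) 101 interface
"""

NAMEIF_RE = re.compile(r"^nameif (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (.+)$")


def parse_config(text):
    """Collect nameifs (in config order), dynamic nat ids per ingress interface,
    global ids per egress interface, and statics as (real_ifc, mapped_ifc, real_ip)."""
    interfaces, statics = [], []
    nat_ids, global_ids = defaultdict(set), defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            interfaces.append(m.group(1))
        elif m := NAT_RE.match(line):
            nat_ids[int(m.group(2))].add(m.group(1))
        elif m := GLOBAL_RE.match(line):
            global_ids[int(m.group(2))].add(m.group(1))
        elif m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, rest = m.groups()
            tok = rest.split()
            # Port static: "tcp|udp <mapped> <mport> <real> <rport> ..."
            # Plain static: "<mapped> <real> ..."
            real_ip = tok[3] if tok[0] in ("tcp", "udp") else tok[1]
            statics.append((real_ifc, mapped_ifc, real_ip))
    return interfaces, nat_ids, global_ids, statics


def missing_globals(text):
    """Return {(ingress, egress, nat_id): [real hosts with a static (ingress,egress)]}.

    A 'nat (ingress) N' rule with no 'global (egress) N' leaves traffic that
    matches the rule without a translation toward egress (the thread's symptom);
    only hosts that also have a static between the two interfaces can cross."""
    interfaces, nat_ids, global_ids, statics = parse_config(text)
    findings = {}
    for nat_id, ingresses in nat_ids.items():
        if nat_id == 0:  # nat 0 is identity / exemption and needs no global
            continue
        for ingress in ingresses:
            for egress in interfaces:
                if egress == ingress or egress in global_ids.get(nat_id, ()):
                    continue
                covered = sorted(ip for r, mp, ip in statics if (r, mp) == (ingress, egress))
                findings[(ingress, egress, nat_id)] = covered
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label)
        for (ingress, egress, nid), covered in sorted(missing_globals(cfg).items()):
            print(f"  nat ({ingress}) {nid} has no global ({egress}) {nid};"
                  f" hosts still reachable via static: {covered or 'none'}")
```

Run against the "before" excerpt it reports both `inside -> mailserver` and `mailserver -> inside` for id 101 with no static coverage; after the two accepted-answer lines, the inside-to-DMZ finding disappears and the remaining DMZ-to-inside finding shows 192.168.1.11 covered by its identity static (that direction is additionally blocked by `no forward interface Vlan1`, which the lint does not model).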

In your previous post you recommended the command "static (mailserver,inside) 192.168.1.11 192.168.1.11"; both addresses are the same, is this correct?

Hi Bojan,

This is a static translation for your mail server; this means that the internal users would send the request to the mail server on 192.168.1.11 and it would be translated to its own IP.

Try it and let me know if it works.

Thanks,

Varun

I added both commands, and no changes. Users from the inside network are not able to connect on any port in the DMZ.

Can you quickly run a packet-tracer:

packet-tracer input inside tcp 192.168.0.11 2345 192.168.1.11 25 detailed

Can you show me the output?

Thanks,

Varun

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd49676d8, priority=1, domain=permit, deny=false
        hits=32563, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:      
static (mailserver,inside) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
  match ip mailserver host 192.168.1.11 inside any
    static translation to 192.168.1.11
    translate_hits = 0, untranslate_hits = 12
Additional Information:
NAT divert to egress interface mailserver
Untranslate 192.168.1.11/0 to 192.168.1.11/0 using netmask 255.255.255.255
             
Phase: 4     
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd496d758, priority=0, domain=permit-ip-option, deny=true
        hits=2233, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
             
Phase: 5     
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:      
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd4f1ec58, priority=70, domain=inspect-smtp, deny=false
        hits=0, user_data=0xd4f1eb08, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=25
             
Phase: 6     
Type: NAT    
Subtype:     
Result: ALLOW
Config:      
nat (inside) 101 0.0.0.0 0.0.0.0
  match ip inside any mailserver any
    dynamic translation to pool 101 (192.168.1.1 [Interface PAT])
    translate_hits = 14, untranslate_hits = 10
Additional Information:
Dynamic translate 192.168.0.103/2345 to 192.168.1.1/1027 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in  id=0xd4a56858, priority=1, domain=nat, deny=false
        hits=13, user_data=0xd4a567b8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
             
Phase: 7     
Type: NAT    
Subtype: host-limits
Result: ALLOW
Config:      
nat (inside) 101 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd4a55f48, priority=1, domain=host, deny=false
        hits=2234, user_data=0xd4a55ab0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
             
Phase: 8     
Type: HOST-LIMIT
Subtype:     
Result: ALLOW
Config:      
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd4969dc0, priority=0, domain=host-limit, deny=false
        hits=2230, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
             
Phase: 9     
Type: NAT    
Subtype: rpf-check
Result: ALLOW
Config:      
static (mailserver,inside) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
  match ip mailserver host 192.168.1.11 inside any
    static translation to 192.168.1.11
    translate_hits = 0, untranslate_hits = 12
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd3e0e1f0, priority=5, domain=nat-reverse, deny=false
        hits=11, user_data=0xd51e94f8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.1.11, mask=255.255.255.255, port=0
             
Phase: 10    
Type: NAT    
Subtype: host-limits
Result: ALLOW
Config:      
static (mailserver,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255
  match tcp mailserver host 192.168.1.11 eq 80 outside any
    static translation to 81.93.77.22/80
    translate_hits = 0, untranslate_hits = 145
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xd4b393c0, priority=5, domain=host, deny=false
        hits=454, user_data=0xd4f2e010, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.1.11, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
             
Phase: 11    
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xd4a2f888, priority=0, domain=permit-ip-option, deny=true
        hits=476, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
             
Phase: 12    
Type: FLOW-CREATION
Subtype:     
Result: ALLOW
Config:      
Additional Information:
New flow created with id 3099, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_fp_tcp_normalizer
snp_ifc_stat 
             
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_punt
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_fp_tcp_normalizer
snp_ifc_stat 
             
Phase: 13    
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:      
Additional Information:
found next-hop 192.168.1.11 using egress ifc mailserver
adjacency Active
next-hop mac address 0013.8f72.0878 hits 9711
             
Result:      
input-interface: inside
input-status: up
input-line-status: up
output-interface: mailserver
output-status: up
output-line-status: up
Action: allow
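Reading a long `packet-tracer ... detailed` trace by eye is error-prone, and the NAT phases (3, 6 and 9 above) are the ones that matter for this thread. As an added example, not code from the thread or from Cisco, here is a small parser that splits the trace into phases and the trailing summary, reports the first non-ALLOW phase, and pulls out the translation lines. `SAMPLE` is a constructed, abbreviated copy of the output posted above; `DROP_SAMPLE` is constructed to exercise the failure path, and its `Drop-reason` text is a placeholder, not a real ASA string.

```python
"""Parse ASA 'packet-tracer ... detailed' output into phases plus summary.
Added example, not from the thread or from Cisco; samples are constructed."""
import re

# Constructed, abbreviated copy of the trace posted in the thread.
SAMPLE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (mailserver,inside) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
Additional Information:
Untranslate 192.168.1.11/0 to 192.168.1.11/0 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
    dynamic translation to pool 101 (192.168.1.1 [Interface PAT])
Additional Information:
Dynamic translate 192.168.0.103/2345 to 192.168.1.1/1027 using netmask 255.255.255.255

Result:
input-interface: inside
output-interface: mailserver
Action: allow
"""

# Constructed drop case; the Drop-reason text is a placeholder, not a real ASA string.
DROP_SAMPLE = """\
Phase: 1
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
Additional Information:

Result:
input-interface: inside
output-interface: mailserver
Action: drop
Drop-reason: <constructed placeholder>
"""

PHASE_RE = re.compile(r"^Phase: (\d+)$")


def parse_packet_tracer(text):
    """Return (phases, summary). phases: {number: {type, subtype, result, config, info}};
    summary: the trailing 'key: value' block (interfaces, Action, Drop-reason)."""
    phases, summary = {}, {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := PHASE_RE.match(line):
            cur = {"type": "", "subtype": "", "result": "", "config": [], "info": []}
            phases[int(m.group(1))] = cur
            section = None
        elif line == "Result:":  # bare 'Result:' opens the final summary block
            cur, section = None, "summary"
        elif cur is not None:
            if line.startswith("Type: "):
                cur["type"] = line[6:]
            elif line.startswith("Subtype:"):
                cur["subtype"] = line[8:].strip()
            elif line.startswith("Result: "):
                cur["result"] = line[8:]
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section and line:
                cur[section].append(line.strip())
        elif section == "summary" and ": " in line:
            key, value = line.split(": ", 1)
            summary[key] = value
    return phases, summary


def first_drop(phases):
    """(phase number, type) of the first phase whose result is not ALLOW, else None."""
    for n in sorted(phases):
        if phases[n]["result"] != "ALLOW":
            return n, phases[n]["type"]
    return None


def translations(phases):
    """Address translations the trace applied, as (phase number, line)."""
    return [(n, line) for n in sorted(phases) for line in phases[n]["info"]
            if line.startswith(("Dynamic translate", "Static translate", "Untranslate"))]


if __name__ == "__main__":
    for text in (SAMPLE, DROP_SAMPLE):
        phases, summary = parse_packet_tracer(text)
        print(summary.get("Action"), summary.get("Drop-reason", ""), first_drop(phases))
        for n, line in translations(phases):
            print(f"  phase {n}: {line}")
```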

Hi Bojan,

The command output looks good to me, as expected.

Can you take the captures and logs now (the inside host address is a placeholder, substitute the client you are testing from):

access-list cap permit ip host <inside-host> host 192.168.1.11
access-list cap permit ip host 192.168.1.11 host <inside-host>
access-list cap permit ip host 192.168.1.1 host 192.168.1.11
access-list cap permit ip host 192.168.1.11 host 192.168.1.1
cap capin access-list cap interface inside
cap capdmz access-list cap interface mailserver

https://supportforums.cisco.com/docs/DOC-1222

and

logging buffered 7

and generate some traffic and do:

show cap capin
show cap capdmz
show logging | include 192.168.1.11

These outputs are important.

-Varun

After I rebooted the ASA, it seems that all works fine now, except HTTP. Packet tracer is OK, as before.

Did you save the configuration before the reboot? Can you compare the configuration before the reboot and after the reboot to check if you have anything missing.

-Varun

I saved the configuration before the reboot, and the same configuration now works fine. The web server issue is also solved; it was a problem on the server. So my conclusion is that the two commands you gave me before solved my problem.

Thanks a lot.

Hey, glad to hear that... good it resolved the issue for you.

-Varun