Solved: ASA 5510 8.4 DMZ question

Lon · ‎10-26-2011

I have 3 Servers in my DMZ. The Servers can VNC and ping each other fine. From 'inside' I can ping and VNC 2 of them, but not the third.

From 'inside' I can access NS2 (172.168.1.12) and WebServer (192.168.1.10)

I cannot access NS1 (172.168.1.11)

Since I had to learn 8.4 in less than a week, I may have other items wrong. I'm open to any criticism.

.

Lon

:

ASA Version 8.4(2)

!

hostname #####

domain-name #####

enable password ##### encrypted

passwd ##### encrypted

names

dns-guard

!

interface Ethernet0/0

speed 10

duplex full

nameif outside

security-level 0

ip address 69.##.##.82 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.1.0.2 255.255.0.0

!

interface Ethernet0/2

nameif dmz

security-level 80

ip address 172.168.1.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa842-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name #####

object network insidetoInternet

subnet 10.1.0.0 255.255.0.0

description Inside net to Internet connector

object network RemoteAccessServer

host 10.1.2.7

description Internal Terminal Server 3389

object network WebServer

host 172.168.1.10

description Web Server in DMZ

object network dmz-to-inside

subnet 172.168.1.0 255.255.255.0

description Route traffic DMZ and Inside

object network ExchangeServer

host 10.1.2.3

description Exchange (Mail) Server

object network NS1

host 172.168.1.11

description DNS Server in DMZ

object network NS2

host 172.168.1.12

description DNS Server in DMZ

object network inside-to-dmz

subnet 10.1.0.0 255.255.0.0

description Route traffic DMZ and Inside

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network DM_INLINE_NETWORK_1

network-object object WebServer

network-object object ExchangeServer

object-group network DM_INLINE_NETWORK_2

network-object object NS1

network-object object NS2

access-list OutsideAllowedIn extended permit icmp any any

access-list outside_access_in extended permit tcp any object RemoteAccessServer eq 3389

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www

access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq domain

access-list outside_access_in extended permit tcp any object ExchangeServer eq 2883

access-list outside_access_in extended permit tcp any object ExchangeServer eq smtp

access-list outside_access_in extended permit tcp any object ExchangeServer eq https

access-list outside_access_in extended permit tcp any object ExchangeServer eq 8080

access-list outside_access_in extended permit tcp any object ExchangeServer eq 4343

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-205.bin

no asdm history enable

arp timeout 14400

nat (inside,dmz) source static inside-to-dmz inside-to-dmz destination static dmz-to-inside dmz-to-inside

!

object network insidetoInternet

nat (inside,outside) dynamic interface

object network RemoteAccessServer

nat (inside,outside) static 69.##.##.88

object network WebServer

nat (dmz,any) static 69.##.##.90

object network ExchangeServer

nat (inside,any) static 69.##.##.85

object network NS1

nat (dmz,any) static 69.##.##.91

object network NS2

nat (dmz,any) static 69.##.##.92

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 69.##.##.81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

quit

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

!

threat-detection basic-threat

threat-detection scanning-threat shun duration 3600

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.1.2.3 source inside

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:#####

: end

[OK]

Julio Carvajal · ‎10-27-2011

Hello Lon,

lol, sometimes that is the first thing to check.

Well I am happy now everything is working.

Please mark the question as answered.

Have a great day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎10-26-2011

Hello Lon,

First lets do a packet tracer, then we could do captures.

Packet-tracer input inside tcp 10.1.0.11 1025 172.16.1.11 5900 (VNC Port)

Please provide us the output you will get

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Lon · ‎10-26-2011

Result of the command: "Packet-tracer input inside tcp 10.1.0.11 1025 172.16.1.11 5900"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network insidetoInternet
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.1.0.11/1025 to 69.##.##.82/46184

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 361221, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Julio Carvajal · ‎10-26-2011

Hello Lon,

As we can see seems like the ASA allows this traffic so next thing to do will be captures:

-access-list capin permit tcp host 10.1.0.11 host 172.16.1.11 eq 5900

-access-list capin permit tcp host 172.16.1.11 eq 5900 host 172.16.1.11

-capture capin access-list capin interface inside

-access-list capdmz permit tcp host 10.1.0.11 host 172.16.1.11 eq 5900

-access-list capdmz permit tcp host 172.16.1.11 eq 5900 host 10.1.0.11

-capture capdmz access-list capdmz interface dmz

-Http 0.0.0.0 0.0.0.0 inside

-Then you will need to download the capture on a browser.

-https://10.1.0.11/capture/capin/pcap

-https://10.1.0.11/capture/capdmz/pcap

Then attach the captures to this discussion.

Have a great day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Lon · ‎10-26-2011

Julio,

I modified your access-list example a little.

Changed 172.16... to 172.168...

Changed the second line of capin -- internal ip to 10.1.0.11 instead of 172.16...

oh... dang... I guess I should be using 172.16 not 172.168---I'll have to change that in the morning.

However, I am getting empty files. I must be doing something wrong. I'll try again in the morning.

Lon

Lon · ‎10-27-2011

Ok, I was so focused on the Firewall.... I didn't even notice that the Server in question did not have a gateway assigned. As I was changing the IP addresses to 172.16.... I noticed and fixed it, all is well now. Thank-you for your assistance. Someitmes it's the simple stuff that gets us.

Lon

Julio Carvajal · ‎10-27-2011

Hello Lon,

lol, sometimes that is the first thing to check.

Well I am happy now everything is working.

Please mark the question as answered.

Have a great day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC