12-26-2011 11:55 AM - edited 03-11-2019 03:06 PM
Hello, any help or insight into why I can't get this working properly would be extremely helpful.
I have a Cisco ASA 5510 connected to 2 private LANs (1 for my HQ PCs {inside} and 1 for the worldwide MPLS {outside}).
It is also connected to the public internet at interface "public" and my DMZ at the "dmz" interface. I suspect I have a routing issue because packet-tracer yields allow, the NAT looks ok and the objects look ok, at least to me, but I'm the one with the non-working config so.... Help, please.
Basically this is the desired flow:
1. I need all traffic from the inside to be able to flow to the outside unimpeded as they are both trusted networks. (this is ok right now as I allow everything via access-list 101.)
2. I need any host on the public internet to be able to reach a server on the DMZ via the PAT which I set up from the "public" interface to the "DMZ" interface. The desired flow would be that the person on the internet types in https://webserver.company.com and this is directed to the public interface IP, which forwards to the webserver object on the DMZ. (I cannot get this working any which way.)
3. I need the DMZ to be able to communicate with another server on the MPLS via the "outside" interface: when it receives the request from the public, it then checks with this other server on the outside via NAT (translating the DMZ range into the IP of the outside interface on the firewall).
I have a default route that points to the mpls or outside interface for 0.0.0.0 0.0.0.0 via 10.x.x.1 - (and although I'm not sure I suspect this could be conflicting with traffic that needs to be sent to the "public" interface .... meaning that the firewall should dump packets bound for 0.0.0.0 0.0.0.0 to the public interface - 184.x.x.194 but I'm very reluctant to change the default route as this is in production and I'm not sure how it will affect traffic).
However, I do suspect that if I changed the route from default to static as such:
route 10.0.0.0 255.0.0.0 10.x.x.1 (this would get all lan and mpls traffic to the mpls gateway)
route 0.0.0.0 0.0.0.0 184.x.x.193 (this would send everything else from public to the public internet gateway)
I think this is accurate, but then I would be bypassing my corporate internet proxy, which is behind the MPLS gateway at 10.x.x.1.
Does anyone else think this is a routing issue? Is there a way to get http traffic originating from the lan (10.x.x.x) to use the mpls gateway and http traffic for the dmz to use the public internet gateway at 184.x.x.193. I don't want to start causing a flow problem for the internet nor do I want to bypass my corp internet proxy.
Either way I cannot get this to work; even though the logic checks out, I cannot get even a ping response when I allow icmp any any for testing.
Note: I can ping resources on each network from the firewall, not only its own ports in the associated network but other resources on those networks as well.
Here is the running-config:
ciscoasa# sho run
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name marcjacobs.lvmh
enable password wrblOSAyPeeKhvhL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 100
ip address 10.x.x.2 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.x.x.8 255.255.254.0
!
interface Ethernet0/2
nameif public
security-level 0
ip address 184.x.x.194 255.255.255.248
!
interface Ethernet0/3
nameif DMZ
security-level 50
ip address 192.168.x.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.x.1 255.255.255.0
management-only
!
boot system disk0:/asa841.bin
ftp mode passive
dns server-group DefaultDNS
domain-name marcjacobs.lvmh
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network webserver
host 192.168.x.26
object network dmz_range
range 192.168.x.1 192.168.x.254
object network OUTSIDE
subnet 10.x.y.0 255.255.255.240
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit udp any any
access-list 101 extended permit tcp any any
access-list 101 extended permit gre any any
access-list 101 extended permit esp any any
access-list 101 extended permit tcp any any eq smtp
access-list dmz_outside extended permit ip any 10.98.9.0 255.255.255.240
access-list test_ping extended permit icmp any any
access-list webserver_insidehost extended permit tcp host 192.168.x.26 host 10.x.x.45 eq https
access-list public_in extended permit tcp any host 192.168.x.26 eq https
access-list ping_test extended permit icmp any any echo
access-list ping_test extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu public 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (outside,DMZ) source static OUTSIDE OUTSIDE
!
object network webserver
nat (DMZ,public) static interface service tcp https https
access-group 101 in interface outside
access-group test_ping in interface public
route outside 0.0.0.0 0.0.0.0 10.x.x.1 1
route outside 10.x.x.91 255.255.255.255 10.x.x.1 1
route inside 10.x.x.0 255.255.255.0 10.x.x.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
telnet timeout 100
ssh scopy enable
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cseiber password 2kzsrDh0SvZ/CKV0 encrypted
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:16a704ae3f98ae986d7bc1c594c97f48
: end
ciscoasa#
12-26-2011 12:31 PM
That's correct.
If you have the internet connected on public, then your default route should point to the public internet. For MPLS you can have that private network route pointing to the outside interface.
The port translation rule for webserver looks good. It should work once the route is added.
object network webserver
host 192.168.x.26
As far as the proxy is concerned, if you mean to say that it falls in the corp network, then proxy traffic should go via this firewall. Then add one more static or dynamic NAT entry for that IP address.
Thanks
Ajay
12-26-2011 08:50 PM
Ajay,
Thank you for your support. I just want to make it clear so that you may answer the question if you know the solution.
I have 2 internet connections -
1. goes via the lan to the core switch (which has the firewall as the default gateway) which is on 10.x.2.0 (a separate private vlan for the mpls connection)
2. This one is for the DMZ only and the guest wireless network at my HQ - the problem here is that the DMZ has no route to the public internet through this guest\dmz internet connection. The firewall is using 10.x.2.1 as its default gateway, and if I change that route all traffic will change.
I only want the dmz traffic destined for the internet to go to the internet via the 184.x.x.193 gateway and I want all other internet bound traffic originating on the lan to go through the mpls internet via the 10.x.2.1 gateway.
Do I need to use a route map or am I making this more complicated than it needs to be?
12-26-2011 09:24 PM
Hello Mscha2000,
So what you are looking for is to do policy-based routing, which is one of the features that is not yet supported on an ASA.
There are some work-arounds available, but Cisco does not support it as a procedure.
Here is one document that might provide you a better explanation of this, even though I think the scenario you want to create is not supported and will not work.
Hope this helps.
Do rate helpful posts.
Julio
12-27-2011 01:31 PM
Julio,
Thanks again for your support. The asa is connected to a 6506-E which uses the firewall for its default gateway which causes all traffic to traverse the firewall. If I could figure out a different way to set up the routing I may find a work around.
It's only the DMZ that I want to go out the public internet. I might be able to do something with VLANs.
12-27-2011 01:49 PM
Hello mscha,
Yes, that is correct. The thing is that as soon as the traffic traverses the ASA you will not be able to do it, because the ASA does not support policy-based routing, so you cannot send one specific traffic to one ISP.
You will need to use a device that supports PBR.
Here is the document I promised.
Regards,
Julio
12-28-2011 01:13 PM
Julio,
I cannot find the attachment. Is there a link to this document?
12-28-2011 01:21 PM
Hello,
Here you go:
https://supportforums.cisco.com/docs/DOC-13015
Regards,
Julio
01-09-2012 08:29 AM
Julio,
Thank you for the document. I was trying to avoid adding a router to the scenario for simplification reasons. I don't think I will go this route, it just seems to be too complicated.
I will definitely give a high rating.
Let me ask you, I have a Cisco ASA 5505 that I can use specifically for the DMZ. Keeping in mind my network topology:
- 2 private networks (1 LAN (connected at the Inside interface) and 1 to the MPLS (connected at the outside interface - this is also where my corp internet access goes through).
- 1 interface for public internet access
- 1 DMZ interface
The problem is the default route, which is pointed at the MPLS by design, and since there's no PBR in the 5510 I am left with no choice but to add additional equipment.
Do you think I can achieve what I want with the addition of the 5505? That would make it possible to have a default route on the ASA to the public network, which would solve my routing issue above. I'm just not sure how to configure the 5505 as it's a bit different than the 5510. Is all the NAT and routing the same?
I have a couple of questions:
1. I would need to connect this firewall to my core switch (in a separate VLAN of course) for communication to the inside application - will there be a conflict with both firewalls connected? Is this a foolish thing to do?
2. How would I set up the NAT\routing to the MPLS "outside" network from the DMZ network on this additional security device?
3. How would you accomplish what I think you know I'm trying to do?
Thanks,
-Mike
01-09-2012 09:57 AM
Hello Mscha 2000,
Can you try to create a diagram of the network set-up you want to use with the ASA 5505? This will help me answer your questions.
Regards,
Julio
01-09-2012 11:18 AM
Julio,
I've inserted a picture explaining what I am proposing to see if this makes sense and could solve my problem. Please let me know what you think. I have only 4 days left now to complete this implementation.
I think the jpeg came out too small so I'll attach it to the email thread as well.
Thank you very much for your continued support,
-Mike
01-09-2012 11:38 AM
Hello,
I don't get it! It would be the same thing, as you will also need 2 routes on the ASA 5510. Right?
01-09-2012 12:11 PM
Hi,
I understand what you mean, but I would be disconnecting the ASA 5510 from the public internet and from the DMZ and replacing it with the 5505. Basically, just adding another firewall to the topology strictly for DMZ purposes.
The problem before was that I could not change the default route of the 5510 because I need internet traffic to still pass through the MPLS gateway to our corporate proxy. If I did not have this requirement I would be fine with a simple route change - 0.0.0.0 0.0.0.0 10.x.9.x would be replaced by 0.0.0.0 0.0.0.0 184.x.x.194. So, what I am saying is to add the 5505 and give it the default route 0.0.0.0 0.0.0.0 184.x.x.194, leaving the 5510 out of it.
This should be a pretty standard DMZ setup where:
184.x.x.194 is the "outside" network
192.168.x.x is the "Inside" network
default route 0.0.0.0 0.0.0.0 184.x.x.194 gets all internet traffic to and from the DMZ only through the outside network as desired.
10.x.4.x is given a static route something like route mpls 10.0.0.0 255.0.0.0 10.x.9.x
which makes it 3 networks connected to the ASA 5505, but the default route is as desired...
Does that make sense?
-Mike
01-09-2012 12:24 PM
Hello,
Correct, that does make sense. In that way you will be able to accomplish what you are looking for, as each ASA will provide internet connectivity to one security zone using a different interface (5505 internet interface and 5510 MPLS interface).
Regards,
Julio
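As an added illustration (not from the thread, Cisco, or either poster), the Python below models why the single-ASA route change in the first post cannot split LAN and DMZ internet traffic, and why the two-ASA design agreed on at the end does. It assumes a plain longest-prefix-match lookup on the destination only, which is what a platform without PBR does; all addresses are constructed stand-ins for the masked ones in the thread.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the thread
# (10.x.x.1 MPLS gateway, 184.x.x.193 public ISP gateway, a 10/8 inner hop).
MPLS_GW = "10.0.2.1"
PUBLIC_GW = "198.51.100.193"
INNER_HOP = "10.0.9.1"
LAN_HOST = "10.0.4.20"        # constructed host on the "inside" LAN
DMZ_HOST = "192.168.10.26"    # constructed host on the DMZ
INTERNET_DST = "203.0.113.10" # constructed public destination


def lookup(routes, src, dst):
    """Destination-only longest-prefix match, as on a device without PBR.
    'src' is accepted but deliberately unused: the source address cannot
    influence the next hop, which is the limitation the thread runs into."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Route table the first post considered: 10/8 to MPLS, everything else to the ISP.
SINGLE_ASA_ROUTES = [("10.0.0.0/8", MPLS_GW), ("0.0.0.0/0", PUBLIC_GW)]


def single_asa_next_hops(dst=INTERNET_DST):
    """LAN and DMZ hosts reaching the same internet destination get the same
    gateway: one table, no per-source decision, so the proxy is bypassed."""
    return (lookup(SINGLE_ASA_ROUTES, LAN_HOST, dst),
            lookup(SINGLE_ASA_ROUTES, DMZ_HOST, dst))


# Two-device design from the end of the thread: the 5510 keeps its default
# route toward MPLS (corporate proxy); the 5505 fronts the DMZ with a default
# route to the ISP and a 10/8 route back toward the corporate side.
ASA5510_ROUTES = [("0.0.0.0/0", MPLS_GW)]
ASA5505_ROUTES = [("10.0.0.0/8", INNER_HOP), ("0.0.0.0/0", PUBLIC_GW)]


def two_asa_next_hops(dst=INTERNET_DST):
    """Each zone is routed by its own device, so the split comes from the
    topology rather than from a source-based rule the ASA lacks."""
    return (lookup(ASA5510_ROUTES, LAN_HOST, dst),
            lookup(ASA5505_ROUTES, DMZ_HOST, dst))
```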