ASA 5510 FW in bound traffic from DMZ--> INT , OUT --> DMZ

ongmichael
Level 1

Hi,

I have managed to configure all the outbound directions (INSIDE --> DMZ1 & 2, INSIDE --> OUTSIDE, DMZ1,2 --> OUTSIDE).

But I am still not able to access in the inbound direction (OUT --> DMZ1,2, DMZ1,2 --> INSIDE). Kindly advise how to allow traffic from DMZ --> INSIDE and OUTSIDE --> DMZ. I need to be able to ping / ftp in the inbound direction, from lower to higher security level. Kindly take note that my IOS version is ASA Version 8.3(1).

For the outbound direction, this dynamic NAT config seems to be OK, since I can access ssh / ftp in the outbound direction (higher to lower security interface).

interface Ethernet0/0
  nameif OUTSIDE
  security-level 0
  ip address 192.25.152.248 255.255.255.0
!
interface Ethernet0/1
  nameif DMZ1
  security-level 50
  ip address 192.25.154.249 255.255.255.0
!
interface Ethernet0/2
  nameif DMZ2
  security-level 50
  ip address 192.25.156.249 255.255.255.0
!
interface Ethernet0/3
  nameif INSIDE
  security-level 100
  ip address 192.25.130.248 255.255.255.0

Dynamic NATs (successful for outbound access)

(Outbound from inside to DMZ2)
object network INSIDE_dynamic_DMZ2
  subnet 192.25.130.0 255.255.255.0
  nat (INSIDE,DMZ2) dynamic 192.25.154.250

(Outbound from DMZ2 to outside)
object network DMZ2_dynamic_OUTSIDE
  host 192.25.154.107
  nat (DMZ2,OUTSIDE) dynamic 192.25.152.251

(Outbound from inside to outside)
object network INSIDE_dynamic_OUTSIDE
  subnet 192.25.130.0 255.255.255.0
  nat (INSIDE,OUTSIDE) dynamic 192.25.152.250

(Outbound from inside to DMZ1)
object network INSIDE_dynamic_DMZ1
  subnet 192.25.130.0 255.255.255.0
  nat (INSIDE,DMZ1) dynamic 192.25.156.250

STATIC NATs (not successful for inbound access)

(Inbound from outside to DMZ1)
object network OUTSIDE-static_DMZ1
  subnet 192.25.156.0 255.255.255.0
  nat (DMZ1,OUTSIDE) static 192.25.152.252

(Inbound from DMZ2 to INSIDE)
object network DMZ2-static-INSIDE
  subnet 192.25.154.0 255.255.255.0
  nat (INSIDE,DMZ2) static 192.25.130.253

Error message I got when I ssh to "192.25.130.101" (inside server) from the DMZ1 server 192.25.154.107:

Severity: 4   Date: Dec 07 2010   Time: 17:40:53   Syslog ID: 106023
Source: 192.25.154.107/60815   Destination: 192.25.154.101/22
Deny tcp src DMZ2:192.25.154.107/60815 dst INSIDE:192.25.154.101/22 by access-group "DMZ2_INSIDE" [0x0, 0x0]

(Inbound from outside to DMZ2)
object network OUTSIDE-static-DMZ2
  subnet 192.25.154.0 255.255.255.0
  nat (DMZ2, OUTSIDE) static 192.25.152.253

(Error message when I ssh from the external server, which is located on the external interface of the router, to the DMZ2 server 192.25.154.107:)

#ssh 192.25.154.107
   ssh: connect to host 192.25.154.107 port 22: No route to host

   (Note: a route has been added on the external server, and it can ping the external interface of the FW.)

Access Lists

access-list OUTSIDE_IN extended permit tcp any host 192.25.154.107 object-group PORT_GROUP
access-list INSIDE_IN extended permit ip 192.25.130.0 255.255.255.0 any
access-list OUTSIDE_DMZ1 extended permit ip 192.25.156.0 255.255.255.0 192.25.152.0 255.255.255.0
access-list DMZ2_INSIDE extended permit ip 192.25.130.0 255.255.255.0 192.25.154.0 255.255.255.0
access-list DMZ1_INSIDE extended permit ip 192.25.130.0 255.255.255.0 192.25.150.0 255.255.255.0
access-list OUTSIDE_DMZ2 extended permit ip 192.25.154.0 255.255.255.0 192.25.152.0 255.255.255.0

access-group OUTSIDE_DMZ1 in interface OUTSIDE
access-group DMZ2_INSIDE in interface DMZ2
access-group DMZ1_INSIDE in interface DMZ1

Regards,

Michael
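An added check, not part of Michael's post or of any reply: it reads the ACLs, access-group bindings and the 106023 event quoted above (interface subnets taken from the posted interface config), flags ACEs whose source subnet belongs to a different interface than the one they are applied inbound to, or whose destination is that interface's own subnet, and replays the deny against the named ACL. On 8.3 the interface ACL is evaluated against real (untranslated) addresses, which is what the replay assumes.

```python
import ipaddress
import re

# Interface subnets, ACL bindings, ACEs and the 106023 event copied from the thread (constructed input).
IFACES = {n: ipaddress.ip_network(s) for n, s in [("OUTSIDE", "192.25.152.0/24"), ("DMZ1", "192.25.156.0/24"),
                                                  ("DMZ2", "192.25.154.0/24"), ("INSIDE", "192.25.130.0/24")]}
BINDINGS = {"OUTSIDE": "OUTSIDE_DMZ1", "DMZ2": "DMZ2_INSIDE", "DMZ1": "DMZ1_INSIDE"}  # access-group ... in interface
ACLS = """
access-list OUTSIDE_DMZ1 extended permit ip 192.25.156.0 255.255.255.0 192.25.152.0 255.255.255.0
access-list DMZ2_INSIDE extended permit ip 192.25.130.0 255.255.255.0 192.25.154.0 255.255.255.0
access-list DMZ1_INSIDE extended permit ip 192.25.130.0 255.255.255.0 192.25.150.0 255.255.255.0
"""
SYSLOG = ('%ASA-4-106023: Deny tcp src DMZ2:192.25.154.107/60815 dst INSIDE:192.25.154.101/22 '
          'by access-group "DMZ2_INSIDE" [0x0, 0x0]')
ACE_RE = re.compile(r"access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)")
LOG_RE = re.compile(r'Deny (\w+) src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/\d+ by access-group "([^"]+)"')

def parse_aces(text):
    """Map ACL name -> list of (proto, src_net, dst_net) for 'permit <proto> A MASK B MASK' lines."""
    aces = {}
    for name, proto, s, sm, d, dm in ACE_RE.findall(text):
        aces.setdefault(name, []).append(
            (proto, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return aces

def owner(net):
    """Interface whose connected subnet contains net, or None if no interface owns it."""
    return next((n for n, sub in IFACES.items() if net.subnet_of(sub)), None)

def reversed_aces(aces):
    """ACEs that cannot match on the interface they are applied inbound to: packets entering interface X
    are not expected from another interface's subnet, and a flow to X's own subnet never transits the ASA."""
    findings = []
    for ifc, acl in BINDINGS.items():
        for proto, src, dst in aces.get(acl, []):
            src_if, dst_if = owner(src), owner(dst)
            if src_if not in (None, ifc) or dst_if == ifc:
                findings.append((acl, ifc, f"src belongs to {src_if}, dst belongs to {dst_if}"))
    return findings

def explain_deny(line, aces):
    """Replay a 106023 deny against the ACL it names, using the real addresses the log reports."""
    proto, in_if, src, out_if, dst, acl = LOG_RE.search(line).groups()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p, s_net, d_net in aces.get(acl, []):
        if p in ("ip", proto) and src_ip in s_net and dst_ip in d_net:
            return (True, f"{acl}: permit {p} {s_net} {d_net} matches {src}->{dst}")
    return (False, f"{acl} on {in_if}: no ACE matches {src}->{dst}, so the implicit deny applies")
```

Running `reversed_aces(parse_aces(ACLS))` flags all three bound ACLs, and `explain_deny(SYSLOG, ...)` shows why the DMZ2 flow in the quoted event falls through to the implicit deny.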

3 Replies

Kureli Sankar
Cisco Employee

Michael,

There are multiple issues with inbound access from LOW to HIGH and this is ASA 8.3 NAT. For a speedy solution I suggest opening a TAC case.

This thread may go on and on, with people asking for various packet-tracer outputs, syslogs and configs.

-KS

Thanks KS,

I really appreciate your professional answer. Does it mean that people with similar issues should not come and ask in this forum, in order not to waste their time, and should instead always open a ticket at TAC? And also thanks for your very useful answer that the ASA has "multiple issues with inbound access from LOW to HIGH" in the ASA 8.3 NAT. So ASA doesn't recommend inbound access from LOW to HIGH?

Thanks.

Michael,

Sorry. I didn't mean to say there are multiple issues with LOW to HIGH traffic on the 8.3 code.

I meant to say that you seem to have multiple issues (3 that you listed above) that you are trying to address in this thread that may take longer to troubleshoot via the forum.

8.3 is very new, and we from TAC need to gather many outputs before we can solve a case. So, based on experience, I said what I said.

If you read this thread here: https://supportforums.cisco.com/message/3184888#3184888

We went back and forth from Sept 2nd till Sept 16th, and finally I asked the poster to open a case, and I solved the case in 10 min. after getting on the ASA.

So, when I notice or get a sense that it may take a few days before we can arrive at a solution then I suggest that they open a TAC case.

Here are other useful 8.3 links:

Before and after NAT config samples: https://supportforums.cisco.com/docs/DOC-9129

ASA 8.3 NAT video: https://supportforums.cisco.com/videos/1014

All you need to know about 8.3 upgrade: https://supportforums.cisco.com/docs/DOC-12690

ASA 8.3 Asymmetric NAT rules matched for forward and reverse flows https://supportforums.cisco.com/docs/DOC-12569

-KS
