ASA 5510 , web server behind DMZ,,,,internet access issue

redasaleh
Level 1

Hi all,

I am new to the ASA. I have installed an ASA 5510 to do the following configuration:

1) Internet (outside): my ISP gave me the public range 78.138.xx.xx/24.

2) My LAN clients (inside) are 192.168.3.0/24; they are supposed to access the Internet.

3) My web server (DMZ) is 10.7.240.2; it should be reachable from outside (http, https, smtp, pop3, ftp).

Now, what I did: my LAN clients can access the Internet, but my web server cannot.

I used the following scenario to do the configuration, but it seems something is missing.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#inspect

Please help me to fix my configuration:

1> to allow/NAT my web server to be accessed from the Internet, and vice versa

2> to allow users/clients from inside to access the Internet

3> to fix security issues


7 Replies

Hi,

The reason that internal clients can access Internet is because you have NAT configured:

nat (inside) 1 192.168.3.0 255.255.255.0

You will need NAT for the DMZ:

nat (DMZ) 1 10.7.240.0 255.255.255.0

To make the server in the DMZ accessible from the outside (the mapped interface must be the configured nameif, "outside" here, not "out"):

static (DMZ,outside) tcp PUBLIC_IP 80 10.7.240.2 80

static (DMZ,outside) tcp PUBLIC_IP 443 10.7.240.2 443

static (DMZ,outside) tcp PUBLIC_IP 25 10.7.240.2 25

and so on...

Federico.

Hi Federico,

Thank you for your fast reply. I tried to do that but I got an error:

ciscoasa(config)# nat (DMZ) 1 10.7.240.0 255.255.255.0
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

ciscoasa(config)# sh run nat
nat (inside) 1 192.168.3.0 255.255.255.0 dns
nat (DMZ) 1 10.7.240.0 255.255.255.0

Please check these screenshots.

So there is nothing I can do, even using ASDM.

Can you please help?

ciscoasa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.1(1)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "disk0:/asa802-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 day 16 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Thanks in advance.

Hi,

In the show run you posted in the initial message you have OUTSIDE and DMZ at the same security level, so I would change the OUTSIDE security level to 0, or to something lower than DMZ.

If you want to leave them at the same level then you need this command in global config: same-security-traffic permit inter-interface

and in that case there is no need for ACLs or NAT for DMZ to communicate with OUTSIDE, but don't forget your static NAT for OUTSIDE to DMZ along with an ACL.

Regards.

Don't forget to rate helpful posts.

When you do ''sh run'' it's showing the command as accepted:
nat (DMZ) 1 10.7.240.0 255.255.255.0

This is all you need to allow Internet access to the DMZ.
Can you check that?

Federico.

Hi,

As I said before your problem comes from same security level on DMZ and OUTSIDE.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi everybody,

Alain, Federico, thank you very much. You are right, Alain, it was the security level. Now I have Internet access on my web server, but the clients cannot access my server!!!!! I am writing this reply from my server. What to do in this case?

Check this:

These are all my access lists (I want to keep only the ones necessary for my scenario: access to the server from the Internet + Internet access for my clients).

Green = to be retained

Red = to be removed

access-list OUTSIDE extended permit object-group My_Services any host 78.138.55.40
access-list OUTSIDE extended permit icmp host 78.138.55.40 any
access-list OUTSIDE extended permit udp host 78.138.55.40 any
access-list OUTSIDE extended permit object-group My_Services 10.7.240.0 255.255.255.0 any
access-list OUTSIDE extended permit object-group My_Services host 78.138.55.40 any
access-list OUTSIDE extended permit object-group My_Services any any
access-list OUTSIDE extended permit tcp any any
access-list OUTSIDE extended permit ip any any
access-list OUTSIDE extended permit tcp any host 78.138.55.40

access-list DMZ_out extended permit object-group My_Services any any
access-list DMZ_out extended permit tcp any any
access-list DMZ_out extended permit ip any any

access-list DMZ_in extended permit object-group My_Services any any
access-list DMZ_in extended permit ip any host 10.7.240.2
access-list DMZ_in extended permit tcp any host 10.7.240.2
access-list DMZ_in extended permit ip host 10.7.240.2 any
access-list DMZ_in extended permit tcp host 10.7.240.2 any
access-list DMZ_in extended permit tcp any any
access-list DMZ_in extended permit ip any any

access-list INSIDE extended permit object-group My_Services 192.168.3.0 255.255.255.0 any
access-list INSIDE extended permit object-group My_Services any 192.168.3.0 255.255.255.0
access-list INSIDE extended permit object-group My_Services any any

access-list DNSINCAP extended permit ip host 192.168.3.2 host 8.8.8.8
access-list DNSINCAP extended permit ip host 192.168.3.2 host 83.229.66.20
access-list DNSINCAP extended permit ip host 8.8.8.8 host 192.168.3.2
access-list DNSINCAP extended permit ip host 83.229.66.20 host 192.168.3.2

access-list DNSOUTCAP extended permit ip host 8.8.8.8 host 78.138.55.40
access-list DNSOUTCAP extended permit ip host 83.229.66.20 host 78.138.55.40
access-list DNSOUTCAP extended permit ip host 8.8.8.8 host 78.138.55.1
access-list DNSOUTCAP extended permit ip host 83.229.66.20 host 78.138.55.1
access-list DNSOUTCAP extended permit ip host 78.138.55.40 host 8.8.8.8
access-list DNSOUTCAP extended permit ip host 78.138.55.40 host 83.229.66.20
access-list DNSOUTCAP extended permit ip host 78.138.55.1 host 8.8.8.8
access-list DNSOUTCAP extended permit ip host 78.138.55.1 host 83.229.66.20

access-list DMZ_nat_outbound extended permit object-group My_Services 10.7.240.0 255.255.255.240 any
access-list DMZ_nat_static_1 extended permit tcp host 10.7.240.2 eq https any
access-list DMZ_nat_static extended permit tcp host 10.7.240.2 eq www any
access-list outside_nat_static extended permit tcp host 78.138.55.40 eq www any

thank you again
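The post above marks entries green (keep) or red (remove), but the colours do not survive as text. The following is an added example, not code from the thread or from Cisco, that reproduces that triage for the OUTSIDE list by parsing the pre-8.3 `access-list ... extended` lines exactly as posted and judging each one against the stated goal, "only My_Services to the published server". Assumptions, labelled in the code: the OUTSIDE ACL is bound inbound on the outside interface (the post shows no access-group line), the published address 78.138.55.40 and the group name My_Services are taken from the post, and the OUTSIDE_ACL lines are copied from it.

```python
"""Triage of the OUTSIDE access-list posted above (added example, not code
from the thread). Parses pre-8.3 extended ACEs and reports keep/remove/review
for a policy of "publish one server for one service group".
Assumptions: the OUTSIDE ACL is bound inbound on the outside interface; the
published address 78.138.55.40 and group My_Services come from the post."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}   # tokens each operator consumes


@dataclass
class Addr:
    kind: str                       # any | host | subnet | object-group
    value: Optional[str] = None     # address, network or group name
    mask: Optional[str] = None      # only for kind == "subnet"


@dataclass
class Ace:
    acl: str
    action: str
    proto: str                      # ip | tcp | udp | icmp | "object-group NAME"
    src: Addr
    dst: Addr
    text: str


def _addr(t: List[str], i: int) -> Tuple[Addr, int]:
    if t[i] == "any":
        return Addr("any"), i + 1
    if t[i] in ("host", "object-group"):
        return Addr(t[i], t[i + 1]), i + 2
    return Addr("subnet", t[i], t[i + 1]), i + 2              # "network mask"


def _skip_ports(t: List[str], i: int) -> int:
    return i + PORT_OPS[t[i]] if i < len(t) and t[i] in PORT_OPS else i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    if t[4] == "object-group":                                 # service group used as protocol
        proto, i = "object-group " + t[5], 6
    else:
        proto, i = t[4], 5
    src, i = _addr(t, i)
    i = _skip_ports(t, i)                                      # e.g. "eq https" after the source
    dst, i = _addr(t, i)
    return Ace(t[1], t[3], proto, src, dst, line)


def audit_ace(ace: Ace, published: str, self_ips: Set[str], group: str) -> Tuple[str, str]:
    """Verdict for one ACE on traffic entering from the Internet: keep | remove | review."""
    if ace.action != "permit":
        return "keep", "deny entries do not widen the policy"
    if ace.src.kind == "any" and ace.dst.kind == "any":
        return "remove", f"permit {ace.proto} any any exposes every static mapping on every port"
    if ace.src.kind == "host" and ace.src.value in self_ips:
        return "remove", "source is our own public address; a packet from the Internet carrying it is spoofed"
    if ace.dst.kind == "host" and ace.dst.value == published:
        if ace.proto == "object-group " + group:
            return "keep", f"exactly {group} to the published server"
        return "review", f"reaches the published server with '{ace.proto}', wider than {group}"
    return "review", "does not reference the published server"


def audit_acl(lines: List[str], name: str, published: str, self_ips: Set[str], group: str):
    """Return [(verdict, reason, line)] for the ACEs belonging to ACL `name`."""
    out = []
    for line in lines:
        ace = parse_ace(line)
        if ace.acl == name:
            out.append((*audit_ace(ace, published, self_ips, group), ace.text))
    return out


# Copied from the post (OUTSIDE list only).
OUTSIDE_ACL = [
    "access-list OUTSIDE extended permit object-group My_Services any host 78.138.55.40",
    "access-list OUTSIDE extended permit icmp host 78.138.55.40 any",
    "access-list OUTSIDE extended permit udp host 78.138.55.40 any",
    "access-list OUTSIDE extended permit object-group My_Services 10.7.240.0 255.255.255.0 any",
    "access-list OUTSIDE extended permit object-group My_Services host 78.138.55.40 any",
    "access-list OUTSIDE extended permit object-group My_Services any any",
    "access-list OUTSIDE extended permit tcp any any",
    "access-list OUTSIDE extended permit ip any any",
    "access-list OUTSIDE extended permit tcp any host 78.138.55.40",
]

if __name__ == "__main__":
    for verdict, reason, line in audit_acl(OUTSIDE_ACL, "OUTSIDE", "78.138.55.40",
                                           {"78.138.55.40"}, "My_Services"):
        print(f"{verdict:6} {line}\n       {reason}")
```

Only the first entry survives as "keep"; the two `any any` permits and the three entries whose source is the published address itself are "remove", and the rest are "review" because they either reach the server with plain tcp (wider than the group) or do not involve it at all. The same parser runs over the DMZ_in and INSIDE lists with a different published host and group.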

Hi,

So now DMZ ---> Internet is OK, but Internet ---> DMZ is not OK? Or inside <-------> not OK?

Please forget about the static NAT from outside to DMZ that your ASDM picture was showing: get rid of it.

If you want DMZ ---> Internet, then nat (DMZ) 1 and global (outside) 1 and an ACL.

If you want Internet ---> DMZ, then static (DMZ,outside) and an ACL.

If you want inside ---> DMZ, then static (DMZ,inside) and an ACL.

If you want inside ---> outside, then nat (inside) and global (outside) and an ACL.

Regards.

Don't forget to rate helpful posts.
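The fix that worked in this thread was lowering OUTSIDE below DMZ, and the earlier `nat (DMZ) 1` warning ("Binding inside nat statement to outermost interface") is the same symptom: with DMZ and OUTSIDE at equal levels, DMZ counted as an outermost interface, so there was nothing lower to translate towards. The following is an added example, not code from the thread or from Cisco, that models the pre-8.3 security-level rule the replies rely on: a flow may start from a higher-security interface to a lower one without an ACL; lower to higher needs a permit in the ACL bound inbound on the lower interface; equal levels are dropped unless `same-security-traffic permit inter-interface` is set; and once an access-group is bound inbound on an interface, that ACL decides for every flow entering it. The interface names inside/DMZ/OUTSIDE, the levels 100/50/0 and the flow tags are assumptions; the post only shows that DMZ and OUTSIDE started at the same level.

```python
"""Pre-8.3 ASA interface security-level logic (added example, not code from
the thread). Levels 100/50/0, the interface names and the flow tags are
assumptions; the post only shows DMZ and OUTSIDE were at the same level."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Asa:
    levels: Dict[str, int]                       # nameif -> security-level
    same_security_inter: bool = False            # same-security-traffic permit inter-interface
    # nameif -> flow tags permitted by the access-group bound inbound ("in") on it
    inbound_acl: Dict[str, Set[str]] = field(default_factory=dict)

    def flow_allowed(self, src_ifc: str, dst_ifc: str, flow: str) -> Tuple[bool, str]:
        """Decide whether a new connection entering src_ifc towards dst_ifc is accepted."""
        s, d = self.levels[src_ifc], self.levels[dst_ifc]
        acl: Optional[Set[str]] = self.inbound_acl.get(src_ifc)
        if s == d and not self.same_security_inter:
            return False, f"{src_ifc} and {dst_ifc} share level {s}; inter-interface traffic denied"
        if acl is not None:
            # A bound access-group replaces the implicit level-based policy (implicit deny at end).
            if flow in acl:
                return True, f"permitted by the ACL bound inbound on {src_ifc}"
            return False, f"denied by the ACL bound inbound on {src_ifc} (implicit deny)"
        if s > d or (s == d and self.same_security_inter):
            return True, f"implicit permit: {src_ifc}({s}) -> {dst_ifc}({d})"
        return False, f"{src_ifc}({s}) -> {dst_ifc}({d}) needs a permit in an inbound ACL on {src_ifc}"


def before_fix() -> Asa:
    # OP's starting point as described: DMZ and OUTSIDE at the same level (assumed 50), no ACL bound.
    return Asa(levels={"inside": 100, "DMZ": 50, "OUTSIDE": 50})


def after_fix() -> Asa:
    # OUTSIDE lowered to 0 and only the published services permitted inbound on OUTSIDE.
    return Asa(
        levels={"inside": 100, "DMZ": 50, "OUTSIDE": 0},
        inbound_acl={"OUTSIDE": {"My_Services->78.138.55.40"}},
    )


if __name__ == "__main__":
    cases = (("DMZ", "OUTSIDE", "http->internet"),
             ("OUTSIDE", "DMZ", "My_Services->78.138.55.40"),
             ("OUTSIDE", "DMZ", "ssh->10.7.240.2"),
             ("inside", "DMZ", "http->10.7.240.2"))
    for label, asa in (("before", before_fix()), ("after", after_fix())):
        for src, dst, flow in cases:
            ok, why = asa.flow_allowed(src, dst, flow)
            print(f"{label:6} {src:>7} -> {dst:<7} {flow:26} {'PASS' if ok else 'DROP'}  {why}")
```

Before the fix every DMZ/OUTSIDE flow is dropped by the equal-level rule regardless of NAT; after it, DMZ reaches the Internet by implicit permit and the Internet reaches the DMZ only for the flow the OUTSIDE ACL names. The model also shows why Alain's alternative works: `same_security_inter=True` with equal levels behaves like higher-to-lower, so no ACL is needed for DMZ ---> OUTSIDE.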