ASA 9.1 Inside To DMZ Access

mthomas1999
Level 1

Hello, I recently upgraded my ASA from 8.2 to 9.1 (reconfigured from scratch - did not convert the old config) and everything seems to be working fine except for communication between my INTERNAL network and my DMZ.  Any help would be greatly appreciated.  Here's my config below -

:
ASA Version 9.1(1)
!
hostname ZEPPELIN
domain-name MIWEBPORTAL.com
enable password XXXXX
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd FClk4V74ruL1dFGo encrypted
names
!
interface Ethernet0/0
 description ISP-MODEM
 switchport access vlan 20
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 description INTERNAL-NET
 switchport access vlan 19
!
interface Ethernet0/3
 description INTERNAL-NET
 switchport access vlan 19
!
interface Ethernet0/4
 description INTERNAL-NET
 switchport access vlan 19
!
interface Ethernet0/5
 description INTERNAL-NET
 switchport access vlan 19
!
interface Ethernet0/6
 description DMZ
 switchport access vlan 99
!
interface Ethernet0/7
 description DMZ
 switchport access vlan 99
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan19
 description INTERNAL-NET
 nameif MYNETWORK
 security-level 100
 ip address 172.19.19.1 255.255.255.0
!
interface Vlan20
 description DHCP-MODEM-INTERNET
 mac-address XXX
 nameif INTERNET
 security-level 0
 ip address dhcp setroute
!
interface Vlan99
 description DMZ-NET
 no forward interface Vlan19
 nameif MYDMZ
 security-level 50
 ip address 192.168.99.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name MIWEBPORTAL.com
object network MYNETWORK
 subnet 172.19.19.0 255.255.255.0
object network MYDMZ
 subnet 192.168.99.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu MYNETWORK 1500
mtu INTERNET 1500
mtu MYDMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network MYNETWORK
 nat (MYNETWORK,INTERNET) dynamic interface
object network MYDMZ
 nat (MYDMZ,INTERNET) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable 1999
http 172.19.19.0 255.255.255.0 MYNETWORK
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 172.19.19.0 255.255.255.0 MYNETWORK
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 691200
dhcpd ping_timeout 750
!
dhcpd address 172.19.19.18-172.19.19.28 MYNETWORK
dhcpd enable MYNETWORK
!
dhcpd address 192.168.99.9-192.168.99.19 MYDMZ
dhcpd enable MYDMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username XXXX password xxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5c772fc57a4aaf9546d3a28527c1ca06
: end

15 Replies

Jouni Forss
VIP Alumni

Hi,

Which direction are we talking about? Who is initiating the connection?

For the other direction there is an obvious reason: the "no forward interface Vlan19" command.

interface Vlan99
 description DMZ-NET
 no forward interface Vlan19
 nameif MYDMZ
 security-level 50
 ip address 192.168.99.1 255.255.255.0

No host from DMZ can initiate connections to INTERNAL.

INTERNAL however should be able to initiate connections to DMZ.

I guess you have a Base License ASA5505 since it has the limitation that if you want to configure a 3rd interface it will be a DMZ interface from which you have to limit traffic to one of the other two Vlan interfaces.

- Jouni

Bah,

Your topic says it's "inside" to "dmz".

However I can't see a reason why INTERNAL to DMZ initiated connections wouldn't work.

You can use the "packet-tracer" command to simulate some connection though and see what firewall rules it hits and if the connection will pass

For example

packet-tracer input MYNETWORK tcp 172.19.19.100 1234 192.168.99.100 80

- Jouni

Okay thanks, couldn't see why it wouldn't work either.  I will try a packet trace when I get home and post the results.

Do you think this config would allow DMZ access from Internal (suggested from another site)?

object network INTERNAL2DMZ
subnet 172.19.19.0 255.255.255.0

object network INDMZ

172.19.19.0 255.255.255.0

nat (MYNETWORK,MYDMZ) static INTERNAL2DMZ

Hi,

You don't need to configure NAT between 2 local interfaces/networks of the ASA if you specifically don't want any translations.

Both of your existing NAT configurations are for both INTERNAL and DMZ to INTERNET so they shouldn't affect the traffic between INTERNAL and DMZ.

- Jouni

Here are the results of the packet trace from my ASA 5505 (9.1):

ZEPPELIN# packet-tracer input MYNETWORK tcp 172.19.19.29 1234 192.168.99.9 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.99.0    255.255.255.0   MYDMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group MYNETWORK_access_in in interface MYNETWORK
access-list MYNETWORK_access_in extended deny ip object Media-PC any
Additional Information:

Result:
input-interface: MYNETWORK
input-status: up
input-line-status: up
output-interface: MYDMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ZEPPELIN#

Hi,

The configuration you copy/pasted in the original post doesn't have any mention of an ACL.

The "packet-tracer" in this case says clearly that this traffic is blocked by an interface ACL.

Specifically an ACL rule:

access-list MYNETWORK_access_in extended deny ip object Media-PC any

And it's attached to the MYNETWORK interface with the command

access-group MYNETWORK_access_in in interface MYNETWORK

- Jouni

Okay, I added that ACL to block internet from my Media-PC. If I remove that rule it should allow access to MYDMZ?  I'm pretty sure I tested access to my DMZ before I added that rule.

Hi,

If you block traffic with "deny ip object any" it will block any TCP/UDP traffic to anywhere no matter what the destination IP address.

So if you don't have any rule before that rule to allow traffic from MYNETWORK to MYDMZ then that rule will block any traffic the host initiates.

You would need to have the following rules to first allow traffic to DMZ and then block all other traffic:

access-list MYNETWORK_access_in remark Allow traffic from Media-PC to MYDMZ
access-list MYNETWORK_access_in extended permit ip object Media-PC 192.168.99.0 255.255.255.0
access-list MYNETWORK_access_in remark Deny all other traffic from Media-PC
access-list MYNETWORK_access_in extended deny ip object Media-PC any

- Jouni

How do I keep that ACL in place and allow access to the DMZ?

Hi,

If you add the rules I mentioned in the earlier reply to the top of the ACL mentioned then Media-PC could access DMZ but nothing else past the ASA.

- Jouni
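Jouni's point about rule order, as an added Python model of the ASA's top-down, first-match interface ACL evaluation (not code from the thread or from the ASA itself). It assumes 172.19.19.29 is the Media-PC host, since that is the source the packet-tracer run shows matching the Media-PC entry, and the ACL lists are constructed from the entries quoted in the thread.

```python
import ipaddress

# Assumed: 172.19.19.29 is the Media-PC, because the packet-tracer run in the
# thread shows that source matching the "deny ip object Media-PC any" entry.
MEDIA_PC = ipaddress.ip_network("172.19.19.29/32")
DMZ_NET = ipaddress.ip_network("192.168.99.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed ACLs as lists of (action, source, destination). Every entry in
# the thread is "ip", so protocol and ports are deliberately not modelled.
ORIGINAL_ACL = [("deny", MEDIA_PC, ANY)]                               # entry packet-tracer hit
FIXED_ACL = [("permit", MEDIA_PC, DMZ_NET), ("deny", MEDIA_PC, ANY)]    # Jouni's ordering
WRONG_ORDER = [("deny", MEDIA_PC, ANY), ("permit", MEDIA_PC, DMZ_NET)]  # permit never reached

def first_match(acl, src, dst):
    """Index of the entry that decides the flow, or None if it reaches the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (_, src_net, dst_net) in enumerate(acl):
        if s in src_net and d in dst_net:
            return i
    return None

def evaluate(acl, src, dst):
    """Return "permit" or "deny" for a flow entering the MYNETWORK interface.

    acl is None: no ACL applied, so the ASA permits traffic from the
    higher-security interface (level 100) to the lower one (MYDMZ, level 50).
    Otherwise entries are checked top-down and the first match wins; a flow
    that matches no entry hits the implicit deny at the end of every interface ACL.
    """
    if acl is None:
        return "permit"
    i = first_match(acl, src, dst)
    return acl[i][0] if i is not None else "deny"

if __name__ == "__main__":
    for name, acl in (("no ACL", None), ("original", ORIGINAL_ACL),
                      ("fixed", FIXED_ACL), ("wrong order", WRONG_ORDER)):
        print(f"{name:12} Media-PC -> DMZ host 192.168.99.9: "
              f"{evaluate(acl, '172.19.19.29', '192.168.99.9')}")
    # Once any ACL is applied, other MYNETWORK hosts need their own permit too.
    print("fixed        172.19.19.100 -> DMZ:",
          evaluate(FIXED_ACL, "172.19.19.100", "192.168.99.9"))
```

The last case is the practical caveat: as soon as an ACL is applied to MYNETWORK, hosts other than Media-PC are no longer covered by the security-level default and fall through to the implicit deny unless they get their own permit entry.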

Okay thank you very much, I will give it a try when I get home and post the results.

So I tried adding the rules mentioned above and managed to lock myself out of the ASA and it started acting very weird.  Sometimes I could ping the ASA gateway and sometimes I couldn't.  Also, ASDM would not load anymore so I consoled in and did a write erase. I redid the config with NO ACLS and the config is now back to what is posted.  I still have NO DMZ access from the internal network.

Hi,

If you have the configuration from the original post with no ACLs configured to the interfaces then you should be able to connect from MYNETWORK hosts to MYDMZ hosts.

If you are using ICMP/PING to test traffic between hosts I would suggest configuring the following setting:

policy-map global_policy
 class inspection_default
  inspect icmp

Specifically the "inspect icmp", which allows ICMP Echo replies back automatically.

- Jouni
