Solved: ASA DMZ to outside (ASDM)

i716 · ‎06-26-2018

I have configured the ASA with 3 interfaces (inside, outside and dmz). Inside and dmz get their IP via DHCP and they’re of course on different subnets. Outside gets its IP from the ISP (PPPoE)

Everythings is working fine except for the DMZ interface which gets the correct IP from the DHCP but is unable to connect to the outside interface.

Since the guest wifi is connected to the DMZ in this setup, it needs to get to the outside (outside to DMZ is not required and only ports for http and https are fine)

Since the DMZ has a higher security level than the outside interface, I believe that no ACLs are required. Just a simple rule as in DMZ -> outside. There is just the guest wifi in the DMZ so not much harm can be done.

I have tried setting up such a rule with the interfaces DMZ and outside but it does not work.

Packet tracer says that the package is dropped by ACL rule. That is very strange.

Any ideas?

i716 · ‎07-01-2018

UPDATE 7/2/2018:

I found the solution:

nat (dmz,outside) after-auto source dynamic any interface

did the trick. No ping, like with the inside interface, Packet Tracer still gives the same error and is complaining that the packet is dropped, but the guest WLAN can connect to the internet! And it can not connect to the main network. That is all I wanted.

If somebody finds the time for it, it would be nice to explain why it didn't work when I tried exactly the same on ADSM but now it works after the CLI command. And also, why is there still an error in the Packet Tracer?

View solution in original post

i716 · ‎06-26-2018

Only solutions how to configure it using ASDM please. No CLI.

johnd2310 · ‎06-26-2018

Hi,

what does your routing table look like?

thanks

John

**Please rate posts you find helpful**

Dennis Mink · ‎06-26-2018

run the asdm packet tracer and simulate a packet from DMZ (wifi) to like 8.8.8.8 on port 80 see how the packet gets treated and see what ACL is applied and what NAT

Please remember to rate useful posts, by clicking on the stars below.

i716 · ‎07-01-2018

@Dennis: Already tried this. See my initial post.

i716 · ‎07-01-2018

Why isn't it possible to just create a rule that allows traffic from the DMZ IP range (let's say 10.0.0.1/24 to the outside interface? I do not need anything else. Just DMZ to outside for normal internet access and no access from DMZ to inside (to prevent guests from accessing devices that are on the inside - let's call this the 192.168.1.1/24 range)

i716 · ‎07-01-2018

As you can see from this list, there is also no rule that specifically allows inside to outside, yet I can access the internet from any device that is connected to the inside interface. And that makes sense, since the inside interface has security 100 whereas the outside interface has security 0. So traffic should be allowed. The same should be true with the DMZ interface. This is really confusing.

Dennis Mink · ‎07-01-2018

how about NAT, are you NATing your DMZ network against a public IP addres on your outside interface on the way out to the internet? Also can you ping the FW from inside the DMZ?

Please remember to rate useful posts, by clicking on the stars below.

i716 · ‎07-01-2018

@Dennis:
Why do I have to NAT anything? It should just allow DMZ to outside. Same as Inside goes to outside. Why do I need other rules? All traffic from DMZ should go to outside.

i716 · ‎07-01-2018

No, I can not ping the ASA from the guest network. Which is good sign since no traffic from the guest network goes to the main network where the ASA is located.
A device connected to the guest wlan also gets an IP assigned from the guest subnet as defined in the dhcp settings. Everythings perfectly normal except that no internet connection can be made.

i716 · ‎07-01-2018

Just in case, here is the running config of the device. There are a few issues with it:

- What is object network NETWORK_OBJ_192.168.1.48_28? I don't use that IP

- Why is the name server 209.244.0.3? I specifically set it to 1.1.1.1

Result of the command: "show running-config"

: Saved
:
ASA Version 8.4(2) 
!
hostname xxxxxx
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport trunk allowed vlan 1,3
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 description OCN
 nameif outside
 security-level 0
 pppoe client vpdn group ISP
 ip address pppoe setroute 
!
interface Vlan3
 description DMZ, Guest Network
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0 
!
ftp mode passive
clock timezone JST 9
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 209.244.0.3
 name-server 1.0.0.1
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.1.48_28
 subnet 192.168.1.48 255.255.255.240
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list AnyConnect_Client_Local_Print extended deny ip any any 
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns 
access-list dmz_access_out remark dmz-outside
access-list dmz_access_out extended permit ip 192.168.2.0 255.255.255.0 interface outside log disable 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool pool1 192.168.1.XX-192.168.1.XX mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.48_28 NETWORK_OBJ_192.168.1.48_28 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group dmz_access_out out interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
http server enable
http 192.168.1.X 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=XXXXXXXX,CN=XXXXXXXX
 keypair ASDM_LAUNCHER
 crl configure
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate XXXXXXX
XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX
....
XXXXXX XXXXXX XXXXXX
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group ISP request dialout pppoe
vpdn group ISP localname XXXXX@one.ocn.ne.jp
vpdn group ISP ppp authentication pap
vpdn username XXXXXXX@one.ocn.ne.jp password ***** 

dhcpd option 6 ip 1.1.1.1
!
dhcpd address 192.168.1.X-192.168.1.XX inside
dhcpd enable inside
!
dhcpd address 192.168.2.XX-192.168.2.XX dmz
dhcpd dns 1.1.1.1 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.X.X /
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_test1 internal
group-policy GroupPolicy_test1 attributes
 wins-server none
 dns-server value 209.244.0.3 1.0.0.1
 vpn-tunnel-protocol ssl-client 
 default-domain none
 split-tunnel-all-dns disable
username XXXX passwordXXXXXtj.XXXXXA encrypted
tunnel-group test1 type remote-access
tunnel-group test1 general-attributes
 address-pool pool1
 default-group-policy GroupPolicy_test1
tunnel-group test1 webvpn-attributes
 group-alias test1 enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:XXXXXXXX2024bdXXXXXXXXX4c3X
: end

johnd2310 · ‎07-01-2018

Hi,

You are using private ip addresses on your network and therefore you need NAT to access the Internet. The inside network is working because you have NAT statements :

object network obj_any
nat (inside,outside) dynamic interface

For the DMZ to access the Internet you need NAT for that interface as well:

object network obj_192.169.2.0
subnet 192.168.2.0 255.255.255.0
nat(dmz, outside) dynamic interface

Thanks

John

**Please rate posts you find helpful**

i716 · ‎07-01-2018

@john
Thank you for your reply.
The internet is now working for the guest network. The Packet Tracer still sees the following issue, however. As long as this does not compromise the security of the main network, it'll be fine cause the following goals are achieved:
-Guest WLAN to internet OK
-Guest WLAN to inside not possible (expected behavior)

Also, can you explain why there are "objects" that refer to IP addresses that I have never used?

(See pic below)

Especially the address ending in .48 and the two odd addresses starting with 224

UPDATE: I have disabled the strange entry referring to IP .48 and it is still working:

UPDATE2: That was for AnyConnect. Disabling this one let's me establish a connection but then I can't access network resources incl Remote Desktop. Still strange since no device uses the .48 IP

i716 · ‎07-01-2018

Here is a screenshot from the NAT Rules and Access Rules. Please don't ask me what the 192.168.1.48_28 rule is, it has just been there but the IP is not used anywhere on my network.

i716 · ‎07-01-2018

UPDATE 7/2/2018:

I found the solution:

nat (dmz,outside) after-auto source dynamic any interface

did the trick. No ping, like with the inside interface, Packet Tracer still gives the same error and is complaining that the packet is dropped, but the guest WLAN can connect to the internet! And it can not connect to the main network. That is all I wanted.

If somebody finds the time for it, it would be nice to explain why it didn't work when I tried exactly the same on ADSM but now it works after the CLI command. And also, why is there still an error in the Packet Tracer?