cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3034
Views
0
Helpful
21
Replies

ASA, inside to dmz access

kegodfrey
Level 1
Level 1

Hi, hope someone can help. I've been working on setting up access from some clients on the inside interface to a host on the dmz. I've been unable to get it working so far. The config is below.

ASA Version 7.0(8)

!

enable password Bte2XWw78iXdJmqt encrypted

passwd Bte2XWw78iXdJmqt encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240 standby x.x.x.x

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.224 255.255.255.0 standby 10.0.0.225

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.901

vlan 901

nameif dmz

security-level 50

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

!

interface Management0/0

description LAN Failover Interface

!

ftp mode passive

access-list dmz-in extended permit icmp any any

access-list dmz-in extended permit ip any host 192.168.1.50 log

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.

0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

failover

failover lan unit primary

failover lan interface LANFAIL Management0/0

failover polltime unit msec 500 holdtime 5

failover polltime interface 3

failover key *****

failover interface ip LANFAIL 172.16.0.1 255.255.255.0 standby 172.16.0.2

icmp permit any inside

icmp permit any dmz

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

access-group dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.0.0.0 255.0.0.0 10.0.0.252 1

route inside 192.168.0.0 255.255.255.0 10.0.0.252 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username administrator password 1V34C/gDgAuBFfnF encrypted privilege 15

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh x.x.x.x 255.255.255.240 outside

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:e3c62475fae1d5ffaf08dc9b5f5a1483

: end

I can see in the log the following when the connection fails when trying icmp form the inside host 10.0.0.92 to the dmz host 192.168.1.50.

%ASA-7-609002: Teardown local-host inside:10.0.0.92 duration 0:00:02

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:02

Any help would be greatly appreciated.

21 Replies 21

lm20ele
Level 1
Level 1

Try adding the inspect icmp to the default global_policy.

ASA# config t

ASA(config)# policy-map global_policy

ASA(config-pmap)# class inspection_default

ASA(config-pmap-c)#inspec icmp

srikantganesh
Level 1
Level 1

Try adding

static(inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

==

Recommend Updating the firewall to the latest version 8.2(1)(Not to resolve this issue but as best practice

looks like you're also missing an ACL on the inside interface

access-list inside-in extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.0.0

access-group inside-in in interface inside

this command "static(inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0" uses static identity NAT for inside address 10.0.0.0 when accesss by dmz. Static identity NAT translates the real IP address to the same IP address. The translation is always active, and both "translated" and remote hosts can originate connections

Thanks for getting back with some recommendations guys. I'm still having problems accessing the DMZ from inside, icmp, rdp or otherwise. The logs are showing this info..

%ASA-7-609002: Teardown local-host inside:10.0.0.92 duration 0:00:02

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:02

Any ideas? Thanks for your help.

after applying the changes, post your config again pls

Thanks, here is the latest config..

enable password Bte2XWw78iXdJmqt encrypted

passwd Bte2XWw78iXdJmqt encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240 standby x.x.x.x

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.224 255.255.255.0 standby 10.0.0.225

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.901

vlan 901

nameif dmz

security-level 50

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

!

interface Management0/0

description LAN Failover Interface

!

ftp mode passive

access-list dmz-in extended permit icmp any any

access-list dmz-in extended permit ip any host 192.168.1.50 log

access-list inside-in extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.

255.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.

0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

failover

failover lan unit primary

failover lan interface LANFAIL Management0/0

failover polltime unit msec 500 holdtime 5

failover polltime interface 3

failover key *****

failover interface ip LANFAIL 172.16.0.1 255.255.255.0 standby 172.16.0.2

icmp permit any inside

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

access-group inside-in in interface inside

access-group dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.0.0.0 255.0.0.0 10.0.0.252 1

route inside 192.168.0.0 255.255.255.0 10.0.0.252 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username administrator password 1V34C/gDgAuBFfnF encrypted privilege 15

username instalec password 19VhLQJ8INTCLvRW encrypted

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:e3c62475fae1d5ffaf08dc9b5f5a1483

: end

[OK]

IDG-ASA#

nat 0 with acl takes precedence over static identity.

You can remove this line:

nat (inside) 0 access-list nonat

Also, this line doesn't make any sense:

access-list dmz-in extended permit ip any host 192.168.1.50 log

If the dmz host listens in port 80 or 23 try tcp connection. Although icmp should work.

sh logg | i 192.168.1.50

and see what that says.

Does 192.168.1.50 have 192.168.1.1 as its gateway?

Does this layer 3 device 10.0.0.252 have a route to the firewall in order to get to 192.168.1.0/24?

remove

access-list dmz-in extended permit ip any host 192.168.1.50 log

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

add

access-list dmz-in extended permit ip 192.168.1.0 255.0.0.0 10.0.0.0 255.255.255.0

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

try it now.

check your routing

route inside 10.0.0.0 255.0.0.0 10.0.0.252 1

route inside 192.168.0.0 255.255.255.0 10.0.0.252 1

for interfaces directly connected to the ASA, you dont need to route for those interfaces. Make sure routing is setup properly. Post a network diagram if you have one so we can see traffic path between inside and dmz..

Thanks for the feedback. Here is the log for the 192.168.1.50 host, it does have 192.168.1.1 as its default gateway and can ping it's default gateway. The routing is in place, hosts on the 10.x subnet(s) have a route to the 192.168.1.0/24 subnet via the inside interface of the ASA.

ip route 192.168.1.0 255.255.255.0 10.0.0.224

As to how it connects, both the inside and dmz interface are connected to the same switch in different vlan's. There is vlan for DMZ, where the only route into it is via the ASA. The inside interface connects into the main VLAN, where the default gateway for the hosts on this vlan is 10.0.0.252. The host 192.168.1.50 can ping the 192.168.1.1 interface, the hosts on the LAN can ping the 10.0.0.224(inside ASA interface) Your assistance is greatly appreciated.

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 19

2.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168

.1.1/0 laddr 192.168.1.1/0

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 19

2.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168

.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/0 gaddr 10.0.0.92

/512 laddr 10.0.0.92/512

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:02

%ASA-7-609001: Built local-host dmz:192.168.1.50

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 19

2.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168

.1.1/0 laddr 192.168.1.1/0

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:00

%ASA-7-609001: Built local-host dmz:192.168.1.50

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 19

2.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168

.1.1/0 laddr 192.168.1.1/0

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:00

%ASA-7-609001: Built local-host dmz:192.168.1.50

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 19

2.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168

.1.1/0 laddr 192.168.1.1/0

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:00

%ASA-7-609001: Built local-host dmz:192.168.1.50

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 19

2.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168

.1.1/0 laddr 192.168.1.1/0

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:00

%ASA-7-609001: Built local-host dmz:192.168.1.50

%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.50/0 gaddr 10.

0.0.92/512 laddr 10.0.0.92/512

looks like the connection is built and allowed.

is your switch doing inter-vlan routing? your ASA is routing the packets between interfaces, your vlans should be a layer vlan without SVI on the switch and just point your PC's gateway to the ASA directly..

The switch is doing inter vlan routing, but not for the dmz vlan 901. The only devices on the dmz vlan 901 are the dmz interface of the ASA and the 192.168.1.50 host. The DMZ vlan is configured only as a L2 vlan and no routed interface exists for it on the switch.

The switch is the default gateway for the 10.x hosts. I dont want to have to change the client PC's default gateway the internal ASA interface, is this necessary?

not necessary. your setup is ok.

Try adding

access-list inside-in extended permit icmp any any

access-list dmz-in extended permit icmp any any

your switch should have ip route 192.168.1.0 255.255.255.0 point to ASA [inside interface]

Your should only route on ASA for prefixes it doesnt know about...

remove this on ASA

route inside 10.0.0.0 255.0.0.0 10.0.0.252 1

remove this..

route inside 192.168.0.0 255.255.255.0 10.0.0.252 1

your need to be more specific when routing to inside. try and add routes for subnets again on ASA you want to route to inside..

and test.....

Review Cisco Networking for a $25 gift card