ASA5505 DMZ Host

How can I get DMZ hosts to be able to access the Internet via the Outside interface of my ASA5505? I am using the DMZ to allow temp guest access to the Internet.

Here is my configuration and it can be changed as needed.

User Access Verification

Password:
Type help or '?' for a list of available commands.
ciscoasa> ena
Password: *******
ciscoasa# sho run
: Saved
:
ASA Version 8.0(4)
!

interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.39 255.255.255.0
!
interface Vlan8
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.31.10.1 255.255.255.0
!
interface Vlan11
nameif outside
security-level 0
ip address 24.172.82.xxx 255.255.255.252
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 11
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 8
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name asa
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object udp
protocol-object tcp
access-list dmz extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 24.172.85.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.31.10.10-172.31.10.254 dmz
dhcpd dns 24.25.4.106 24.25.4.107 interface dmz
dhcpd lease 7200 interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
!
!
prompt hostname context
Cryptochecksum:03882db7c1560e226de0ec2e1bc5723a
: end
ciscoasa#

10 Replies

mirober2 (Cisco Employee)

Hi Ronald,

The only thing your config is missing is NAT/PAT to translate the private IP addresses used by the DMZ hosts to a public one that can be routable on the Internet. You can set up a basic interface PAT by adding this line:

nat (dmz) 101 0.0.0.0 0.0.0.0

That line will translate all DMZ hosts to the outside interface IP address when they access the Internet.

Hope that helps.

-Mike
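The pre-8.3 NAT model Mike is describing pairs a `nat (interface) <id>` statement with a `global (outside) <id>` pool of the same id; an interface with no `nat` statement (or with `nat 0` and no access-list, which is identity NAT) sends its hosts out untranslated. The script below is an added example, not Cisco's code and not a tool from this thread: it runs those pairing checks over the NAT-relevant lines of the configuration posted above and also checks that the default-route next hop lies in the outside interface's subnet. The outside address is obscured as `24.172.82.xxx` in the post, so `.2` is assumed here; note that as posted the next hop `24.172.85.161` is not in a `24.172.82.x/30` network, which is either an artifact of the poster editing addresses or a real problem that `show route` would reveal.

```python
"""Sanity checks for pre-8.3 ASA 'nat'/'global' pairs and the default route.
Added example; it is not Cisco code and not something from the thread."""
import ipaddress
import re

# Constructed input: the NAT-relevant lines of the posted config. The obscured
# outside octet 'xxx' is an assumption here (replaced by .2 so it parses).
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.39 255.255.255.0
!
interface Vlan8
 nameif dmz
 security-level 50
 ip address 172.31.10.1 255.255.255.0
!
interface Vlan11
 nameif outside
 security-level 0
 ip address 24.172.82.2 255.255.255.252
!
global (outside) 101 interface
nat (inside) 0 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 24.172.85.161 1
"""

NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (.+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (.+)")
ROUTE_RE = re.compile(r"route (\w+) (\S+) (\S+) (\S+)")


def parse(config):
    """Return (interfaces, nats, globals, default_route) from config text."""
    interfaces, nats, globals_, default_route = {}, {}, {}, None
    block = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            block = {}
        elif line.startswith("nameif "):
            block["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            block["ip"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if "nameif" in block and "ip" in block:
            interfaces[block["nameif"]] = block["ip"]
        if m := NAT_RE.match(line):
            # pool id 0 with no access-list is identity NAT: no translation
            nats.setdefault(m[1], []).append((int(m[2]), m[3].startswith("access-list")))
        elif m := GLOBAL_RE.match(line):
            globals_[(m[1], int(m[2]))] = m[3]
        elif m := ROUTE_RE.match(line):
            if m[2] == "0.0.0.0" and m[3] == "0.0.0.0":
                default_route = (m[1], ipaddress.IPv4Address(m[4]))
    return interfaces, nats, globals_, default_route


def check(config):
    """List reasons hosts behind each non-egress interface may not reach the Internet."""
    interfaces, nats, globals_, default_route = parse(config)
    if default_route is None:
        return ["route: no default route configured"]
    egress, gateway = default_route
    findings = []
    for name, addr in interfaces.items():
        if name == egress:
            continue
        rules = nats.get(name, [])
        if not rules:
            findings.append(f"{name}: no nat statement; {addr.network} leaves untranslated")
        for pool_id, has_acl in rules:
            if pool_id == 0 and not has_acl:
                findings.append(f"{name}: nat 0 is identity NAT; {addr.network} leaves untranslated")
            elif pool_id != 0 and (egress, pool_id) not in globals_:
                findings.append(f"{name}: nat id {pool_id} has no matching global ({egress}) {pool_id}")
    if gateway not in interfaces[egress].network:
        findings.append(f"route: next hop {gateway} is not in {interfaces[egress].network} on {egress}")
    return findings


if __name__ == "__main__":
    print("as posted:", *check(POSTED_CONFIG), sep="\n  ")
    fixed = POSTED_CONFIG + "nat (dmz) 101 0.0.0.0 0.0.0.0\n"
    print("with the suggested nat (dmz) line:", *check(fixed), sep="\n  ")
```

Adding the suggested `nat (dmz) 101 0.0.0.0 0.0.0.0` clears the dmz finding; the `inside` finding is expected if inside hosts use some other path to the Internet, and is a real problem only if they are meant to go out through this ASA too. Two points on the posted config that this check does not cover: `access-list dmz extended permit ip any any` is defined but never applied with `access-group`, which is fine for guest use because the dmz security level of 50 already blocks dmz-initiated traffic toward inside (100); applying that ACL to the dmz interface would open the guest VLAN to the inside network. And `telnet 0.0.0.0 0.0.0.0 inside` permits cleartext management from any inside host; SSH is the usual replacement.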

I have added that and can see via debugging that the connection is established. I am using a TWC Business class modem at the connection to the Internet and my Outside port. If I put the old NetGear box back in place instead of the ASA I can get on the Internet. I know all the static IP information from TWC, but cannot get any web browsing. Via a packet trace I can see that the next hop is the TWC modem. Am I correct that the Outside static route of 0.0.0.0 0.0.0.0 is via the same gateway I would configure on the NetGear box of 24.172.85.xxx?

Hi Ronald,

Yes, you are correct. The static route should be the same gateway as what you had configured on the Netgear box.

If you see the connection being established and the packet tracer confirms this then the ASA's rules are all correct. Did you reboot the modem/TWC router after connecting the ASA? You'll need to do this so that the TWC equipment re-learns the MAC address of your outside IP address (since it will be changing from the Netgear MAC to the ASA MAC).

-Mike

This is what I get when I try to browse from a client on the DMZ to a web address.

Hi Ronald,

As you noted, the logs show that the connection is being built. I see DNS queries from your clients going out to your ISP's DNS server and see that the translation is working correctly. It looks like all of the ASA rules are correct.

Have you tried rebooting the ISP's equipment after connecting the ASA?

-Mike

I have rebooted the ISP equipment. Left it off for about 5 minutes and the turned it back on.

Hi Ronald,

In that case, you should set up packet captures on the outside interface to see if there is bidirectional traffic. You can do something simple like this:

capture outside interface outside match udp any any eq 53

Then, try to browse to the Internet again and check the output of 'show capture outside'.

-Mike
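The capture Mike suggests settles which side of the outside interface the fault is on: packets leaving with the PAT address as source prove the ASA's NAT and routing are doing their job, and the absence of any packet addressed back to that address points upstream. The script below is an added example (not Cisco code and not from this thread) that makes that decision from `show capture` text. The two capture samples are constructed in the line format the ASA prints, not the poster's actual output, and `24.172.82.2` again stands in for the obscured outside address.

```python
"""Decide from 'show capture' output whether outside-interface traffic is
bidirectional. Added example; capture text below is constructed."""
import re
from collections import Counter

# One packet line as printed by 'show capture <name>':
#   "   1: 10:21:03.115842 24.172.82.2.1027 > 24.25.4.106.53:  udp 33"
PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+(udp|tcp)\b.*$"
)

# Constructed: three DNS queries leave via the interface PAT address and
# nothing comes back, the situation the accepted answer describes.
NO_REPLIES = """\
3 packets captured
   1: 10:21:03.115842 24.172.82.2.1027 > 24.25.4.106.53:  udp 33
   2: 10:21:03.116012 24.172.82.2.1028 > 24.25.4.107.53:  udp 33
   3: 10:21:08.117301 24.172.82.2.1027 > 24.25.4.106.53:  udp 33
3 packets shown
"""

# Constructed: the healthy case, with an answer to the query.
WITH_REPLIES = """\
2 packets captured
   1: 10:21:03.115842 24.172.82.2.1027 > 24.25.4.106.53:  udp 33
   2: 10:21:03.139508 24.25.4.106.53 > 24.172.82.2.1027:  udp 116
2 packets shown
"""


def analyze(capture_text, outside_ip):
    """Count packets sent from / received by outside_ip and list peers that never answered."""
    sent = Counter()      # (peer ip, peer port) -> packets out
    received = Counter()  # (peer ip, peer port) -> packets back
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # header/footer lines such as "3 packets captured"
        src, sport, dst, dport = m.group(1), m.group(2), m.group(3), m.group(4)
        if src == outside_ip:
            sent[(dst, dport)] += 1
        elif dst == outside_ip:
            received[(src, sport)] += 1
    silent = sorted(f"{ip}:{port}" for (ip, port) in sent if (ip, port) not in received)
    return {
        "sent": sum(sent.values()),
        "received": sum(received.values()),
        "bidirectional": bool(sent) and bool(received),
        "silent_peers": silent,
    }


def verdict(result):
    """Turn the counts into the next troubleshooting step."""
    if result["sent"] == 0:
        return "nothing left the outside interface: check NAT and routing on the ASA"
    if not result["bidirectional"]:
        return "queries leave but no replies return: the problem is upstream of the ASA"
    return "bidirectional: the path works"


if __name__ == "__main__":
    for label, text in (("no replies", NO_REPLIES), ("with replies", WITH_REPLIES)):
        r = analyze(text, "24.172.82.2")
        print(f"{label}: sent={r['sent']} received={r['received']} "
              f"silent={r['silent_peers']} -> {verdict(r)}")
```

Filtering the capture on `udp ... eq 53` as Mike did keeps the output small and picks the first thing a browser does (resolve a name), so a missing reply here is visible before any TCP handshake is attempted; widening the match to `ip any any` on the same interface is the next step if DNS replies do arrive but web traffic still fails.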

I get this in the capture log.

Hi Ronald,

As we thought, there is no return traffic coming back from the ISP to the ASA. I would suggest calling your ISP and asking them to confirm that they received your traffic, or why they are not sending the return traffic back to the ASA.

-Mike

Will do and thanks for all of your input.
