Cisco 501 ASA/PIX configuration

Famous_20
Level 1

I'm having trouble configuring an ASA into a network solution. We have a 501 with the outside interface on 10.24.10.1, the inside interface as 172.18.10.1, and a DMZ on 192.168.1.1. In the DMZ there is an HTTP/FTP/TFTP server connected to 192.168.1.2 on a virtual machine. When on a machine configured to 172.18.10.10 I can ping to the outside interface but not the DMZ. When I am in the DMZ the PIX does block traffic to the inside, but I can't reach the outside interface. When on the outside I am blocked from the inside, but also blocked from the DMZ. I will post the config file below. Any thoughts?

Group10(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname Group10
enable password 8zN2iKai1VxwjKWN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address 10.24.10.2 255.255.255.0
!
interface Ethernet1
no nameif
security-level 0
no ip address
!
interface Ethernet1.1
description DMZ
vlan 100
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1.2
description INSIDE
vlan 200
nameif INSIDE
security-level 100
ip address 172.18.10.1 255.255.255.0
!
interface Ethernet2
no nameif
security-level 50
no ip address
!
ftp mode passive
object-group service webservices tcp
port-object eq www
port-object eq https
port-object eq ftp
access-list external extended permit tcp 10.0.0.0 255.0.0.0 any eq ftp
access-list external extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list internal extended permit ip any any
access-list internal extended permit udp host 172.18.10.1 any eq tftp
access-list dmz extended permit ip any any
no pager
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any DMZ
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
static (DMZ,OUTSIDE) 10.24.10.3 192.168.1.2 netmask 255.255.255.255
access-group external in interface OUTSIDE
access-group internal out interface OUTSIDE
access-group dmz in interface DMZ
access-group internal in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.24.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access INSIDE
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:774c3a24ef1b4127f4c630cc8fee1c1c
: end

22 Replies

Hello Eric

In PIX, you need to have NAT for interface-to-interface communication. Let us start troubleshooting with inside-to-DMZ communication.

Can you do the following and let me know the result?

static (INSIDE,DMZ) 10.24.10.0 10.24.10.0 netmask 255.255.255.0

static (DMZ,INSIDE) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

regards

Harish

Thanks for replying, Harish. I added those two lines to the config, but I still can't ping 192.168.1.1. I can still get to the outside (10.24.10.1), but not the DMZ.

Hello Eric,

By design you will not be able to ping 192.168.1.1, but you should be able to ping any DMZ servers based on the above NAT and proper permission from the DMZ back to the inside.

Harish.

Ok, I tried pinging from the 172.18.10.10 to the CentOS server at 192.168.1.2, but the request timed out. Should I remove anything from the original config after adding those two lines?

Hello Eric

Sorry, my mistake.

Please remove the line below and add the new NAT line as follows:

no static (INSIDE,DMZ) 10.24.10.0 10.24.10.0 netmask 255.255.255.0

static (INSIDE,DMZ) 172.18.10.0 172.18.10.0 netmask 255.255.255.0

regards

Harish.

OK, that was done, but the ping request still times out.

Oh, I was also looking at the routing table; am I correct to assume that the 192.168.1.0/24 network will not appear here?

Hello Eric,

It should appear in the routing table as connected. See whether the DMZ interface is up and running. If yes, also please see

'show conn' while you are pinging the server.

Regards

Harish.

OK, the DMZ interface shows as up. I set a continuous ping and did the show conn, and the reply was: 0 in use, 310 most. This is the routing table for the 172.18.10.10 machine:

Hello Eric,

Can you take 'show xlate' and 'show route' from the PIX and post them?

regards

Harish

OK, this is the xlate:

Group10(config)# show xlate
3 in use, 321 most used
Global 192.168.1.0 Local 192.168.1.0
Global 172.18.10.0 Local 172.18.10.0
Global 10.24.10.3 Local 192.168.1.2

and this is the show route:

Group10(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.24.10.2 to network 0.0.0.0

C    172.18.10.0 255.255.255.0 is directly connected, INSIDE
C    10.24.10.0 255.255.255.0 is directly connected, OUTSIDE
C    192.168.1.0 255.255.255.0 is directly connected, DMZ
S*   0.0.0.0 0.0.0.0 [1/0] via 10.24.10.2, OUTSIDE

Hello Eric,

Everything looks good now.

As a last try, can you try to remove

no static (DMZ,INSIDE) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Also, did you try to access any other port, other than pinging?

regards

Harish.

Hi Eric,

You would need this NAT configuration to make it work:

For Inside to DMZ ping:

nat (inside) 1 172.18.10.0 255.255.255.0

global (DMZ) 1 interface

For DMZ to inside ping:

Static (inside,DMZ) 172.18.10.0 172.18.10.0 netmask 255.255.255.0

For DMZ to outside:

nat (DMZ) 2 192.168.1.0 255.255.255.0

global (outside) 2 interface

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC
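As an added example (not code from the thread or from Cisco), a small Python checker that applies the rule Harish and Varun state above: for each pair of interfaces, traffic from the higher security level needs a static or a nat/global pair toward the lower one, and traffic from the lower level needs a static on the higher side. It also flags a route whose next hop is one of the firewall's own interface addresses, which is how the posted default route reads (via 10.24.10.2, the OUTSIDE address). The sample config is constructed from the thread's addresses, and the function and key names are assumptions.

```python
import re
from itertools import combinations
# Constructed sample echoing the thread's config (not the poster's full file).
SAMPLE_CONFIG = """
nameif OUTSIDE
security-level 0
ip address 10.24.10.2 255.255.255.0
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0
nameif INSIDE
security-level 100
ip address 172.18.10.1 255.255.255.0
static (DMZ,OUTSIDE) 10.24.10.3 192.168.1.2 netmask 255.255.255.255
nat (INSIDE) 1 172.18.10.0 255.255.255.0
global (DMZ) 1 interface
route OUTSIDE 0.0.0.0 0.0.0.0 10.24.10.2 1
"""

def parse_config(text):
    """Interface levels/addresses, static/nat/global pairs and routes from show run."""
    cfg, cur = {"ifaces": {}, "static": set(), "nat": {}, "global": {}, "routes": []}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nameif (\S+)", line):  # show run lists nameif first
            cur = cfg["ifaces"].setdefault(m.group(1).upper(), {})
        elif m := re.match(r"(security-level|ip address) (\S+)", line):
            cur["level" if m.group(1)[0] == "s" else "ip"] = m.group(2)
        elif m := re.match(r"static \((\S+),(\S+)\)", line, re.I):
            cfg["static"].add((m.group(1).upper(), m.group(2).upper()))
        elif m := re.match(r"(nat|global) \((\S+)\) (\d+)", line, re.I):
            cfg[m.group(1).lower()].setdefault(m.group(3), set()).add(m.group(2).upper())
        elif m := re.match(r"route (\S+) \S+ \S+ (\S+)", line):
            cfg["routes"].append((m.group(1), m.group(2)))
    return cfg

def missing_translations(cfg):
    """Thread's rule: hi->lo needs a static or nat/global, lo->hi a static (hi,lo); presence only."""
    ifs, problems = cfg["ifaces"], []
    for a, b in combinations(ifs, 2):
        hi, lo = (a, b) if int(ifs[a]["level"]) > int(ifs[b]["level"]) else (b, a)
        static = (hi, lo) in cfg["static"]
        dynamic = any(hi in cfg["nat"][i] and lo in cfg["global"].get(i, ()) for i in cfg["nat"])
        if not (static or dynamic): problems.append(f"{hi}->{lo}: no static or nat/global")
        if not static: problems.append(f"{lo}->{hi}: no static ({hi},{lo})")
    return problems

def self_referencing_routes(cfg):
    """Routes whose next hop is one of the firewall's own interface addresses."""
    own = {i["ip"] for i in cfg["ifaces"].values()}
    return [f"{ifc}: next hop {nh} is the firewall itself" for ifc, nh in cfg["routes"] if nh in own]
```

The check only tests that some translation exists for a pair; a host static such as the DMZ one covers a single server, not the whole subnet.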


Varun, thanks for your reply. I made the changes as you suggested, but the echo request timed out. I can try putting the 172.18.10.10 machine on another network to see if that might help. I cannot ping from the CentOS server (192.168.1.2) to the outside, even though there is a static NAT associated.
