03-13-2013 02:49 AM - edited 03-11-2019 06:13 PM
Hello,
I am new to Cisco firewalls and am attempting to set up a DMZ on the firewall.
I have managed to create the interface, VLAN and IP address settings etc. But I'm a bit lost with the NAT settings and rules I need to create for it.
I need to be able to do the following:
- RDP access from inside network to the DMZ servers
- Internet access for the DMZ
I am also setting up Active Directory Federation and require HTTPS traffic from the following:
- DMZ HTTPS to outside (Office 365 Services)
- Outside HTTPS to DMZ (ADFS Servers on DMZ only)
- DMZ HTTPS to inside (ADFS Servers Only)
- Inside HTTPS to DMZ (ADFS Servers Only)
Running Config:
!
interface Vlan1
nameif inside
security-level 100
ip address ccl-sua-asa 255.255.255.0
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Vlan100
nameif outside
security-level 0
ip address 77.107.90.202 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 100
speed 100
duplex full
!
interface Ethernet0/1
description Connected to CCL-SUA-SW1 port 16
!
interface Ethernet0/2
switchport access vlan 3
!
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp host 87.86.204.100 host 77.107.90.203 eq smtp
access-list inbound remark Inbound ACT for Ruth Edmonds Only
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 5022 inactive
access-list inbound remark Inbound rules for OWA 30/06/09 MD
access-list inbound extended permit tcp any host 77.107.90.203 eq https log
access-list inbound remark Inbound access for LDAP and SMTP from mimecast 02/07/09 MD
access-list inbound extended permit tcp object-group mimecast interface outside eq ldap
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq smtp
access-list inbound remark change request MET 56030 inbound POP3 for mimecast
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq pop3
access-list inbound remark Inbound rule for helpdesk 10/07/2012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq https
access-list inbound remark Inbound rule for survey 011012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq www
access-list inbound extended deny ip any any
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list vpn-met-bir extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list outbound extended permit ip object-group servers 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 192.168.255.0 255.255.255.0
access-list outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outbound extended deny udp any 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 10.0.0.0 255.0.0.0
access-list outbound extended deny ip any 192.168.0.0 255.255.0.0
access-list outbound extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.40.0 255.255.255.0
nat (inside) 1 192.168.41.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (inside,outside) tcp interface 5022 192.168.41.1 ssh netmask 255.255.255.255
static (outside,outside) tcp interface ssh 192.168.41.1 ssh netmask 255.255.255.255
static (inside,outside) tcp interface www WEB www netmask 255.255.255.255
static (inside,outside) tcp interface ldap FILESERVER ldap netmask 255.255.255.255
static (inside,outside) 77.107.90.203 MAILSERVER netmask 255.255.255.255
static (inside,outside) 77.107.90.205 helpdesk netmask 255.255.255.255
static (dmz,outside) 77.107.90.206 172.16.0.7 netmask 255.255.255.255
access-group outbound in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 77.107.90.201 1
route inside 192.168.41.0 255.255.255.0 ccl-sua-sw1 1
Like I mentioned, I have already set up the DMZ itself, but it's just the NAT and rules I'm struggling to get working.
Many Thanks
James
03-13-2013 03:14 AM
Hi,
If you have only an ASA5505 Base License then you can initiate/open connections from the DMZ to INSIDE.
You can confirm the License level with the "show version" command. It should read at the end of the output.
In the Base License you only have a restricted DMZ/3rd interface on the ASA. You can connect to it from anywhere BUT you have to limit it from connecting towards one of the other 2 interfaces. You have already done this with the command
no forward interface Vlan1
Which to my understanding is required to get the 3rd interface active when you only have Base License on ASA5505.
OUTSIDE -> DMZ
INSIDE -> DMZ
Connection initiating should be possible.
So it seems to me that you already have one problem that will limit connectivity and not just the NAT.
You already seem to have the Default PAT configuration for DMZ Internet traffic.
You don't have the NAT for DMZ <-> INSIDE traffic, but as mentioned above it might already be limited by something else even though your configurations were fine.
The correct NAT configuration to enable that traffic would be to use
static (inside,dmz)
Repeat for all
EDIT: Naturally you would also need an ACL on the DMZ interface for DMZ -> INSIDE traffic since the INSIDE is of higher "security-level". But as soon as you add the ACL to the DMZ interface you would also have to use it to allow Internet bound traffic, since the "security-level" loses its meaning after an ACL is attached to the interface.
- Jouni
03-13-2013 04:22 AM
Hello,
The license is a Base License.
I have added a 'static' nat for:
Original ---
Interface: Inside
Source: inside-network/24
Translated ---
Interface: dmz
Use IP Address: inside-network/24
Is that all I need to do? What rules do I need to put in to perform the tasks I mentioned?
Thanks
James
03-13-2013 04:34 AM
Hi,
As I mentioned,
You won't be able to connect from DMZ to INSIDE with Base License.
So even if you made rules you could only
And considering one of your requirements was to
The traffic from DMZ to OUTSIDE should already work.
There is no point making ACLs for DMZ to INSIDE traffic as it won't work anyway on your current Base License.
- Jouni
03-13-2013 04:37 AM
Hello,
I have managed to get RDP working to the DMZ servers.
I cannot get the internet working on the DMZ servers?
Thanks
James
03-13-2013 04:42 AM
Hi,
The following configuration should already enable PAT translation from DMZ to OUTSIDE
global (outside) 1 interface
nat (dmz) 1 172.16.0.0 255.255.255.0
The DMZ Internet should work UNLESS it's somehow dependent on connections to INSIDE. For example if you are using DNS servers on the DMZ hosts that are located behind the INSIDE interface. This is because of the above mentioned limitation with your ASA license. DMZ can't initiate connections towards INSIDE.
The "packet-tracer" command should confirm if all the ASA configurations are correct to enable Internet traffic for the DMZ.
An example command to simulate a DMZ connection could be
packet-tracer input dmz tcp 172.16.0.100 12345 8.8.8.8 80
- Jouni
03-13-2013 04:51 AM
This is an error I have in the log:
Deny udp src dmz:vm-fedprx-01/60022 dst outside:85.159.128.20/53 by access-group "dmz_access_in" [0x0, 0x0] |
Deny udp src dmz:vm-fedprx-01/52428 dst outside:85.159.128.20/53 by access-group "dmz_access_in" [0x0, 0x0] |
Thanks
James
03-13-2013 04:54 AM
Hi,
Seems you have created an ACL for the "dmz" interface
You need to allow UDP/53 which is DNS service through the firewall.
access-list dmz_access_in permit udp
Or if you want to allow DNS queries to any DNS server
access-list dmz_access_in permit udp
- Jouni
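A worked ASA 8.2 configuration for the DMZ described in this thread, added here as an example rather than Jouni's or James's own commands. It assumes the inside networks 192.168.40.0/24 and 192.168.41.0/24 and the 172.16.0.7 ADFS proxy from the running config, the resolver 85.159.128.20 seen in the syslog denies, and the Base License rule Jouni explains (the DMZ may not initiate towards inside); the inside admin workstation 192.168.40.10 is a made-up address.

```cisco
! Added example (ASA 8.2 syntax). Identity NAT so inside hosts keep their real
! addresses towards the DMZ; this is the "static (inside,dmz)" Jouni refers to.
static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (inside,dmz) 192.168.41.0 192.168.41.0 netmask 255.255.255.0
!
! Once an ACL is bound to the DMZ interface the security-level no longer permits
! anything implicitly, so every allowed DMZ-initiated flow must be listed.
! Denies to inside ranges come first: on a Base License the DMZ cannot initiate
! towards inside anyway, and logging the attempts exposes misconfigured DMZ hosts.
access-list dmz_access_in remark Base License: DMZ must not initiate towards inside
access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.0.0 log
access-list dmz_access_in extended deny ip any 10.0.0.0 255.0.0.0 log
access-list dmz_access_in remark DNS only to the resolver seen in the syslog denies
access-list dmz_access_in extended permit udp 172.16.0.0 255.255.255.0 host 85.159.128.20 eq domain
access-list dmz_access_in remark ADFS proxy HTTPS out to Office 365 / Internet
access-list dmz_access_in extended permit tcp host 172.16.0.7 any eq https
access-list dmz_access_in extended permit icmp 172.16.0.0 255.255.255.0 any echo
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! Outside -> DMZ: the existing static maps 77.107.90.206 to 172.16.0.7, and in 8.2
! the outside ACL matches the public (translated) address.
access-list inbound line 1 extended permit tcp any host 77.107.90.206 eq https
!
! Inside -> DMZ: the existing "outbound" ACL ends in "permit ip any any", so RDP
! and HTTPS from inside already reach the DMZ. To limit them to the ADFS host and
! one admin workstation (192.168.40.10 is an assumed address), insert these ahead
! of the outbound ACL's existing entries.
access-list outbound line 1 extended permit tcp host 192.168.40.10 172.16.0.0 255.255.255.0 eq 3389
access-list outbound line 2 extended permit tcp 192.168.40.0 255.255.255.0 host 172.16.0.7 eq https
access-list outbound line 3 extended deny ip any 172.16.0.0 255.255.255.0 log
!
! Verification from the ASA CLI: each trace ends in "Action: allow" or
! "Action: drop", and the ACCESS-LIST phase names the ACE that matched.
packet-tracer input dmz udp 172.16.0.7 53000 85.159.128.20 53
packet-tracer input dmz tcp 172.16.0.7 40000 8.8.8.8 443
packet-tracer input inside tcp 192.168.40.10 40000 172.16.0.7 3389
packet-tracer input dmz tcp 172.16.0.7 40000 192.168.40.5 443
```

The last trace is expected to drop on the explicit deny, which is the quickest way to confirm that nothing in the DMZ can reach inside even if the license restriction were lifted later.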
03-13-2013 05:04 AM
Hi Jouni,
That has all worked!
Thank you :-)
06-07-2016 10:02 PM
Hi,
I have a similar problem. I also need to put a www server in the DMZ area that needs to connect to a local area database server. I do have two public internet IP addresses, both with targeted SSL certificates; we have a Cisco ASA 5505 firewall with Unlimited Security Plus (this is an outsourced service). My question is: is it possible to do that by using this one firewall, or do I need to have two firewalls? Can anyone give me a hint about a solution?
Thanks for helping me with this.
Janne