10-12-2024 06:30 AM
Hello everyone, I have a problem with my project: the firewall in HQ prevents GRID network computers from accessing servers located in the DMZ. I tried writing many access lists, but to no avail. Note that there is an IPsec connection between the two firewalls, and the connection is encrypted, which I verified through ping. All computers reach the Google server connected to the ISP router. The inside computers reach the DMZ servers.
HQ-FWL:
ASA Version 9.6(1)
!
hostname HQ
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface GigabitEthernet1/1
nameif OUTSIDE
security-level 0
ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif INSIDE
security-level 100
ip address 172.16.1.254 255.255.255.0
!
interface GigabitEthernet1/3
nameif DMZ
security-level 50
ip address 10.10.10.2 255.255.255.252
!
object network HOME
subnet 172.16.2.128 255.255.255.128
nat (INSIDE,OUTSIDE) dynamic interface
object network NET1
subnet 172.16.3.64 255.255.255.192
nat (DMZ,OUTSIDE) dynamic interface
object network PARKING
subnet 172.16.3.192 255.255.255.224
nat (INSIDE,OUTSIDE) dynamic interface
object network TRAFFIC
subnet 172.16.4.0 255.255.255.224
nat (INSIDE,OUTSIDE) dynamic interface
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.0.254 1
!
access-list RES extended permit icmp any any
access-list RES extended permit tcp 172.16.3.192 255.255.255.224 host 172.16.3.2 eq 443
access-list RES extended permit tcp 172.16.3.192 255.255.255.224 host 172.16.3.2 eq www
access-list RES extended permit tcp 172.16.4.0 255.255.255.224 host 172.16.3.2 eq 443
access-list RES extended permit tcp 172.16.4.0 255.255.255.224 host 172.16.3.2 eq www
access-list RES extended permit tcp 172.16.2.128 255.255.255.128 host 172.16.3.2 eq www
access-list RES extended permit tcp 172.16.2.128 255.255.255.128 host 172.16.3.2 eq 443
access-list RES extended permit tcp 172.16.2.64 255.255.255.192 host 172.16.3.2 eq 443
access-list RES extended permit tcp 172.16.2.64 255.255.255.192 host 172.16.3.2 eq www
access-list VPN-ACL extended permit ip 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128
access-list DMZ-ACCESS extended permit icmp any any
!
access-group RES in interface OUTSIDE
access-group DMZ-ACCESS in interface DMZ
aaa authentication ssh console LOCAL
!
username Admin1 password lHxxhaQjg.0S8gXG encrypted
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323
inspect http
inspect icmp
inspect tftp
!
service-policy global_policy global
!
ssh 172.16.3.64 255.255.255.192 DMZ
ssh timeout 3
!
crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
!
crypto map CMAP 10 match address VPN-ACL
crypto map CMAP 10 set peer 172.16.3.130
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
encr 3des
authentication pre-share
group 2
!
tunnel-group 172.16.3.130 type ipsec-l2l
tunnel-group 172.16.3.130 ipsec-attributes
ikev1 pre-shared-key cisco
!
router ospf 10
router-id 1.1.1.6
log-adjacency-changes
network 172.16.0.0 255.255.255.0 area 0
network 10.10.10.0 255.255.255.252 area 0
network 172.16.1.0 255.255.255.0 area 0
BRANCH-FWL:
ASA Version 9.6(1)
!
hostname BRANCH
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface GigabitEthernet1/1
nameif OUTSIDE
security-level 0
ip address 172.16.3.130 255.255.255.252
!
interface GigabitEthernet1/2
nameif INSIDE
security-level 100
ip address 10.10.10.6 255.255.255.252
!
object network NET2
subnet 172.16.2.0 255.255.255.128
nat (INSIDE,OUTSIDE) dynamic interface
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.3.129 1
!
access-list RES1 extended permit icmp any any
access-list RES1 extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.2 eq 443
access-list RES1 extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.2 eq www
access-list VPN-ACL extended permit ip 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192
!
access-group RES1 in interface OUTSIDE
aaa authentication ssh console LOCAL
!
username Admin1 password lHxxhaQjg.0S8gXG encrypted
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323
inspect http
inspect icmp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh 172.16.2.0 255.255.255.128 INSIDE
ssh timeout 3
!
crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
!
crypto map CMAP 10 match address VPN-ACL
crypto map CMAP 10 set peer 172.16.0.1
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
encr 3des
authentication pre-share
group 2
!
tunnel-group 172.16.0.1 type ipsec-l2l
tunnel-group 172.16.0.1 ipsec-attributes
ikev1 pre-shared-key cisco
!
router ospf 10
router-id 1.1.1.7
log-adjacency-changes
network 172.16.3.128 255.255.255.252 area 0
network 10.10.10.4 255.255.255.252 area 0
!
I tried the following lines but none of them worked. On the contrary, they stopped the DMZ network computers from accessing the Google server:
BRANCH-FWL:
access-list VPN-ACL extended permit tcp 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192 eq domain
access-list VPN-ACL extended permit udp 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192 eq domain
access-list RES1 extended permit tcp any any eq domain
access-list RES1 extended permit udp any any eq domain
access-list RES1 extended permit tcp any any eq 8080
access-list RES1 extended permit tcp any any eq smtp
access-list RES1 extended permit tcp any any eq pop3
HQ-FWL:
access-list VPN-ACL extended permit tcp 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128 eq domain
access-list VPN-ACL extended permit udp 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128 eq domain
access-list VPN-ACL extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.67 eq domain
access-list VPN-ACL extended permit udp 172.16.2.0 255.255.255.128 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit udp 172.16.2.0 255.255.255.128 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.67 eq domain
access-list RES extended permit tcp any host 172.16.3.67 eq domain
access-list RES extended permit udp any host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp 172.16.3.192 255.255.255.224 host 172.16.3.67 eq domain
no access-list DMZ-ACCESS extended permit udp 172.16.3.192 255.255.255.224 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit udp 172.16.4.0 255.255.255.224 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp 172.16.4.0 255.255.255.224 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp 172.16.2.128 255.255.255.128 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit udp 172.16.2.128 255.255.255.128 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp 172.16.3.128 255.255.255.252 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit udp 172.16.3.128 255.255.255.252 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp any any eq domain
access-list DMZ-ACCESS extended permit udp any any eq domain
access-list DMZ-ACCESS extended permit tcp any any eq www
access-list DMZ-ACCESS extended permit tcp any any eq 443
access-list DMZ-ACCESS extended permit tcp any any eq 8080
access-list DMZ-ACCESS extended permit tcp any any eq smtp
access-list DMZ-ACCESS extended permit tcp any any eq pop3
10-12-2024 07:04 AM
Sorry, I don't have PT installed on my PC, but I will give you one tip:
The ACL of an IPsec VPN doesn't work with L4 ports.
You need to use a pure L3 ACL for the IPsec VPN.
MHM
10-13-2024 11:47 PM
After a lot of experimentation, the following worked for me:
I deleted all the ACL lines and kept the following lines:
BRANCH-FWL:
access-list VPN-ACL extended permit ip 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192
HQ-FWL:
access-list VPN-ACL extended permit ip 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128
access-list RES extended permit icmp 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.68 eq smtp
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.69 eq www
access-list RES extended permit tcp host 172.16.3.4 host 172.16.3.69 eq www
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.68 eq pop3
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.69 eq 31000
!
!
access-group RES in interface OUTSIDE
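As an added illustration of MHM's tip and of the mirror-image VPN-ACLs in the accepted answer (example code written for this thread, not from Cisco or any of the posters), here is a small Python lint for ASA configs. It parses `access-list ... extended` lines, finds the ACLs bound to a crypto map with `match address`, flags any entry in those ACLs that is not a plain `permit ip` (protocol or port operators belong on the interface ACL such as RES, not on the crypto ACL), and checks that every crypto-ACL entry has its source/destination mirror on the peer. The two sample configs are constructed for the example, modelled on the thread's HQ and BRANCH firewalls but not the poster's actual files.

```python
import re
import ipaddress

# Constructed sample configs (not the poster's real ones). The "eq domain" line in
# HQ's VPN-ACL is the kind of L4 entry MHM's tip warns about; the 172.16.1.0/24
# entry has no mirror on the branch side.
HQ_CONFIG = """\
access-list VPN-ACL extended permit ip 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128
access-list VPN-ACL extended permit tcp 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128 eq domain
access-list VPN-ACL extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.128
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.69 eq www
crypto map CMAP 10 match address VPN-ACL
crypto map CMAP interface OUTSIDE
"""

BRANCH_CONFIG = """\
access-list VPN-ACL extended permit ip 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192
access-list RES1 extended permit icmp any any
crypto map CMAP 10 match address VPN-ACL
crypto map CMAP interface OUTSIDE
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
CRYPTO_MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)")
_PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> operand count


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def _take_port(tokens):
    """Consume an optional port operator (eq/gt/lt/neq X, or range X Y); None if absent."""
    if tokens and tokens[0] in _PORT_OPS:
        n = _PORT_OPS[tokens[0]] + 1
        spec = " ".join(tokens[:n])
        del tokens[:n]
        return spec
    return None


def parse_ace(line):
    """Parse one extended ACE into its fields; returns None for non-ACE lines."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    name, action, proto, rest = m.groups()
    tokens = rest.split()
    src = _take_addr(tokens)
    sport = _take_port(tokens)   # source-port operator, if any
    dst = _take_addr(tokens)
    dport = _take_port(tokens)   # destination-port operator, if any
    return {"acl": name, "action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport, "line": line.strip()}


def aces(config):
    return [a for a in map(parse_ace, config.splitlines()) if a]


def crypto_acl_names(config):
    """Names of ACLs bound to a crypto map entry via 'match address'."""
    names = set()
    for line in config.splitlines():
        m = CRYPTO_MATCH_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def l4_entries_in_crypto_acls(config):
    """MHM's tip as a check: crypto-map ACLs should be pure L3 ('permit ip A B').
    Returns the ACE lines that carry a non-ip protocol or a port operator."""
    names = crypto_acl_names(config)
    return [a["line"] for a in aces(config)
            if a["acl"] in names and (a["proto"] != "ip" or a["sport"] or a["dport"])]


def unmirrored_crypto_entries(local, remote):
    """Each permit entry in the local crypto ACL needs its mirror image (src/dst
    swapped) in the peer's crypto ACL; returns the local lines lacking one."""
    remote_names = crypto_acl_names(remote)
    remote_pairs = {(a["src"], a["dst"]) for a in aces(remote)
                    if a["acl"] in remote_names and a["action"] == "permit"}
    local_names = crypto_acl_names(local)
    return [a["line"] for a in aces(local)
            if a["acl"] in local_names and a["action"] == "permit"
            and (a["dst"], a["src"]) not in remote_pairs]


if __name__ == "__main__":
    for label, cfg, peer in (("HQ", HQ_CONFIG, BRANCH_CONFIG), ("BRANCH", BRANCH_CONFIG, HQ_CONFIG)):
        for line in l4_entries_in_crypto_acls(cfg):
            print(f"{label}: L4 entry in crypto ACL, use 'permit ip' instead: {line}")
        for line in unmirrored_crypto_entries(cfg, peer):
            print(f"{label}: no mirror entry on peer: {line}")
```

Run against the sample, the lint reports HQ's `permit tcp ... eq domain` entry as an L4 entry in the crypto ACL and HQ's 172.16.1.0/24 entry as having no mirror on the branch; the branch config passes both checks. Paste the real `show running-config` output of each ASA into the two strings to check a live pair.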