257 Views · 1 Helpful · 2 Replies

Cisco Packet Tracer ASA 5506 Prevents Access to DMZ Servers

alaas3303 (Level 1)

Hello everyone, I have a problem with my project: the firewall in HQ prevents GRID network computers from accessing servers located in the DMZ. I tried writing many access lists, but to no avail. Note that there is an IPsec connection between the two firewalls, and there is an encrypted connection that I verified through ping. All computers reach the Google server connected to the ISP router. The inside computers reach the DMZ servers.

HQ-FWL:

ASA Version 9.6(1)
!
hostname HQ
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface GigabitEthernet1/1
 nameif OUTSIDE
 security-level 0
 ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif INSIDE
 security-level 100
 ip address 172.16.1.254 255.255.255.0
!
interface GigabitEthernet1/3
 nameif DMZ
 security-level 50
 ip address 10.10.10.2 255.255.255.252
!
object network HOME
 subnet 172.16.2.128 255.255.255.128
 nat (INSIDE,OUTSIDE) dynamic interface
object network NET1
 subnet 172.16.3.64 255.255.255.192
 nat (DMZ,OUTSIDE) dynamic interface
object network PARKING
 subnet 172.16.3.192 255.255.255.224
 nat (INSIDE,OUTSIDE) dynamic interface
object network TRAFFIC
 subnet 172.16.4.0 255.255.255.224
 nat (INSIDE,OUTSIDE) dynamic interface
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.0.254 1
!
access-list RES extended permit icmp any any
access-list RES extended permit tcp 172.16.3.192 255.255.255.224 host 172.16.3.2 eq 443
access-list RES extended permit tcp 172.16.3.192 255.255.255.224 host 172.16.3.2 eq www
access-list RES extended permit tcp 172.16.4.0 255.255.255.224 host 172.16.3.2 eq 443
access-list RES extended permit tcp 172.16.4.0 255.255.255.224 host 172.16.3.2 eq www
access-list RES extended permit tcp 172.16.2.128 255.255.255.128 host 172.16.3.2 eq www
access-list RES extended permit tcp 172.16.2.128 255.255.255.128 host 172.16.3.2 eq 443
access-list RES extended permit tcp 172.16.2.64 255.255.255.192 host 172.16.3.2 eq 443
access-list RES extended permit tcp 172.16.2.64 255.255.255.192 host 172.16.3.2 eq www
access-list VPN-ACL extended permit ip 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128
access-list DMZ-ACCESS extended permit icmp any any
!
access-group RES in interface OUTSIDE
access-group DMZ-ACCESS in interface DMZ
aaa authentication ssh console LOCAL
!
username Admin1 password lHxxhaQjg.0S8gXG encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323
  inspect http
  inspect icmp
  inspect tftp
!
service-policy global_policy global
!
ssh 172.16.3.64 255.255.255.192 DMZ
ssh timeout 3
!
crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
!
crypto map CMAP 10 match address VPN-ACL
crypto map CMAP 10 set peer 172.16.3.130
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 encr 3des
 authentication pre-share
 group 2
!
tunnel-group 172.16.3.130 type ipsec-l2l
tunnel-group 172.16.3.130 ipsec-attributes
 ikev1 pre-shared-key cisco
!
router ospf 10
 router-id 1.1.1.6
 log-adjacency-changes
 network 172.16.0.0 255.255.255.0 area 0
 network 10.10.10.0 255.255.255.252 area 0
 network 172.16.1.0 255.255.255.0 area 0


BRANCH-FWL:

ASA Version 9.6(1)
!
hostname BRANCH
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface GigabitEthernet1/1
 nameif OUTSIDE
 security-level 0
 ip address 172.16.3.130 255.255.255.252
!
interface GigabitEthernet1/2
 nameif INSIDE
 security-level 100
 ip address 10.10.10.6 255.255.255.252
!
object network NET2
 subnet 172.16.2.0 255.255.255.128
 nat (INSIDE,OUTSIDE) dynamic interface
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.3.129 1
!
access-list RES1 extended permit icmp any any
access-list RES1 extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.2 eq 443
access-list RES1 extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.2 eq www
access-list VPN-ACL extended permit ip 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192
!
access-group RES1 in interface OUTSIDE
aaa authentication ssh console LOCAL
!
username Admin1 password lHxxhaQjg.0S8gXG encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323
  inspect http
  inspect icmp
  inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh 172.16.2.0 255.255.255.128 INSIDE
ssh timeout 3
!
crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
!
crypto map CMAP 10 match address VPN-ACL
crypto map CMAP 10 set peer 172.16.0.1
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 encr 3des
 authentication pre-share
 group 2
!
tunnel-group 172.16.0.1 type ipsec-l2l
tunnel-group 172.16.0.1 ipsec-attributes
 ikev1 pre-shared-key cisco
!
router ospf 10
 router-id 1.1.1.7
 log-adjacency-changes
 network 172.16.3.128 255.255.255.252 area 0
 network 10.10.10.4 255.255.255.252 area 0
!

I tried the following lines but none of them worked. On the contrary, they stopped the DMZ network computers from accessing the Google server:

BRANCH-FWL:

access-list VPN-ACL extended permit tcp 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192 eq domain
access-list VPN-ACL extended permit udp 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192 eq domain

access-list RES1 extended permit tcp any any eq domain
access-list RES1 extended permit udp any any eq domain
access-list RES1 extended permit tcp any any eq 8080
access-list RES1 extended permit tcp any any eq smtp
access-list RES1 extended permit tcp any any eq pop3

HQ-FWL:

access-list VPN-ACL extended permit tcp 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128 eq domain
access-list VPN-ACL extended permit udp 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128 eq domain
access-list VPN-ACL extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.67 eq domain
access-list VPN-ACL extended permit udp 172.16.2.0 255.255.255.128 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit udp 172.16.2.0 255.255.255.128 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.67 eq domain
access-list RES extended permit tcp any host 172.16.3.67 eq domain
access-list RES extended permit udp any host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp 172.16.3.192 255.255.255.224 host 172.16.3.67 eq domain
no access-list DMZ-ACCESS extended permit udp 172.16.3.192 255.255.255.224 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit udp 172.16.4.0 255.255.255.224 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp 172.16.4.0 255.255.255.224 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp 172.16.2.128 255.255.255.128 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit udp 172.16.2.128 255.255.255.128 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit tcp 172.16.3.128 255.255.255.252 host 172.16.3.67 eq domain
access-list DMZ-ACCESS extended permit udp 172.16.3.128 255.255.255.252 host 172.16.3.67 eq domain

access-list DMZ-ACCESS extended permit tcp any any eq domain
access-list DMZ-ACCESS extended permit udp any any eq domain
access-list DMZ-ACCESS extended permit tcp any any eq www
access-list DMZ-ACCESS extended permit tcp any any eq 443
access-list DMZ-ACCESS extended permit tcp any any eq 8080
access-list DMZ-ACCESS extended permit tcp any any eq smtp
access-list DMZ-ACCESS extended permit tcp any any eq pop3

Accepted Solution

alaas3303 (Level 1)


After a lot of experimentation, the following worked for me:
I deleted all the ACL lines and kept the following lines:

BRANCH-FWL:

access-list VPN-ACL extended permit ip 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192

HQ-FWL:

access-list VPN-ACL extended permit ip 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128
access-list RES extended permit icmp 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.68 eq smtp
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.69 eq www
access-list RES extended permit tcp host 172.16.3.4 host 172.16.3.69 eq www
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.68 eq pop3
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.69 eq 31000
!
!
access-group RES in interface OUTSIDE


2 Replies

Sorry, I don't have PT installed on my PC, but I will give you one tip:

The ACL of an IPsec VPN doesn't work with L4 ports.

You need to use a pure L3 ACL for the IPsec VPN.

MHM
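To make the two points of this thread concrete (MHM's tip that the crypto ACL should be pure L3, and the accepted solution's split between a `permit ip` VPN-ACL and host/port entries in the OUTSIDE interface ACL), here is an added Python model of how an ASA evaluates these ACLs. It is example code written for this page, not Cisco's implementation and not the poster's configuration; the ACL lines are copied from the accepted solution and from one of the earlier attempts in the question, while the client address 172.16.2.10, the internet host 203.0.113.10 and the test flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ASA port keywords used on this page (constructed subset, not Cisco's full keyword table)
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "smtp": 25, "pop3": 110}


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" | "tcp" | "udp" | "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq", None for a pure L3 entry


def _addr(tokens, i):
    """Consume one ASA address spec: 'any' | 'host A.B.C.D' | 'NET MASK' (subnet mask, not wildcard)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into {name: [Ace, ...]}."""
    acls = {}
    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue            # blank lines, '!' and anything outside the supported syntax
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
        acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, dport))
    return acls


def evaluate(aces, proto, src, dst, dport=None):
    """First-match evaluation; no matching ACE means ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action == "permit"
    return False


def crypto_acl_problems(local, peer):
    """Site-to-site crypto ACL checks: every ACE pure L3 ('ip', no port), and each local
    ACE mirrored (src/dst swapped) on the peer."""
    problems = []
    for a in local + peer:
        if a.proto != "ip" or a.dport is not None:
            problems.append(f"L4 entry in crypto ACL: {a.proto} {a.src} -> {a.dst} eq {a.dport}")
    mirrors = {(a.dst, a.src) for a in peer if a.proto == "ip" and a.dport is None}
    for a in local:
        if a.proto == "ip" and a.dport is None and (a.src, a.dst) not in mirrors:
            problems.append(f"no mirror on peer for {a.src} -> {a.dst}")
    return problems


def trace_branch_flow(branch_crypto, hq_crypto, hq_outside_acl, proto, src, dst, dport=None):
    """Follow a branch-originated packet: selected by BRANCH's crypto ACL, matched against
    HQ's crypto ACE in reverse on decryption, then filtered by HQ's inbound OUTSIDE ACL."""
    if not evaluate(branch_crypto, proto, src, dst, dport):
        return "not interesting: sent in cleartext through NAT"
    if not evaluate(hq_crypto, proto, dst, src):      # HQ's ACE is written local -> remote
        return "encrypted at branch but no matching crypto ACE at HQ"
    if not evaluate(hq_outside_acl, proto, src, dst, dport):
        return "decrypted but dropped by interface ACL (implicit deny)"
    return "permitted"


# ACL lines from the accepted solution (HQ RES entries and both VPN-ACLs).
HQ_CONFIG = """
access-list VPN-ACL extended permit ip 172.16.3.64 255.255.255.192 172.16.2.0 255.255.255.128
access-list RES extended permit icmp 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.68 eq smtp
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.69 eq www
access-list RES extended permit tcp host 172.16.3.4 host 172.16.3.69 eq www
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.68 eq pop3
access-list RES extended permit tcp 172.16.2.0 255.255.255.128 host 172.16.3.69 eq 31000
"""
BRANCH_CONFIG = "access-list VPN-ACL extended permit ip 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192\n"
# One of the L4 crypto ACEs from the earlier attempt in the question, added on top of the working line.
BRANCH_L4_ATTEMPT = BRANCH_CONFIG + (
    "access-list VPN-ACL extended permit udp 172.16.2.0 255.255.255.128 172.16.3.64 255.255.255.192 eq domain\n")


def demo():
    """Constructed flows from a branch PC (172.16.2.10 is an assumed address)."""
    hq, br = parse_acls(HQ_CONFIG), parse_acls(BRANCH_CONFIG)
    args = (br["VPN-ACL"], hq["VPN-ACL"], hq["RES"])
    return {
        "web": trace_branch_flow(*args, "tcp", "172.16.2.10", "172.16.3.69", 80),
        "dns": trace_branch_flow(*args, "udp", "172.16.2.10", "172.16.3.67", 53),
        "internet": trace_branch_flow(*args, "tcp", "172.16.2.10", "203.0.113.10", 443),
        "l4_crypto_problems": crypto_acl_problems(parse_acls(BRANCH_L4_ATTEMPT)["VPN-ACL"], hq["VPN-ACL"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `dns` flow shows one reason the question's flows are dropped even though the tunnel is up: with only `permit ip` in the crypto ACLs the packet is encrypted and decrypted fine, but the inbound RES ACL has no entry for UDP/53 to 172.16.3.67, so it hits the implicit deny; moving the port into VPN-ACL instead is what `crypto_acl_problems` flags. One caveat for a physical ASA rather than Packet Tracer: `sysopt connection permit-vpn` is enabled by default there, so decrypted site-to-site traffic bypasses the interface ACL unless that option is turned off.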

