12-29-2011 05:03 PM - edited 03-11-2019 03:08 PM
I have a setup with a secure internal network (192.168.1.0/24), a DMZ (192.168.5.0/24) and a public Internet connection. The connection from the internal network to the DMZ and to the Internet works, and I also have Internet access from the DMZ. But I do not have a working connection from the DMZ to the MySQL service on my internal network.
This is the piece of configuration that I think affects this behavior. What am I doing wrong?
access-list DMZ_IN extended permit ip any any
access-list DMZ_IN extended permit tcp host 192.168.1.2 host 192.168.5.1 object-group MySql
access-group DMZ_IN in interface DMZ
nat-control
global (outside) 101 interface
global (DMZ) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 192.168.1.0 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
static (DMZ,outside) x.x.x.x 192.168.5.1 netmask 255.255.255.255
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
12-29-2011 05:12 PM
Hello Francisco,
You said you have internet connection from DMZ
Should be something like nat (dmz) 101 0 0 Right?
Can you add global (inside) 101 interface
If this does not work, can you provide the ip address of the inside SQL server ( I guess is 192.168.1.2)
Regards,
Julio
12-29-2011 05:18 PM
12-29-2011 05:32 PM
Hello Francisco,
That is what I am asking you. Is that the IP address of the server?
Can you apply the
Global (inside) 101 interface
Also please provide the output of
packet-tracer input dmz tcp xx.x.x.x.x (IP address of DMZ host) 1025 xx.x.x.x.x (IP address of inside host) 80
Regards,
Julio
12-30-2011 07:56 AM
This is the address of the server:
192.168.1.2
This is the command I applied and the packet-tracer output:
asa(config)# packet-tracer input dmz tcp 192.168.1.2 1025 192.168.5.1 3306
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
config:
Additional Information:
Found no matching flow, Creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
config:
Additional Information:
in inside 192.168.1.0 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
config:
access-group DMZ_IN in interface DMZ
access-list DMZ_IN extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
config:
Additional Information:
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
config:
static (DMZ,outside) Webserver_Public SerWeb netmask 255.255.255.255
nat-control
match ip DMZ host SerWeb outside any
static translation to Webserver_Public
translate_hits = 473, untranslate_hits = 1587
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
config:
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
nat-control
match ip inside host 192.168.1.2 DMZ any
static translation to 192.168.5.252
translate_hits = 0, untranslate_hits = 6
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
This applies to both port 80 and port 3306.
12-30-2011 10:42 AM
Hello Francisco,
We are not on the same page!
I need you to provide all the information I request in order to help...
So the issue is you cannot access an inside server (192.168.1.2) from the DMZ network (192.168.5.0/24)
The packet-tracer you did is wrong.....
It should be
asa (config) # packet-tracer input dmz tcp 192.168.5.15 1025 192.168.5.252 3306
On the packet tracer we are going to see all the rules that the ASA will use to inspect a packet from the DMZ host 192.168.5.15 to 192.168.5.252, which is the inside server natted to the DMZ..
Did you already apply the global (inside) 101 interface
Please provide sh run nat , sh run global, sh run static and the packet-tracer output!!
Regards,
Julio
12-30-2011 11:14 AM
asa# packet-tracer input dmz tcp 192.168.5.15 1025 192.168.5.252 3306
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
nat-control
match ip inside host 192.168.1.2 DMZ any
static translation to 192.168.5.252
translate_hits = 0, untranslate_hits = 7
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.5.252/0 to 192.168.1.2/0 using netmask 255.255.255.255
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_IN in interface DMZ
access-list DMZ_IN extended permit ip any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any outside any
no translation group, implicit deny
policy_hits = 1080
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
nat-control
match ip inside host 192.168.1.2 DMZ any
static translation to 192.168.5.252
translate_hits = 0, untranslate_hits = 7
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
nat-control
match ip inside host 192.168.1.2 DMZ any
static translation to 192.168.5.252
translate_hits = 0, untranslate_hits = 7
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 153554, packet dispatched to next module
Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.2 using egress ifc inside
adjacency Active
next-hop mac address 0021.5e67.c506 hits 10
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
asa# sh run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 192.168.1.0 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
asa# sh run global
global (outside) 101 interface
global (inside) 101 interface
global (DMZ) 101 interface
asa# sh run static
static (DMZ,outside) Webserver_Public SerWeb netmask 255.255.255.255
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
12-30-2011 11:35 AM
Hello Francisco,
So now it seems to be hitting the right rules. Can you test it, but first create the following captures and then try the connection:
access-list capin permit tcp host 192.168.1.2 host xxx.xxx.xx.xx (inside interface ip address)
access-list capin permit tcp host xxx.xxx.xx.xx (inside interface ip address) host 192.168.1.2
access-list capdmz permit tcp host 192.168.5.252 host 192.168.5.15
access-list capdmz permit tcp host 192.168.5.15 host 192.168.5.252
capture capin access-list capin interface inside
capture capdmz access-list capdmz interface dmz
Can you provide the show cap capin and show cap capdmz
Regards,
Julio
12-30-2011 12:57 PM
hello
I have concerns with your response:
1. Does "inside interface ip address" refer to the IP address that the ASA has on the internal network?
2. Are these ACLs applicable or not?
thanks
12-30-2011 02:34 PM
Hello Francisco
1- Yes the ip address of the inside interface of the asa
2- They are not going to restrict any traffic, do not worry, it is just for a packet capture.
Can you add the command nat (dmz) 101 0 0
Then generate the traffic and Please provide the show cap capin and show cap capdmz.
12-30-2011 03:12 PM
These are the results, trying to make a mysql query
Result of the command: "show cap Capin"
0 Packet Capture
0 packet Shown
Result of the command: "show cap capdmz"
0 Packet Capture
0 packet Shown
This is the configuration that I introduced
access-list permit tcp host 192.168.1.2 Capin host 192.168.1.254
access-list permit tcp host 192.168.1.254 Capin host 192.168.1.2
access-list permit tcp host 192.168.5.252 capdmz host 192.168.5.15
access-list permit tcp host 192.168.5.15 capdmz host 192.168.5.252
nat (DMZ) 101 0.0.0.0 0.0.0.0
capture Capin Capin interface access-list inside
capdmz capture interface access-list dmz capdmz
12-30-2011 03:26 PM
Hello Francisco
Check your last message, did you mean to say the following:
access-list capin permit tcp host 192.168.1.2 host 192.168.1.254
access-list capin permit tcp host 192.168.1.254 host 192.168.1.2
access-list capdmz permit tcp host 192.168.5.252 host 192.168.5.15
access-list capdmz permit tcp host 192.168.5.15 host 192.168.5.252
capture Capin access-list capin interface inside
capture capdmz access-list capdmz interface dmz
You should have it like that...
If you do not get the packets on the DMZ interface then there is a problem with your DMZ host, as the packets are not reaching the DMZ interface.
DMZ host should go to 192.168.5.252, and the ASA should see the packets.
Regards,
Julio
12-30-2011 04:46 PM
12-30-2011 05:46 PM
Hello Francisco,
Yeah, that seems to be the problem.
What is the final question? (If you prefer to ask it in Spanish, no problem.)
Regards,
Julio
12-30-2011 05:54 PM
Hello:
My last question is about which ports are enabled with this configuration, because I already did a test with the SQL Server and MySQL ports and they are open.
I would like to prevent people who have access to the DMZ from getting into the secure network.
Regards.
Francisco.
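Francisco's last question is the one that matters for security: DMZ_IN starts with "permit ip any any", so the static (inside,DMZ) translation exposes every port of 192.168.1.2 to every DMZ host, and the second DMZ_IN line has source and destination reversed for an ACL applied inbound on the DMZ interface (traffic entering DMZ has the DMZ host as its source). The following is an added example, not configuration from the thread, of a tightened DMZ_IN in the same pre-8.3 syntax; the object-group definition and the web server address 192.168.5.1 (from the static (DMZ,outside) line) are assumptions.

```cisco
! Weak, as posted in the thread: any DMZ host reaches any port of the inside
! server through the static (inside,DMZ) 192.168.5.252 -> 192.168.1.2 mapping.
access-list DMZ_IN extended permit ip any any

! Tightened version (example). On this ASA version the inbound ACL on DMZ sees
! the mapped address 192.168.5.252, as the packet-tracer output above shows.
! Assumed: the MySql object-group only carries tcp/3306.
object-group service MySql tcp
 port-object eq 3306
! Only the DMZ web server may open MySQL to the NAT address of the inside host.
access-list DMZ_IN_NEW extended permit tcp host 192.168.5.1 host 192.168.5.252 object-group MySql
! Everything else from the DMZ towards the inside host or inside network is
! denied and logged so that probing from a compromised DMZ host is visible.
access-list DMZ_IN_NEW extended deny ip any host 192.168.5.252 log
access-list DMZ_IN_NEW extended deny ip any 192.168.1.0 255.255.255.0 log
! DMZ-to-Internet traffic stays allowed, but only from DMZ source addresses.
access-list DMZ_IN_NEW extended permit ip 192.168.5.0 255.255.255.0 any
! Swap the new list in; the implicit deny at the end drops anything not listed.
access-group DMZ_IN_NEW in interface DMZ
```

Re-run "packet-tracer input dmz tcp 192.168.5.15 1025 192.168.5.252 1433" afterwards: the ACCESS-LIST phase should now end in DROP with "Flow is denied by configured rule", while the same test on port 3306 from 192.168.5.1 still ends in "Action: allow".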