I have a setup with a secure internal network (192.168.1.0/24), a DMZ (192.168.5.0/24) and a public Internet connection. The connection from the internal network to the DMZ and to the Internet works fine, and I also have an Internet connection from the DMZ. But I have no connection from the DMZ to the MySQL service on my secure internal network.
This is the piece of configuration that I think affects this behavior. What am I doing wrong?
access-list DMZ_IN extended permit ip any any
access-list DMZ_IN extended permit tcp host 192.168.1.2 host 192.168.5.1 object-group MySql
access-group DMZ_IN in interface DMZ
nat-control
global (outside) 101 interface
global (DMZ) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 192.168.1.0 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
static (DMZ,outside) x.x.x.x 192.168.5.1 netmask 255.255.255.255
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
Hello Francisco,
You said you have an Internet connection from the DMZ.
It should be something like nat (dmz) 101 0 0, right?
Can you add global (inside) 101 interface?
If this does not work, can you provide the IP address of the inside SQL server (I guess it is 192.168.1.2)?
Regards,
Julio
Hello Francisco,
That is what I am asking you. Is that the IP address of the server?
Can you apply the
global (inside) 101 interface
Also please provide the output of
packet-tracer input dmz tcp xx.x.x.x.x (ipaddressDMZ host) 1025 xx.x.x.x.x ( Ip address inside host) 80
Regards,
Julio
This is the address of the server:
192.168.1.2
This is the output of packet-tracer:
asa(config)# packet-tracer input dmz tcp 192.168.1.2 1025 192.168.5.1 3306
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
config:
Additional Information:
Found no matching flow, Creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
config:
Additional Information:
in inside 192.168.1.0 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
config:
access-group DMZ_IN in interface DMZ
access-list DMZ_IN extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
config:
Additional Information:
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
config:
static (DMZ,outside) Webserver_Public SerWeb netmask 255.255.255.255
nat-control
match ip DMZ host SerWeb outside any
static translation to Webserver_Public
translate_hits = 473, untranslate_hits = 1587
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
config:
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
nat-control
match ip inside host 192.168.1.2 DMZ any
static translation to 192.168.5.252
translate_hits = 0, untranslate_hits = 6
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
This applies both for port 80 and for port 3306.
Hello Francisco,
We are not on the same page!
I need you to provide all the information I request in order to help...
So the issue is that you cannot access an inside server (192.168.1.2) from a DMZ network (192.168.5.0/24).
The packet-tracer you did is wrong.....
It should be
asa(config)# packet-tracer input dmz tcp 192.168.5.15 1025 192.168.5.252 3306
In the packet-tracer we are going to see all the rules that the ASA will use to inspect a packet from a DMZ host 192.168.5.15 to 192.168.5.252, which is the inside server natted to the DMZ..
Did you already apply the global (inside) 101 interface?
Please provide sh run nat, sh run global, sh run static and the packet-tracer output!!
Regards,
Julio
asa# packet-tracer input dmz tcp 192.168.5.15 1025 192.168.5.252 3306
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
nat-control
match ip inside host 192.168.1.2 DMZ any
static translation to 192.168.5.252
translate_hits = 0, untranslate_hits = 7
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.5.252/0 to 192.168.1.2/0 using netmask 255.255.255.255
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_IN in interface DMZ
access-list DMZ_IN extended permit ip any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any outside any
no translation group, implicit deny
policy_hits = 1080
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
nat-control
match ip inside host 192.168.1.2 DMZ any
static translation to 192.168.5.252
translate_hits = 0, untranslate_hits = 7
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
nat-control
match ip inside host 192.168.1.2 DMZ any
static translation to 192.168.5.252
translate_hits = 0, untranslate_hits = 7
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 153554, packet dispatched to next module
Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.2 using egress ifc inside
adjacency Active
next-hop mac address 0021.5e67.c506 hits 10
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
asa# sh run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 192.168.1.0 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
asa# sh run global
global (outside) 101 interface
global (inside) 101 interface
global (DMZ) 101 interface
asa# sh run static
static (DMZ,outside) Webserver_Public SerWeb netmask 255.255.255.255
static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255
Hello Francisco,
So now it seems to be hitting the right rules. Can you test it, but first create the following captures and then try the connection:
access-list capin permit tcp host 192.168.1.2 host xxx.xxx.xx.xx (inside interface ip address)
access-list capin permit tcp host xxx.xxx.xx.xx (inside interface ip address) host 192.168.1.2
access-list capdmz permit tcp host 192.168.5.252 host 192.168.5.15
access-list capdmz permit tcp host 192.168.5.15 host 192.168.5.252
capture capin access-list capin interface inside
capture capdmz access-list capdmz interface dmz
Can you provide the show cap capin and show cap capdmz output?
Regards,
Julio
Hello,
I have two questions about your response:
1. Does "inside interface ip address" refer to the IP address that the ASA has on the internal network?
2. Do these ACLs apply (restrict traffic) or not?
Thanks
Hello Francisco
1- Yes, the IP address of the inside interface of the ASA.
2- They are not going to restrict any traffic, do not worry, it is just for a packet capture.
Can you add the command nat (dmz) 101 0 0?
Then generate the traffic and please provide the show cap capin and show cap capdmz output.
These are the results when trying to make a MySQL query.
Result of the command: "show cap Capin"
0 packet captured
0 packet shown
Result of the command: "show cap capdmz"
0 packet captured
0 packet shown
This is the configuration that I entered:
access-list permit tcp host 192.168.1.2 Capin host 192.168.1.254
access-list permit tcp host 192.168.1.254 Capin host 192.168.1.2
access-list permit tcp host 192.168.5.252 capdmz host 192.168.5.15
access-list permit tcp host 192.168.5.15 capdmz host 192.168.5.252
nat (DMZ) 101 0.0.0.0 0.0.0.0
capture Capin Capin interface access-list inside
capdmz capture interface access-list dmz capdmz
Hello Francisco
Check your last message; did you mean to say the following:
access-list capin permit tcp host 192.168.1.2 host 192.168.1.254
access-list capin permit tcp host 192.168.1.254 host 192.168.1.2
access-list capdmz permit tcp host 192.168.5.252 host 192.168.5.15
access-list capdmz permit tcp host 192.168.5.15 host 192.168.5.252
capture Capin access-list capin interface inside
capture capdmz access-list capdmz interface dmz
You should have it like that...
If you do not get the packets on the DMZ interface, then there is a problem with your DMZ host, as the packets are not reaching the DMZ interface.
The DMZ host should go to 192.168.5.252, and the ASA should see the packets.
Regards,
Julio
Hello Francisco,
Yeah, that seems to be the problem.
What is the final question? (If you prefer to ask it in Spanish, no problem.)
Regards,
Julio
Hello:
My last question is about which ports are enabled with this configuration, because I already ran a test with the SQL Server and MySQL ports and they are open.
I would like to prevent people who have access to the DMZ from getting into the secure network.
Regards.
Francisco.
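Francisco's last question, which ports the DMZ_IN list actually lets through, comes down to first-match ordering: the posted list opens with "permit ip any any", so the MySql line below it never matches and every port to the inside server is open from the DMZ. The evaluator below is an added example, not code from the thread or from Cisco; it assumes the object-group MySql contains only TCP 3306 and that DMZ hosts address the inside server by its translated address 192.168.5.252 (the address used in Julio's packet-tracer), and walks both the posted list and a tightened one through the same first-match logic with an implicit deny at the end.

```python
import ipaddress

OBJECT_GROUPS = {"MySql": {3306}}  # constructed: assumed contents of the page's object-group

def _addr(tok):
    """Consume 'any' | 'host A' | 'A MASK' from the front of the token list."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}")

def parse_ace(line):
    """access-list NAME extended ACTION PROTO SRC DST [eq PORT | object-group GRP]"""
    tok = line.split()
    action, proto, rest = tok[3], tok[4], tok[5:]
    src, dst = _addr(rest), _addr(rest)
    ports = None  # None = no port qualifier (any port)
    if rest[:1] == ["eq"]:
        ports = {int(rest[1])}
    elif rest[:1] == ["object-group"]:
        ports = OBJECT_GROUPS[rest[1]]
    return action, proto, src, dst, ports

def evaluate(acl, src, dst, dport, proto="tcp"):
    """ASA ACLs are first-match with an implicit deny at the end; returns (action, line)."""
    for line in acl:
        action, aproto, asrc, adst, ports = parse_ace(line)
        if aproto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in asrc or ipaddress.ip_address(dst) not in adst:
            continue
        if ports is not None and dport not in ports:
            continue
        return action, line
    return "deny", "implicit deny"

# The ACL as posted in the question: line 1 matches everything, so line 2 never fires.
POSTED_DMZ_IN = [
    "access-list DMZ_IN extended permit ip any any",
    "access-list DMZ_IN extended permit tcp host 192.168.1.2 host 192.168.5.1 object-group MySql",
]
# Reordered so that only MySQL to the translated inside server and outbound Internet traffic pass.
TIGHTENED_DMZ_IN = [
    "access-list DMZ_IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.5.252 object-group MySql",
    "access-list DMZ_IN extended deny ip any host 192.168.5.252",
    "access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0",
    "access-list DMZ_IN extended permit ip 192.168.5.0 255.255.255.0 any",
]
```

Running evaluate() for a DMZ host against 192.168.5.252 on any port other than 3306 returns "permit" from the first line of POSTED_DMZ_IN and "deny" from the second line of TIGHTENED_DMZ_IN, which is the behaviour the final question is asking for.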