Solved: Communication between the DMZ and secure network

FRANCISCO IBARRA · ‎12-29-2011

I have a setup where I have a secure internal network (192.168.1.0/24), a DMZ (192.168.5.0/24) and a public Internet connection. I have the internal network connection to the DMZ and the Internet safe, also I have my internet connection from dmz. But I have no connection to the mysql service from the DMZ to my internal network secure.

This is a piece of code that I think affects this behavior, I am doing wrong?

access-list DMZ_IN extended permit ip any any

access-list DMZ_IN extended permit tcp host 192.168.1.2 host 192.168.5.1 object-group MySql.

access-group DMZ_IN in interface DMZ

nat-control

global (outside) 101 interface

global (DMZ) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 192.168.1.0 255.255.255.0

nat (inside) 101 0.0.0.0 0.0.0.0

static (DMZ,outside) x.x.x.x 192.168.5.1 netmask 255.255.255.255

static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255

Julio Carvajal · ‎12-29-2011

Hello Francisco,

You said you have internet connection from DMZ

Should be something like nat (dmz) 101 0 0 Right?

Can you add global (inside) 101 interface

If this does not work, can you provide the ip address of the inside SQL server ( I guess is 192.168.1.2)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎12-29-2011

Hello Francisco,

You said you have internet connection from DMZ

Should be something like nat (dmz) 101 0 0 Right?

Can you add global (inside) 101 interface

If this does not work, can you provide the ip address of the inside SQL server ( I guess is 192.168.1.2)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

FRANCISCO IBARRA · ‎12-29-2011

So is the server address is 192.168.1.2

Julio Carvajal · ‎12-29-2011

Hello Francisco,

That is what I am asking you. is that the IP address of the server?

Can you apply the

Global (inside) 101 interface

Also please provide the output of

packet-tracer input dmz tcp xx.x.x.x.x (ipaddressDMZ host) 1025 xx.x.x.x.x ( Ip address inside host) 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

FRANCISCO IBARRA · ‎12-30-2011

This is the address of the server:

192.168.1.2

this statement applies is the output of tracer packet:

asa (config) # packet-tracer input dmz tcp 192.168.1.2 1025 192.168.5.1 3306

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

config:

Additional Information:

Found no matching flow, Creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

config:

Additional Information:

in inside 192.168.1.0 255.255.255.0

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

config:

access-group DMZ in interface DMZ_IN

DMZ_IN extended access-list permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

config:

Additional Information:

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

config:

static (DMZ, outside) Webserver_Public SerWeb netmask 255.255.255.255

nat-control

match ip outside SerWeb Any DMZ host

static translation to Webserver_Public

translate_hits = 473, untranslate_hits = 1587

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

config:

static (inside, DMZ) 192.168.1.2 192.168.5.252 netmask 255.255.255.255

nat-control

match ip inside host 192.168.1.2 DMZ and Stock

static translation to 192.168.5.252

translate_hits = 0, untranslate_hits = 6

Additional Information:

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

This applied both for port 80 to port 3306

Julio Carvajal · ‎12-30-2011

Hello Francisco,

We are not on the same page!

I need you to provide all the information I request in order to help...

So the issue is you cannot access a inside server (192.168.1.2) from a dmz network (192.168.5.0/24)

The packet-tracer you did its wrong.....

It should be

asa (config) # packet-tracer input dmz tcp 192.168.5.15 1025 192.168.5.252 3306

On the packet tracer we are going to see all the rules that the ASA will use to inspect a packet from a dmz host 192.168.5.15 to the 192.168.5.252 witch is the inside server natted to the DMZ..

Did you already apply the global (inside) 101 interface

Please provide sh run nat , sh run global, sh run static and the packet-tracer output!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

FRANCISCO IBARRA · ‎12-30-2011

asa# packet-tracer input dmz tcp 192.168.5.15 1025 192.168.5.252 3306

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255

nat-control

match ip inside host 192.168.1.2 DMZ any

static translation to 192.168.5.252

translate_hits = 0, untranslate_hits = 7

Additional Information:

NAT divert to egress interface inside

Untranslate 192.168.5.252/0 to 192.168.1.2/0 using netmask 255.255.255.255

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group DMZ_IN in interface DMZ

access-list DMZ_IN extended permit ip any any

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (DMZ) 0 0.0.0.0 0.0.0.0

nat-control

match ip DMZ any outside any

no translation group, implicit deny

policy_hits = 1080

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255

nat-control

match ip inside host 192.168.1.2 DMZ any

static translation to 192.168.5.252

translate_hits = 0, untranslate_hits = 7

Additional Information:

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255

nat-control

match ip inside host 192.168.1.2 DMZ any

static translation to 192.168.5.252

translate_hits = 0, untranslate_hits = 7

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 153554, packet dispatched to next module

Phase: 11

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 192.168.1.2 using egress ifc inside

adjacency Active

next-hop mac address 0021.5e67.c506 hits 10

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

asa# sh run nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 192.168.1.0 255.255.255.0

nat (inside) 101 0.0.0.0 0.0.0.0

asa# sh run global

global (outside) 101 interface

global (inside) 101 interface

global (DMZ) 101 interface

asa# sh run static

static (DMZ,outside) Webserver_Public SerWeb netmask 255.255.255.255

static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255

Julio Carvajal · ‎12-30-2011

Hello Francisco,

So now seems to be hitting the right rules, can you test it but first create the following captures and then try the connection

access-list capin permit tcp host 192.168.1.2 host xxx.xxx.xx.xx (inside interface ip address)

access-list capin permit tcp host xxx.xxx.xx.xx (inside interface ip address) host 192.168.1.2

access-list capdmz permit tcp host 192.168.5.252 host 192.168.5.15

access-list capdmz permit tcp host 192.168.5.15 host 192.168.5.252

capture capin access-list capin interface inside

capture capdmz access-list capdmz interface dmz

Can you provide the show cap capin and show cap capdmz

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

FRANCISCO IBARRA · ‎12-30-2011

hello

I have concerns with your response:

1. "Inside interface ip address" refers to the IP address that has the ASA on the internal network.

2. These ACLs are applicable or not.

thanks

Julio Carvajal · ‎12-30-2011

Hello Francisco

1- Yes the ip address of the inside interface of the asa

2- they are not going to restrict any traffic, do not worry is just for a packet capture.

Can you add the command nat (dmz) 101 0 0

Then generate the traffic and Please provide the show cap capin and show cap capdmz.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

FRANCISCO IBARRA · ‎12-30-2011

These are the results, trying to make a mysql query

Result of the command: "show cap Capin"

0 Packet Capture

0 packet Shown

Result of the command: "show cap capdmz"

0 Packet Capture

0 packet Shown

This is the configuration that I introduced

access-list permit tcp host 192.168.1.2 Capin host 192.168.1.254

access-list permit tcp host 192.168.1.254 Capin host 192.168.1.2

access-list permit tcp host 192.168.5.252 capdmz host 192.168.5.15

access-list permit tcp host 192.168.5.15 capdmz host 192.168.5.252

nat (DMZ) 101 0.0.0.0 0.0.0.0

capture Capin Capin interface access-list inside

capdmz capture interface access-list dmz capdmz

Julio Carvajal · ‎12-30-2011

Hello Francisco

Check your last message, did you mean to say the following:

access-list capin permit tcp host 192.168.1.2 host 192.168.1.254

access-list capin permit tcp host 192.168.1.254 host 192.168.1.2

access-list capdmz permit tcp host 192.168.5.252 host 192.168.5.15

access-list capdmz permit tcp host 192.168.5.15 host 192.168.5.252

capture Capin access-list capin interface inside

capture capdmz access-list capdmz interface dmz

You should have it like that...

If you do not get the packets to the DMZ interface then there is a problem into your DMZ host, as the packets are not reaching the DMZ interface.

DMZ host should go to 192.168.5.252, and the ASA should see the packets.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

FRANCISCO IBARRA · ‎12-30-2011

You are right, and check and if you can make a connection. thanks

I have only one last question that will be open ports with this configuration.

Julio Carvajal · ‎12-30-2011

Hello Francisco,

Yeah, that seems to be the problem.

What if the final question ( Si prefieres hacerla en espa;ol no hay problema)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

FRANCISCO IBARRA · ‎12-30-2011

hola:

Mi ultima pregunta es sobre que puertos estan habilitados con esta configuracion, porque ya hice una prueba con los puertos de SQLServer y MySQL y estan abiertos.

Quisiera evitar que la gente que tenga acceso al DMZ pueda entrar a la red segura.

Saludos.

Francisco.