Configure ASA 5505 (Base Licence) - Permit from Inside to DMZ hosts

Daren Matthews
Level 1

Please can someone assist me with this quite basic configuration? (forgive the simple question but I am not too familiar with ASAs)

I need to configure an ASA 5505 to allow access from the inside interface to hosts on the DMZ interface (for SSH)

My partial configuration is as follows:

access-list inside_in extended permit tcp host 10.10.1.100 object-group INSIDE-LAN eq ssh

access-list inside_in extended permit tcp object-group INSIDE-LAN host 10.10.1.100 eq ssh

access-group inside_in interface inside

I am not sure whether I need an ACL on the DMZ interface.

I am running ASA version 8.0(3)6

Any help is gratefully received!

12 Replies

It's not only the access-list that has to be configured, but also a NAT rule.

The ACL: You only need to specify the initial traffic. As a stateful firewall, the ASA will take care of the return-packets.

If 10.10.1.100 is your DMZ-host, then you don't need your first ACL-line.

NAT: You should exempt the traffic from NAT. That can be done in different ways and depends on your actual config.

Please post the output of "show run nat", "show run global" and "show run static".

A NAT-config that will work in many scenarios (but without knowing the rest of your config, this is probably not the optimum) is the following:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

In this example 10.1.1.0/24 is your internal network, inside and dmz are the names of the interfaces.

You find more on NAT in the config-guide:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043190

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thank you very much Karsten - I have asked my counterpart in the country where the firewall is to provide this command output.  I have also asked him to configure the NAT statement. What you have said makes sense and I have relayed the information.  I am also trying to gain access to it myself.  Many thanks for your help.

Hi Karsten,

I now have access to the ASA so can respond more easily.  Meanwhile, here is the result of the show commands that you requested:

ASA# show run nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list outside_nat0_outbound outside

ASA# show run global

global (inside) 1 82.64.92.12-196.38.92.13 netmask 255.255.255.0

global (outside) 1 interface

ASA# show run static

static (inside,outside) 84.12.54.131 ISI_SRV netmask 255.255.255.255

static (inside,outside) 84.12.54.132 DWA_SRV netmask 255.255.255.255

Thank you very much for the help.  I'll try to repay the community in the future!

Hi Karsten,

See my last post and the fact that I have access to the ASA.  I'll try your NAT rule first I think.

To bypass the NAT you could enter the no nat-control command from global configuration mode.

If you require further assistance please post your full sanitized configuration.

--

Please rate all helpful posts.

--
Please remember to select a correct answer and rate helpful posts

To bypass the NAT you could enter the no nat-control command from global configuration mode.

That won't help, as it is very likely that there is a nat-statement for internet access on the internal interface.


Just add:

enable

config t

global (dmz) 1 interface

Value our effort and rate the assistance!

You cannot bypass NAT if you already have nat (inside) 1 0 0; it will force you to add the global that I mentioned, or to configure NAT exemption or a static identity NAT.

Value our effort and rate the assistance!

Do you need anything else? Do you have any comments?

Value our effort and rate the assistance!

Hi Jumora,

Your advice seems sound and I apologise for the delay in replying - it's because since Thursday I have been in London dealing with a problem with, ironically, another Cisco ASA.

I have access to the ASA that is the subject of this problem and tomorrow will be trying out this:

global (dmz) 1 interface

I will report back to this discussion AND can assure everyone that once the problem is overcome I'll update and give closure for anyone else reading this.  There is nothing worse than a discussion that does not get closed.

Thanks again,

Daren

It's ok, I will wait for your update

Value our effort and rate the assistance!

First of all I am very sorry for the delay.

In addition to:

global (dmz) 1 interface

This is what I configured:

static (dmz,inside) tcp 10.10.1.100 ssh 10.10.1.100 ssh netmask 255.255.255.255

access-list inside_access_in extended permit ip any host 10.10.1.100 log

access-group inside_access_in in interface inside

Testing seems to show that an implicit deny is dropping it somehow, if I interpret this correctly:

TESTING

-------------

ASA_Firewall# packet-tracer input inside tcp 172.23.80.37 1026 10.10.1.100 ssh

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (dmz,inside) tcp 10.10.1.100 ssh 10.10.1.100 ssh netmask 255.255.255.255

  match tcp dmz host 10.10.1.100 eq 22 inside any

    static translation to 10.10.1.100/22

    translate_hits = 0, untranslate_hits = 2

Additional Information:

NAT divert to egress interface dmz

Untranslate 10.10.1.100/22 to 10.10.1.100/22 using netmask 255.255.255.255

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule     <=================  This is where it fails
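An added example, not code from the thread: a small Python parser for ASA packet-tracer output like the trace posted above. It pulls out each phase's type, verdict and Config lines plus the final summary fields, so the phase that killed the flow (here the ACCESS-LIST phase with "Implicit Rule") can be located without reading the whole trace. The sample trace is a constructed copy of the one in this post, trimmed to the UN-NAT and ACCESS-LIST phases.

```python
# Constructed sample, trimmed from the packet-tracer output posted above
# (same ASA 8.0 layout; values are the thread's own, not a live capture).
SAMPLE_TRACE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz,inside) tcp 10.10.1.100 ssh 10.10.1.100 ssh netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
input-interface: inside
output-interface: dmz
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(trace):
    """One dict per 'Phase:' block, plus the key/value fields of the final summary."""
    phases, summary, cur, in_config = [], {}, None, False
    for raw in trace.splitlines():
        line = raw.strip()
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "Phase":
            cur = {"phase": int(val), "type": "", "subtype": "", "result": "", "config": []}
            phases.append(cur)
        elif cur is None:  # before the first phase, or after the bare 'Result:' header
            if val:
                summary[key] = val
        elif key == "Result" and not val:
            cur = None  # bare 'Result:' closes the phases and opens the summary
        elif val or line.endswith(":"):  # a 'Field: value' line or a 'Field:' header
            in_config = key == "Config"  # only lines under 'Config:' are rule text
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = val
        elif in_config and line:
            cur["config"].append(line)  # the nat/static line, 'Implicit Rule', ...
    return phases, summary

def first_drop(phases):
    """First phase whose verdict is DROP, or None when every phase allowed the flow."""
    return next((p for p in phases if p["result"] == "DROP"), None)
```

A drop in the ACCESS-LIST phase whose Config is "Implicit Rule" means no line of the ACL bound to the input interface matched the flow, so that ACL is what to compare against the source, destination and port given on the packet-tracer command line.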
