cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3574
Views
30
Helpful
16
Replies

DMZ on ASA 5506

marcio.tormente
Level 4
Level 4

Hello Folks!

Is my first time that I´m configurin DMZ on ASA. I create a interface with security level 50, my outside is 0 and inside 100, All intefaces with diferent IP range.

Based on security level the inside should be able to talk to dmz, but is not working, I include some rules to allow the traffic from one to another, even any any and machine from inside can´t talk to dmz.

When I use packetracer on ASDM to see where is the traffic is stopping, he say that is in the ACL. How is possible if there is a rule to allow any any in all interface?

Other probleme, I create a NAT the same as the inside to dmz range, but when I include the IP in the same range that dmz interface in my machine, change the vlan in the switch, I can´t access the internet.

I saw may sites about DMZ, but the almost all of then is old and talk about 5505, some command is different, I know that DMZ don´t have to access everything from inside, but first I just want make sure that the comunication is working, after that make filter.

16 Replies 16

Hi Marcio,

The ASA 5505 minimum license is DMZ restricted, meaning that you are only able to forward traffic to this zone from 1 other zone, could be outside for example. Please check if you maybe have this license restriction ('sh ver').

Regarding the other issue, you could try posting the configuration commands.

Regards,

Thomas

Hello Thomas!

My ASA is 5506, I don´t know if there is the same restriction, follow the sh ver:

likasa# sh ver

Cisco Adaptive Security Appliance Software Version 9.4(1)
Device Manager Version 7.4(3)

Compiled on Sat 21-Mar-15 11:42 PDT by builders
System image file is "disk0:/asa941-lfbff-k8.SPA"
Config file at boot was "startup-config"

likasa up 2 days 18 hours

Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8192MB
BIOS Flash unknown @ 0x0, 0KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1

1: Ext: GigabitEthernet1/1 : address is e865.49e3.f1e4, irq 255
2: Ext: GigabitEthernet1/2 : address is e865.49e3.f1e5, irq 255
3: Ext: GigabitEthernet1/3 : address is e865.49e3.f1e6, irq 255
4: Ext: GigabitEthernet1/4 : address is e865.49e3.f1e7, irq 255
5: Ext: GigabitEthernet1/5 : address is e865.49e3.f1e8, irq 255
6: Ext: GigabitEthernet1/6 : address is e865.49e3.f1e9, irq 255
7: Ext: GigabitEthernet1/7 : address is e865.49e3.f1ea, irq 255
8: Ext: GigabitEthernet1/8 : address is e865.49e3.f1eb, irq 255
9: Int: Internal-Data1/1 : address is e865.49e3.f1e3, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is e865.49e3.f1e3, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

This platform has a Base license.

Serial Number: JAD1922018J
Running Permanent Activation Key: 0x280cc85d 0x442fef6c 0xe0310dac 0x9e64c824 0xc0230ea8
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration last modified by administrator at 17:05:36.257 UTC Thu Mar 31 2016
likasa#

I see, it does not look as if you have this restriction.

Regards,

Thomas

Aditya Ganjoo
Cisco Employee
Cisco Employee

Hi Marcio,

Could you share the packet-tracer output of the concerned traffic ?

Where did you allow the traffic ?

Are you using any NAT for the traffic ? From inside to DMZ you do not need any rules to permit the traffic.

Also what traffic are you testing, is it icmp ?

If yes you can use fixup protocol icmp.

Regards,

Aditya

Please rate helpful posts.

Hello Aditya,

Follow attached the packet tracer.

I allow the traffic in all interface just to make sure that the problem is not rules.

I´m using NAT as the same I did with inside network (Dynamic NAT - DMZ to Outside)

Hi Marcio,

Could you share the NAT statement ?

I do not see NAT statement hit on the packet tracer.

You told that traffic is not working from DMZ to inside but the packet tracer shows traffic for outside.

Could you let me know that what are we trying to access from DMZ ?

Regards,


Aditya

please rate helpful posts.

Hi Aditya

In fact you was talk to my in other case that thare is relation with this one, I split to do step by step.

The other case is (Ididn´t understand yet):

https://supportforums.cisco.com/discussion/12948051/port-map-nat

Yes, I have both problem, DMZ to internet is not working and from insit to DMZ as well, follow the new tracer and my topology to this service that I´m traying to solve.

NAT

object network Rede_DMZ
subnet 192.168.17.0 255.255.255.0

object network Rede_DMZ
nat (any,outside1) dynamic interface

Hi Marcio,

In the packet tracer I see no route to host.

Could you share the show run of the ASA ?

Regards,

Aditya

Aditya

There is route, because in the ASA have a interface in each network

Follow the configuration as you request.

Thanks for your support

First off I would suggest trying a packet tracer using TCP instead of IP:

packet-tracer input inside tcp 192.168.13.100 12345 192.168.17.100 80 detail

You have two outside interfaces configured (outside and outside1)  What is the difference between these two? I mean what is outside used for and what is outside1 used for.

Your topology map shows only outside as being used in this scenario but in your configuration your dynamic NAT statement for DMZ is only for outside1.

Also, you have a lot of incorrect configuration in your ACLs, or should I say configuration that is not needed. The only time you would add an explicity deny any any on an ACL is if you want to log the traffic.  But none of your statements have the log keyword defined:

access-list outside1_access_in extended permit ip 192.168.17.0 255.255.255.0 any 
access-list DMZ_access_in extended permit ip 192.168.17.0 255.255.255.0 any 
access-list DMZ_access_in extended permit ip 192.168.17.0 255.255.255.0 any 
access-list DMZ_access_in extended permit ip 192.168.17.0 255.255.255.0 any 
access-list outside_access_in extended deny ip any any

Also, open up the Real Time log viewer in ASDM and then monitor it while trying to access the DMZ from the inside network.  It might indicate what is stopping the traffic.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Hello Marius!

Frst, thanks for your support.

Yes, I have 02 interfaces to internet, one (outside1) is the primary that I have public IP (only one), this is the main link, the other (outside) is ADLS, I only use this link in case the first is not working because the low speed.

All this rule, I include recently just to make sure that the problema is not rule.

I'll make all the tests that you you request soon, I'll be out of the office for 3 days for health problem, when I can back I'll let you know the result.

Thanks

Hello Marius!

Follow attached the packet tracert as you request.

I collected this command after apply the command: 

nat (dmz,outside1) 1 source dynamic Rede_DMZ interface

This command was suggest by Adytia above.

Thanks

Hi Marcio,

Could you try using this NAT statement and check ?

nat (dmz,outside1) 1 source dynamic Rede_DMZ interface

After using this NAT please share the packet tracer output:

packet-tracer input dmz icmp 192.168.17.5 8 0 8.8.8.8 det

Regards,

Aditya

Please rate helpful posts.

Hello Aditya,

Thanks for your support.

I'll make all the tests that you you request soon, I'll be out of the office for 3 days for health problem, when I can back I'll let you know the result.

Thanks

Marcio

Review Cisco Networking for a $25 gift card