Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3572
Views
30
Helpful
16
Replies

DMZ on ASA 5506

marcio.tormente
Level 4
Level 4

‎04-01-2016 06:13 AM - edited ‎03-12-2019 12:34 AM

Hello Folks!

Is my first time that I´m configurin DMZ on ASA. I create a interface with security level 50, my outside is 0 and inside 100, All intefaces with diferent IP range.

Based on security level the inside should be able to talk to dmz, but is not working, I include some rules to allow the traffic from one to another, even any any and machine from inside can´t talk to dmz.

When I use packetracer on ASDM to see where is the traffic is stopping, he say that is in the ACL. How is possible if there is a rule to allow any any in all interface?

Other probleme, I create a NAT the same as the inside to dmz range, but when I include the IP in the same range that dmz interface in my machine, change the vlan in the switch, I can´t access the internet.

I saw may sites about DMZ, but the almost all of then is old and talk about 5505, some command is different, I know that DMZ don´t have to access everything from inside, but first I just want make sure that the comunication is working, after that make filter.

1 person had this problem
Labels:
0 Helpful
16 Replies 16

Thomas Bille Joergensen
Level 1
Level 1

‎04-01-2016 07:14 AM

Hi Marcio,

The ASA 5505 minimum license is DMZ restricted, meaning that you are only able to forward traffic to this zone from 1 other zone, could be outside for example. Please check if you maybe have this license restriction ('sh ver').

Regarding the other issue, you could try posting the configuration commands.

Regards,

Thomas

marcio.tormente
Level 4
Level 4
In response to Thomas Bille Joergensen

‎04-01-2016 07:21 AM

Hello Thomas!

My ASA is 5506, I don´t know if there is the same restriction, follow the sh ver:

likasa# sh ver

Cisco Adaptive Security Appliance Software Version 9.4(1)
Device Manager Version 7.4(3)

Compiled on Sat 21-Mar-15 11:42 PDT by builders
System image file is "disk0:/asa941-lfbff-k8.SPA"
Config file at boot was "startup-config"

likasa up 2 days 18 hours

Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8192MB
BIOS Flash unknown @ 0x0, 0KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1

1: Ext: GigabitEthernet1/1 : address is e865.49e3.f1e4, irq 255
2: Ext: GigabitEthernet1/2 : address is e865.49e3.f1e5, irq 255
3: Ext: GigabitEthernet1/3 : address is e865.49e3.f1e6, irq 255
4: Ext: GigabitEthernet1/4 : address is e865.49e3.f1e7, irq 255
5: Ext: GigabitEthernet1/5 : address is e865.49e3.f1e8, irq 255
6: Ext: GigabitEthernet1/6 : address is e865.49e3.f1e9, irq 255
7: Ext: GigabitEthernet1/7 : address is e865.49e3.f1ea, irq 255
8: Ext: GigabitEthernet1/8 : address is e865.49e3.f1eb, irq 255
9: Int: Internal-Data1/1 : address is e865.49e3.f1e3, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is e865.49e3.f1e3, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

This platform has a Base license.

Serial Number: JAD1922018J
Running Permanent Activation Key: 0x280cc85d 0x442fef6c 0xe0310dac 0x9e64c824 0xc0230ea8
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration last modified by administrator at 17:05:36.257 UTC Thu Mar 31 2016
likasa#

0 Helpful

Thomas Bille Joergensen
Level 1
Level 1
In response to marcio.tormente

‎04-02-2016 02:09 AM

I see, it does not look as if you have this restriction.

Regards,

Thomas

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎04-01-2016 07:24 AM

Hi Marcio,

Could you share the packet-tracer output of the concerned traffic ?

Where did you allow the traffic ?

Are you using any NAT for the traffic ? From inside to DMZ you do not need any rules to permit the traffic.

Also what traffic are you testing, is it icmp ?

If yes you can use fixup protocol icmp.

Regards,

Aditya

Please rate helpful posts.

marcio.tormente
Level 4
Level 4
In response to Aditya Ganjoo

‎04-01-2016 07:55 AM

Hello Aditya,

Follow attached the packet tracer.

I allow the traffic in all interface just to make sure that the problem is not rules.

I´m using NAT as the same I did with inside network (Dynamic NAT - DMZ to Outside)

Preview file
257 KB
0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to marcio.tormente

‎04-01-2016 08:14 AM

Hi Marcio,

Could you share the NAT statement ?

I do not see NAT statement hit on the packet tracer.

You told that traffic is not working from DMZ to inside but the packet tracer shows traffic for outside.

Could you let me know that what are we trying to access from DMZ ?

Regards,


Aditya

please rate helpful posts.

marcio.tormente
Level 4
Level 4
In response to Aditya Ganjoo

‎04-01-2016 08:31 AM

Hi Aditya

In fact you was talk to my in other case that thare is relation with this one, I split to do step by step.

The other case is (Ididn´t understand yet):

https://supportforums.cisco.com/discussion/12948051/port-map-nat

Yes, I have both problem, DMZ to internet is not working and from insit to DMZ as well, follow the new tracer and my topology to this service that I´m traying to solve.

NAT

object network Rede_DMZ
subnet 192.168.17.0 255.255.255.0

object network Rede_DMZ
nat (any,outside1) dynamic interface

Preview file
50 KB
Preview file
236 KB
0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to marcio.tormente

‎04-01-2016 10:53 AM

Hi Marcio,

In the packet tracer I see no route to host.

Could you share the show run of the ASA ?

Regards,

Aditya

0 Helpful

marcio.tormente
Level 4
Level 4
In response to Aditya Ganjoo

‎04-01-2016 11:14 AM

Aditya

There is route, because in the ASA have a interface in each network

Follow the configuration as you request.

Thanks for your support

Preview file
19 KB
0 Helpful

Marius Gunnerud
VIP
VIP
In response to marcio.tormente

‎04-02-2016 12:52 AM

First off I would suggest trying a packet tracer using TCP instead of IP:

packet-tracer input inside tcp 192.168.13.100 12345 192.168.17.100 80 detail

You have two outside interfaces configured (outside and outside1)  What is the difference between these two? I mean what is outside used for and what is outside1 used for.

Your topology map shows only outside as being used in this scenario but in your configuration your dynamic NAT statement for DMZ is only for outside1.

Also, you have a lot of incorrect configuration in your ACLs, or should I say configuration that is not needed. The only time you would add an explicity deny any any on an ACL is if you want to log the traffic.  But none of your statements have the log keyword defined:

access-list outside1_access_in extended permit ip 192.168.17.0 255.255.255.0 any 

access-list DMZ_access_in extended permit ip 192.168.17.0 255.255.255.0 any 

access-list DMZ_access_in extended permit ip 192.168.17.0 255.255.255.0 any 

access-list DMZ_access_in extended permit ip 192.168.17.0 255.255.255.0 any 

access-list outside_access_in extended deny ip any any

Also, open up the Real Time log viewer in ASDM and then monitor it while trying to access the DMZ from the inside network.  It might indicate what is stopping the traffic.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

marcio.tormente
Level 4
Level 4
In response to Marius Gunnerud

‎04-03-2016 07:21 PM

Hello Marius!

Frst, thanks for your support.

Yes, I have 02 interfaces to internet, one (outside1) is the primary that I have public IP (only one), this is the main link, the other (outside) is ADLS, I only use this link in case the first is not working because the low speed.

All this rule, I include recently just to make sure that the problema is not rule.

I'll make all the tests that you you request soon, I'll be out of the office for 3 days for health problem, when I can back I'll let you know the result.

Thanks

0 Helpful

marcio.tormente
Level 4
Level 4
In response to Marius Gunnerud

‎04-06-2016 11:04 AM

Hello Marius!

Follow attached the packet tracert as you request.

I collected this command after apply the command: 

nat (dmz,outside1) 1 source dynamic Rede_DMZ interface

This command was suggest by Adytia above.

Thanks

Preview file
5 KB
0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to marcio.tormente

‎04-01-2016 08:23 PM

Hi Marcio,

Could you try using this NAT statement and check ?

nat (dmz,outside1) 1 source dynamic Rede_DMZ interface

After using this NAT please share the packet tracer output:

packet-tracer input dmz icmp 192.168.17.5 8 0 8.8.8.8 det

Regards,

Aditya

Please rate helpful posts.

marcio.tormente
Level 4
Level 4
In response to Aditya Ganjoo

‎04-03-2016 07:23 PM

Hello Aditya,

Thanks for your support.

I'll make all the tests that you you request soon, I'll be out of the office for 3 days for health problem, when I can back I'll let you know the result.

Thanks

Marcio

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card