How to config firewall if accessing from dmz to inside lan

riderfaiz
Level 1

Hi everyone,

Hope you can help on this.

We have an ASA with IOS 8.44. We just configured a DMZ zone. Now we try to access a share on a Windows server on the INSIDE interface from another Windows server in the DMZ. So on the server in the DMZ, I will type \\INSIDE_Server\SharedName (or \\ip_of_inside_server\SharedName) to access the share.

On the firewall, I opened TCP ports 137, 138, 139 and 445 to allow access from the DMZ to the Inside server. But it failed. So what do I need to configure so that I can complete my task?

Also, we have some internal DNS servers on the INSIDE interface. How do I make my DMZ server use the inside DNS servers for DNS resolution?

Hope you can help. Thank you!

Takami Chiro


18 Replies

Jouni Forss
VIP Alumni

Hi,

Without seeing the current configuration it's hard to say what the problem is.

Have you monitored the ASA logs while connecting from DMZ to INSIDE? Have you tried to test the connection by first allowing all traffic between the servers in the ACL?

Are the actual servers configured so that this connection is even possible?

With regards to the DNS use, since we are talking about servers, I would imagine that you define the INSIDE DNS server in the settings of the actual DMZ server.

- Jouni

Hi Jouni, thank you for your response. In fact, you are right, I should have checked my syslog as well.... how dumb I am.

What do you mean by the question "Are the actual servers configured so that this connection is even possible"? I do not understand what it means....

Thank you again

Takami

Hi,

I mean: could the INSIDE server have some firewall software of its own that blocks the attempt from the DMZ to open the shared folder, or something along those lines?

I think the best bet is to check the logs through the ASDM and see if anything gets blocked when you try to form the connection. If you can't see anything blocked on the firewall then the problem might be somewhere other than the firewall.

But again I have to say that since we don't see the ASA configuration we can't confirm all the settings.

You should confirm at least that

  • The routing between the hosts is ok
  • NAT doesn't stop the communication between the networks
  • No ACL blocks the traffic

- Jouni

Hi Jouni, I will definitely review my syslog in a moment. The ping from the DMZ to the inside server IP is ok.... and we also have some other servers in there so I think the route should be fine. One thing for sure.... is that I am not sure if the ports I opened for this connection are correct. It is because I could not see any counters rolling for the ports... Hopefully I can review the syslog info and see what is being blocked... that way everything should be clear. Thank you for reminding me of that.

I will keep posted here. Thank you again for your help.

Takami

Hello Bob,

So you are using a domain name; the first thing would be to check that DNS resolution is working fine from DMZ to inside.

A packet-tracer would let us know that:

packet-tracer input dmz udp x.x.x.x ( DMZ client ip address) y.y.y (inside DNS) server 53

Post the results so we can check them.

Also, just to check:

packet-tracer input dmz udp x.x.x. y.y.y 139

regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi JCarvaja,

Thank you for your response. I tried to run the packet-tracer command. It did not let me input the inside IP. Here is the result:

##############

packet-tracer input dmz udp 172.20.0.49 10.10.0.9 server 53

                                          ^

ERROR: % Invalid input detected at '^' marker.

##############

10.10.0.9 is one of our internal DNS servers.

Please correct me if I mistype something... thanks

Hello,

Is dmz the name you have for that interface?

You can do

packet-tracer input ?

to check the available names and then set the one required.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

JCarvaja... sorry to keep bugging you.

Ok... You are correct. My interface is dmz2 indeed.

So if I type in "packet-tracer input dmz udp 172.20.0.49 10.10.0.9 ?", it tells me unrecognized command. If I type in "packet-tracer input dmz udp 172.20.0.49 ?", I see a bunch of options, including UDP port numbers.

So what do I need to type after the IP address there? My guess is "packet-tracer input dmz udp 172.20.0.49 port_number destination_ip port_number"?

Thank you again for your help!

Hello

packet-tracer input dmz udp 172.20.0.49 1025 10.10.0.9 53

The first port is the random (source) port.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

Thank you very much. Finally I could run the command for troubleshooting. The following is the result:

Result of the command: "packet-tracer input dmz2 udp 172.20.0.49 1025 10.10.0.9 53"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.0.0       255.255.0.0     inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group dmz2_acl in interface dmz2
access-list dmz2_acl extended deny ip any 10.0.0.0 255.0.0.0
Additional Information:

Result:
input-interface: dmz2
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

#########################

So does it mean I need to allow tcp 53 from that server in the DMZ to the DNS server inside?

Thank you very much again...

Hi,

The above output tells us that you have a rule/ACL that blocks any traffic to the network 10.0.0.0/8.

Can you please share the ACL named dmz2_acl?

Use the command

show access-list dmz2_acl

Or you can just allow DNS traffic with the following commands:

access-list dmz2_acl line 1 remark Permit DNS from DMZ to INSIDE

access-list dmz2_acl line 2 permit udp host 172.20.0.49 host 10.10.0.9 eq 53

This will allow DNS between the 2 host IP addresses. Do notice that this just allows DNS, and further configuration might be needed for your connections to work.

- Jouni

Hello Bobson,

Great to see that we ran the command. It hit

access-list dmz2_acl extended deny ip any 10.0.0.0 255.0.0.0

As we can see here, you might be permitting ICMP traffic and some of the SMB traffic, but at least UDP/53 is being denied. That being said, you must modify the ACL as Jouni said.

Afterwards DNS should work. Run the packet-tracer after the changes and post the results.

regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
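Both replies above depend on the ASA evaluating an ACL top-down and stopping at the first match, which is why the permit has to be inserted above the existing "deny ip any 10.0.0.0 255.0.0.0" line (that is what the "line N" keyword does) rather than appended after it. The following is an added Python model of that first-match lookup, not code from the thread or from Cisco; it understands only the ACE subset quoted in the thread (permit/deny, ip/udp/tcp, any, host X, address+mask, eq port), and the parser, insert_line and demo functions are constructed for illustration.

```python
import ipaddress

def _addr(t, i):
    """Parse one ASA address spec at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2  # address netmask

def _port(t, i):
    """Parse an optional 'eq N'; None means any port."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list NAME [line N] [extended] ACTION PROTO SRC [eq P] DST [eq P]'.
    Returns None for remark lines."""
    t = line.split()
    i = 2
    if t[i] == "line":
        i += 2
    if t[i] == "extended":
        i += 1
    if t[i] == "remark":
        return None
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    _sport, i = _port(t, i)          # source port is ephemeral; not matched below
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport):
    """First-match lookup over ACE strings; implicit deny when nothing matches."""
    for ace in filter(None, map(parse_ace, acl)):
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

def insert_line(acl, n, ace):
    """Emulate 'access-list NAME line N ...': insert at 1-based position N."""
    acl.insert(n - 1, ace)

def demo():
    """Return the verdict for DNS 172.20.0.49 -> 10.10.0.9 udp/53: as-is, permit appended, permit inserted."""
    dns = ("udp", "172.20.0.49", "10.10.0.9", 53)
    deny_net = "access-list dmz2_acl extended deny ip any 10.0.0.0 255.0.0.0"
    permit_dns = "access-list dmz2_acl extended permit udp host 172.20.0.49 host 10.10.0.9 eq 53"
    ordered = [deny_net]
    insert_line(ordered, 1, permit_dns)   # what 'line 1/2' in the accepted answer achieves
    return evaluate([deny_net], *dns), evaluate([deny_net, permit_dns], *dns), evaluate(ordered, *dns)
```

The same evaluate() call with proto "tcp" and port 445 shows that the DNS permit alone does nothing for the SMB share; a separate permit for the SMB ports, also placed above the deny, is needed for that.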

HI Jouni, and Jcarvaja,

Thank you for the details. I will add the access list to fix the DNS issue. But may I ask.... how can I make my server in the DMZ access the share on one of the servers in INSIDE?

No matter what, thank you very much for your help!

Takami

Hi,

You could always consider allowing all traffic between the 2 servers and then trying the connection to see if it works. This would at least tell whether the problem is in the firewall settings or actually on the servers.

And again, we can't take everything into consideration when we don't have any idea how your network is built and how the firewall is configured. It would help to see the configurations.

- Jouni
