Internet-only guest VLAN access to DMZ Webserver with 4-port ASA5510

Dale Green
Level 1

Community, this is probably an easy one for someone out there who knows what he's doing.

Setup:

============

I have an ASA5510 with 4 interfaces:

     outside 1.2.3.107 (sec level 0)

     inside 10.0.0.251 (sec level 100)

     guest 172.31.255.0 (sec level 10)

     dmz 10.0.255.0 (sec level 10)

-Web server with DMZ address = 10.0.255.10, outside address = 1.2.3.101 static translation

-guest network gets DHCP addresses in the 172.31.255.x range

-same-security-traffic permit inter-interface _and_ intra-interface

-I have a static statement for DNS rewriting that seems to be working. An nslookup of corporate.com from a guest address (172.31.255.98, say) resolves to the DNS rewritten address of 10.0.255.10. So far so good.

The problem:

============

I'd like for guests with 172.31.255.x addresses to be able to browse corporate.com, served from the DMZ address above (10.0.255.10), but it just doesn't seem to be working. I'm getting the error

"3 Feb 21 2012 16:58:41 305006 10.0.255.10 80 portmap translation creation failed for tcp src guest:172.31.255.98/49247 dst dmz:10.0.255.10/80"

A theoretical packet trace from 172.31.255.98 to 10.0.255.10 across port 80 succeeds. So I'm not sure what to do next.

I could post the entire config for anyone who is interested, but these are the highlights - DG.

7 Replies

Julio Carvajal
VIP Alumni

Hello Dale,

So access from the Guest interface to the DMZ server using its private address is what you are looking for!

Please provide the full packet tracer.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks jcarvaja,

I guess that's what I'm looking for. I've tried a number of things to make that happen, too many to list here, but I think that's more or less my goal. I've tried generating an exportable packet trace, but so far with no luck. I'm not really sure how to use the wizard in ASDM, it appears. Let me get back to you on that.

DG.

Matt Lang
Level 1

Dale,

I'm almost positive you will still need to either do NAT exemption or create a static translation from the guest segment to the DMZ segment.

Matt

And thanks also to you Matt,

1. NAT exemption sounds promising. I've read a number of posts that suggest the same thing, but I'm not totally sure how to go about generating the statement to make that happen. Or why for that matter.

2. As for creating a static translation, here are the existing static translations, whose purpose I think I understand, except maybe the first one that does something to the inside network traffic. Not so sure about that one.

=======

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

static (dmz,outside) 1.2.3.102 10.0.255.85 netmask 255.255.255.255

static (dmz,outside) 1.2.3.100 10.0.255.100 netmask 255.255.255.255

static (dmz,outside) 1.2.3.97 10.0.255.83 netmask 255.255.255.255

static (dmz,outside) 1.2.3.101 10.0.255.10 netmask 255.255.255.255 dns (<-- this is the Web server in question)

=======

Pretty sure these statements tell the 5510 how traffic sent to an outside address is to traverse into the dmz subnet. Assuming the dmz = 10.0.255.x and the guest subnet = 172.31.255.x, what would a static translation for the entire subnet look like?

Dale,

The following translation should do the trick...

static (guest,dmz) 172.31.255.0 172.31.255.0 netmask 255.255.255.0

The first static you listed in your previous post basically tells the ASA to translate any traffic with a source of 10.0.x.x which is coming from the inside and going to the dmz to be translated to the same 10.x.x.x address.  For example, a device with an IP address of 10.1.2.3 that is going to a server in the dmz will be translated to its same IP address of 10.1.2.3.

You can achieve the same result with NAT exemption by doing the following.

access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.255.0

nat (inside) 0 access-list nonat

Matt

Again, thanks Matt for your replies. Very specific, useful and relevant.

I've implemented that static translation statement and it appears to have cleared up the previous error about portmap translation creation, but now I'm getting a different error, which is an improvement. New errors are progress. What do you think about this little tidbit from the logs?

===========start log quote

3 Feb 24 2012 14:21:30 305005 10.0.255.10 80 No translation group found for tcp src guest:172.31.255.102/49419 dst dmz:10.0.255.10/80

===========end log quote

Here are some lines from the config that might be helpful, might not:

===========start config quote

access-group aclGuestAccess in interface guest

access-list aclGuestAccess extended permit tcp 172.31.255.0 255.255.255.0 host 10.0.255.10 eq www

access-list aclGuestAccess extended deny ip any 10.0.0.0 255.255.255.0

access-list aclGuestAccess extended deny ip any 192.168.0.0 255.255.255.0

access-list aclGuestAccess extended permit ip 172.31.255.0 255.255.255.0 any

===========end config quote

Any thoughts?

OK, in case anyone is interested in this thread still, here's the line that turned out to be the crux move:

==============start config quote

static (dmz,guest) 10.0.255.10 10.0.255.10 netmask 255.255.255.255

==============end config quote

which provides a static translation for the DMZ address (10.0.255.10) of the Web server from the guest network. Now the guest network can browse Websites served from this DMZ address.

DG.
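An added example, not part of this thread and not Cisco code or Dale's config: a small Python model of the two checks the log messages above refer to, the interface ACL and the pre-8.3 `static` lookup, run over the exact lines quoted in the thread. The matching rule is an assumption and a simplification of the ASA's real NAT order of operations: a `static (real_if,mapped_if)` is taken to cover a flow either because its real side is the ingress interface and contains the source, or because its mapped side is the ingress interface and contains the destination. It leaves out the intermediate `static (guest,dmz)` attempt, which the thread shows was not sufficient on its own, and only demonstrates why the final `static (dmz,guest)` line gives the guest-to-DMZ flow a destination-side match while `aclGuestAccess` already permitted it.

```python
# Simplified model of the ACL check and the pre-8.3 'static' lookup an ASA
# performs on a flow.  The matching rules are an assumption, not Cisco's code.
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network

# Constructed from the lines quoted in the thread.  Pre-8.3 syntax:
#   static (real_if,mapped_if) mapped_addr real_addr netmask mask [dns]
STATICS_BEFORE = [
    "static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0",
    "static (dmz,outside) 1.2.3.102 10.0.255.85 netmask 255.255.255.255",
    "static (dmz,outside) 1.2.3.100 10.0.255.100 netmask 255.255.255.255",
    "static (dmz,outside) 1.2.3.97 10.0.255.83 netmask 255.255.255.255",
    "static (dmz,outside) 1.2.3.101 10.0.255.10 netmask 255.255.255.255 dns",
]
# The line the thread ends on: identity static exposing the DMZ host to guest.
STATICS_AFTER = STATICS_BEFORE + [
    "static (dmz,guest) 10.0.255.10 10.0.255.10 netmask 255.255.255.255",
]
GUEST_ACL = [
    "access-list aclGuestAccess extended permit tcp 172.31.255.0 255.255.255.0 host 10.0.255.10 eq www",
    "access-list aclGuestAccess extended deny ip any 10.0.0.0 255.255.255.0",
    "access-list aclGuestAccess extended deny ip any 192.168.0.0 255.255.255.0",
    "access-list aclGuestAccess extended permit ip 172.31.255.0 255.255.255.0 any",
]
PORTS = {"www": 80}  # only the port keyword the thread's ACL uses


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped: IPv4Net  # addresses as seen from mapped_if
    real: IPv4Net    # addresses as seen from real_if
    dns: bool        # 'dns' keyword: rewrite A records crossing this pair


def parse_static(line: str) -> Static:
    t = line.split()
    if t[0] != "static" or "netmask" not in t:
        raise ValueError(f"not a pre-8.3 static line: {line!r}")
    real_if, mapped_if = t[1].strip("()").split(",")
    mask = t[t.index("netmask") + 1]
    return Static(real_if, mapped_if, IPv4Net(f"{t[2]}/{mask}", strict=False),
                  IPv4Net(f"{t[3]}/{mask}", strict=False), "dns" in t)


def find_translation(statics, in_if, src, out_if, dst):
    """Return (kind, Static) covering a flow from in_if to out_if, else None.
    Assumed rule: a static covers the flow if its real side is the ingress
    interface and contains the source (source gets translated), or if its
    mapped side is the ingress interface and contains the destination (the
    destination gets un-translated to its real address on the way out)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s in map(parse_static, statics):
        if s.real_if == in_if and s.mapped_if == out_if and src in s.real:
            return "source", s
        if s.mapped_if == in_if and s.real_if == out_if and dst in s.mapped:
            return "destination", s
    return None


def _addr(t, i):
    """Consume one extended-ACL address spec at t[i]; return (network, next i)."""
    if t[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Net(f"{t[i + 1]}/32"), i + 2
    return IPv4Net(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def acl_decision(acl_lines, src, dst, proto="tcp", dport=80):
    """First-match evaluation of an extended ACL, with the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        t = line.split()
        action, ace_proto = t[3], t[4]
        srcnet, i = _addr(t, 5)
        dstnet, i = _addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORTS.get(t[i + 1]) or int(t[i + 1])
        if ace_proto in ("ip", proto) and src in srcnet and dst in dstnet \
                and (port is None or port == dport):
            return action
    return "deny"


def diagnose(statics, acl, in_if, src, out_if, dst):
    """Walk the flow through the ACL, then through the translation lookup."""
    if acl_decision(acl, src, dst) != "permit":
        return "denied by interface ACL"
    hit = find_translation(statics, in_if, src, out_if, dst)
    if hit is None:
        return "no translation for this interface pair (cf. syslog 305005/305006)"
    kind, s = hit
    return f"{kind} translation via static ({s.real_if},{s.mapped_if}) {s.mapped[0]} {s.real[0]}"


if __name__ == "__main__":
    flow = ("guest", "172.31.255.102", "dmz", "10.0.255.10")
    print("before:", diagnose(STATICS_BEFORE, GUEST_ACL, *flow))
    print("after: ", diagnose(STATICS_AFTER, GUEST_ACL, *flow))
```

Running it shows the ACL was never the blocker for the 172.31.255.x to 10.0.255.10:80 flow; the first rule of `aclGuestAccess` permits it. What changes between `STATICS_BEFORE` and `STATICS_AFTER` is that the `(dmz,guest)` identity static gives the guest interface a mapped-side entry for 10.0.255.10, so the lookup finds a destination translation instead of failing. The same lookup explains the first static in Dale's list: inside hosts in 10.0.0.0/16 get a source-side identity match toward the DMZ.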
