Solved: Re: Need help with giving devices behind DMZ access to Lan Resou

David Haman · ‎07-06-2010

Heres a little background of my setup, I have 1 Isp which assigns me an Ip via dhcp , i have Patted my inside to outside to receive net access, I have also done the same with my Dmz interface which all devices on the Dmz can access the internet. Inside (vlan1) Outside (vlan2) Dmz (vlan3)

I have sucessfully setup rules to access from outside of my network a couple of security cameras to watch my dogs while i am work, my email server etc , plus i have vpn access. works very well. My only issue is i want dmz devices to be able to access and Use my Dns server that sits on the inside , but i have tried so many access list, rules etc and i continuously receive an error that states denied due to dns query. I also want DMZ devices to beable to access network printers (port 9100) that reside on the inside also but i have been unsucessful with this Of course the only way my dmz devices can access internal recourses is if i set the security level to 100 which i do not want to do . Vlan 3 labled dmz is my wireless segment . (as for now i have a second nic on my dns server that is on the 10.10.3.x network going to vlan 3 ) but that is just temp . I want Dmz computers to be able to access internal Dns and AD..etc..I also was wishing that the ASA could allow me to doa sort of ip helper so my vlan 3 can pull ip addresses from my dhcp server on the dmz network, but for now i have dhcp running on a server for just the inside, and the dmz is pulling dhcp address for clients from the asa dhcp server..I just want the dmz devices to be able to access certain inside resources.

Thanks in advance for any assistance

Here is my config

!
ASA Version 8.3(1)
!
hostname xxxxxxxxx
domain-name xxxxxxxxxxxx.local
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
name 10.10.10.9 foxclone
name 10.10.10.198 netprinter-01
name 10.10.10.14 file-serv
name 10.10.3.190 petcam
name 10.10.10.25 mail-serv
name 10.10.3.191 petcam2
name 10.10.10.254 namesrv0-1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
banner exec Welcome To xxxxxxx
banner login Welcome To xxxxxxx
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server namesrv0-1
domain-name xxxxxxxxx.local
dns server-group vlan3_dns_server
name-server 10.10.3.254(temp)
domain-name dmz.liquidskynet.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
description inside network segment
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.192
object network mail-serv-smtp
host 10.10.10.25
object network mail-serv-https
host 10.10.10.25
object network foxclone
host 10.10.10.9
object network Inside_Outside_Dynamic_Pat
subnet 10.10.10.0 255.255.255.0
object network Dmz_Outside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network petcam2-http
host 10.10.3.191
object network petcam-http
host 10.10.3.190
object network petcam2-winstream
host 10.10.3.191
object network namesrv0-1
host 10.10.10.254
object network file-serv
host 10.10.10.14
object network obj-10.10.3.0
subnet 10.10.3.0 255.255.255.0
description dmz network segment
object network Dmz_Inside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network namesrv0-1(vlan3)
host 10.10.3.254
object network mail-serv
host 10.10.10.25
object network foxclone-rdp-dmz
host 10.10.10.9
object-group network obj_any
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.3.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.3.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list outside_access_in extended permit tcp any object petcam-http eq 8081
access-list outside_access_in extended permit tcp any object mail-serv-https eq https
access-list outside_access_in extended permit tcp any object mail-serv-smtp eq smtp
access-list outside_access_in extended permit tcp any object foxclone eq 7000 inactive
access-list outside_access_in extended permit tcp any object petcam2-http eq 8082
access-list outside_access_in extended permit tcp any object petcam2-winstream eq 81 inactive
pager lines 24
logging enable
logging asdm informational
logging from-address cisco.alerts@liquidskynet.com
logging recipient-address david.haman@liquidskynet.com level alerts
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Vpn-1_Pool 192.168.10.10-192.168.10.34 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-631.bin
asdm location petcam 255.255.255.255 inside
asdm location file-serv 255.255.255.255 inside
asdm location petcam2 255.255.255.255 inside
asdm location 10.10.3.25 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-192.168.10.0 obj-192.168.10.0
nat (dmz,outside) source static obj-10.10.3.0 obj-10.10.3.0 destination static obj-192.168.10.0 obj-192.168.10.0
!
object network mail-serv-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network mail-serv-https
nat (inside,outside) static interface service tcp https https
object network foxclone
nat (inside,outside) static interface service tcp 7000 7000
object network Inside_Outside_Dynamic_Pat
nat (inside,outside) dynamic interface
object network Dmz_Outside_Dynamic_Pat
nat (dmz,outside) dynamic interface dns
object network petcam2-http
nat (dmz,outside) static interface service tcp 8082 8082
object network petcam-http
nat (dmz,outside) static interface service tcp 8081 8081
object network petcam2-winstream
nat (dmz,outside) static interface service tcp 81 81
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http server idle-timeout 60
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd dns namesrv0-1 68.87.73.246 interface inside
dhcpd domain liquidskynet.local interface inside
!
dhcpd address 10.10.3.10-10.10.3.30 dmz
dhcpd dns 10.10.3.254 68.87.73.246 interface dmz
dhcpd domain dmz.liquidskynet.local interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside foxclone C:\TFTP-Root
webvpn
group-policy Tunnel-1 internal
group-policy Tunnel-1 attributes
dns-server value 10.10.10.254 10.10.3.254
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnel-1_splitTunnelAcl
default-domain value liquidskynet.local
group-policy DfltGrpPolicy attributes
dns-server value 10.10.10.254
ip-comp enable
re-xauth enable
pfs enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value Vpn-1_Pool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
username dhaman password xxxxxxxxxxxxxxxxxxxxx encrypted privilege 15
username dhaman attributes
vpn-group-policy Tunnel-1
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
group-lock none
tunnel-group DefaultRAGroup general-attributes
default-group-policy Tunnel-1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxxxxx
tunnel-group Tunnel-1 type remote-access
tunnel-group Tunnel-1 general-attributes
address-pool Vpn-1_Pool
default-group-policy Tunnel-1
tunnel-group Tunnel-1 ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect dns preset_dns_map
!
service-policy global_policy global
smtp-server 10.10.10.25
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Nagaraja Thanthry · ‎07-07-2010

Nice to know that things are working now. Glad that we could help.

Regards,

NT

Note: Do not forget to rate the useful posts.

View solution in original post

Nagaraja Thanthry · ‎07-07-2010

When you configured the NAT rule, you basically met one of the criterion required to enable communication between the inside and the DMZ. The requirement is that when you want to communicate between the higher security interface (inside) to lower security interface (DMZ), you need to have a NAT rule specified for the higher security hosts. In your case, since you want to open connection from the DMZ side, you need to have a static rule configured that will allow DMZ host to establish a connection that will be translated correctly to the inside address. If you want to make it more granular, please try the following:

access-list dmz_access_in line 1 permit udp any host 10.10.10.254 eq 53

no access-list dmz_access_in permit ip any host 10.10.10.254

This will ensure that only UDP port 53 traffic is allowed from DMZ to inside and all other traffic initiated by the DMZ towards inside will be blocked.

Hope this answers your questions.

Regards,

NT

Note: Do not forget to rate useful posts.

View solution in original post

Nagaraja Thanthry · ‎07-06-2010

Seems like you are missing access-list on the DMZ interface. Since DMZ interface is on lower security than the inside, you need exclusive rules to allow DMZ to inside communication.Please try adding an access-list rule allowing traffic from DMZ network to inside and see if that helps. Also, I do not see any NAT rules from inside to DMZ. You might need to add identity NAT to allow DMZ devices to access the inside servers. Hope this helps.

Regards,

NT

David Haman · ‎07-06-2010

Could you give an example, at first i did have a an access list for this but it did not seem to help.

I upgraded from an older version of asa to this 8.3 version and in the asdm it is a lot more granular than before.

i have tried such access list as

access-list dmz_access_in extended permit tcp any object namesrv0-1 eq domain

but still doesnt work

Nagaraja Thanthry · ‎07-06-2010

You could use something like:

access-list dmz_access_in permit ip any host

The access list you have seems incorrect as most commonly DNS uses UDP but your access-list is for TCP. Hope this helps.

Regards,

NT

David Haman · ‎07-06-2010

Thank you for your assistance

i ran the following command

access-list dmz_access_in permit ip any host 10.10.10.254

I still have been receiving the following error when ever i try to have a dmz host use the Dns server in the inside ..im at a loss here

This is the error i receive

Deny inbound UDP from 10.10.3.11/62073 to 10.10.10.254/53 due to DNS Query

Nagaraja Thanthry · ‎07-06-2010

Have you already added the NAT rule from inside to DMZ? Can you try using the packet-tracer and see at what point the firewall is blocking the access?

packet-tracer input dmz udp 1024 53 detailed

This should tell us the exact place where the packets are getting blocked. Hope this helps.

Regards,

NT

David Haman · ‎07-07-2010

I have a ststic nat rule from source inside (inside network 10.10.10.0/24) to destination dmz

(dmz network 10.10.3.0/24) im not undestanding why i would need this though since my indside can already see

everything behind the dmz , its that the dmz cant see speccific services like dns behind the inside. o

r maybe i have it backwards?

i have added the staic nat as you suggested inside to dmz, and created an access rule to allow inbound to my dns server but udp/53 is still being dropped

Nagaraja Thanthry · ‎07-07-2010

Can you post the output of the packet tracer here?

packet-tracer input dmz udp 1024 53 detailed

Regards,

NT

David Haman · ‎07-07-2010

Here are the results of

packet-tracer input dmz udp 10.10.3.191 1024 10.10.10.254 53 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcac10428, priority=1, domain=permit, deny=false
        hits=8287, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=dmz, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST

Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcac10c48, priority=0, domain=permit, deny=true
        hits=236, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Nagaraja Thanthry · ‎07-07-2010

Seems like the access-list is not applied to the interface. The traffic is getting dropped due to implicit rule. Can you please apply the ACL to the interface?

access-group in interface DMZ

Hope this helps to fix the issue.

Regards,

NT

David Haman · ‎07-07-2010

After running these commands

access-list dmz_access_in permit ip any host 10.10.10.254
access-group dmz_access_in in interface DMZ

i receive the following error

petcam2 1132 72.14.204.103 80 Deny tcp src dmz:petcam2/1132 dst outside:72.14.204.103/80 by access-group "dmz_access_in" [0x0, 0x0]

David Haman · ‎07-07-2010

Hello

I have attached a screenshot of my asdm setups , acl, access rules and Nat, maybe this could help clear up my issue

Thank you very much

Nagaraja Thanthry · ‎07-07-2010

Can you add the following lines to the access-list? Also, when you had that access-list, I am assuming you were able to get to the DNS server.

access-list dmz_access_in permit ip any host 10.10.10.254

access-list dmz_access_in deny ip any 10.10.10.0 255.255.255.0

access-list dmz_access_in permit ip any any

Hope this helps.

Regards,

NT

David Haman · ‎07-07-2010

Hello,

I added the access list that you suggested but i still receive this error

DNSDeny inbound UDP from petcam2/64204 to 10.10.10.254/53 due to DNS Query

Nagaraja Thanthry · ‎07-07-2010

Hello David,

At this point, I think the issue could be due to a bug in Cisco code. But before we go there, can you post the latest "show run" output (with the DMZ access-lists) and also the packet-tracer output

packet-tracer input dmz udp 10.10.3.191 1024 10.10.10.254 53 detailed

Regards,

NT

Need help with giving devices behind DMZ access to Lan Resources