02-04-2008 08:10 AM - edited 03-11-2019 04:58 AM
I'm having a problem getting web access from my dmz network. It has a higher security-level than the outside interface, so shouldn't I be able to get outside internet access from the dmz? Inbound access from outside to the DMZ works fine the way I have it w/ PAT.
Does anyone see anything wrong w/ what I've got?
---
5510(config)# sh run
: Saved
:
ASA Version 7.0(7)
!
hostname 5510
enable password ABC87h/3Z9f23JKj6 encrypted
names
name 192.168.3.0 DEV_NET
name 192.168.4.0 DMZ_NET
name 192.168.2.0 CLUSTER_NET
name 199.199.xxx.0 AEW_NET
name 199.199.xxx.14 MY_WAN_IP
name 192.168.1.0 MGMT_NET
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address MY_WAN_IP 255.255.255.0
!
interface Ethernet0/1
nameif dmz
security-level 20
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/2
nameif cluster
security-level 60
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
nameif development
security-level 80
ip address 192.168.3.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group protocol TCP_UDP_ICMP
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group network CLUSTER_GRP
network-object host 192.168.2.10
object-group network DEVELOPMENT_GRP
network-object host 192.168.3.10
object-group network DMZ_GRP
network-object host 192.168.4.10
object-group network INSIDE_GRP
group-object DMZ_GRP
group-object CLUSTER_GRP
group-object DEVELOPMENT_GRP
object-group service DMZ_SERVICES tcp
port-object eq www
port-object eq https
port-object eq 3690
object-group service ALL_SERVICES tcp
port-object eq www
port-object eq https
port-object eq 3690
port-object eq ssh
access-list ANY_ACCESS extended permit ip any any
access-list SSH_ACCESS extended permit tcp any any eq ssh
access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES
access-list DMZ_ACCESS extended permit tcp any interface dmz object-group DMZ_SERVICES
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu management 1500
mtu dmz 1500
mtu cluster 1500
mtu outside 1500
mtu development 1500
no failover
icmp permit any dmz
icmp permit any cluster
icmp permit any development
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (dmz) 1 DMZ_NET 255.255.255.0
nat (cluster) 1 CLUSTER_NET 255.255.255.0
nat (development) 1 DEV_NET 255.255.255.0
static (cluster,outside) tcp interface ssh 192.168.2.10 ssh netmask 255.255.255.255
static (dmz,outside) tcp interface www 192.168.4.10 www netmask 255.255.255.255
static (dmz,outside) tcp interface https 192.168.4.10 https netmask 255.255.255.255
static (dmz,outside) tcp interface 3690 192.168.4.10 3690 netmask 255.255.255.255
static (management,development) MGMT_NET MGMT_NET netmask 255.255.255.0
static (management,cluster) MGMT_NET MGMT_NET netmask 255.255.255.0
static (management,dmz) MGMT_NET MGMT_NET netmask 255.255.255.0
static (development,cluster) DEV_NET DEV_NET netmask 255.255.255.0
static (development,dmz) DEV_NET DEV_NET netmask 255.255.255.0
static (cluster,development) CLUSTER_NET CLUSTER_NET netmask 255.255.255.0
access-group DMZ_ACCESS in interface dmz
access-group SSH_ACCESS in interface cluster
access-group ALL_ACCESS in interface outside
route outside 0.0.0.0 0.0.0.0 139.169.174.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http MGMT_NET 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
...
02-04-2008 08:17 AM
This acl is blocking it, don't forget about the explicit deny ip any any...
access-list DMZ_ACCESS extended permit tcp any interface dmz object-group DMZ_SERVICES
access-list DMZ_ACCESS extended deny ip any any
What is the reason for the above acl? If you don't need it, get rid of it and you will get to the internet. If you need access from the dmz to the inside, you must write the access in this acl.
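To show why that ACL stops the DMZ from reaching the internet, here is an added example (not from this thread or from Cisco): a small first-match ACL evaluator in Python that models the ASA's "first matching entry wins, then implicit deny" behaviour for the DMZ_ACCESS list above, next to an assumed least-privilege replacement that blocks DMZ-to-internal traffic and then permits web egress. The sample destination addresses are constructed.

```python
"""First-match ACL evaluation with an implicit 'deny ip any any' at the end,
modelling how the ASA applies 'access-group DMZ_ACCESS in interface dmz'.
Added example; the sample addresses below are constructed."""
from ipaddress import ip_address, ip_network

DMZ_IF_IP = "192.168.4.1"  # 'interface dmz' in the ACE means the dmz interface address
DMZ_NET = ip_network("192.168.4.0/24")
INTERNAL = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24"),
            ip_network("192.168.3.0/24")]

def ace(action, proto, src, dst, ports=None):
    """One access-control entry; dst may be a network or a single host address."""
    dst = ip_network(dst) if "/" in dst else ip_network(dst + "/32")
    return {"action": action, "proto": proto, "src": ip_network(src),
            "dst": dst, "ports": ports}

def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny' for a packet; the first matching ACE wins."""
    for e in acl:
        if e["proto"] not in (proto, "ip"):
            continue
        if ip_address(src) not in e["src"] or ip_address(dst) not in e["dst"]:
            continue
        if e["ports"] is not None and dport not in e["ports"]:
            continue
        return e["action"]
    return "deny"  # the implicit deny at the end of every ASA ACL

DMZ_SERVICES = {80, 443, 3690}
# The thread's ACL: only traffic TO the dmz interface address itself is permitted,
# so a DMZ host's HTTP request to the internet falls through to the implicit deny.
ORIGINAL_DMZ_ACCESS = [ace("permit", "tcp", "0.0.0.0/0", DMZ_IF_IP, DMZ_SERVICES)]
# Assumed least-privilege replacement: deny DMZ-to-internal first, then allow web egress.
HARDENED_DMZ_ACCESS = [ace("deny", "ip", str(DMZ_NET), str(n)) for n in INTERNAL] + [
    ace("permit", "tcp", str(DMZ_NET), "0.0.0.0/0", {80, 443})]

def check(acl, dst, dport=80, src="192.168.4.10"):
    """Evaluate a TCP packet from a DMZ host (default: the DMZ web server)."""
    return evaluate(acl, "tcp", src, dst, dport)

if __name__ == "__main__":
    print(check(ORIGINAL_DMZ_ACCESS, "198.51.100.7"))  # deny: web egress blocked
    print(check(HARDENED_DMZ_ACCESS, "198.51.100.7"))  # permit
    print(check(HARDENED_DMZ_ACCESS, "192.168.3.10"))  # deny: DMZ cannot reach dev net
```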
02-04-2008 08:34 AM
I thought it was allowing only 3 of the 4 services I care about to get into the DMZ and ssh to the others. However, it did work.
I guess it has something to do w/ PAT which I don't quite understand yet. Do access-lists override PAT, or was I using them both wrong together?
My only problem now is that my ssh logins take minutes to 'login' to other machines.