2028 Views | 30 Helpful | 10 Replies

Please help with ASA5505 configuration

Hi guys!

I have ASA 5505. My configuration is:

 

interface Ethernet0/0
description WANPORT
!
interface Ethernet0/1
description DMZPORT
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
description INSIDEPORT03
switchport access vlan 3
!
interface Ethernet0/4
description INSIDEPORT04
switchport access vlan 3
!
interface Ethernet0/5
description INSIDEPORT05
switchport access vlan 3
!
interface Ethernet0/6
description INSIDEPORT06
switchport access vlan 3
!
interface Ethernet0/7
description INSIDEPORT07
switchport access vlan 3
!
interface Vlan1
nameif outside
security-level 0
ip address 10.10.10.84 255.255.255.0
!
interface Vlan2
nameif dmz
security-level 50
ip address 10.17.19.254 255.255.255.0
!
interface Vlan3
nameif inside
security-level 100
ip address 10.17.20.254 255.255.255.0
!

dns domain-lookup outside
dns server-group DefaultDNS
domain-name blablabla.com
object network GW-PC
  host 10.17.19.1
object network inside-subnet
  subnet 10.17.20.0 255.255.255.0
object network dmz-subnet
  subnet 10.17.19.0 255.255.255.0
access-list inside_acl extended permit tcp any object dmz-subnet
access-list inside_acl extended permit icmp any object dmz-subnet
access-list inside_acl extended permit udp any object dmz-subnet
access-list inside_acl extended permit ip any object dmz-subnet
access-list dmz_acl extended permit ip any any
access-list dmz_acl extended permit tcp any any
access-list dmz_acl extended permit udp any any
access-list dmz_acl extended permit icmp any any
access-list rdp_acl extended permit tcp any object GW-PC

object network GW-PC
  nat (dmz,outside) static interface service tcp https https
object network dmz-subnet
   nat (dmz,outside) dynamic interface
access-group rdp_acl in interface outside
access-group dmz_acl in interface dmz
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

 

The DMZ-outside connection works well. But in dmz-subnet there is a server, GW-PC, with IP address 10.17.99.1, and I need to open access to this server from PC 10.17.20.3, which is located in inside-subnet. So I created an access list for this connection:

 

access-list inside_acl extended permit tcp any object dmz-subnet
access-list inside_acl extended permit icmp any object dmz-subnet
access-list inside_acl extended permit udp any object dmz-subnet
access-list inside_acl extended permit ip any object dmz-subnet

access-group inside_acl in interface inside

 

Also an access list for dmz-subnet:

 

access-list dmz_acl extended permit ip any any
access-list dmz_acl extended permit tcp any any
access-list dmz_acl extended permit udp any any
access-list dmz_acl extended permit icmp any any

access-group dmz_acl in interface dmz

 

But I still cannot ping GW-PC 10.17.99.1 from this PC in inside-subnet. Please help. Thank you!


10 Replies

bhargavdesai (Spotlight)
I think there is a typo in your last sentence; you mean 10.17.19.1. Based on that...

The ASA by default allows traffic from a high security level to a low security level. So in your case, inside (100) to DMZ (50) should be allowed by default; no ACL is required for that traffic. By default the ASA does not inspect ICMP, hence ping will not work for traffic going through the firewall. If you want to enable ICMP you need to inspect the ICMP protocol. To do so you need the command below:

fixup protocol icmp

However, as you mentioned, your TCP/UDP traffic should not have any problem, as those are inspected by default. Have you tried RDP/HTTP/HTTPS to the GW-PC?

Can you post the output of packet-tracer?

packet-tracer input inside tcp 10.17.20.1 80 10.17.19.1 443 detailed


HTH
### RATE ALL HELPFUL RESPONSES ###
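As an added example (not part of the reply above or the original post): the same ICMP inspection in ASA 8.3+ syntax, where `fixup protocol icmp` is only a legacy alias that the ASA rewrites into the default policy map, followed by packet-tracer runs for the exact flows in question. Addresses and interface names are taken from the thread's config; the policy-map and class names are the ASA factory defaults, and the RDP port (3389) and the source port are assumptions.

```cisco
! --- Added example, not from the thread ---
! Modern form of "fixup protocol icmp": enable ICMP inspection in the
! default global policy (global_policy / inspection_default are the
! factory-default names, assumed unchanged here). With inspection on,
! an echo-reply returning on the lower-security dmz interface is matched
! to the echo-request state instead of being checked statelessly by dmz_acl.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Confirm the inspection is active
show service-policy inspect icmp
!
! Trace the exact flows from the thread:
!   10.17.20.3 = PC on inside, 10.17.19.1 = GW-PC on dmz
! ICMP form is <src> <icmp-type> <icmp-code> <dst>; type 8 / code 0 = echo-request
packet-tracer input inside icmp 10.17.20.3 8 0 10.17.19.1 detailed
!
! RDP from inside to the DMZ host (3389 and source port 1025 are assumptions)
packet-tracer input inside tcp 10.17.20.3 1025 10.17.19.1 3389 detailed
```

Two caveats when reading the results. In the config as posted, `dmz_acl` permits `ip any any`, so the echo-reply would have been allowed by the ACL even without inspection; inspection is still the right fix because it keeps working after the dmz ACL is tightened. And packet-tracer simulates a packet that has already reached the ASA: a host with no default gateway, which turned out to be the OP's actual problem, never sends the packet to the firewall, so packet-tracer will show ALLOW while the real ping fails.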

 

 

ivanzrv200 (Level 1)

You probably need NAT (inside,dmz) for communication between inside <-> dmz.

Use packet-tracer to troubleshoot.

With all due respect, just to clarify your understanding: NAT is not mandatory but an optional configuration for this scenario, as the inside and dmz subnets are directly connected.

HTH
### RATE ALL HELPFUL RESPONSES ###

Hi! You were right. I just added GATEWAY=10.17.20.254 to the network adapter on my PC (it was empty before) and now I can ping the GW-PC (10.17.19.1/255.255.0.0/10.17.19.254) from the PC (10.17.20.3/255.255.0.0/10.17.20.254). There is no need to add a special ACL for the inside -> dmz connection.

But now I have a new problem. I cannot ping the PC (10.17.20.3/255.255.0.0/10.17.20.254) in inside_subnet from GW-PC (10.17.19.1/255.255.0.0/10.17.19.254) in dmz_subnet. I have to connect GW-PC -> PC by RDP.

 

Guys, how do I allow RDP, TCP and UDP traffic from dmz_subnet to inside_subnet?

Troubleshoot with packet-tracer:

 

packet-tracer input dmz tcp 10.17.19.1 123 10.17.20.1 443 detailed

 

Post the output of packet-tracer.

Guys, I added ACL rules to the ASA config:

 

access-list dmz_acl extended permit ip host 10.17.19.1 host 10.17.20.3
access-list dmz_acl extended permit tcp host 10.17.19.1 host 10.17.20.3
access-list dmz_acl extended permit udp host 10.17.19.1 host 10.17.20.3

access-group dmz_acl in interface dmz

 

But I still cannot connect from 10.17.20.3 (dmz) to 10.17.19.1 (inside).

 

Trace log:

Lucky(cfg-call-home)# packet-tracer input dmz tcp 10.17.19.1 123 10.17.20.3 443 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.17.20.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_acl in interface dmz
access-list dmz_acl extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3ea578, priority=13, domain=permit, deny=false
hits=809, user_data=0xc94fb030, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=dmz, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3e0e80, priority=0, domain=inspect-ip-options, deny=true
hits=1219, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=dmz, output_ifc=any

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network inside-subnet
nat (inside,dmz) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb3c0da8, priority=6, domain=nat-reverse, deny=false
hits=87, user_data=0xc85f9e98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.17.20.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=dmz, output_ifc=inside

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Full config from the ASA:

 

interface Ethernet0/0
description WANPORT
!
interface Ethernet0/1
description DMZPORT
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
description INSIDEPORT03
switchport access vlan 3
!
interface Ethernet0/4
description INSIDEPORT04
switchport access vlan 3
!
interface Ethernet0/5
description INSIDEPORT05
switchport access vlan 3
!
interface Ethernet0/6
description INSIDEPORT06
switchport access vlan 3
!
interface Ethernet0/7
description INSIDEPORT07
switchport access vlan 3
!
interface Vlan1
nameif outside
security-level 0
ip address 10.10.10.84 255.255.255.0
!
interface Vlan2
nameif dmz
security-level 50
ip address 10.17.19.254 255.255.255.0
!
interface Vlan3
nameif inside
security-level 100
ip address 10.17.20.254 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
domain-name blablabla.com
object network GW-PC
host 10.17.19.1
object network inside-subnet
subnet 10.17.20.0 255.255.255.0
object network dmz-subnet
subnet 10.17.19.0 255.255.255.0
access-list inside_acl extended permit tcp any object dmz-subnet
access-list inside_acl extended permit icmp any object dmz-subnet
access-list inside_acl extended permit udp any object dmz-subnet
access-list inside_acl extended permit ip any object dmz-subnet
access-list dmz_acl extended permit ip any any
access-list dmz_acl extended permit tcp any any
access-list dmz_acl extended permit udp any any
access-list dmz_acl extended permit icmp any any
access-list dmz_acl extended permit ip host 10.17.19.1 host 10.17.20.3
access-list dmz_acl extended permit tcp host 10.17.19.1 host 10.17.20.3
access-list dmz_acl extended permit udp host 10.17.19.1 host 10.17.20.3
access-list rdp_acl extended permit tcp any object GW-PC
!
object network GW-PC
nat (dmz,outside) static interface service tcp https https
object network inside-subnet
nat (inside,dmz) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
access-group rdp_acl in interface outside
access-group dmz_acl in interface dmz
access-group inside_acl in interface inside

You don't need NAT for traffic going from DMZ to INSIDE.
Remove the line below:

nat (inside,dmz) dynamic interface

Sorry, I cannot go through the full configuration as I am on mobile, but from your trace output I can say this.
If you still have problems, please post new packet-tracer output.

HTH
### RATE ALL HELPFUL RESPONSES ###

According to your first post the subnet mask was /24, and here you mentioned /16, which I think is a typo. The answer is based on /24.

As I already stated, high-to-low security level traffic is allowed, but to allow traffic from low to high security level you need to configure ACLs.
Just an example:

access-list DMZ_in extended permit ip host 10.17.19.1 host 10.17.20.1
access-group DMZ_in in interface dmz

You should modify the ACL according to your needs for the TCP and UDP ports you want to allow.

HTH
### RATE ALL HELPFUL RESPONSES ###

Correcting my typo:

access-list DMZ_in extended permit ip host 10.17.19.1 host 10.17.20.3
access-group DMZ_in in interface dmz

Please update this
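An added example, not code from any post in this thread: the two accepted answers (drop the inside,dmz NAT; allow dmz -> inside by ACL) applied to the OP's posted config, with the tightening a security engineer would want. As the thread leaves it, `dmz_acl` still begins with `permit ip any any`, which lets any DMZ host, including GW-PC, which is published to the outside on TCP 443, reach the whole inside network; since dmz (50) is lower than inside (100), this ACL is the only control on that path. Assumptions, also marked in the comments: GW-PC needs only RDP (TCP/UDP 3389) and ping to 10.17.20.3, nothing else in the DMZ needs to reach inside, and the deny-and-log entry and the ephemeral source port in the verification are the example's choices.

```cisco
! --- Added example, not from the thread: least-privilege version of the
! accepted answers applied to the OP's posted config. Assumed: GW-PC
! (10.17.19.1) needs only RDP (3389) and ping to the PC (10.17.20.3), and
! nothing else in the DMZ needs to reach inside.
!
! 1. Remove the inside->dmz NAT that produced the NAT rpf-check drop.
!    That rule made the ASA expect dmz->inside packets to be addressed to
!    the dmz interface IP (the PAT address), so a packet to the real
!    10.17.20.3 failed the reverse-path check. Inside and dmz are directly
!    connected; no translation is needed between them.
object network inside-subnet
 no nat (inside,dmz) dynamic interface
!
! 2. Add the scoped entries first. New ACEs append after the existing
!    any-any lines, so nothing changes until those lines are removed in step 3.
!    First match wins, so the order below is deliberate:
!      permit only the required dmz->inside flows,
!      deny and log everything else toward inside,
!      keep dmz->outside open for the existing dynamic PAT.
access-list dmz_acl extended permit tcp host 10.17.19.1 host 10.17.20.3 eq 3389
access-list dmz_acl extended permit udp host 10.17.19.1 host 10.17.20.3 eq 3389
access-list dmz_acl extended permit icmp host 10.17.19.1 host 10.17.20.3 echo
access-list dmz_acl extended deny ip any object inside-subnet log
access-list dmz_acl extended permit ip object dmz-subnet any
!
! 3. Remove the wide-open entries and the unscoped host-to-host entries
!    from the posted config. ACL names are case-sensitive on the ASA, so
!    these must match the existing "dmz_acl" exactly.
no access-list dmz_acl extended permit ip any any
no access-list dmz_acl extended permit tcp any any
no access-list dmz_acl extended permit udp any any
no access-list dmz_acl extended permit icmp any any
no access-list dmz_acl extended permit ip host 10.17.19.1 host 10.17.20.3
no access-list dmz_acl extended permit tcp host 10.17.19.1 host 10.17.20.3
no access-list dmz_acl extended permit udp host 10.17.19.1 host 10.17.20.3
!
! 4. Re-apply the ACL (harmless if still bound) and verify with packet-tracer:
!    RDP from GW-PC to the PC, then SMB from the same host, which should now
!    stop at the ACCESS-LIST phase on the deny entry. 50000 = assumed source port.
access-group dmz_acl in interface dmz
packet-tracer input dmz tcp 10.17.19.1 50000 10.17.20.3 3389 detailed
packet-tracer input dmz tcp 10.17.19.1 50000 10.17.20.3 445 detailed
show access-list dmz_acl
```

The `log` keyword on the deny entry emits a syslog 106100 message for each matched flow, which is what you want to watch after a DMZ host such as GW-PC is exposed to the outside: any dmz -> inside attempt other than the permitted RDP and ping shows up in the log instead of silently succeeding. The `show access-list` output also shows hit counts per entry, so an unexpectedly busy deny line is easy to spot.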