Routing traffic and setting rules 101

Arvo Bowen
Level 1

I have been at this for days and still cannot seem to grasp why it will not work for me. First things first...

Layout of my network:

[Image: Network Layout Example.png]

Current Config:

ASA Version 7.2(4)
!
hostname ACS-000-ROU2
domain-name ACS-ATLANTA.LOCAL
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
names
name 10.71.1.3 ACS-000-ADS1
name 10.71.5.2 ACS-000-FTP1
name 10.71.1.0 ACS_Atlanta_LAN
name 10.71.5.0 ACS_FTP_DMZ
name 12.125.10.192 Public_Internet_Subnet
name 10.71.5.1 Router_FTP_DMZ_IP
name 12.125.10.206 PublicFTPIP
name 12.125.10.204 PublicRouterIP
name 10.71.1.1 Router_ACS_LAN_IP
!
interface Vlan1
 description ACS Atlanta LAN
 nameif inside
 security-level 100
 ip address Router_ACS_LAN_IP 255.255.255.0
 ospf cost 10
!
interface Vlan11
 description Outside - Public internet
 nameif outside
 security-level 0
 ip address PublicRouterIP 255.255.255.224
 ospf cost 10
!
interface Vlan21
 description ACS Atlanta FTP DMZ
 nameif dmz_ftp
 security-level 100
 ip address Router_FTP_DMZ_IP 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 21
!
interface Ethernet0/3
 switchport access vlan 31
 shutdown
!
interface Ethernet0/4
 switchport access vlan 31
 shutdown
!
interface Ethernet0/5
 switchport access vlan 31
 shutdown
!
interface Ethernet0/6
 switchport access vlan 31
 shutdown
!
interface Ethernet0/7
 switchport access vlan 31
 shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup dmz_ftp
dns server-group DefaultDNS
 name-server ACS-000-ADS1
 domain-name ACS-ATLANTA.LOCAL
object-group icmp-type debug_network
 description Pings, Traceroutes, Etc...
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq domain
 port-object eq www
object-group service rdp tcp
 description Remote Desktop Protocol
 port-object eq 3389
access-list dmz_ftp_access_in extended permit icmp any any
access-list dmz_ftp_access_in extended permit icmp any any object-group debug_network
access-list dmz_ftp_access_in extended permit ip any any
access-list dmz_ftp_access_in extended permit tcp ACS_FTP_DMZ 255.255.255.0 host Router_FTP_DMZ_IP eq domain inactive
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any object-group debug_network
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP ACS_Atlanta_LAN 255.255.255.0 any eq www
access-list inside_access_in extended permit object-group TCPUDP ACS_Atlanta_LAN 255.255.255.0 any eq domain
access-list inside_access_in extended permit icmp ACS_Atlanta_LAN 255.255.255.0 any object-group debug_network inactive
access-list outside_access_in remark new - ftp access to dmz
access-list outside_access_in extended permit tcp any host PublicFTPIP eq ftp inactive
access-list outside_access_in remark new - Remote Desktop Access
access-list outside_access_in extended permit tcp any host PublicFTPIP object-group rdp inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz_ftp 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 ACS_Atlanta_LAN 255.255.255.0
static (inside,dmz_ftp) ACS_Atlanta_LAN ACS_Atlanta_LAN netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_ftp_access_in in interface dmz_ftp
route outside 0.0.0.0 0.0.0.0 12.125.10.193 1
!
router rip
 passive-interface outside
 version 2
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http ACS_Atlanta_LAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh scopy enable
ssh ACS_Atlanta_LAN 255.255.255.0 inside
ssh timeout 60
console timeout 0
username Administrator password xxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Issue:

I'm currently trying to get my DMZed FTP server to be able to talk to the local LAN (inside), allowing just ICMP (pinging). I have tried many, many configs and nothing I do seems to be working. I think it has something to do with the NAT rules but I'm not 100% positive. Any ideas?


10 Replies

varrao
Level 10

Hi Arvo,

You would need the following:

static (inside,dmz_ftp)

nat (dmz_ftp) 2 0.0.0.0 0.0.0.0

global (inside) 2 interface

If this still doesn't work, then take the output of:

packet-tracer input dmz_ftp icmp 8 0 detailed

Also, you would need a route:

route inside 0.0.0.0 0.0.0.0 1

Hope this helps,

Thanks,
Varun Rao

Varun

static (inside,dmz_ftp)

That is actually in there; the config is just using names in the static.

route inside 0.0.0.0 0.0.0.0 1

The 10.71.1.x is directly connected, so it wouldn't need a route.

nat (dmz_ftp) 2 0.0.0.0 0.0.0.0

global (inside) 2 interface

Can you explain this for my clarification? Because, as I asked in the other thread, why do you need this, as you don't need to NAT internet addresses coming in from outside to either a DMZ or the inside?

Many thanks

Jon

Jon,

Was that a question for Varun? 

Arvo

Yes it was.

Jon

creggerd (Accepted Solution)
Level 1

Since your inside and dmz interfaces are set for the same security level, wouldn't you need to run the 'same-security-traffic permit inter-interface' command to allow the traffic to pass?

Sent from Cisco Technical Support iPad App

Oops!!! I didn't mean for the dmz_ftp to be security level 100.

I meant to have it at 50... But I was trying to avoid depending on any of the security levels for rules... The ASDM removed the rules allowing the interfaces to talk to the lower-security interfaces as soon as I set up my first rule anyway... :/


Creggerd wrote:

Since your inside and dmz interfaces are set for the same security level, wouldn't you need to run the 'same-security-traffic permit inter-interface' command to allow the traffic to pass?

Sent from Cisco Technical Support iPad App

Creggerd,

When I add that rule, though, I now get a new deny message...

2  Aug 02 2011  12:40:17  106016  Deny IP spoof from (ACS-000-FTP1) to Router_ACS_LAN_IP on interface dmz_ftp

It used to just say denied packet, now it says IP spoof...

Arvo Bowen
Level 1

OK, so an update... I got all of the issues above worked out thanks to creggerd's comment.

I found out that if both the inside and dmz are the same security level then you MUST use...

"same-security-traffic permit inter-interface"

...to allow the traffic to flow from the interfaces.  In my case I ended up NOT using that setting and simply setting the dmz vlan to security level 50 and keeping the inside at 100.  That along with the nat rule...

static (inside,dmz_ftp) 10.71.1.0 10.71.1.0 netmask 255.255.255.0

...My traffic started flowing nicely!

Now on to something else... Same config, but I have an issue with my security rules... I have NO rules at all in the security policy area, yet I can go straight through the router with my FTP server (10.71.5.2) and browse a share on my AD server (10.71.1.3). The funny thing is I can control traceroute, ping, DNS and HTTP (or so it seems at least) traffic by creating rules to allow that type of traffic. When I delete those rules the traffic is no longer allowed through (this is what I expect). But for some reason it lets Windows domain shares have all the traffic they want...

Ideas?

Actually I found out that problem too LOL...  I had other interfaces on those two machines allowing me to remote connect without issues while I was configuring my router remotely...

Everything seems to be working as it should now.  Thanks for all your help guys!
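The two things the thread settled on, equal security levels on inside and dmz_ftp with no "same-security-traffic permit inter-interface" (traffic silently dropped), and a dmz_ftp_access_in ACL that blanket-permits IP (the DMZ is not actually isolated), can both be caught by a quick config check. The following is an added example, not code from the thread; it runs over a constructed, trimmed copy of the posted config shape and reports both findings.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the ASA 7.x config shape posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan11
 nameif outside
 security-level 0
interface Vlan21
 nameif dmz_ftp
 security-level 100
access-list dmz_ftp_access_in extended permit icmp any any
access-list dmz_ftp_access_in extended permit ip any any
access-group dmz_ftp_access_in in interface dmz_ftp
"""

def parse_interfaces(cfg):
    """Map each named interface (nameif) to its security-level."""
    levels, name, level = {}, None, None
    for line in cfg.splitlines() + ["!"]:  # trailing "!" flushes the last stanza
        line = line.strip()
        if line.startswith("interface ") or line == "!":
            if name is not None and level is not None:
                levels[name] = level
            name = level = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
    return levels

def audit(cfg):
    """Return findings: equal-level interfaces without the permit, and over-broad inbound ACLs."""
    findings = []
    by_level = defaultdict(list)
    for iface, lvl in parse_interfaces(cfg).items():
        by_level[lvl].append(iface)
    permit = "same-security-traffic permit inter-interface" in cfg
    for lvl, names in by_level.items():
        if len(names) > 1 and not permit:
            findings.append(f"{sorted(names)} share security-level {lvl} without "
                            "'same-security-traffic permit inter-interface': traffic between them is dropped")
    # Any ACL applied inbound that blanket-permits IP defeats the point of a DMZ.
    for acl, iface in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        if re.search(rf"^access-list {re.escape(acl)} extended permit ip any any", cfg, re.M):
            findings.append(f"ACL {acl} on {iface} contains 'permit ip any any': DMZ is not isolated")
    return findings
```

Lowering dmz_ftp to security-level 50 (the fix Arvo chose) or adding the same-security-traffic line clears the first finding; only dropping the "permit ip any any" line clears the second.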

Glad I was able to help!

Sent from Cisco Technical Support iPhone App
