Solved: ASA Routing INSIDE, DMZ, OUTSIDE

woodjl16501 · ‎02-12-2017

I need some help, I have my web server on my DMZ interface, but that it doesn't have access to the internet. Unable to the get a ping from inside to the DMZ. Not sure what I am missing, my goal is to have access to the internet from the DMZ and my inside subnet access to the DMZ and Internet.

192.168.10.0/24 > Inside

192.168.12.0/28 > DMZ

IP setting on Web Server

192.168.12.2 > WebServer Connected directly to F0/3 on the ASA

255.255.255.250 > Netmask

192.168.10.1 > Gateway

ASA Version 9.1(6)

Current Config:

ASAHome# show run

: Saved

:

: Serial Number: JMX1302L1QL

: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz

:

ASA Version 9.1(6)

!

hostname ASAHome

domain-name twinkie710.ddns.net

enable password 7rhyV6SC2srI9RYo encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool VPNUsers 192.168.11.10-192.168.11.50 mask 255.255.255.192

!

interface Ethernet0/0

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 0

ip address 192.168.12.1 255.255.255.240

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.11.1 255.255.255.252

!

boot system disk1:/asa916-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

name-server 192.168.10.15

name-server 8.8.8.8

name-server 4.2.2.2

name-server 8.8.4.4

domain-name twinkie710.ddns.net

same-security-traffic permit intra-interface

object network inside-subnet

subnet 192.168.10.0 255.255.255.0

object network dmz-subnet

subnet 192.168.12.0 255.255.255.240

object network webserver-external-ip

host 192.168.12.10

object network webserver

host 192.168.12.2

object network dns-server

host 192.168.10.15

object network LAN

subnet 192.168.10.0 255.255.255.0

object network DMZ

subnet 192.168.12.0 255.255.255.240

object network NETWORK_OBJ_192.168.11.0_26

subnet 192.168.11.0 255.255.255.192

object network VPNPOOL

subnet 192.168.11.0 255.255.255.192

access-list outside_acl extended permit tcp any object webserver eq www

access-list dmz_acl extended permit udp any object dns-server eq domain

access-list dmz_acl extended deny ip any object inside-subnet

access-list dmz_acl extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-751.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static inside-subnet inside-subnet destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup

!

object network inside-subnet

nat (inside,outside) dynamic interface

object network dmz-subnet

nat (DMZ,outside) dynamic interface

object network webserver

nat (DMZ,outside) static webserver-external-ip service tcp www www

!

nat (outside,outside) after-auto source dynamic VPNPOOL interface

access-group outside_acl in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.10.0 255.255.255.0 inside

snmp-server group Admins v3 priv

snmp-server host inside 192.168.10.11 community *****

snmp-server host inside 192.168.10.12 community *****

snmp-server host inside 192.168.10.2 community *****

snmp-server location Office

snmp-server contact Jonathan

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DMZ_map interface DMZ

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev1 enable outside

crypto ikev1 enable inside

crypto ikev1 enable DMZ

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh stricthostkeycheck

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access management

dhcpd address 192.168.10.50-192.168.10.200 inside

dhcpd dns 192.168.10.15 interface inside

dhcpd domain twinkie710.ddns.net interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 38.229.71.1 source outside

ntp server 209.208.79.69 source outside

ntp server 108.59.2.24 source outside

ntp server 45.79.111.114 source outside prefer

group-policy VPN_Users internal

group-policy VPN_Users attributes

dns-server value 192.168.10.15 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelall

default-domain value twinkie710.ddns.net

split-tunnel-all-dns enable

username woodjl1650 password IYD1wu7sEjGmHAyj encrypted privilege 15

tunnel-group VPN_Users type remote-access

tunnel-group VPN_Users general-attributes

address-pool VPNUsers

default-group-policy VPN_Users

tunnel-group VPN_Users ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

class class-default

user-statistics accounting

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:e6125cf0a468ec6ad3f580aa3d861ffa

: end

Francesco Molino · ‎02-13-2017

Yes you have that error because you're using port https on your asa for asdm and vpn.

You have 2 solutions:

1. Use another port for your server like 8443 redirected internally to your server port 443

Or

2. Change your ASA port.

For accessing your dmz through VPN you'll need to add the following command:

nat (DMZ,outside) source static dmz-subnet dmz-subnet destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎02-12-2017

Hi

You've setup a deny on your acl for dmz_acl. For testing purpose, let's remove it and when everything will work you can add acl to filter access from inside to dmz.

For internet you're missing a command.

Here the config you should apply:

no access-list dmz_acl line 2 extended deny ip any object inside-subnet

access-list dmz_acl line 2 extended permit ip any object inside-subnet

!

access-group dmz_acl in interface DMZ

!

same-security-traffic permit inter-interface

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

woodjl16501 · ‎02-12-2017

Ok, so I had a power outage, and no UPS. I lost my working config from the earlier post. I removed and added what you suggested, but I can't ping from my laptop on the 192.168.10.0 subnet to the DMZ sever on 192.168.12.0 subnet.

What else am I missing? Thanks again for the help and sorry about the config change. I have a back up now... lesson learned.

Francesco Molino · ‎02-12-2017

Let's assume your laptop has IP 192.168.10.2 and server has IP 192.168.12.2.. on the below command change IPs with real one and paste the output:

1. packet-tracer input inside icmp 192.168.10.2 8 0 192.168.12.2

2. packet-tracer input DMZ icmp 192.168.12.2 8 0 192.168.10.2

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

woodjl16501 · ‎02-12-2017

Attached is the output.

Francesco Molino · ‎02-12-2017

I didn't saw it on your config but you've a nat statement issue:

nat (DMZ,inside) after-auto source dynamic any interface

I guess you wanted to type:

nat (DMZ,outside) after-auto source dynamic any interface

Remove the nat DMZ to inside and add nat DMZ to outside and test it back

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

woodjl16501 · ‎02-13-2017

Here are the results after making that modification above. I still don't get a reply from the ping test on my laptop, could that just be the ASA denying ICMP requests?

Francesco Molino · ‎02-13-2017

Could you paste your config?

If you changed the nat statement it should work. I've tested your config.

Also your 1st packet-trace isn't good:

packet-tracer input inside icmp 192.168.12.2 8 0 192.168.10.129

You need to do:

packet-tracer input DMZ icmp 192.168.12.2 8 0 192.168.10.129

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

woodjl16501 · ‎02-13-2017

Gotacha ya, overlooked that.

Good news, my DMZ server has internet access, but I still can't SSH into it from the 192.168.10.0 subnet.

Updated Packet Tracer Info and Config are attached.

Francesco Molino · ‎02-13-2017

What is your server IP in the DMZ zone?

Could you run the below command and paste the output in a txt file? (change IP addresses if they aren't correct)

packet-tracer input inside tcp 192.168.10.129 22 192.168.12.2 22

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

woodjl16501 · ‎02-13-2017

I received these errors when apply the NAT rules:

ASAHome# config t

ASAHome(config)# object network webserver-HTTP

ASAHome(config-network-object)# host 192.168.12.2

ASAHome(config-network-object)# nat (DMZ,outside) static 68.102.214.123 servic$

ERROR: Address 68.102.214.123 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

ASAHome(config-network-object)# object network webserver-HTTPS

ASAHome(config-network-object)# host 192.168.12.2

ASAHome(config-network-object)# nat (DMZ,outside) static 68.102.214.123 servic$

ERROR: Address 68.102.214.123 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

Francesco Molino · ‎02-13-2017

If you have only 1 public IP then replace YOUR-PUBLIC-IP by INTERFACE

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

woodjl16501 · ‎02-13-2017

I get this error when applying the HTTPS

ERROR: NAT unable to reserve ports.

Current config attached

Unable to access from outside of network (tested with iPhone on LTE, no WiFi)

Francesco Molino · ‎02-13-2017

Yes you have that error because you're using port https on your asa for asdm and vpn.

You have 2 solutions:

1. Use another port for your server like 8443 redirected internally to your server port 443

Or

2. Change your ASA port.

For accessing your dmz through VPN you'll need to add the following command:

nat (DMZ,outside) source static dmz-subnet dmz-subnet destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

woodjl16501 · ‎02-20-2017

How would I redirect so if I access via the VPN from the outside I can access my server via my IP and port 8443?

Sorry, still newish to this. Thanks for your help.