5505 DMZ DNS issues

Balloonhead
Level 1

Trying to set up an isolated VLAN as a DMZ environment on my ASA. Below is the VLAN config. I can ping out to the internet, but I am unable to resolve any IP addresses, so no web access. I have enabled dynamic NAT on the address range. Any help would be great! The security level is at 50, so I am a bit confused why I am unable to use Google for DNS. The Security Plus license is installed, so it is not a limitation issue. When I set a port on the ASA to VLAN 100 it can ping anything on the internet, but no DNS. Let me know if you need more info. Scrubbed config posted below.

: Hardware:   ASA5505, 1024 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname ciscoasa
domain-name *
enable password * encrypted
names
ip local pool RAVPNPOOL 10.0.1.1-10.0.1.10 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
!
interface Ethernet0/6
 description VoIP
!
interface Ethernet0/7
 description UPLINK2SWITCH
 switchport trunk allowed vlan 1,100
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 mac-address ac22.0b52.54b5
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan100
 description VLAN-4-APPLIANCES
 nameif DMZ
 security-level 50
 ip address 10.0.100.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 10.0.0.50
 domain-name think4yourself.int
object network INSIDE_SUBNET
 subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.1.0_28
 subnet 10.0.1.0 255.255.255.240
object network NETWORK_OBJ_192.168.0.0_16
 subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_10.0.0.0_24
 subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
object network DMZ_Addresses
 subnet 10.0.100.0 255.255.255.0
object-group icmp-type ALLOW_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object traceroute
access-list INBOUND extended permit icmp any any object-group ALLOW_ICMP
access-list INBOUND remark Torrent downloading rule.
access-list INBOUND extended permit ip any 10.0.0.0 255.255.255.0 inactive
access-list SPLIT_TUNNEL_LIST standard permit 10.0.0.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip interface inside 192.168.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any object-group ALLOW_ICMP
pager lines 30
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging mail emergencies
logging from-address Firewall@think4yourself.int
logging device-id hostname
logging host inside 10.0.0.50
logging class auth mail emergencies
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 10.0.0.50 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-733.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.1.0_28 NETWORK_OBJ_10.0.1.0_28 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_192.168.0.0_16 NETWORK_OBJ_192.168.0.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
!
object network INSIDE_SUBNET
 nat (inside,outside) dynamic interface
object network DMZ_Addresses
 nat (any,outside) dynamic interface
access-group INBOUND in interface outside
access-group DMZ_access_in in interface DMZ
router eigrp 99
 auto-summary
 network 10.0.0.0 255.0.0.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Firewall protocol radius
aaa-server Firewall (inside) host 10.0.0.50
 key *****
 radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
snmp-server host inside 10.0.0.50 community ***** version 2c
snmp-server location Home
snmp-server contact
snmp-server community *****
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer *
crypto map outside_map 1 set ikev1 phase1-mode aggressive
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-SHA-TRANS
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer *
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer *
crypto map outside_map 3 set ikev1 phase1-mode aggressive
crypto map outside_map 3 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-SHA-TRANS
crypto map outside_map 3 set ikev2 ipsec-proposal AES256
crypto map outside_map 3 set ikev2 pre-shared-key *****
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 subject-name CN=10.0.0.1,CN=ciscoasa
 keypair ASDM_Launcher_Access_TrustPoint_0
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair ASDM_Launcher_Access_TrustPoint_0
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=ciscoasa
 serial-number
 crl configure
crypto ca trustpool policy

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 84600
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 10.0.0.50 10.0.0.6
dhcpd wins 10.0.0.50
dhcpd domain Littlewing.int
dhcpd auto_config outside
!
dhcpd address 10.0.0.10-10.0.0.25 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
ntp server 128.138.141.172 source inside
ntp server 131.107.13.100 source inside prefer
ssl encryption aes256-sha1 aes128-sha1 dhe-aes256-sha1 dhe-aes128-sha1 rc4-sha1
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.10010-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.10010-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.10010-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-64-3.1.10010-k9.pkg 4
 anyconnect profiles RAVPN_client_profile disk0:/RAVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_RAVPN internal
group-policy GroupPolicy_RAVPN attributes
 wins-server none
 dns-server value 8.8.8.8 10.0.0.6
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_LIST
 default-domain value littlewing.int
 webvpn
  anyconnect profiles value RAVPN_client_profile type user
group-policy GroupPolicy_* internal
group-policy GroupPolicy_* attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_* internal
group-policy GroupPolicy_* attributes
 vpn-tunnel-protocol ikev1 ikev2
username Administrator password  encrypted privilege 15
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool RAVPNPOOL
 default-group-policy GroupPolicy_RAVPN
tunnel-group RAVPN webvpn-attributes
 group-alias RAVPN enable
tunnel-group * type ipsec-l2l
tunnel-group * general-attributes
 default-group-policy GroupPolicy_*
tunnel-group * ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group * type ipsec-l2l
tunnel-group * general-attributes
 default-group-policy GroupPolicy_*
tunnel-group * ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map global-class
 description flow_export_class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 description flow_export_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class global-class
  flow-export event-type all destination 10.0.0.50
 class class-default
  user-statistics accounting
!
service-policy global_policy global
smtp-server 10.0.0.50
prompt hostname context
no call-home reporting anonymous
call-home
Accepted Solution

Jon Marshall
Hall of Fame

Traffic is allowed by default from a higher to lower security level.

However, as soon as you apply an ACL to an interface, the security level does not come into it, i.e. your ACL then controls which traffic is allowed or not. (Same-security-level interfaces are slightly different, but that is not the case here.)

So you have an ACL applied to the DMZ interface allowing only ICMP, which is why you can only ping internet IPs.

So either -

1) remove the ACL from the DMZ interface, but then, if you want to be able to control what traffic is allowed from the DMZ to either the inside or the internet, you can't do that

or

2) add whatever else you want to allow to the ACL

Jon
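As an added illustration of option 2 (this is not part of Jon's reply or the original post), the DMZ ACL from the posted config extended so that DNS and web traffic from the DMZ reach the internet while the inside subnet stays blocked, followed by the ASA packet-tracer commands used to verify it. The object names DMZ_Addresses, INSIDE_SUBNET and DMZ_access_in come from the posted config; the DMZ host 10.0.100.10 is a constructed sample address.

```text
! Existing rule from the posted config: only ICMP is permitted, so DNS
! (UDP/TCP 53) and web traffic from the DMZ are dropped by the implicit deny.
access-list DMZ_access_in extended permit icmp any any object-group ALLOW_ICMP
!
! Added rules. Order matters: deny the DMZ to the inside subnet first,
! because once an ACL is applied the security levels no longer decide and a
! later "permit ... any" would otherwise also reach the inside network.
access-list DMZ_access_in extended deny ip object DMZ_Addresses object INSIDE_SUBNET
!
! DNS over UDP and TCP (large answers fall back to TCP), then HTTP/HTTPS,
! from the DMZ to anything that is left, i.e. the internet.
access-list DMZ_access_in extended permit udp object DMZ_Addresses any eq domain
access-list DMZ_access_in extended permit tcp object DMZ_Addresses any eq domain
access-list DMZ_access_in extended permit tcp object DMZ_Addresses any eq www
access-list DMZ_access_in extended permit tcp object DMZ_Addresses any eq https
! Everything else from the DMZ still hits the implicit deny at the end.
!
! Verification. 10.0.100.10 is a constructed DMZ host; 8.8.8.8 is the
! resolver already in the posted config. With the original ACL the trace
! stops at the ACCESS-LIST phase with "Action: drop"; with the rules above
! it should end in "Action: allow" and show the NAT phase using the outside
! interface address (the existing "nat (any,outside) dynamic interface").
packet-tracer input DMZ udp 10.0.100.10 12345 8.8.8.8 53
packet-tracer input DMZ tcp 10.0.100.10 12345 8.8.8.8 443
! Confirm the DMZ-to-inside deny is what blocks inside access, not the NAT:
packet-tracer input DMZ tcp 10.0.100.10 12345 10.0.0.50 53
```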

2 Replies

Jon,

 

Thank you for pointing out my ignorance. I forgot that I had added that to the DMZ interface by mistake. Thanks for the second set of eyes. :)