Configuring a DMZ using ASA 5520

By Uncle Ramus
I am trying to get a DMZ configured. I have allowed the interesting traffic to go from the inside interface to the DMZ and vice versa, but it's still being dropped.

When I do a packet trace it tells me the implicit deny ACL rule is the cause of my problems, but there are rules above it that match my traffic. So I am confused; I don't know if there is something I am missing.

I have permitted any any for troubleshooting purposes, but still no dice.

Thanks for your help



Anyone come across this o


All Answers


A config would help

by SYNner In reply to Configuring a DMZ using ...

a partial config would help. :)


partial config

by Uncle Ramus In reply to Configuring a DMZ using ...

My main issue is between the inside and DMZ interfaces.

DMZ interface
*********************************
interface GigabitEthernet0/2
description DMZ
nameif DMZ
security-level 50
ip address 192.168.10.1 255.255.255.0
!

Inside Interface
*****************************
interface GigabitEthernet0/3
description Data Traffic
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.3.5 255.255.255.0


ACLS

access-list DMZ_access_in extended permit icmp 192.168.3.0 255.255.255.0 interface DMZ
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp host 192.168.3.15 interface DMZ eq 50389
access-list inside_access_in extended permit udp host 192.168.3.15 interface DMZ eq 50389
access-list inside_access_in extended permit tcp host 192.168.3.15 interface DMZ eq 50636
access-list inside_access_in extended permit udp host 192.168.3.15 interface DMZ eq 50636
access-list inside_access_in extended permit tcp host 192.168.3.15 interface DMZ eq 3389
access-list inside_access_in remark SMTP Traffic between DMZ and Mailbox server
access-list inside_access_in extended permit tcp host 192.168.3.15 interface DMZ eq smtp
access-list inside_access_in remark Ping
access-list inside_access_in extended permit icmp 192.168.3.0 255.255.255.0 interface DMZ
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit tcp interface DMZ host 192.168.3.15 eq 50389
access-list inside_access_out extended permit udp interface DMZ host 192.168.3.15 eq 50389
access-list inside_access_out extended permit tcp interface DMZ host 192.168.3.15 eq 50636
access-list inside_access_out extended permit udp interface DMZ host 192.168.3.15 eq 50636
access-list inside_access_out extended permit tcp interface DMZ host 192.168.3.15 eq 3389
access-list inside_access_out remark SMTP Traffic between DMZ and Mailbox server

access-list inside_access_out extended permit tcp interface DMZ host 192.168.3.15 eq smtp
access-list inside_access_out remark Ping
access-list inside_access_out extended permit icmp interface DMZ 192.168.3.0 255.255.255.0
access-list DMZ_access_out extended permit tcp interface DMZ 192.168.3.0 255.255.255.0 eq smtp
access-list DMZ_access_out extended permit icmp interface DMZ 192.168.3.0 255.255.255.0

access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside


If you need anything else let me know.


nat/global/static

by SYNner In reply to partial config

Since you have an ip any any in there to test and it's still not allowing your traffic, can you post the static, nat and global config statements?


nat/global/static

by Uncle Ramus In reply to nat/global/static

I made some changes and I was able to ping the DMZ server IP 192.168.10.10; still unable to ping the external IP, so I took that rule off. I am trying to let Remote Desktop from inside to the DMZ server through, but it appears to be failing due to the NAT rule.
Below is the config.


interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 64.x.x.100 255.255.255.224
!
interface GigabitEthernet0/1
description Backup circuit
speed 100
nameif backup
security-level 0
ip address 75.x.x.57 255.255.255.248
!
interface GigabitEthernet0/2
description DMZ
nameif DMZ
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
description Data Traffic
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.3.5 255.255.255.0
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 192.168.1.2 255.255.255.0
management-only
!
boot system disk0:/asa723-k8.bin
ftp mode passive
clock timezone Central -6
dns server-group DefaultDNS
domain-name dsi
access-list outside_access_in extended permit tcp any host 64.x.x.101 eq www
access-list outside_access_in extended permit tcp any host 64.x.x.101 eq https
access-list outside_access_in extended permit tcp any host 64.x.x.101 eq smtp
access-list dmz_access_in extended permit icmp host 192.168.10.0 host 192.168.3.0
access-list DMZ_access_in extended permit tcp host 192.168.10.10 host 192.168.3.15 eq 50389
access-list DMZ_access_in extended permit udp host 192.168.10.10 host 192.168.3.15 eq 50389
access-list DMZ_access_in extended permit tcp host 192.168.10.10 host 192.168.3.15 eq 50636
access-list DMZ_access_in extended permit udp host 192.168.10.10 host 192.168.3.15 eq 50636
access-list DMZ_access_in extended permit tcp host 192.168.10.10 host 192.168.3.15 eq 3389
access-list DMZ_access_in extended permit tcp host 192.168.10.10 host 192.168.3.15 eq smtp
access-list DMZ_access_in extended permit icmp host 192.168.10.10 host 192.168.3.15 inactive
access-list DMZ_access_in extended permit icmp host 192.168.3.15 host 192.168.10.10 inactive
access-list DMZ_access_in extended permit icmp host 192.168.3.15 host 64.x.x.101 inactive
access-list DMZ_access_in extended permit icmp host 64.x.x.101 host 192.168.3.15 inactive
access-list inside_access_in extended permit icmp host 192.168.3.15 host 192.168.10.10
access-list inside_access_in extended permit tcp host 192.168.3.15 host 192.168.10.10 eq 3389
pager lines 24
logging enable
logging monitor informational
logging buffered informational
logging asdm informational
mtu outside 1500
mtu backup 1492
mtu DMZ 1500
mtu inside 1500
mtu management 1500
no failover
monitor-interface outside
monitor-interface backup
monitor-interface DMZ
monitor-interface inside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
global (DMZ) 100 192.168.10.20-192.168.10.30 netmask 255.255.255.0
nat (inside) 100 192.168.3.0 255.255.255.0
static (inside,outside) 64.x.x.101 192.168.10.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 64.x.x.97 1 track 1
route backup 0.0.0.0 0.0.0.0 75.x.x.62 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.3.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community DSI
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 216.184.170.132 interface outside
num-packets 3
frequency 20
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset

crypto map clientmap 5 set transform-set myset
crypto map clientmap 5 set reverse-route
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 3
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
!
track 1 rtr 100 reachability
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 45
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global

pre-shared-key *
prompt hostname context
Cryptochecksum:4c8fb1fb65b098381bd9599d9eb836d3
: end


Bad static statement

by SYNner In reply to nat/global/static

This static config statement is not correct. You are mapping 64.x.x.101 to 192.168.10.10 but 192.168.10.10 is not part of your inside network. 192.168.10.10 is part of the dmz subnetwork.


static (inside,outside) 64.x.x.101 192.168.10.10 netmask 255.255.255.255


Let's start with this change and see what that solves.


Made some changes

by Uncle Ramus In reply to Bad static statement

Can ping 192.168.10.10, can't ping 64.x.x.x.

Allowed Remote Desktop TCP 3389 but keep getting Reset-O in syslog. It hits the ACL; when I do sh access-list the hit counts are increasing.


New config

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 64.X.X.100 255.255.255.224
!

!
interface GigabitEthernet0/2
description DMZ
nameif DMZ
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
description Data Traffic
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.3.5 255.255.255.0
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 192.168.1.2 255.255.255.0
management-only

ftp mode passive
clock timezone Central -6
dns server-group DefaultDNS
domain-name dsi
access-list outside_access_in extended permit tcp any host 64.x.x.101 eq www
access-list outside_access_in extended permit tcp any host 64.x.x.101 eq https
access-list outside_access_in extended permit tcp any host 64.x.x.101 eq smtp
access-list dmz_access_in extended permit icmp host 192.168.10.0 host 192.168.3.0
access-list DMZ_access_in extended permit tcp host 192.168.10.10 host 192.168.3.15 eq 50389
access-list DMZ_access_in extended permit udp host 192.168.10.10 host 192.168.3.15 eq 50389
access-list DMZ_access_in extended permit tcp host 192.168.10.10 host 192.168.3.15 eq 50636
access-list DMZ_access_in extended permit udp host 192.168.10.10 host 192.168.3.15 eq 50636
access-list DMZ_access_in extended permit tcp host 192.168.10.10 host 192.168.3.15 eq 3389
access-list DMZ_access_in extended permit tcp host 192.168.10.10 host 192.168.3.15 eq smtp
access-list DMZ_access_in extended permit icmp host 192.168.10.10 host 192.168.3.15
access-list DMZ_access_in extended permit icmp host 192.168.3.15 host 192.168.10.10
access-list DMZ_access_in extended permit icmp host 192.168.3.15 host 64.x.x.101
access-list DMZ_access_in extended permit icmp host 64.x.x.101 host 192.168.3.15
access-list inside_access_in extended permit icmp host 192.168.3.15 host 64.x.x.101
access-list inside_access_in extended permit icmp host 192.168.3.15 host 192.168.10.10
access-list inside_access_in extended permit tcp host 192.168.3.15 host 192.168.10.10 eq 3389
access-list inside_access_in extended permit udp host 192.168.3.15 host 192.168.10.10 eq 50389
access-list inside_access_in extended permit tcp host 192.168.3.15 host 192.168.10.10 eq 50389
access-list inside_access_in extended permit udp host 192.168.3.15 host 192.168.10.10 eq 50636
access-list inside_access_in extended permit tcp host 192.168.3.15 host 192.168.10.10 eq 50636
access-list inside_access_in extended permit tcp host 192.168.3.15 host 192.168.10.10 eq smtp
pager lines 24


arp timeout 14400
nat-control
global (outside) 100 interface
global (DMZ) 100 192.168.10.20-192.168.10.30 netmask 255.255.255.0
nat (DMZ) 100 192.168.3.0 255.255.255.0
nat (inside) 100 192.168.3.0 255.255.255.0
static (DMZ,outside) 64.X.X.101 192.168.10.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 64.X.X.97 1 track 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.3.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community DSI
snmp-server enable traps snmp authentication linkup linkdown coldstart

lifetime 86400
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 45
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global


Syslog messages below:

6 Feb 08 2008 08:33:03 302013 192.168.10.10 192.168.3.15 Built outbound TCP connection 22666 for DMZ:192.168.10.10/3389 (192.168.10.10/3389) to inside:192.168.3.15/4423 (192.168.10.22/4423)


6 Feb 08 2008 08:33:03 302014 192.168.10.10 192.168.3.15 Teardown TCP connection 22666 for DMZ:192.168.10.10/3389 to inside:192.168.3.15/4423 duration 0:00:00 bytes 0 TCP Reset-O
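Added example, not part of Uncle Ramus's post and not a Cisco tool: a small Python script that pairs ASA 302013 (Built) and 302014 (Teardown) syslog messages by connection ID and flags sessions that were reset with zero bytes transferred, which is exactly the pattern in the two lines above. It also reports which end sent the reset (Reset-O means the lower-security side, Reset-I the higher-security side) and the translated address the responder saw for the initiator, here the 192.168.10.22 pool address. The sample log is constructed: its first two lines are the ones posted above and the healthy connection 22701 is made up for contrast.

```python
"""Pair ASA 302013 (Built) / 302014 (Teardown) syslog lines and flag sessions
that were reset before any data flowed.  Added example, not from the thread."""
import re

# Constructed sample: the two lines posted above plus one healthy RDP session
# (connection 22701 is made up) so the healthy case is visible too.
SAMPLE_SYSLOG = """\
6 Feb 08 2008 08:33:03 302013 192.168.10.10 192.168.3.15 Built outbound TCP connection 22666 for DMZ:192.168.10.10/3389 (192.168.10.10/3389) to inside:192.168.3.15/4423 (192.168.10.22/4423)
6 Feb 08 2008 08:33:03 302014 192.168.10.10 192.168.3.15 Teardown TCP connection 22666 for DMZ:192.168.10.10/3389 to inside:192.168.3.15/4423 duration 0:00:00 bytes 0 TCP Reset-O
6 Feb 08 2008 08:35:10 302013 192.168.10.10 192.168.3.15 Built outbound TCP connection 22701 for DMZ:192.168.10.10/3389 (192.168.10.10/3389) to inside:192.168.3.15/4450 (192.168.10.22/4450)
6 Feb 08 2008 08:41:52 302014 192.168.10.10 192.168.3.15 Teardown TCP connection 22701 for DMZ:192.168.10.10/3389 to inside:192.168.3.15/4450 duration 0:06:42 bytes 184322 TCP FINs
"""

HOST = r"([^:\s]+):([^/\s]+)/(\d+)"          # interface:address/port
BUILT_RE = re.compile(
    rf"302013 .* Built (inbound|outbound) TCP connection (\d+) for {HOST} \(([^/]+)/\d+\) to {HOST} \(([^/]+)/\d+\)"
)
TEARDOWN_RE = re.compile(
    rf"302014 .* Teardown TCP connection (\d+) for {HOST} to {HOST} duration (\S+) bytes (\d+) (.*)$"
)


def parse_connections(syslog_text):
    """Return {conn_id: record} built from the 302013/302014 pairs.

    On the ASA the 'for' side of these messages is always the lower-security
    interface; the initiator is the 'to' side for an outbound connection and
    the 'for' side for an inbound one.  Addresses in parentheses are the
    translated (mapped) addresses, i.e. what the other end actually sees."""
    conns = {}
    for line in syslog_text.splitlines():
        if m := BUILT_RE.search(line):
            direction, cid = m.group(1), m.group(2)
            low = (m.group(3), m.group(4), int(m.group(5)))
            high = (m.group(7), m.group(8), int(m.group(9)))
            outbound = direction == "outbound"
            conns[cid] = {
                "direction": direction,
                "low": low,
                "high": high,
                "initiator": high if outbound else low,
                "initiator_mapped": m.group(10) if outbound else m.group(6),
            }
        elif m := TEARDOWN_RE.search(line):
            rec = conns.setdefault(m.group(1), {})
            rec.update(duration=m.group(8), bytes=int(m.group(9)), reason=m.group(10))
    return conns


def reset_by(rec):
    """Which end sent the RST: Reset-O = the lower-security ('outside') side,
    Reset-I = the higher-security ('inside') side.  None if not a reset."""
    reason = rec.get("reason", "")
    if reason.endswith("Reset-O"):
        return rec.get("low")
    if reason.endswith("Reset-I"):
        return rec.get("high")
    return None


def dead_on_arrival(conns):
    """IDs of connections torn down by a reset with zero bytes transferred:
    the ACL let the SYN through, but the session never carried any data."""
    return sorted(cid for cid, rec in conns.items()
                  if rec.get("bytes") == 0 and reset_by(rec) is not None)


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_SYSLOG)
    for cid in dead_on_arrival(conns):
        rec = conns[cid]
        src_if, src_ip, src_port = rec["initiator"]
        rst_if, rst_ip, _rst_port = reset_by(rec)
        print(f"conn {cid}: initiator {src_if}:{src_ip}/{src_port} "
              f"(translated to {rec['initiator_mapped']}) was reset by "
              f"{rst_if}:{rst_ip} after {rec['duration']} with 0 bytes")
```

Run against the posted pair it reports connection 22666 as reset by DMZ:192.168.10.10 with the initiator 192.168.3.15 translated to 192.168.10.22, which is what to compare against the DMZ host's own firewall or listener rules; the FIN-closed connection 22701 is not flagged.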


Lets make this change as well...

by SYNner In reply to Made some changes

This NAT statement is incorrect. This statement is saying: allow network 192.168.3.0 from the DMZ zone to be NATed. However, network 192.168.3.0 does not reside on the DMZ zone.

nat (DMZ) 100 192.168.3.0 255.255.255.0


You need a static translation from DMZ to inside.

Your ACLs are pointing to the wrong IPs.

Tell me what services you have in each zone and what needs to be accessed by what, and I'll write a config on my firewall and paste it for you.


Here it Goes

by Uncle Ramus In reply to Lets make this change as ...

Thanks, you have been helpful.

I need TCP/UDP traffic on 50636 and 50389 to go both ways between the DMZ and the internal server.

TCP 25 and TCP 3389 to go both ways between the DMZ server and the internal server.

I also need ping to go both ways between the internal and DMZ servers.

Then allow HTTP, HTTPS, TCP 25 and TCP 443 between the internet and the DMZ server.


Thanks for your help


Config...

by SYNner In reply to Configuring a DMZ using ...

I have attached the configuration I put on my firewall. I don't have the necessary equipment, but I was able to test RDP from the DMZ to the internal server. As far as RDP to the DMZ server goes, you are going from a high security level to a low security level, so you should not have any problem.


Interface configuration:

!
interface Ethernet0
nameif outside
security-level 0
ip address 64.1.1.100 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.3.5 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!


Access-list:
access-list 100 remark internet-access-dmz-server
access-list 100 extended permit tcp any host 64.1.1.101 eq www
access-list 100 extended permit tcp any host 64.1.1.101 eq https
access-list 100 extended permit tcp any host 64.1.1.101 eq smtp
access-list 101 remark dmz-access-internal-server
access-list 101 extended permit icmp 192.168.10.0 255.255.255.0 host 192.168.10.9
access-list 101 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 50389
access-list 101 extended permit udp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 50389
access-list 101 extended permit udp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 50636
access-list 101 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 50636
access-list 101 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 3389

NATs/global/static:

global (outside) 1 interface
global (dmz) 1 192.168.10.100-192.168.10.132
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0
static (dmz,outside) 64.1.1.101 192.168.10.10 netmask 255.255.255.255
static (inside,dmz) 192.168.10.9 192.168.3.15 netmask 255.255.255.255
access-group 100 in interface outside
access-group 101 in interface dmz
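Added example, not SYNner's or Uncle Ramus's code: a Python linter for the three configuration problems this thread turned up. It checks that every nat (IF) network actually lies on IF (the nat (DMZ) 100 192.168.3.0 line), that every static's real address lies on its real interface (the original static (inside,outside) 64.x.x.101 192.168.10.10 line), and that every access-list is bound with an access-group (the lowercase dmz_access_in list from the earlier configs, which the ASA keeps as a separate list from DMZ_access_in because ACL names are case-sensitive). POSTED_CONFIG is a constructed excerpt of the earlier problem config with the masked 64.x.x.0/27 block written as 64.1.1.0/27, as in the lab config above; FIXED_CONFIG is a constructed excerpt of the lab config above. Comparing interface names case-insensitively is an assumption of this linter.

```python
"""Lint an ASA 7.x-style config for the nat/static/ACL mistakes found in this thread.
Added example; the config texts below are constructed excerpts, not device output."""
import ipaddress
import re

# The problem config from earlier in the thread, with 64.x.x.0/27 written as 64.1.1.0/27.
POSTED_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 64.1.1.100 255.255.255.224
interface GigabitEthernet0/2
 nameif DMZ
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/3
 nameif inside
 ip address 192.168.3.5 255.255.255.0
access-list dmz_access_in extended permit icmp host 192.168.10.0 host 192.168.3.0
access-list DMZ_access_in extended permit tcp host 192.168.10.10 host 192.168.3.15 eq 3389
global (DMZ) 100 192.168.10.20-192.168.10.30 netmask 255.255.255.0
nat (DMZ) 100 192.168.3.0 255.255.255.0
nat (inside) 100 192.168.3.0 255.255.255.0
static (inside,outside) 64.1.1.101 192.168.10.10 netmask 255.255.255.255
access-group DMZ_access_in in interface DMZ
"""

# The corrected nat/static layout from SYNner's lab config above.
FIXED_CONFIG = """
interface Ethernet0
 nameif outside
 ip address 64.1.1.100 255.255.255.224
interface Ethernet1
 nameif inside
 ip address 192.168.3.5 255.255.255.0
interface Ethernet2
 nameif dmz
 ip address 192.168.10.1 255.255.255.0
access-list 101 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 3389
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0
static (dmz,outside) 64.1.1.101 192.168.10.10 netmask 255.255.255.255
static (inside,dmz) 192.168.10.9 192.168.3.15 netmask 255.255.255.255
access-group 101 in interface dmz
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
IPADDR_RE = re.compile(rf"^\s*ip address\s+{IP}\s+{IP}")
NAT_RE = re.compile(rf"^nat\s+\((\S+)\)\s+\d+\s+{IP}\s+{IP}")
STATIC_RE = re.compile(rf"^static\s+\((\S+),(\S+)\)\s+{IP}\s+{IP}\s+netmask\s+{IP}")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended|remark)\b")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+")


def parse_interfaces(config):
    """Return {nameif.lower(): IPv4Interface}.  Lower-casing assumes nameif is
    case-insensitive on the ASA; access-list names below are NOT lower-cased."""
    ifaces, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                         # new stanza: wait for its nameif
        elif m := NAMEIF_RE.match(line):
            name = m.group(1).lower()
        elif (m := IPADDR_RE.match(line)) and name:
            ifaces[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def on_interface(ifaces, ifname, addr, mask):
    """True if addr/mask lies within the subnet configured on ifname."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return net.subnet_of(ifaces[ifname.lower()].network)


def lint(config):
    """Return [(offending line, reason)]; an empty list means no findings."""
    ifaces = parse_interfaces(config)
    problems, defined, bound = [], set(), set()
    for line in config.splitlines():
        if m := NAT_RE.match(line):
            ifname, net, mask = m.groups()
            if not on_interface(ifaces, ifname, net, mask):
                problems.append((line, f"{net}/{mask} is not on interface {ifname}"))
        elif m := STATIC_RE.match(line):
            real_if, _mapped_if, _mapped, real, mask = m.groups()
            if not on_interface(ifaces, real_if, real, mask):
                problems.append((line, f"real address {real} is not on interface {real_if}"))
        elif m := ACL_RE.match(line):
            defined.add(m.group(1))             # exact match: ACL names are case-sensitive
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))
    for name in sorted(defined - bound):
        problems.append((f"access-list {name}", "defined but never applied with access-group"))
    return problems


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = lint(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for line, why in findings:
            print(f"  {line}\n    -> {why}")
```

The static (inside,dmz) 192.168.10.9 192.168.3.15 line passes because its real address 192.168.3.15 is on inside; its mapped address 192.168.10.9 is what the DMZ hosts (and therefore the ACL applied in on the dmz interface, on this pre-8.3 software) refer to, which is why access-list 101 names 192.168.10.9 rather than 192.168.3.15.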


re:Config...

by Uncle Ramus In reply to Config...

Thanks, I was a little confused about this access list. The IP address 192.168.10.9 is on the DMZ; shouldn't the access list point from the 192.168.10.0 network to the 192.168.3.0 network?

access-list 101 extended permit icmp 192.168.10.0 255.255.255.0 host 192.168.10.9
access-list 101 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 50389
access-list 101 extended permit udp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 50389
access-list 101 extended permit udp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 50636
access-list 101 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 50636
access-list 101 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.9 eq 3389


Also, in the NAT statement you used the 10.9 IP; shouldn't I use the 10.10 address?
static (inside,dmz) 192.168.10.9 192.168.3.15 netmask 255.255.255.255

Once again thanks for your assistance.
