Question

Cisco ASA 5510 Access Rules

Asked by: techflavor

I have a Cisco ASA 5510 box setup with the following interfaces:

outside
inside
guest
dmz
management

I need to create some access rules that allow communication from the dmz network to the inside network.  There will be three web servers hosted in the dmz (192.168.10.2 - 192.168.10.4) which will need to be able to access these ports (1433, 1434, 4022, 135, 2383, 2382) on the inside SQL server (10.1.1.13).

And at the moment the web servers can ping the router but cannot ping each other.  At this point I'm not sure if the web servers in the dmz will need to talk back and forth, but if so, what would be the proper method?

Also, I have everything setup using OpenDNS instead of the ISP assigned DNS servers, so I need to add an access rule for each interface that allows OpenDNS to be accessed.

Currently, when connected to the webserver in the dmz (has a static IP address/dns assigned), I am unable to get DNS lookups or even ping an external IP address so apparently outgoing connections are not being allowed.

I'm sure there are a couple more access rules that will be required but this should cover it for now.

Thanks in advance!

Result of the command: "sh run"
 
: Saved
:
ASA Version 8.0(4) 
!
hostname RouterName
domain-name domainname.com
enable password rjYzxqUFpmwRhVLN encrypted
passwd rjYzxqUFpmwRhVLN encrypted
names
!
interface Ethernet0/0
 speed 10
 nameif outside
 security-level 0
 ip address 64.42.233.229 255.255.255.248 
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/2
 nameif guest
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 ospf cost 10
 management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup guest
dns domain-lookup management
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name domainname.com
same-security-traffic permit intra-interface
access-list dmz extended permit ip any any inactive 
access-list dmz extended permit ip 192.168.10.0 255.255.255.0 64.42.233.0 255.255.255.0 
access-list guest extended permit ip 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0 
access-list VPN-CGY-LocalAccess standard permit host 0.0.0.0 
access-list VPN-CGY-LocalAccess remark VPN Client Local LAN Access
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu guest 1500
mtu management 1500
ip local pool VPN-CGY-VPN2 10.1.2.140-10.1.2.170 mask 255.255.255.0
ip local pool VPN-CGY-VPN 10.1.3.141-10.1.3.170 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 5 64.42.233.225
global (outside) 3 64.42.233.226
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 5 0.0.0.0 0.0.0.0
nat (guest) 3 0.0.0.0 0.0.0.0
access-group dmz in interface dmz
access-group guest in interface guest
route outside 0.0.0.0 0.0.0.0 64.42.233.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.100-172.16.1.150 guest
dhcpd dns 208.67.222.222 208.67.220.220 interface guest
dhcpd lease 7200 interface guest
dhcpd enable guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
 svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
 svc enable
 tunnel-group-list enable
group-policy test internal
group-policy test attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol svc 
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN-CGY-LocalAccess
group-policy VPN-CGY internal
group-policy VPN-CGY attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelall
 split-tunnel-network-list value VPN-CGY-LocalAccess
 webvpn
  url-list none
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc 
 webvpn
  svc ask enable default webvpn
username armstrongb password OL0cVv3O/TRiz2X. encrypted privilege 0
username armstrongb attributes
 vpn-group-policy VPN-CGY
username chaney password h56Vp8eDSaHr/tL. encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-CGY-VPN
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias Default disable
 group-alias DfltRA disable
 group-alias RA disable
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN-CGY-VPN
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias DfltWebVPN disable
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *
tunnel-group VPN-CGY type remote-access
tunnel-group VPN-CGY general-attributes
 address-pool VPN-CGY-VPN
 default-group-policy VPN-CGY
tunnel-group VPN-CGY webvpn-attributes
 group-alias Calgary enable
tunnel-group VPN-CGY ipsec-attributes
 pre-shared-key *
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool VPN-CGY-VPN2
 default-group-policy test
tunnel-group test webvpn-attributes
 group-alias test enable
tunnel-group test ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:fe7e9f31cc640461b19f91b598e8a082
: end



Asked On: 2009-09-02 at 20:40:47 (ID 24703526)
Tags: cisco, asa, 5510, asdm, nat, acl, pat
Topics: Cisco PIX Firewall, Network Routers, Enterprise Firewalls
Participating Experts: 3
Points: 500
Comments: 40


Answers

 

by: nodisco, posted on 2009-09-02 at 21:10:51 (ID: 25247818)

hi there

To translate your internal network into the DMZ and allow access back:

1433, 1434, 4022, 135, 2383, 2382

object-group service sql-inside-ports tcp
 description - Ports that Web servers need to access
 port-object eq 1433
 port-object eq 1434
 port-object eq 4022
 port-object eq 135
 port-object eq 2383
 port-object eq 2382
 

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list dmz extended permit tcp host 192.168.10.2 host 10.1.1.13  object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.3 host 10.1.1.13  object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.4 host 10.1.1.13  object-group sql-inside-ports

cheers

 

by: Boilermaker85, posted on 2009-09-03 at 06:13:14 (ID: 25250273)

With that ACL, nodisco, you imply a policy NAT. I prefer the static method and simple PAT.
remove the " nat (inside) 0 access-list inside_nat0_outbound" because it would prevent your sql server from ever going to the internet (which may be by design, but prevents you from getting MS updates directly for example )
Instead, add this:
static (inside,dmz) 10.1.1.13 10.1.1.13 netmask 255.255.255.255

And of course use the rules that nodisco supplied for the dmz acl (not the no-nat acl).

That takes care of the DMZ to SQL server. For the outbound Open DNS, because of the acls of the dmz and guest interfaces, you'll need this:
access-list dmz extended permit udp 192.168.10.0 255.255.255.0 any 255.255.255.0 eq domain
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any 255.255.255.0 eq 53
access-list guest extended permit udp 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0 eq domain
access-list guest extended permit tcp 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0 eq 53
 (I used ANY for the destination, but you can use specific IPs for your external DNS)

If you want to ping from DMZ, you need this:
access-list dmz extended permit icmp 192.168.10.0 255.255.255.0 any 255.255.255.0





 

by: techflavor, posted on 2009-09-03 at 11:31:08 (ID: 25253502)

So, just to summarize:

I'm actually not having issues with the SQL server accessing the Internet -- should I be concerned with the suggestions on removing the nat (inside) 0 rule and adding the static (inside,dmz) rule?

Next, in order to get the webservers to communicate to the SQL server, do the following:
object-group service sql-inside-ports tcp
 description - Ports that Web servers need to access
 port-object eq 1433
 port-object eq 1434
 port-object eq 4022
 port-object eq 135
 port-object eq 2383
 port-object eq 2382
 

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list dmz extended permit tcp host 192.168.10.2 host 10.1.1.13  object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.3 host 10.1.1.13  object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.4 host 10.1.1.13  object-group sql-inside-ports


And now to allow outbound DNS for guest and dmz, use the following:
access-list dmz extended permit udp 192.168.10.0 255.255.255.0 any 255.255.255.0 eq domain
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any 255.255.255.0 eq 53
access-list guest extended permit udp 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0 eq domain
access-list guest extended permit tcp 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0 eq 53

On the above commands, I see that any is used for the dmz destination but guest is only allowed on 64.42.233.0 -- should I also change the guest to any?


And then to ping from DMZ:
access-list dmz extended permit icmp 192.168.10.0 255.255.255.0 any 255.255.255.0


Just wanted to make sure before I applied the changes -- THANKS for the suggestions/help!

 

by: Boilermaker85, posted on 2009-09-03 at 12:10:02 (ID: 25253892)

Yeah, I must have copied the wrong lines. Yes the dest on the access-list guest lines should be ANY.

yes to the dmz acl for SQL using object group object-group sql-inside-ports.

However, let me explain the nat0 a bit more. you have in your config:

global (outside) 1 interface
global (outside) 5 64.42.233.225
global (outside) 3 64.42.233.226
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 5 0.0.0.0 0.0.0.0
nat (guest) 3 0.0.0.0 0.0.0.0
access-group dmz in interface dmz
access-group guest in interface guest

Note that you don't have a global for the DMZ, so the nat statements are referring only to the inside-to-outside transition. Having nat-0 (no nat) to outside from a private address of 10.1.1.x means your ISP will drop it. Since the DMZ is security 50 and the inside is 100, you need a static statement and ACLs. Anytime you go from lower security to higher security level you need a static.


 

by: Boilermaker85, posted on 2009-09-03 at 12:11:21 (ID: 25253900)

and that static statement, as I said before, is:
static (inside,dmz) 10.1.1.13 10.1.1.13 netmask 255.255.255.255

 

by: techflavor, posted on 2009-09-03 at 12:25:52 (ID: 25254038)

ok great -- added that to the list..

And since I'm adding that static statement, should I be removing the other statement you were referring to?  

"remove the "nat (inside) 0 access-list inside_nat0_outbound" because it would prevent your sql server from ever going to the internet (which may be by design, but prevents you from getting MS updates directly for example )" -- as mentioned above, I haven't had connectivity issues from the inside to the outside

 

by: Boilermaker85, posted on 2009-09-03 at 12:47:01 (ID: 25254252)

I looked at it closer and I see your current no nat statements are used for the VPN stuff. So don't remove them. But the one provided by nodisco does not apply to the DMZ to sql communication "access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0" and in fact does nothing that I can see. So I would not add that.

 

by: Boilermaker85, posted on 2009-09-03 at 12:48:14 (ID: 25254266)

and leave in the nat (inside) 0 access-list inside_nat0_outbound

 

by: nodisco, posted on 2009-09-03 at 12:56:37 (ID: 25254329)

@Boilermaker
<<With that ACL, nodisco, you imply a policy NAT. I prefer the static method and simple PAT.
remove the " nat (inside) 0 access-list inside_nat0_outbound" because it would prevent your sql server from ever going to the internet (which may be by design, but prevents you from getting MS updates directly for example )
Instead, add this:
static (inside,dmz) 10.1.1.13 10.1.1.13 netmask 255.255.255.255>>

The static will do the job ok but what you have written here is not true.  The nat 0 will not prevent the sql box going to the internet.  All it does is not nat any traffic that matches the inside_nat0_outbound acl.
e.g.
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
All attempts from 10.1.1.0 to 192.168.10.0 will not be subject to natting.  Outbound internet for all inside clients including the sql box is natted by nat ID 5 as normal.  Therefore, the sql box will nat as its own internal ip in the dmz range and the acl I supplied lets the traffic back.

Yes - the static will do the job, but I wanted to clear this up.

 

by: techflavor, posted on 2009-09-03 at 12:56:50 (ID: 25254331)

Ok thanks for the clarification -- will get those applied in a few minutes and will let you know the turn out!

Boilermaker, thanks for staying on top of this question -- it is greatly appreciated.  The more help I get with ACLs, the more I am learning..

After this setup, I will definitely be signing up for some Cisco classes.

 

by: nodisco, posted on 2009-09-03 at 12:57:51 (ID: 25254337)

FYI - read last comment :-)

 

by: techflavor, posted on 2009-09-03 at 12:58:04 (ID: 25254340)

You too, nodisco, thanks a bunch!

 

by: Boilermaker85, posted on 2009-09-03 at 12:59:53 (ID: 25254352)

You are right nodisco. I blew it. That was an extended acl and you did have a dest of the DMZ net. Sorry!!!

 

by: nodisco, posted on 2009-09-03 at 13:01:02 (ID: 25254365)

no worries - just want to make sure the asker is clear.  As I said, the static does the job too.

 

by: Boilermaker85, posted on 2009-09-03 at 13:03:42 (ID: 25254384)

Question though. The inside_nat0_outbound as you described would ensure that sessions initiated from inside to dmz would get passed UNnatted. But does that necessarily overcome the need for a static since the dmz interface security is lower?

 

by: techflavor, posted on 2009-09-03 at 13:07:27 (ID: 25254410)

when trying to setup the guest/dmz for outbound dns, I got the following error:

ERROR: % Invalid Hostname

 

by: nodisco, posted on 2009-09-03 at 13:10:04 (ID: 25254431)

It's nat exemption.  The first of the nat commands, which does translate traffic between interfaces but just doesn't change their source ips.

Statics are second.

If you have a look here, it explains the nat order on PIXs/ASAs

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694

Read the Order of NAT commands section for detail.

 

by: nodisco, posted on 2009-09-03 at 13:20:12 (ID: 25254524)


Hold up - These won't work.

<<access-list dmz extended permit udp 192.168.10.0 255.255.255.0 any 255.255.255.0 eq domain
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any 255.255.255.0 eq 53
access-list guest extended permit udp 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0 eq domain
access-list guest extended permit tcp 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0 eq 53>>

Are you just looking to do outbound dns?

Firstly you just need udp 53.
There is no reason to have any 255.255.255.0 as a destination as it's a /24 mask - you should be allowing any mask too.
You don't want to send this traffic to your public ip range either.
And if you just allow access to port 53 for the guest subnet, no one on that subnet will be able to do anything on the internet except dns resolution.

*IF* you don't have an internal DNS server, to get the dmz subnet working with external dns:

access-list dmz extended permit udp 192.168.10.0 255.255.255.0 any  eq 53


techflavor - you have a few things I would tidy up on this firewall - a class would def be helpful to understand what some of these changes will do.  I reckon lets look at the  dmz subnet first and get this sql issue working.

hth



 

by: techflavor, posted on 2009-09-03 at 13:27:22 (ID: 25254608)

for the guest / dmz -- I would really just like full outbound internet access enabled, not just dns

right now dmz or guest cannot get out onto the internet


I held off on applying the other rules -- once I get outbound access on guest / dmz working, then I plan on adding the rules for the dmz to inside sql access

 

by: nodisco, posted on 2009-09-03 at 13:57:41 (ID: 25254870)

Ok

In that case - to get these 2 working, let's fix up the access-lists.
First - verify that you can get outbound using the existing nat statements, so we will remove the acls temporarily:

no access-group dmz in interface dmz
no access-group guest in interface guest

when you have done this, try internet access from the guest and dmz networks.

 

by: techflavor, posted on 2009-09-03 at 14:18:03 (ID: 25255047)

ok now have access to the internet from guest / dmz

 

by: techflavor, posted on 2009-09-03 at 14:45:50 (ID: 25255288)

I'm not going to proceed with the dmz to inside (sql) access until you give the thumbs up -- that way we know what steps have been completed and which haven't.

When someone is holding my hand through an entire process like this, I sure would like to give more than just points (i.e. money ;d...)

 

by: nodisco, posted on 2009-09-03 at 15:49:34 (ID: 25255672)

:-)

Ok so to explain the situation here with acls and how they work -
You now have the guest and dmz access to internet working ok.  That's because your nat and global commands are correct and you have no acl in place.
It's important to note that you don't need to have an acl in place to do either of these as any traffic, once natted properly, can access a less secure interface, e.g. guest to outside, dmz to outside.
So unless you need to put in something specific, remove the access-list on the guest interface - you don't need it.
no access-list guest extended permit ip 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0

Now.  
Re the dmz, you need to allow traffic from the dmz webserver to the internal sql server.  But!!!! If you allow just this and do not specify anything else, you will stop all outbound webtraffic.  The reason is that all acls have an implicit deny at the end, so that if you have an acl with just "permit web server to sql server" then the acl denies all other traffic.

To allow this properly - do the following:
clear configure access-list dmz
object-group service sql-inside-ports tcp
 description - Ports that Web servers need to access
 port-object eq 1433
 port-object eq 1434
 port-object eq 4022
 port-object eq 135
 port-object eq 2383
 port-object eq 2382

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list dmz extended permit tcp host 192.168.10.2 host 10.1.1.13  object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.3 host 10.1.1.13  object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.4 host 10.1.1.13  object-group sql-inside-ports
access-list dmz extended deny ip any 10.1.1.0 255.255.255.0
access-list dmz extended permit ip any any

access-group dmz in interface dmz

OK, to explain: the object-group groups the SQL ports. The inside_nat0_outbound access-list implies nat 0, so that your internal network is translated to the dmz without changing its IPs.
The access-list allows the 3 web servers access to your SQL server on the SQL port range.
You then deny all other access from the dmz to the inside network.
You then permit all other IP traffic (i.e. traffic to the internet).

Now, I have to point out this is a basic config that's just doing exactly what you are asking, but it can be secured far more than this; you can restrict certain ports etc.

You can use the static that Boilermaker suggested earlier instead of the nat 0 command. The reason I used the nat 0 is that it means any user on your inside can access your dmz, and if you want to allow further changes from dmz to inside, you don't need further statics, just amendments to your ACLs.

cheers





 

by: techflavor | Posted on 2009-09-03 at 16:02:18 | ID: 25255767

OK, I think I now have everything added as you are suggesting.

Now I will just need to test the SQL port communications from dmz to the SQL server on the inside.


What would be the proper command to allow the dmz hosts to ping the inside, just to verify things are communicating? I plan on removing this after everything is pinging back and forth (to help show the other guys). Because right now all ICMP from dmz to inside is being dropped.


Thanks again for all your help and the explanation of what those commands are doing.

I pasted the current config for your review since I've added your recommendations.

Result of the command: "sh run"
 
: Saved
:
ASA Version 8.0(4) 
!
hostname RouterName
domain-name domainname.com
enable password rjYzxqUFpmwRhVLN encrypted
passwd rjYzxqUFpmwRhVLN encrypted
names
!
interface Ethernet0/0
 speed 10
 nameif outside
 security-level 0
 ip address 64.42.233.229 255.255.255.248 
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/2
 nameif guest
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 ospf cost 10
 management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup guest
dns domain-lookup management
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name domainname.com
same-security-traffic permit intra-interface
object-group service sql-inside-ports tcp
 description - Ports that Web servers need to access
 port-object eq 1433
 port-object eq 1434
 port-object eq 4022
 port-object eq 135
 port-object eq 2383
 port-object eq 2382
access-list dmz extended permit ip any any 
access-list dmz extended permit ip 192.168.10.0 255.255.255.0 64.42.233.0 255.255.255.0 
access-list dmz extended permit tcp host 192.168.10.2 host 10.1.1.13 object-group sql-inside-ports 
access-list dmz extended permit tcp host 192.168.10.3 host 10.1.1.13 object-group sql-inside-ports 
access-list dmz extended permit tcp host 192.168.10.4 host 10.1.1.13 object-group sql-inside-ports 
access-list dmz extended deny ip any 10.1.1.0 255.255.255.0 
access-list guest extended permit ip 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0 
access-list VPN-CGY-LocalAccess standard permit host 0.0.0.0 
access-list VPN-CGY-LocalAccess remark VPN Client Local LAN Access
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu guest 1500
mtu management 1500
ip local pool VPN-CGY-VPN2 10.1.2.140-10.1.2.170 mask 255.255.255.0
ip local pool VPN-CGY-VPN 10.1.3.141-10.1.3.170 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 5 64.42.233.225
global (outside) 3 64.42.233.226
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 5 0.0.0.0 0.0.0.0
nat (guest) 3 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.42.233.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.100-172.16.1.150 guest
dhcpd dns 208.67.222.222 208.67.220.220 interface guest
dhcpd lease 7200 interface guest
dhcpd enable guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
 svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
 svc enable
 tunnel-group-list enable
group-policy test internal
group-policy test attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol svc 
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN-CGY-LocalAccess
group-policy VPN-CGY internal
group-policy VPN-CGY attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelall
 split-tunnel-network-list value VPN-CGY-LocalAccess
 webvpn
  url-list none
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc 
 webvpn
  svc ask enable default webvpn
username armstrongb password OL0cVv3O/TRiz2X. encrypted privilege 0
username armstrongb attributes
 vpn-group-policy VPN-CGY
username chaney password h56Vp8eDSaHr/tL. encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-CGY-VPN
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias Default disable
 group-alias DfltRA disable
 group-alias RA disable
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN-CGY-VPN
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias DfltWebVPN disable
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *
tunnel-group VPN-CGY type remote-access
tunnel-group VPN-CGY general-attributes
 address-pool VPN-CGY-VPN
 default-group-policy VPN-CGY
tunnel-group VPN-CGY webvpn-attributes
 group-alias Calgary enable
tunnel-group VPN-CGY ipsec-attributes
 pre-shared-key *
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool VPN-CGY-VPN2
 default-group-policy test
tunnel-group test webvpn-attributes
 group-alias test enable
tunnel-group test ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:40fc5681abf3f716bf0dbbfe4802c9bc
: end
                                              

 

by: techflavor | Posted on 2009-09-03 at 16:11:06 | ID: 25255818

And I just tried to telnet into port 1433 from webserv2 (192.168.10.3) to DBSRV1 (10.1.1.13) and got this:
Inbound TCP connection denied from 192.168.10.3/49192 to 10.1.1.13/1433 flags SYN  on interface dmz

 

by: nodisco | Posted on 2009-09-03 at 16:11:29 | ID: 25255819

Problem time

access-list dmz extended permit ip any any
access-list dmz extended permit ip 192.168.10.0 255.255.255.0 64.42.233.0 255.255.255.0
access-list dmz extended permit tcp host 192.168.10.2 host 10.1.1.13 object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.3 host 10.1.1.13 object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.4 host 10.1.1.13 object-group sql-inside-ports
access-list dmz extended deny ip any 10.1.1.0 255.255.255.0

Access-lists are read from the top down. In this ACL, everything will work on it, as you are allowing everything on line 1; you need to remove the access-list and repaste it in the correct order.
It's also not applied to the interface:

e.g.

clear configure access-list dmz
access-list dmz extended permit tcp host 192.168.10.2 host 10.1.1.13  object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.3 host 10.1.1.13  object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.4 host 10.1.1.13  object-group sql-inside-ports
access-list dmz extended deny ip any 10.1.1.0 255.255.255.0
access-list dmz extended permit ip any any

access-group dmz in interface dmz
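To make the two points nodisco explains above concrete (traffic from a higher to a lower security level needs no ACL at all; once an ACL is applied it is evaluated top down with first match winning and an implicit deny at the end, so a `permit ip any any` on line 1 shadows every line under it, while an ACL holding only the SQL permits cuts off DNS and web traffic), here is an added Python simulation of that evaluation. It is an illustration written for this page, not code from the thread or from Cisco. The security levels, hosts, networks and the sql-inside-ports list come from the posted configuration; the egress lookup is an assumed simplification built from the connected networks plus the default route, and the model ignores NAT (including the nat 0 identity translation discussed earlier), ICMP handling and the stateful return path.

```python
"""Simulate ASA inbound interface ACL evaluation: first match, top down,
implicit deny at the end, and no ACL needed for higher-to-lower security traffic."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interface security levels from the thread's configuration.
SECURITY_LEVEL = {"outside": 0, "inside": 100, "guest": 100, "dmz": 50, "management": 100}

# Assumed egress lookup: connected networks from the config plus the default route,
# longest prefix first. A real ASA consults its routing table and NAT for this.
ROUTES = sorted(
    [
        (ipaddress.ip_network("10.1.1.0/24"), "inside"),
        (ipaddress.ip_network("192.168.10.0/24"), "dmz"),
        (ipaddress.ip_network("172.16.1.0/24"), "guest"),
        (ipaddress.ip_network("192.168.1.0/24"), "management"),
        (ipaddress.ip_network("0.0.0.0/0"), "outside"),
    ],
    key=lambda r: r[0].prefixlen,
    reverse=True,
)

# The sql-inside-ports object-group from the thread.
SQL_INSIDE_PORTS = frozenset({1433, 1434, 4022, 135, 2383, 2382})


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One entry: access-list NAME extended <action> <proto> <src> <dst> [ports]."""
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every protocol; else "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[frozenset] = None  # destination ports; None means any port

    def matches(self, proto: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        if self.dports is not None and dport not in self.dports:
            return False
        return True


def egress_interface(dst: ipaddress.IPv4Address) -> str:
    for network, ifname in ROUTES:
        if dst in network:
            return ifname
    raise ValueError("no route")  # unreachable while a default route exists


def evaluate(ingress: str, acl: Optional[List[Ace]], proto: str,
             src: str, dst: str, dport: Optional[int] = None) -> Tuple[str, str]:
    """Verdict for the first packet of a flow entering `ingress`.

    `acl` is the list bound with `access-group NAME in interface <ingress>`,
    or None when no access-group is applied to that interface.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_interface(dst_ip)
    lvl_in, lvl_out = SECURITY_LEVEL[ingress], SECURITY_LEVEL[egress]
    if acl is None:
        # No inbound ACL: the ASA permits only traffic toward a lower security level.
        if lvl_in > lvl_out:
            return "permit", f"no ACL: {ingress}({lvl_in}) -> {egress}({lvl_out})"
        return "deny", f"no ACL: {ingress}({lvl_in}) -> {egress}({lvl_out}) is not higher-to-lower"
    for lineno, ace in enumerate(acl, start=1):
        if ace.matches(proto, src_ip, dst_ip, dport):
            return ace.action, f"matched line {lineno}: {ace.action} {ace.proto} {ace.src} -> {ace.dst}"
    return "deny", "implicit deny at end of ACL"


def sql_permits() -> List[Ace]:
    """The three permit lines for hosts 192.168.10.2-4 to 10.1.1.13 on the SQL ports."""
    return [Ace("permit", "tcp", net(f"192.168.10.{h}/32"), net("10.1.1.13/32"), SQL_INSIDE_PORTS)
            for h in (2, 3, 4)]


DENY_TO_INSIDE = Ace("deny", "ip", ANY, net("10.1.1.0/24"))
PERMIT_ANY = Ace("permit", "ip", ANY, ANY)

# As first pasted: permit ip any any on line 1 shadows every line below it.
MISORDERED_DMZ_ACL = [PERMIT_ANY] + sql_permits() + [DENY_TO_INSIDE]
# Only the SQL permits: the implicit deny then blocks DNS and web traffic to the internet.
SQL_ONLY_DMZ_ACL = sql_permits()
# Corrected order: specific permits, deny to inside, then permit everything else.
CORRECT_DMZ_ACL = sql_permits() + [DENY_TO_INSIDE, PERMIT_ANY]

if __name__ == "__main__":
    for name, acl in (("none", None), ("misordered", MISORDERED_DMZ_ACL),
                      ("sql-only", SQL_ONLY_DMZ_ACL), ("correct", CORRECT_DMZ_ACL)):
        print(f"--- dmz ACL: {name}")
        print("webserv2 -> sql 1433 :", evaluate("dmz", acl, "tcp", "192.168.10.3", "10.1.1.13", 1433))
        print("webserv2 -> sql 80   :", evaluate("dmz", acl, "tcp", "192.168.10.3", "10.1.1.13", 80))
        print("other host -> inside :", evaluate("dmz", acl, "tcp", "192.168.10.9", "10.1.1.20", 22))
        print("webserv2 -> OpenDNS  :", evaluate("dmz", acl, "udp", "192.168.10.3", "208.67.222.222", 53))
```

Running it shows the four states the thread passes through: with no access-group, dmz to outside is permitted and dmz to inside denied purely by security level; the misordered list permits any dmz host to any inside host on line 1; the SQL-only list permits port 1433 but drops the OpenDNS lookup on the implicit deny; the corrected list permits 1433, denies port 80 to the SQL server on the deny line, and still lets DNS out on the final permit. The same first-match rule is why any further permit toward 10.1.1.0/24 (such as the SMTP rule discussed later in the thread) has to be inserted above the `deny ip any 10.1.1.0 255.255.255.0` line, or it is never reached.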

 

by: techflavor | Posted on 2009-09-03 at 16:17:33 | ID: 25255852

OK, so it looks like I forgot the last command:

access-group dmz in interface dmz


So now that that's added, here is my latest config:

Result of the command: "sh run"
 
: Saved
:
ASA Version 8.0(4) 
!
hostname RouterName
domain-name domainname.com
enable password rjYzxqUFpmwRhVLN encrypted
passwd rjYzxqUFpmwRhVLN encrypted
names
!
interface Ethernet0/0
 speed 10
 nameif outside
 security-level 0
 ip address 64.42.233.229 255.255.255.248 
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/2
 nameif guest
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 ospf cost 10
 management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup guest
dns domain-lookup management
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name domainname.com
same-security-traffic permit intra-interface
object-group service sql-inside-ports tcp
 description - Ports that Web servers need to access
 port-object eq 1433
access-list dmz extended permit ip any any 
access-list dmz extended permit ip 192.168.10.0 255.255.255.0 64.42.233.0 255.255.255.0 
access-list dmz extended permit tcp host 192.168.10.2 host 10.1.1.13 object-group sql-inside-ports 
access-list dmz extended permit tcp host 192.168.10.3 host 10.1.1.13 object-group sql-inside-ports 
access-list dmz extended permit tcp host 192.168.10.4 host 10.1.1.13 object-group sql-inside-ports 
access-list dmz extended deny ip any 10.1.1.0 255.255.255.0 
access-list guest extended permit ip 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0 
access-list VPN-CGY-LocalAccess standard permit host 0.0.0.0 
access-list VPN-CGY-LocalAccess remark VPN Client Local LAN Access
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu guest 1500
mtu management 1500
ip local pool VPN-CGY-VPN2 10.1.2.140-10.1.2.170 mask 255.255.255.0
ip local pool VPN-CGY-VPN 10.1.3.141-10.1.3.170 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 5 64.42.233.225
global (outside) 3 64.42.233.226
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 5 0.0.0.0 0.0.0.0
nat (guest) 3 0.0.0.0 0.0.0.0
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 64.42.233.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.100-172.16.1.150 guest
dhcpd dns 208.67.222.222 208.67.220.220 interface guest
dhcpd lease 7200 interface guest
dhcpd enable guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
 svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
 svc enable
 tunnel-group-list enable
group-policy test internal
group-policy test attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol svc 
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN-CGY-LocalAccess
group-policy VPN-CGY internal
group-policy VPN-CGY attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelall
 split-tunnel-network-list value VPN-CGY-LocalAccess
 webvpn
  url-list none
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc 
 webvpn
  svc ask enable default webvpn
username armstrongb password OL0cVv3O/TRiz2X. encrypted privilege 0
username armstrongb attributes
 vpn-group-policy VPN-CGY
username chaney password h56Vp8eDSaHr/tL. encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-CGY-VPN
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias Default disable
 group-alias DfltRA disable
 group-alias RA disable
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN-CGY-VPN
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias DfltWebVPN disable
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *
tunnel-group VPN-CGY type remote-access
tunnel-group VPN-CGY general-attributes
 address-pool VPN-CGY-VPN
 default-group-policy VPN-CGY
tunnel-group VPN-CGY webvpn-attributes
 group-alias Calgary enable
tunnel-group VPN-CGY ipsec-attributes
 pre-shared-key *
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool VPN-CGY-VPN2
 default-group-policy test
tunnel-group test webvpn-attributes
 group-alias test enable
tunnel-group test ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:40fc5681abf3f716bf0dbbfe4802c9bc
: end
                                              

 

by: techflavor | Posted on 2009-09-03 at 16:18:28 | ID: 25255858

Didn't see your latest post until now, so I'm removing and reapplying in the correct order, then I'll paste the config.

 

by: techflavor | Posted on 2009-09-03 at 16:21:57 | ID: 25255872

Removed and then repasted the commands in your correct order:

Result of the command: "sh run"
 
: Saved
:
ASA Version 8.0(4) 
!
hostname RouterName
domain-name domainname.com
enable password rjYzxqUFpmwRhVLN encrypted
passwd rjYzxqUFpmwRhVLN encrypted
names
!
interface Ethernet0/0
 speed 10
 nameif outside
 security-level 0
 ip address 64.42.233.229 255.255.255.248 
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/2
 nameif guest
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 ospf cost 10
 management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup guest
dns domain-lookup management
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name domainname.com
same-security-traffic permit intra-interface
object-group service sql-inside-ports tcp
 description - Ports that Web servers need to access
 port-object eq 1433
 port-object eq 1434
 port-object eq 4022
 port-object eq 135
 port-object eq 2383
 port-object eq 2382
access-list dmz extended permit tcp host 192.168.10.2 host 10.1.1.13 object-group sql-inside-ports 
access-list dmz extended permit tcp host 192.168.10.3 host 10.1.1.13 object-group sql-inside-ports 
access-list dmz extended permit tcp host 192.168.10.4 host 10.1.1.13 object-group sql-inside-ports 
access-list dmz extended deny ip any 10.1.1.0 255.255.255.0 
access-list dmz extended permit ip any any 
access-list guest extended permit ip 172.16.1.0 255.255.255.0 64.42.233.0 255.255.255.0 
access-list VPN-CGY-LocalAccess standard permit host 0.0.0.0 
access-list VPN-CGY-LocalAccess remark VPN Client Local LAN Access
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu guest 1500
mtu management 1500
ip local pool VPN-CGY-VPN2 10.1.2.140-10.1.2.170 mask 255.255.255.0
ip local pool VPN-CGY-VPN 10.1.3.141-10.1.3.170 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 5 64.42.233.225
global (outside) 3 64.42.233.226
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 5 0.0.0.0 0.0.0.0
nat (guest) 3 0.0.0.0 0.0.0.0
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 64.42.233.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.100-172.16.1.150 guest
dhcpd dns 208.67.222.222 208.67.220.220 interface guest
dhcpd lease 7200 interface guest
dhcpd enable guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
 svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
 svc enable
 tunnel-group-list enable
group-policy test internal
group-policy test attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol svc 
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN-CGY-LocalAccess
group-policy VPN-CGY internal
group-policy VPN-CGY attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelall
 split-tunnel-network-list value VPN-CGY-LocalAccess
 webvpn
  url-list none
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc 
 webvpn
  svc ask enable default webvpn
username armstrongb password OL0cVv3O/TRiz2X. encrypted privilege 0
username armstrongb attributes
 vpn-group-policy VPN-CGY
username chaney password h56Vp8eDSaHr/tL. encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-CGY-VPN
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias Default disable
 group-alias DfltRA disable
 group-alias RA disable
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN-CGY-VPN
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias DfltWebVPN disable
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *
tunnel-group VPN-CGY type remote-access
tunnel-group VPN-CGY general-attributes
 address-pool VPN-CGY-VPN
 default-group-policy VPN-CGY
tunnel-group VPN-CGY webvpn-attributes
 group-alias Calgary enable
tunnel-group VPN-CGY ipsec-attributes
 pre-shared-key *
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool VPN-CGY-VPN2
 default-group-policy test
tunnel-group test webvpn-attributes
 group-alias test enable
tunnel-group test ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:40fc5681abf3f716bf0dbbfe4802c9bc
: end
                                              

 

by: nodisco | Posted on 2009-09-03 at 16:25:06 | ID: 25255890

OK, you should still have dmz internet access and should have access to the SQL server from the dmz now; can you try?

 

by: techflavor, posted on 2009-09-03 at 16:43:02, ID: 25255989

Yep, sorry, I will be able to test in a couple of minutes -- I just got kicked out of the office, so I'm relocating to the house and will let you know the results.

/me bows to nodisco

 

by: Boilermaker85, posted on 2009-09-03 at 21:35:32, ID: 25256875

Techflavor, I am going to drop out of this thread. NODISCO can help you finish up. I had more time this morning, but have been away from the computer for hours. While I tried to help, I gave several very poor examples of ACLs by not looking at what I wrote, and afterwards saw they were wrong. So rather than try to outdo the master, I am going to let you work with him, and I'll get back to work. Have a great day. And if you ever do need some help on another Cisco PIX/ASA issue, you can ask on Experts Exchange or email me at wkskinner@comcast.net. I work with ASAs every day.

 

by: techflavor, posted on 2009-09-04 at 07:14:48, ID: 25259848

nodisco -- sorry it took me so long to post the outcome of the test. Internet connectivity is still enabled for the guest / dmz, and now the dmz can access the inside SQL server on port 1433. So thank you very much for that!

And now, just to make sure I have the format correct, so if I wanted to allow access from 192.168.1.2 to 10.1.1.17 for smtp, I would do the following:

access-list dmz extended permit tcp host 192.168.10.2 host 10.1.1.13 eq smtp


Thanks again nodisco and Boilermaker for the assistance.


 

by: Boilermaker85, posted on 2009-09-04 at 07:20:31, ID: 25259899

Yes, you could, but you want to place it in the right order among your other DMZ rules. It would have to be before the deny any to 10.1.1.0 statement:
access-list dmz extended permit tcp host 192.168.10.2 host 10.1.1.13 object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.3 host 10.1.1.13 object-group sql-inside-ports
access-list dmz extended permit tcp host 192.168.10.4 host 10.1.1.13 object-group sql-inside-ports
access-list dmz extended deny ip any 10.1.1.0 255.255.255.0
access-list dmz extended permit ip any any

If you do a 'show access-list dmz' you will see that each of the lines above gets a line number. The deny statement is #4. So in order to insert your line into the ACL, use this format:
access-list dmz line 4 permit tcp host 192.168.10.2 host 10.1.1.13 eq smtp

That pushes the previous line 4 down to line 5.


 

by: Boilermaker85, posted on 2009-09-04 at 07:24:19, ID: 25259947

Also, you can comment your ACLs to give them better readability, and the comments get line numbers. When you view them with the ASDM, a preceding remark will show up in the rule as the comment field.

access-list dmz line 1 remark **Allow webservers to sql db**
access-list dmz line 5 remark **Allow one web server to send mail **
access-list dmz line 7 remark **Deny all else from DMZ to internal**

Now 'show access-list dmz' gives you a commented ACL.

 

by: Boilermaker85, posted on 2009-09-04 at 07:30:46, ID: 25260034

Note that I put the line numbers in those remarks and assumed they were entered in that order, because after adding the first remark, everything drops down one line. I have found that when inserting lines, it is best to display the ACL first, then insert lines starting from the highest line numbers first to keep things in order.
So from this:
access-list dmz line 1 permit tcp host 192.168.10.2 host 10.1.1.13 object-group sql-inside-ports
access-list dmz line 2 permit tcp host 192.168.10.3 host 10.1.1.13 object-group sql-inside-ports
access-list dmz line 3 permit tcp host 192.168.10.4 host 10.1.1.13 object-group sql-inside-ports
access-list dmz line 4 permit tcp host 192.168.10.2 host 10.1.1.13 eq smtp
access-list dmz line 5 deny ip any 10.1.1.0 255.255.255.0
access-list dmz line 6 permit ip any any
I then insert these comments in reverse order to ensure my specific line numbers don't change as I enter them...
access-list dmz line 5 remark **Deny all else from DMZ to internal**
access-list dmz line 4 remark **Allow one web server to send mail **
access-list dmz line 1 remark **Allow webservers to sql db**
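
The two points made in the posts above (the SMTP permit has to go in at line 4, ahead of the deny, and remarks are inserted from the highest line number down) can be checked offline with a small model of the ASA's `line N` insertion and first-match ACL evaluation. This is an added example, not from the thread, Cisco or the ASA itself; the ACL entries are a constructed copy of those listed above, and the object-group membership is taken from the port list in the original question.

```python
import ipaddress
# Constructed copy of the thread's dmz ACL, before any `line N` inserts.
DMZ_ACL = ["permit tcp host 192.168.10.2 host 10.1.1.13 object-group sql-inside-ports",
           "permit tcp host 192.168.10.3 host 10.1.1.13 object-group sql-inside-ports",
           "permit tcp host 192.168.10.4 host 10.1.1.13 object-group sql-inside-ports",
           "deny ip any 10.1.1.0 255.255.255.0",
           "permit ip any any"]
SMTP_ACE = "permit tcp host 192.168.10.2 host 10.1.1.13 eq smtp"
OBJECT_GROUPS = {"sql-inside-ports": {1433, 1434, 4022, 135, 2383, 2382}}  # ports from the question

def insert_line(acl, line_no, entry):
    """`access-list NAME line N ...`: entry takes slot N, entries from N on shift down one."""
    acl = list(acl)
    acl.insert(line_no - 1, entry)
    return acl

def _take_addr(tok, i):
    """Consume one address spec (any | host A | NET MASK); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def _take_ports(tok, i):
    """Trailing `eq PORT` or `object-group NAME`; None means any destination port (smtp = 25)."""
    if i >= len(tok):
        return None
    return {25 if tok[i + 1] == "smtp" else int(tok[i + 1])} if tok[i] == "eq" else OBJECT_GROUPS[tok[i + 1]]

def first_match(acl, proto, src, dst, dport=None):
    """First matching ACE wins; remarks are skipped; an implicit deny sits after the last line."""
    for line_no, entry in enumerate(acl, 1):
        tok = entry.split()
        if tok[0] == "remark" or tok[1] not in ("ip", proto):
            continue
        s_net, i = _take_addr(tok, 2)
        d_net, i = _take_addr(tok, i)
        ports = _take_ports(tok, i)
        if (ipaddress.ip_address(src) in s_net and ipaddress.ip_address(dst) in d_net
                and (ports is None or dport in ports)):
            return line_no, tok[0]
    return len(acl) + 1, "deny"

def commented_acl():
    """SMTP ACE at line 4, then remarks inserted highest line first so lower numbers stay valid."""
    acl = insert_line(DMZ_ACL, 4, SMTP_ACE)
    for n, text in ((5, "Deny all else from DMZ to internal"), (4, "Allow one web server to send mail"),
                    (1, "Allow webservers to sql db")):
        acl = insert_line(acl, n, f"remark **{text}**")
    return acl
```

Calling `first_match(insert_line(DMZ_ACL, 5, SMTP_ACE), "tcp", "192.168.10.2", "10.1.1.13", 25)` returns the deny at line 4, which is the mistake the thread warns about; inserting at line 4 instead returns the permit, and `commented_acl()` lands the remarks on lines 1, 5 and 7 exactly as the earlier post listed them.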

 

by: techflavor, posted on 2009-09-04 at 07:53:08, ID: 31624252

Thanks a bunch nodisco and Boilermaker85!

 

by: techflavor, posted on 2009-09-04 at 08:13:37, ID: 25260459

Thanks again, both of you.

Also, I appreciate the suggestion for how to add a remark to each line item--that will help now and in the future.

 

by: nodisco, posted on 2009-09-06 at 00:14:56, ID: 25269013

Good stuff. I was away for the weekend. Cheers b85 for stepping back in.

 

by: eduguerra90, posted on 2011-01-25 at 15:38:35, ID: 34697567

I have the same problem techflavor had. I am relatively new to Cisco devices. Here's my config. No ping response from inside. Pinging the outside interface gets a response. How can I get internet access from the inside interfaces?

Saved
:
ASA Version 8.3(1)
!
hostname asafchavez
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 200.87.200.163 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/2
 nameif Inside1
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone BOT -4
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in remark Salida puerto 100.0
access-list outside_access_in extended permit object-group TCPUDP 192.168.100.0
access-list outside_access_out remark Salidas puerto 100.0
access-list outside_access_out extended permit ip 192.168.100.0 255.255.255.0 a
access-list outside_access_out extended permit ip host 192.168.100.11 any
access-list Inside1_access_out extended permit ip host 192.168.100.0 host 192.1
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu Inside1 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (management,inside) source dynamic any interface
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group Inside1_access_out out interface Inside1
route outside 0.0.0.0 0.0.0.0 200.87.200.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.100.0 255.255.255.0 Inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.100.0 255.255.255.0 Inside1
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 Inside1
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b5bbfc3905b64f2b2b2d45e5afa17633
: end


Thanks in advance!
