  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 384

ASA DMZ Configuration question

Howdy all.

I have a new ASA 5510 configuration that I would like to run by you guys. The key is a Citrix Web Interface server on the DMZ. This server needs access to 192.168.200.5 (on the internal network) on the following ports: 2598, 80, 443. Also, from the internet, the following ports need to be opened to 10.10.10.10: 443, 80, 3389. Since I don't have much downtime for troubleshooting when I install this onsite, I was wondering if you could go through my script and let me know if there are any obvious configuration issues.

a. Are my 'dmz-in' access rules correct?
b. Do I need 'access-list outside-in extended permit tcp any host 1.1.1.219 object-group HTTP-HTTPS' and
'access-list outside-in extended permit tcp any host 1.1.1.219 eq 3389', since I have 'dmz-in' already applied for port access?

Thanks a bunch!

***********************************************************************************



hostname acme-FW-ASA5510
domain-name acme.com
names
name 192.168.200.9 acme-UTIL
name 192.168.200.2 acme-MAIL
name 192.168.200.4 acme_FILE
name 192.168.200.5 acme-CITRIX
name 192.168.200.1 acme-SQL
name 192.168.200.3 acme-BACKUP
name 10.10.10.10 WI
name 192.168.200.8 acme-EXCHFE
name 192.168.200.253 BARRACUDA
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 40
 ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name acme.com
object-group service HTTP-HTTPS tcp
 description Object group for HTTP and HTTPS services
 port-object eq www
 port-object eq https
object-group service PCAW tcp-udp
 description Object group to allow PC AnyWhere
 port-object range 5631 5632
object-group icmp-type PING
 description Object group to allow ping
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object source-quench
access-list outside-in remark ACL to block inbound traffic on the outside interface
access-list outside-in extended permit tcp any host 1.1.1.219 object-group HTTP-HTTPS
access-list outside-in extended permit tcp any host 1.1.1.210 object-group HTTP-HTTPS
access-list outside-in extended permit tcp any host 1.1.1.210 object-group PCAW
access-list outside-in extended permit tcp any host 1.1.1.219 eq 3389
access-list outside-in extended permit tcp any host 1.1.1.212 eq smtp
access-list outside-in extended permit tcp any host 1.1.1.212 eq 8000
access-list outside-in extended permit tcp any host 1.1.1.214 eq 3389
access-list outside-in extended permit tcp any host 1.1.1.214 object-group PCAW
access-list outside-in extended permit tcp any host 1.1.1.213 object-group PCAW
access-list outside-in extended permit tcp any host 1.1.1.216 object-group PCAW
access-list outside-in extended permit tcp any host 1.1.1.209 eq 3389
access-list outside-in extended permit tcp any host 1.1.1.209 eq citrix-ica
access-list outside-in extended permit tcp any host 1.1.1.209 eq 2598
access-list outside-in extended permit tcp any host 1.1.1.215 object-group PCAW
access-list outside-in extended permit tcp any host 1.1.1.211 object-group PCAW
access-list outside-in extended permit icmp any any object-group PING
access-list dmz-in extended permit tcp host WI eq 2598 host acme-CITRIX
access-list dmz-in extended permit tcp host WI eq www host acme-CITRIX
access-list dmz-in extended permit tcp host WI eq https host acme-CITRIX
access-list dmz-in extended permit icmp any any object-group PING
access-list dmz-in extended permit udp host WI any eq domain
access-list dmz-in extended permit tcp host WI eq https any
access-list dmz-in extended permit tcp host WI eq www any
access-list dmz-in extended permit tcp host WI any eq www
access-list dmz-in extended permit tcp host WI any eq https
access-list dmz-in extended permit tcp host WI eq 3389 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
ip verify reverse-path interface outside
asdm image disk0:/asdm512.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.214 acme-UTIL netmask 255.255.255.255
static (inside,outside) 1.1.1.213 acme-MAIL netmask 255.255.255.255
static (inside,outside) 1.1.1.216 acme_FILE netmask 255.255.255.255
static (inside,outside) 1.1.1.209 acme-CITRIX netmask 255.255.255.255
static (inside,outside) 1.1.1.215 acme-SQL netmask 255.255.255.255
static (inside,outside) 1.1.1.211 acme-BACKUP netmask 255.255.255.255
static (dmz,outside) 1.1.1.219 WI netmask 255.255.255.255
static (inside,outside) 1.1.1.210 acme-EXCHFE netmask 255.255.255.255
static (inside,outside) 1.1.1.212 BARRACUDA netmask 255.255.255.255
static (inside,dmz) acme-CITRIX acme-CITRIX netmask 255.255.255.255
access-group outside-in in interface outside
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 1.1.1.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
: end
[OK]
*************************************************************************
2 Solutions
 
stressedout2004 commented:
a. Are my 'dmz-in' access rules correct?

No. You have to indicate ports 2598, 80 and 443 as destination ports, not source ports.


no access-list dmz-in extended permit tcp host WI eq 2598 host acme-CITRIX
no access-list dmz-in extended permit tcp host WI eq www host acme-CITRIX
no access-list dmz-in extended permit tcp host WI eq https host acme-CITRIX

access-list dmz-in extended permit tcp host WI host acme-CITRIX eq 2598
access-list dmz-in extended permit tcp host WI host acme-CITRIX eq www
access-list dmz-in extended permit tcp host WI host acme-CITRIX eq https

b. Do I need 'access-list outside-in extended permit tcp any host 1.1.1.219 object-group HTTP-HTTPS' and
'access-list outside-in extended permit tcp any host 1.1.1.219 eq 3389'? - since I have 'dmz-in' already applied for port access?

Yes, since you need access to these ports from the internet. The traffic would be hitting the outside interface way before it hits the dmz interface. Also, for inbound connections, once you have permitted the traffic on the outside interface, you no longer need to allow the same traffic on the dmz interface. What you don't need are the following lines:


no access-list dmz-in extended permit tcp host WI eq https any
no access-list dmz-in extended permit tcp host WI eq www any
no access-list dmz-in extended permit tcp host WI eq 3389 any
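The mistake corrected above is easy to miss by eye in a long ACL: in ASA extended-ACL syntax a port operator that sits between the source address and the destination address matches the client's *source* port, and since clients connect from ephemeral ports such a rule never matches the traffic it was written for. The following linter is an added example (not part of this thread or of any Cisco tool): it parses `access-list ... extended` lines, reports every rule that carries a source-port match, and prints the rewrite with the port moved to the destination side. It resolves `object-group X` as a port spec only when X was declared with `object-group service`, which is how it tells a service group from a network group. The sample config embedded below is the `dmz-in` ACL and one `outside-in` line from the question; the rewrite it suggests is the one the answer gives, with the caveat from the answer that the three `eq ... any` lines are return traffic and can simply be dropped rather than rewritten.

```python
"""Lint Cisco ASA extended ACL lines for port matches placed on the source side.

ASA syntax (simplified):
  access-list NAME extended {permit|deny} PROTO SRC [SRC-PORT] DST [DST-PORT] [log ...]
An address is 'any', 'host A', 'A MASK', 'object G' or 'object-group G'; a port
spec is 'eq P', 'gt P', 'lt P', 'neq P', 'range A B' or 'object-group SVCGROUP'.
A port spec sitting between SRC and DST matches the client's source port.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    line: str


def _take_addr(tokens: list[str], i: int) -> tuple[str, int]:
    """Consume one address operand starting at tokens[i]."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return t, i + 1
    if t in ("host", "object", "object-group"):  # keyword + one name
        return f"{t} {tokens[i + 1]}", i + 2
    return f"{t} {tokens[i + 1]}", i + 2  # network + mask


def _take_port(tokens: list[str], i: int, service_groups) -> tuple[Optional[str], int]:
    """Consume an optional port spec at tokens[i]; return (spec or None, new index)."""
    if i >= len(tokens):
        return None, i
    t = tokens[i]
    if t in PORT_OPS:
        n = 3 if t == "range" else 2  # 'range A B' takes two operands
        return " ".join(tokens[i:i + n]), i + n
    # 'object-group X' is a port spec only when X is a *service* group;
    # otherwise it is the next address operand (a network group).
    if t == "object-group" and i + 1 < len(tokens) and tokens[i + 1] in service_groups:
        return f"object-group {tokens[i + 1]}", i + 2
    return None, i


def parse_acl_line(line: str, service_groups=frozenset()) -> Optional[Rule]:
    """Parse one 'access-list NAME extended ...' line; None for anything else."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None  # remarks, standard ACLs, unrelated config
    acl, action, proto = tokens[1], tokens[3], tokens[4]
    i = 5
    src, i = _take_addr(tokens, i)
    src_port, i = _take_port(tokens, i, service_groups)
    dst, i = _take_addr(tokens, i)
    dst_port, i = _take_port(tokens, i, service_groups)
    return Rule(acl, action, proto, src, src_port, dst, dst_port, line)


def find_source_port_rules(config_text: str) -> list[tuple[str, Optional[str]]]:
    """Return (offending line, rewrite with the port moved to the destination).

    The rewrite is None when the rule already has a destination port too, in
    which case the source-port match may be deliberate and needs a human look.
    """
    service_groups = set(re.findall(r"^object-group service (\S+)", config_text, re.M))
    findings = []
    for raw in config_text.splitlines():
        rule = parse_acl_line(raw.strip(), service_groups)
        if rule is None or rule.src_port is None:
            continue
        rewrite = None
        if rule.dst_port is None:
            rewrite = (f"access-list {rule.acl} extended {rule.action} {rule.proto} "
                       f"{rule.src} {rule.dst} {rule.src_port}")
        findings.append((rule.line, rewrite))
    return findings


# The dmz-in ACL and one outside-in line as posted in the question (WI is the
# Web Interface host on the DMZ, acme-CITRIX the internal Citrix server).
SAMPLE_CONFIG = """\
object-group service HTTP-HTTPS tcp
 port-object eq www
 port-object eq https
access-list outside-in remark ACL to block inbound traffic on the outside interface
access-list outside-in extended permit tcp any host 1.1.1.219 object-group HTTP-HTTPS
access-list dmz-in extended permit tcp host WI eq 2598 host acme-CITRIX
access-list dmz-in extended permit tcp host WI eq www host acme-CITRIX
access-list dmz-in extended permit tcp host WI eq https host acme-CITRIX
access-list dmz-in extended permit icmp any any object-group PING
access-list dmz-in extended permit udp host WI any eq domain
access-list dmz-in extended permit tcp host WI eq https any
access-list dmz-in extended permit tcp host WI eq www any
access-list dmz-in extended permit tcp host WI any eq www
access-list dmz-in extended permit tcp host WI any eq https
access-list dmz-in extended permit tcp host WI eq 3389 any
"""

if __name__ == "__main__":
    for bad, fix in find_source_port_rules(SAMPLE_CONFIG):
        print(f"source-port match: {bad}")
        print(f"  did you mean:    {fix}" if fix else "  (also has a dst port; review by hand)")
```

Run it against the output of `show running-config access-list` and it flags the six `eq`-after-`host WI` lines in the question and nothing else; the `object-group HTTP-HTTPS` on the `outside-in` line is correctly read as a destination port because the group was declared as a service group.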
 
netman70 (Author) commented:
I'm unable to send email with the ASA in place. I get the error message "remote server did not respond to connection attempt" in the Exchange 2003 queue. It works fine with the ASA removed.

HELP!!
 
Cyclops3590 commented:
You need to allow it out:
access-list dmz-in permit tcp host WI any eq 25

Assuming WI is the Exchange server; if not, where is the Exchange server? If it's on the inside then it should be allowed; if it's on the DMZ, substitute the IP of the Exchange server for WI.
 
netman70 (Author) commented:
The Exchange server is on the INSIDE (LAN) network! Is there a bug with the ASA?
 
Cyclops3590 commented:
Also, the ASAs have a reasonable amount of memory; when you're trying to see what's going on, turn on buffered logging so that you can run show logging and see what is being logged. Setting it at 4 or 5 should be good enough to see most everything you'll need to see. This will help identify the traffic that is getting denied by an ACL, and which one.
 
Cyclops3590 commented:
Here's what I'd do for the Exchange issue:
1) Log onto the Exchange server and open a cmd window.
2) Turn on buffered logging on the firewall.
3) Find out the IP of the mail server the Exchange server failed to reach, and then telnet to it on port 25.
Then check the firewall while you're doing that and see if you can find anything.
Also, when you show logging, you may want to pipe the output to "include <ip of foreign mail server>" to cut down on the lines you have to look through.
This should give you a picture of the connection building and teardown and anything in between. Also, if you receive a mail banner through the telnet session, then the firewall is OK.
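The procedure above boils down to reading three ASA message types for one remote host: 106023 (a deny, naming the ACL), 302013 (connection built) and 302014 (teardown, with byte count and reason). What follows is an added example, not part of this thread or of any Cisco tool: a small triage script that does the `show logging | include <ip>` step over a saved buffer and classifies what it finds. A `SYN Timeout` teardown with 0 bytes means the firewall let the SYN through and nothing answered, which points away from the ASA (routing, a dead peer, or, as it turned out in this thread, DNS resolving to the wrong place); a 106023 deny names the ACL that dropped it. The log lines embedded below are constructed for the example, using the standard ASA message formats and addresses consistent with the question's config (the deny is what the original `dmz-in` rules would have produced for WI connecting to acme-CITRIX on 2598; the outbound-25 attempt uses a documentation address for the foreign mail server).

```python
"""Triage an ASA 'show logging' buffer for one remote host.

Classifies a "remote server did not respond" symptom as one of:
  DENIED_BY_ACL       %ASA-4-106023: the ASA dropped it, and says which ACL did;
  PERMITTED_NO_REPLY  302013 Built ... then 302014 Teardown 'SYN Timeout' with 0 bytes:
                      the SYN went out through the ASA and nothing came back;
  PERMITTED_OK        the connection carried data and closed normally;
  NO_EVIDENCE         nothing in the buffer mentions that host.
"""
import re

# Message formats are the stock ASA syslog formats for 106023 / 302013 / 302014.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<aif>[\w-]+):(?P<a>[\d.]+)/(?P<ap>\d+) \([\d.]+/\d+\) to "
    r"(?P<bif>[\w-]+):(?P<b>[\d.]+)/(?P<bp>\d+) \([\d.]+/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for .* duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def triage(log_text: str, remote_ip: str) -> dict:
    """Summarise every deny and every TCP connection involving remote_ip."""
    denies = []
    conns = {}  # connection id -> details, filled in by Built then Teardown
    for line in log_text.splitlines():
        line = line.strip()
        m = DENY_RE.search(line)
        if m:
            if remote_ip in (m["src"], m["dst"]):
                denies.append({"acl": m["acl"], "proto": m["proto"],
                               "src": f'{m["sif"]}:{m["src"]}',
                               "dst": f'{m["dif"]}:{m["dst"]}', "dport": int(m["dport"])})
            continue
        m = BUILT_RE.search(line)
        if m:
            if remote_ip in (m["a"], m["b"]):
                conns[m["id"]] = {"direction": m["dir"],
                                  "a": f'{m["aif"]}:{m["a"]}/{m["ap"]}',
                                  "b": f'{m["bif"]}:{m["b"]}/{m["bp"]}',
                                  "bytes": None, "reason": None}
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:  # only teardowns of connections we matched
            conns[m["id"]]["bytes"] = int(m["bytes"])
            conns[m["id"]]["reason"] = m["reason"]

    if denies:
        verdict = "DENIED_BY_ACL"
    elif any(c["reason"] and "SYN Timeout" in c["reason"] and c["bytes"] == 0
             for c in conns.values()):
        verdict = "PERMITTED_NO_REPLY"
    elif any((c["bytes"] or 0) > 0 for c in conns.values()):
        verdict = "PERMITTED_OK"
    else:
        verdict = "NO_EVIDENCE"
    return {"denies": denies, "connections": conns, "verdict": verdict}


# Constructed sample buffer (not real output): a deny produced by the original
# source-port dmz-in rule, an outbound SMTP attempt the ASA permitted but the
# peer never answered, and a normal inbound HTTPS hit on the Web Interface host.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src dmz:10.10.10.10/40212 dst inside:192.168.200.5/2598 by access-group "dmz-in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 18844 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.200.2/3562 (1.1.1.213/3562)
%ASA-6-302014: Teardown TCP connection 18844 for outside:203.0.113.25/25 to inside:192.168.200.2/3562 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 18845 for outside:198.51.100.7/51200 (198.51.100.7/51200) to dmz:10.10.10.10/443 (1.1.1.219/443)
%ASA-6-302014: Teardown TCP connection 18845 for outside:198.51.100.7/51200 to dmz:10.10.10.10/443 duration 0:00:05 bytes 4312 TCP FINs
"""

if __name__ == "__main__":
    for ip in ("192.168.200.5", "203.0.113.25", "198.51.100.7"):
        result = triage(SAMPLE_LOG, ip)
        print(ip, result["verdict"])
        for d in result["denies"]:
            print(f'  denied by {d["acl"]}: {d["src"]} -> {d["dst"]}/{d["dport"]}')
        for cid, c in result["connections"].items():
            print(f'  conn {cid} {c["direction"]} {c["a"]} -> {c["b"]}: {c["bytes"]} bytes, {c["reason"]}')
```

To use it on a live box, `logging buffered 4` (or `5`, as the comment above suggests; 6 is needed to see the 302013/302014 build and teardown messages), reproduce the failure, paste `show logging` into a file and call `triage(open(path).read(), remote_ip)`.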
 
netman70 (Author) commented:
Turned out that the Exchange issue was unrelated to the ASA: DNS issues on the Exchange server.

