oamal2001
configure ASA 5510 to pass through SSH sessions

Hi,

I have configured two interfaces on the ASA 5510:

1- servers zone, for the servers area
2- banks zone, for banks to connect to servers

All users in the banks zone must only connect to the server 10.0.0.2 using the SSH port,
but they still cannot connect to the server; I cannot even ping the banks zone from the servers zone.
Will someone help me?
My configuration is below.

ASA Version 7.0(6)
!
hostname YFS-FW1
enable password wrfquXVI4ksJsAhA encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif servers
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif banks
 security-level 30
 ip address 172.31.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif local
 security-level 60
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/3
security-level 0
 ip address 150.150.0.1 255.255.0.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list server-access extended permit 22 host 172.31.1.16 host 172.31.1.10
access-list 1 extended permit icmp any any
access-list 1 extended permit 22 any any
pager lines 24
mtu servers 1500
mtu banks 1500
mtu local 1500
mtu management 1500
mtu failover 1500
no failover
icmp permit any servers
icmp permit any banks
no asdm history enable
global (banks) 1 172.31.1.100-172.31.1.175
nat (servers) 1 10.0.0.0 255.255.255.0 tcp 1 0
static (servers,banks) 172.31.1.10 10.0.0.2 netmask 255.255.255.255
access-group 1 in interface servers
access-group server-access in interface banks
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 servers
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_sqlnet
 match port tcp eq ssh
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class class_sqlnet
  inspect sqlnet
!
service-policy global_policy global
Cryptochecksum:dc71c886459cca3e19e24bb55bb94a33
: end
Alan Huseyin Kayahan

try
no access-list 1 extended permit 22 any any
access-list 1 permit tcp any host 172.31.1.10 eq ssh

regards
actually you have two problems here. MrHusy's solution will not fix the issue and, further, is technically incorrect in several respects.

1) on both ACLs you are allowing IP protocol 22 (for comparison, TCP is protocol number 6, UDP is 17; 22 is, well, nothing useful). so, you need to change your ACL from allowing protocol 22 to allowing TCP port 22 as the destination port. to do so, you need to make this change:

 access-list server-access extended permit tcp host 172.31.1.16 host 172.31.1.10 eq 22
 no access-list server-access extended permit 22 host 172.31.1.16 host 172.31.1.10

2) you have configured an ACL on the high-security interface (access-list 1).  configuring an ACL on the high-security interface has the effect of overriding the default "permit any any."  

that is, by default a PIX/ASA will allow all connections initiated from a high-sec interface destined for a lower-sec interface (and records the state of the connection so as to allow only the return traffic coming in on the low-sec interface) and deny connections initiated from low-sec to high-sec. you can override both of these behaviors by applying ACLs to the respective interfaces.

so when you apply ACL 1 to the servers interface, you have just allowed ICMP and IP protocol 22, and denied all other traffic originating from the servers interface (yes, all outbound server traffic!). if what you really intended to do is allow the servers to respond to allowed SSH connections and originate any ICMP "connections," then all you need to do is:

no access-list 1 extended permit 22 any any

you don't need to add "access-list 1 permit tcp any host 172.31.1.10 eq 22" as MrHusy suggests, for two reasons: 1) the connection is originating from the banks interface, and the ASA will record the state of the connection and allow return traffic from the servers interface dynamically; and 2) the correct (though unneeded) statement would have been "access-list 1 permit tcp host 10.0.0.2 eq ssh any", since, being applied to the servers interface, you would have needed to specify the server address/SSH port as the source tuple, not the destination. what you are saying there is "allow traffic to ingress the servers interface if it is from the host 10.0.0.2 (even though it will later be NATted) to any destination." but again, this statement is unnecessary, as the desired behavior is already accounted for by the "server-access" ACL.

assuming you want to allow the default behavior (devices on the "servers" interface can initiate any connection to a lower security interface, but NOT vice versa), the correct config (changes only) is attached below.

also, a piece of advice: get used to thinking about ASA ACLs in terms of the interface you apply them to, not the traffic you want to allow. for example, you are applying the ACL to the "banks" interface. even though you are intending to allow access from the banks to the servers, you need to be aware that any ACL applied to that interface will affect access from "banks" devices to any other network. specifically, unless you add an entry (or entries) to allow traffic to lower-sec interfaces, it will be denied (e.g., with your config, all traffic originating from "banks" to devices behind interface ethernet0/3 will now be denied, even though e0/3 is a lower-sec interface).
clear config access-list server-access extended permit 22 host 172.31.1.16 host 172.31.1.10
clear config access-list 1 extended permit icmp any any
 
access-list BANK_ACCESS extended permit tcp any host 172.31.1.10 eq 22
access-list BANK_ACCESS extended permit icmp any host 172.31.1.10
 
no access-group 1 in interface servers
no access-group server-access in interface banks
 
access-group BANK_ACCESS in int banks
 
!---if you want to deny all server-initiated traffic except ICMP, delete this line and all "!" below
! access-list SERVER_ACCESS ext perm icmp any any
! access-group SERVER_ACCESS in int servers


oops, corrected config below
no access-group 1 in interface servers
no access-group server-access in interface banks
 
clear config access-list server-access 
clear config access-list 1 
 
access-list BANK_ACCESS extended permit tcp any host 172.31.1.10 eq 22
access-list BANK_ACCESS extended permit icmp any host 172.31.1.10
 
access-group BANK_ACCESS in int banks
 
!---if you want to deny all server-initiated traffic except ICMP, delete this line and all "!" below
! access-list SERVER_ACCESS ext perm icmp any any
! access-group SERVER_ACCESS in int servers
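As an added illustration (not from the thread and not Cisco code), here is a small Python model of how a pre-8.3 ASA such as the 7.0(6) box above decides on the first packet of a new connection: the inbound ACL if one is bound to the ingress interface, otherwise the security-level default. It reproduces the two faults described in the answer above (protocol 22 versus TCP port 22, and ACL 1 killing all server-originated traffic) and also checks the per-host 8001/8002 entries the follow-up question asks about; it assumes the banks-side ACL sees the server's translated address 172.31.1.10, as the answer's config does, and that the 172.16.x sources arrive unchanged through the router.

```python
from dataclasses import dataclass
# Security levels from the thread's config (ethernet0/3 has no nameif, so it is left out).
IFACE_LEVEL = {"servers": 100, "local": 60, "banks": 30}

@dataclass(frozen=True)
class Ace:
    proto: str                        # "tcp", "icmp", "ip", or a bare IP protocol number like "22"
    src: str = "any"                  # "any" or a host address
    dst: str = "any"
    dport: "int | None" = None        # destination port (tcp/udp only)
# A packet is (proto, src, dst, dport). Constructed sample flows used below.
BANK_SSH = ("tcp", "172.31.1.16", "172.31.1.10", 22)    # bank host to the server's translated address
SERVER_OUT = ("tcp", "10.0.0.2", "172.31.1.16", 80)     # server-originated connection towards a bank
BANK_8001 = ("tcp", "172.16.1.1", "172.31.1.10", 8001)  # the asker's follow-up requirement

def ace_matches(ace: Ace, pkt) -> bool:
    proto, src, dst, dport = pkt
    # "permit 22" names IP protocol 22 (neither TCP=6 nor ICMP=1), so only "permit tcp ... eq 22" matches SSH.
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src not in ("any", src) or ace.dst not in ("any", dst):
        return False
    return ace.dport is None or ace.dport == dport

def allow_new_conn(in_iface, out_iface, pkt, acls, groups) -> bool:
    """New connection entering in_iface; groups: interface -> inbound ACL name, acls: name -> [Ace]."""
    name = groups.get(in_iface)
    if name is not None:
        # An inbound ACL replaces the security-level default; anything unmatched is denied.
        return any(ace_matches(a, pkt) for a in acls[name])
    # No ACL: higher-to-lower security permitted, reverse denied; return packets of a permitted
    # connection are handled by the state table, not here.
    return IFACE_LEVEL[in_iface] > IFACE_LEVEL[out_iface]

def original_config():
    acls = {"server-access": [Ace("22", "172.31.1.16", "172.31.1.10")],
            "1": [Ace("icmp"), Ace("22")]}
    groups = {"banks": "server-access", "servers": "1"}
    return (allow_new_conn("banks", "servers", BANK_SSH, acls, groups),    # SSH denied
            allow_new_conn("servers", "banks", SERVER_OUT, acls, groups))  # all outbound denied

def corrected_config():
    # BANK_ACCESS from the answer, extended with the per-host port entries of the follow-up.
    acls = {"BANK_ACCESS": [Ace("tcp", dst="172.31.1.10", dport=22), Ace("icmp", dst="172.31.1.10"),
                            Ace("tcp", "172.16.1.1", "172.31.1.10", 8001),
                            Ace("tcp", "172.16.15.1", "172.31.1.10", 8002)]}
    groups = {"banks": "BANK_ACCESS"}  # nothing bound on "servers": default outbound permit stays
    return (allow_new_conn("banks", "servers", BANK_SSH, acls, groups),
            allow_new_conn("servers", "banks", SERVER_OUT, acls, groups),
            allow_new_conn("banks", "servers", BANK_8001, acls, groups),
            allow_new_conn("banks", "servers", ("tcp", "172.16.15.1", "172.31.1.10", 8001), acls, groups))
```

The last case shows the per-host entries are exact: 172.16.15.1 gets 8002 but not 8001, which is the behavior the programmer's request implies.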


oamal2001 (ASKER)

Hi,
Thanks, I will rearrange the configuration today. The programmer is now asking me to allow specific servers in the banks zone to access the database server in the servers zone on a specified port, for example:
1- server 172.16.1.1 to access 10.0.0.2 on port 8001
2- server 172.16.15.1 to access 10.0.0.2 on port 8002
Of course, all are accessing through a Cisco 3845 router. Can I use the same procedure you recommended before?

Thanks,
Sorry,

I forgot to ask:
Do I need to remove the NAT?
global (banks) 1 172.31.1.100-172.31.1.175
nat (servers) 1 10.0.0.0 255.255.255.0 tcp 1 0
And is it possible to do a second NAT for the same server, for example 10.0.0.2--172.31.1.10--10.100.100.2?
And do you think it will improve security?

Thanks,
"2) the correct (though unneeded) statement would have been "access-list 1 permit tcp host 10.0.0.2 eq ssh any,"
no, it is not the correct statement of my ACL; it can be easily understood that I just missed the interface :) so the correction is the following

no access-group 1 in interface servers
access-group 1 in interface banks


No, you shouldn't delete your global command and NAT.
Would you please explain what you mean by "And is it possible to do a second NAT for the same server, for example 10.0.0.2--172.31.1.10--10.100.100.2"?

Regards
Thanks all
OK,
I mean, if I did a static NAT for server 10.0.0.2 to 172.31.1.10, which I already made on the ASA, and then did a NAT for 172.31.1.10 on the router that connects the banks interface, in case I want to give a different IP address for the server for each bank. Do you think it will work?

Thanks,
ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan

This solution is only available to members.