• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 446
  • Last Modified:

Problems with DMZ Access

I'm trying to allow my internal users to be able to RDP to our DMZ as well as allow HTTPS access between our inside network and DMZ and vice versa.  I'm assuming i would need a NAT between the two?


:
ASA Version 7.2(4)
!
hostname
domain-name
enable password  encrypted
passwd  encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
banner exec  
boot system disk0:/asa724-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 64.80.223.226
 name-server 10.0.0.6
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SMB tcp
 description SMB TCP
 port-object eq 445
 port-object eq netbios-ssn
object-group service SMBUDP udp
 description SMB UDP
 port-object eq netbios-dgm
 port-object eq netbios-ns
 port-object eq 445
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list Outside_access_in remark NTP UDP
access-list Outside_access_in remark NTP TCP
access-list Outside_access_in remark Ping
access-list Outside_access_in remark SMB TCP
access-list Outside_access_in extended permit tcp any object-group SMB any object-

group SMB
access-list Outside_access_in remark SMB UDP
access-list Outside_access_in extended permit udp any object-group SMBUDP any object-

group SMBUDP
access-list Outside_access_in remark SMTP
access-list Outside_access_in remark Terminal Services
access-list Outside_access_in extended permit tcp any host  eq www
access-list Outside_access_in extended permit tcp any host  eq domain
access-list Outside_access_in extended permit tcp any host  eq 8800
access-list Outside_access_in extended permit tcp any host  eq 2703
access-list Outside_access_in extended permit tcp any host  eq 6277
access-list Outside_access_in extended permit tcp any host  eq ftp
access-list Outside_access_in extended permit udp any host  eq domain
access-list Outside_access_in extended permit udp any host  eq ntp
access-list Outside_access_in extended permit tcp any host  eq ftp
access-list Outside_access_in extended permit tcp any host  eq 3389
access-list Outside_access_in extended permit ip 170.0.0.0 255.0.0.0 10.0.0.0

255.255.255.0
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any host  eq smtp
access-list Outside_access_in extended permit tcp any host  eq https
access-list Outside_access_in extended permit tcp any host  eq 3389
access-list capin extended permit tcp any any eq smtp
access-list capin extended permit ip any host 170.30.108.138
access-list capin extended permit ip host 170.30.108.138 any
access-list capin extended permit icmp any any
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 170.30.0.0 255.255.0.0
access-list capout2 extended permit ip any host 63.138.90.180
access-list capout2 extended permit ip host 63.138.90.180 any
access-list capout2 extended permit icmp any any
access-list capin5 extended permit ip host 10.0.0.252 any
access-list capin5 extended permit ip any host 10.0.0.252
access-list capout5 extended permit ip any host
access-list capout5 extended permit ip host  any
access-list DMZ_access_in extended permit tcp any host 172.16.0.20 eq https
access-list DMZ_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip any any
access-list Outside_access-in extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0

255.0.0.0
access-list Outside_access-in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging asdm informational
logging from-address
logging recipient-address  level errors
logging recipient-address  level errors
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
icmp permit any DMZ
asdm image disk0:/pdm
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (Inside) 1 interface
nat (Inside) 1 10.0.0.0 255.255.255.0
static (Inside,Outside) tcp  www 10.0.0.6 www netmask 255.255.255.255
static (Inside,Outside) tcp  domain 10.0.0.6 domain netmask

255.255.255.255
static (Inside,Outside) udp  domain 10.0.0.6 domain netmask

255.255.255.255
static (Inside,Outside) tcp  2703 10.0.0.6 2703 netmask 255.255.255.255
static (Inside,Outside) tcp  6277 10.0.0.6 6277 netmask 255.255.255.255
static (Inside,Outside) udp  ntp 10.0.0.6 ntp netmask 255.255.255.255
static (Inside,Outside) tcp  ftp 10.0.0.4 ftp netmask 255.255.255.255
static (Inside,Outside) tcp  ftp 10.0.0.201 ftp netmask 255.255.255.255
static (Inside,Outside) tcp  smtp 10.0.0.6 smtp netmask 255.255.255.255
static (Inside,Outside) tcp  3389 10.0.0.252 3389 netmask 255.255.255.255
static (DMZ,Outside) tcp  https 172.16.0.20 https netmask 255.255.255.255
static (Inside,Inside) 10.10.108.138  netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0  1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 192.168.1.0 255.255.255.0 management
http 10.0.0.19 255.255.255.255 Inside
http 10.0.0.77 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
telnet 0.0.0.0 0.0.0.0 Outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 20
console timeout 0
management-access Outside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server 192.5.41.41 source Outside prefer
username root password  encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 10.0.0.6
prompt hostname context
Cryptochecksum:
: end


0
EODJack
Asked:
EODJack
  • 3
  • 2
1 Solution
 
batry_boyCommented:
Yes, you will need to NAT between the interfaces.  Try this:

static (Inside, DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

See if that helps...
0
 
EODJackAuthor Commented:
Would it be:

static (Inside, DMZ) 172.16.0.0 10.0.0.0 netmask 255.255.255.0

?
0
 
EODJackAuthor Commented:
After I added the NAT for RDP I would simply need to add an ACL to the DMZ_access_In to permit RDP correct?
0
 
batry_boyCommented:
No, because that statement would perform a one-to-one static translation for every host on the inside network, in other words:

10.0.0.1 -> 172.16.0.1
10.0.0.2 -> 172.16.0.2
.
.
10.0.0.254 -> 172.16.0.254

The statement I gave would actually translate each 10.0.0.x inside address back to itself when sending traffic to the DMZ interface:

10.0.0.1 -> 10.0.0.1
etc. etc.

Any host on the DMZ would see traffic coming from a 10.0.0.x host and then be able to send return traffic back to it...make sense?
0
 
batry_boyCommented:
Yes, if you want RDP and HTTPS to be allowed inbound from the DMZ to the inside, then you would need an ACL allowing this traffic.  For instance, if there was a host 10.0.0.10 on the inside that you wanted to allow RDP from the DMZ host 172.16.0.20, then you would use:

access-list DMZ_access_in permit tcp host 172.16.0.20 host 10.0.0.10 eq 3389
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now