  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1154

Basic NAT + ACL question. Access from DMZ to inside

Hi ...

I have an ASA 5510 with inside, DMZ and outside interfaces. I use one public IP address on the outside interface, which uses PAT to reach the mail and web servers on the DMZ. There's a dynamic NAT for the inside hosts to a different public IP address, so that they can get to the internet. There's also a NAT from the LAN to the DMZ so that the users can read their emails and corporate web pages. The outside interface is full of ACLs permitting only valid traffic to the DMZ servers. Everything works (the configuration is a mess, but it works), but now I need to be able to access a host in the LAN from one server in the DMZ, and I don't really know how to do it. My questions are, when trying to access the internal IP address from the DMZ server:

1. Should I use the local IP address of the host in the inside network, or do I need some kind of static NAT from the LAN to the DMZ so that the host can be seen in the DMZ? I guess I need a NAT, but I'm not sure.

2. Do I need an outgoing ACL on the DMZ interface or an incoming ACL on the inside? I guess an outgoing one on the DMZ, but I'm not sure either.

3. I still want users in the inside network to be able to get to the DMZ servers. If I have an ACL to permit traffic from the DMZ server to the inside host, how do I avoid implicitly denying all other hosts access to the DMZ servers?

I could post the configuration, but it is an absolute mess and truly embarrassing. I need time to sit down and start from scratch with it.
0
Asked by: S1stem4s
2 Solutions
 
ricks_v commented:
1. Should I use the local IP address of the host in the inside network, or do I need some kind of static NAT from the LAN to the DMZ so that the host can be seen in the DMZ? I guess I need a NAT, but I'm not sure.
A. Since they both are on the inside, I would simply use the inside network address.

2. Do I need an outgoing ACL on the DMZ interface or an incoming ACL on the inside? I guess an outgoing one on the DMZ, but I'm not sure either.
A. Apply an outgoing ACL on the outside interface.
ACL understanding:
interface inside incoming = LAN   ---->   (inside) ASA (dmz)----- dmz
interface inside outgoing = LAN   <----   (inside) ASA (dmz)----- dmz
interface dmz outgoing = LAN   ----   (inside) ASA (dmz)-----> dmz
interface dmz incoming = LAN   ----   (inside) ASA (dmz)<----- dmz

3. I still want users in the inside network to be able to get to the DMZ servers. If I have an ACL to permit traffic from the DMZ server to the inside host, how do I avoid implicitly denying all other hosts access to the DMZ servers?
A. This will not affect access from the LAN to the DMZ network.
You will have to modify the DMZ outgoing ACLs to deny hosts from getting to the DMZ servers.

As always, make sure you make a backup before any changes.
Good luck.
0
 
S1stem4s (Author) commented:
Thanks but I still have some concerns ...

1. Both machines are not on the inside, just the destination host. The source is the server in the DMZ. I think I need a static NAT, but since the inside already has a NAT I don't know if I need a different one or if I can use the same one.

2. Why does the outside interface have to be involved in this communication if it is between the DMZ and the inside? Is that how the ASA works?

3. I tried it, and the only thing that worked was the communication between the inside host and the DMZ server, since only this server is allowed to get into the inside and only to this host. It implicitly denies everything else; that's my big problem, I think. I don't know how to write this ACL.

Thanks again!
0
 
ricks_v commented:
1. Sorry, I didn't mean both are on the inside; I meant both are not on the outside.
The LAN already has access to the DMZ, so we can leave this.

Alternatively, you can issue a static NAT command for the single host on the LAN. This way, you do not need any ACL (just use one available address on the DMZ and static NAT it to the single host in the LAN), so the host in the DMZ will access the newly created DMZ IP address instead of the actual LAN host IP address.

2. Sorry again, I meant apply an outgoing ACL on the INSIDE interface.

3. I will try posting an example config..
0
ricks_v commented:
If using an ACL:
#access-list inside_access_out extended permit ip host x.x.x.x host y.y.y.y
Note: inside_access_out may be different, depending on the name you used in the access-group command.

If using NAT:
#static (inside,dmz) x.x.x.x y.y.y.y netmask z.z.z.z 0 0

x = DMZ host
y = inside host
z = subnet mask (will be 255.255.255.255 as it's a single host)
0
 
S1stem4s (Author) commented:
The problem is not in the NAT, I think. The internal host address is translated to the DMZ correctly. The problem is in the ACL. I do need an ACL, since the inside interface has a security level of 90 and the DMZ has only 50. I don't think I need an outgoing ACL on the inside, since the security level of the DMZ is lower and therefore the traffic is permitted. I need an outgoing ACL on the DMZ interface so that it's able to communicate with a host on an interface with a higher security level, but if I do so, I'm implicitly denying all possible communication with the inside interface, given that the only permitted communication DMZ --> Inside is from the server in the DMZ to the inside host.
0
 
S1stem4s (Author) commented:
I found the solution myself. The configuration was completely messed up; I started from scratch and everything works now.

1. I had a double NAT in the configuration. When set up correctly, I used the internal IP address of the inside host.

2, 3. I need an incoming rule on the DMZ, permitting traffic to the internal host. Since this rule implicitly denies everything else, I added some ACLs to permit traffic from the DMZ to the outside interface. I don't need an ACL to go to the inside, since the traffic will be generated on a higher security level interface. I also don't need an ACL on the inside interface, since the problem is on the DMZ, which is a lower security level interface.
0
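To make the behaviour described in this thread concrete (security levels deciding by default, and the implicit deny that appears as soon as an inbound ACL is bound to the DMZ interface), here is an added Python model. It is my own illustration, not configuration from the thread, from Cisco or from the ASA itself: it parses pre-8.3 style access-list/access-group lines of the kind ricks_v posted and evaluates a few sample flows. The security levels 90 (inside) and 50 (DMZ) come from the thread; the outside level of 0, the ACL name, all addresses and the port are constructed assumptions, and NAT is deliberately not modelled.

```python
"""Constructed model of ASA interface ACL evaluation (pre-8.3 ACL syntax).

Decision order for a flow entering an interface:
  1. if an ACL is bound inbound on that interface, the first matching line
     decides and a flow matching no line hits the implicit deny;
  2. otherwise the security levels decide: higher -> lower is passed.
Addresses, ACL name, port and the outside level are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# inside=90 and dmz=50 are the values given in the thread; outside=0 is assumed.
SECURITY_LEVEL = {"inside": 90, "dmz": 50, "outside": 0}

# Constructed config: permit the one DMZ server to the one inside host, block
# everything else towards the LAN, and let the rest of the DMZ traffic fall
# through (so DMZ -> outside keeps working despite the implicit deny).
ASA_CONFIG = """
access-list dmz_in extended permit tcp host 192.168.50.10 host 10.10.10.20 eq 1433
access-list dmz_in extended deny ip any 10.10.10.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
"""

# Same config without the fall-through line: reproduces the asker's failure mode.
ASA_CONFIG_NO_FALLTHROUGH = "\n".join(
    line for line in ASA_CONFIG.splitlines() if "permit ip any any" not in line
)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]              # destination port from "eq N", if any


def _parse_addr(tokens, i):
    """Parse one address operand (any | host A | A MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Return ({acl_name: [Rule, ...]}, {interface: (acl_name, direction)})."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            src, i = _parse_addr(t, 5)
            dst, i = _parse_addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append(Rule(t[3], t[4], src, dst, port))
        elif t[0] == "access-group":
            bindings[t[4]] = (t[1], t[2])   # access-group NAME in interface IFC
    return acls, bindings


def permitted(acls, bindings, ingress, egress, proto, src, dst, dport=None):
    """Decide whether a flow arriving on `ingress` and leaving via `egress` is passed."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress in bindings and bindings[ingress][1] == "in":
        for r in acls[bindings[ingress][0]]:
            if (r.proto in ("ip", proto) and src_ip in r.src and dst_ip in r.dst
                    and (r.port is None or r.port == dport)):
                return r.action == "permit"
        return False                 # implicit deny at the end of every ACL
    # No inbound ACL: the security-level rule decides.
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


def demo(config=ASA_CONFIG):
    """Evaluate the sample flows against `config`; returns {flow: decision}."""
    acls, bindings = parse_config(config)
    flows = [
        ("dmz", "inside", "tcp", "192.168.50.10", "10.10.10.20", 1433),   # the one allowed path
        ("dmz", "inside", "tcp", "192.168.50.11", "10.10.10.20", 1433),   # another DMZ host: denied
        ("dmz", "outside", "tcp", "192.168.50.10", "203.0.113.5", 443),   # DMZ to internet
        ("inside", "dmz", "tcp", "10.10.10.33", "192.168.50.10", 443),    # LAN users to DMZ server
    ]
    return {f: permitted(acls, bindings, *f) for f in flows}


if __name__ == "__main__":
    for flow, ok in demo().items():
        print("PASS" if ok else "DROP", flow)
    print("DMZ -> outside without the fall-through line:",
          demo(ASA_CONFIG_NO_FALLTHROUGH)[("dmz", "outside", "tcp", "192.168.50.10", "203.0.113.5", 443)])
```

Running it shows the four flows as PASS, DROP, PASS, PASS, and the last line prints False: with only the single permit line bound inbound on the DMZ, the implicit deny silently drops DMZ-to-internet traffic, which is the symptom the asker ran into before adding the extra permits.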
