DMZ access on ASA Firewall

Unable to access any devices in my DMZ from the outside.

interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.3.0.254 255.255.255.0

access-list outside extended permit tcp any host 207.136.182.30 eq https
access-list outside extended permit tcp any host 207.136.182.30 eq www

access-list dmzTOinside extended permit ip host mail any
access-list dmzTOinside extended permit ip host mail2 any
access-list dmzTOinside extended permit tcp any host 10.1.200.44 eq 1500
access-list dmzTOinside extended permit tcp host kowa2k3 host ktrend02 eq 8080
access-list dmzTOinside extended permit tcp host kowa2k3 host ktrend02 eq 4343
access-list dmzTOinside extended permit tcp host kowa2k3 host ktrend2 eq 8080
access-list dmzTOinside extended permit tcp host kowa2k3 host ktrend2 eq 4343
access-list dmzTOinside extended permit tcp host kowa2k3 host kentmail03 eq www
access-list dmzTOinside extended permit tcp host kowa2k3 host kentmail03 eq 691
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc02 eq ldap
access-list dmzTOinside extended permit tcp host kowa2k3 host 10.1.200.113 eq www
access-list dmzTOinside extended permit tcp host kowa2k3 host 10.1.200.113 eq 8530
access-list dmzTOinside extended permit tcp host kowa2k3 host 10.1.200.113 eq https
access-list dmzTOinside extended permit tcp host kowa2k3 host kentmail04 eq www
access-list dmzTOinside extended permit tcp host kowa2k3 host kentmail04 eq 691
access-list dmzTOinside extended permit udp host kowa2k3 host kdc02 eq 389
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc02 eq 3268
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc02 eq 88
access-list dmzTOinside extended permit udp host kowa2k3 host kdc02 eq 88
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc02 eq domain
access-list dmzTOinside extended permit udp host kowa2k3 host kdc02 eq domain
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc02 eq 135
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc04 eq ldap
access-list dmzTOinside extended permit udp host kowa2k3 host kdc04 eq 389
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc04 eq 3268
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc04 eq 88
access-list dmzTOinside extended permit udp host kowa2k3 host kdc04 eq 88
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc04 eq domain
access-list dmzTOinside extended permit udp host kowa2k3 host kdc04 eq domain
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc04 eq 135
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc03 eq ldap
access-list dmzTOinside extended permit udp host kowa2k3 host kdc03 eq 389
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc03 eq 88
access-list dmzTOinside extended permit udp host kowa2k3 host kdc03 eq 88
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc03 eq 135
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc01 eq ldap
access-list dmzTOinside extended permit udp host kowa2k3 host kdc01 eq 389
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc01 eq 88
access-list dmzTOinside extended permit udp host kowa2k3 host kdc01 eq 88
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc01 eq 135
access-list dmzTOinside extended permit tcp host rowkeeper host ktrend02 eq 8080
access-list dmzTOinside extended permit tcp host rowkeeper host ktrend02 eq 4343
access-list dmzTOinside extended permit tcp host rowkeeper host ktrend2 eq 8080
access-list dmzTOinside extended permit tcp host rowkeeper host ktrend2 eq 4343
access-list dmzTOinside extended permit tcp host cicada host ktrend02 eq 8080
access-list dmzTOinside extended permit tcp host cicada host ktrend02 eq 4343
access-list dmzTOinside extended permit tcp host cicada host ktrend2 eq 8080
access-list dmzTOinside extended permit tcp host cicada host ktrend2 eq 4343
access-list dmzTOinside extended permit tcp host treebenefits host ktrend02 eq 8080
access-list dmzTOinside extended permit tcp host treebenefits host ktrend02 eq 4343
access-list dmzTOinside extended permit tcp host treebenefits host ktrend2 eq 8080
access-list dmzTOinside extended permit tcp host treebenefits host ktrend2 eq 4343
access-list dmzTOinside extended permit tcp host fpl_rowkeeper host ktrend02 eq 8080
access-list dmzTOinside extended permit tcp host fpl_rowkeeper host ktrend02 eq 4343
access-list dmzTOinside extended permit tcp host fpl_rowkeeper host ktrend2 eq 8080
access-list dmzTOinside extended permit tcp host fpl_rowkeeper host ktrend2 eq 4343
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc02 range 1024 65535
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc04 range 1024 65535
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc03 range 1024 65535
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc01 range 1024 65535
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc02 range 137 netbios-ssn
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc04 range 137 netbios-ssn
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc03 range 137 netbios-ssn
access-list dmzTOinside extended permit tcp host kowa2k3 host kdc01 range 137 netbios-ssn
access-list dmzTOinside extended permit tcp host kowa2k3 host kentmail03 range 137 netbios-ssn
access-list dmzTOinside extended permit tcp host kowa2k3 host kentmail04 range 137 netbios-ssn
access-list dmzTOinside extended permit icmp host kowa2k3 any
access-list dmzTOinside extended deny ip any 10.1.0.0 255.255.0.0
access-list dmzTOinside extended permit ip any any

global (outside) 1 interface
nat (inside) 0 access-list nonat-vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat-vpn
nat (dmz) 1 0.0.0.0 0.0.0.0

static (dmz,outside) 207.136.182.4 mail2 netmask 255.255.255.255 dns
static (dmz,outside) 207.136.182.3 mail netmask 255.255.255.255 dns
static (dmz,outside) 207.136.182.7 ftp.davey.com netmask 255.255.255.255
static (dmz,outside) 207.136.182.8 10.3.0.7 netmask 255.255.255.255
static (dmz,outside) 207.136.182.21 rowkeeper netmask 255.255.255.255
static (dmz,outside) 207.136.182.22 cicada netmask 255.255.255.255
static (dmz,outside) 207.136.182.24 treebenefits netmask 255.255.255.255 dns
static (dmz,outside) 207.136.182.25 fpl_rowkeeper netmask 255.255.255.255 dns
static (dmz,outside) 207.136.182.30 kowa2k3 netmask 255.255.255.255 dns

access-group dmzTOinside in interface dmz

Asked by dtadmin

dtadmin (Author) commented:
207.136.182.30 is what I am focusing on. If I can figure out why I cannot access that, then the other devices will more than likely work as well.
 
nodisco commented:
Hi there

From what you have posted, you don't have the outside ACL applied to anything yet.
Where "outside" is the name of your ASA outside interface:
access-group [acl-name] direction interface [interface name]

e.g.
access-group outside in interface outside

hth
 
dtadmin (Author) commented:
access-group outside in interface outside

I did have it applied, just not posted... sorry.
 
nodisco commented:
Are you testing it from inside your ASA? Your ACLs are configured correctly.
Test it externally first, as it replies to me OK on https.

 
dtadmin (Author) commented:
I just built an ACL called "dmz":

access-list dmz extended permit ip any any

and applied it to the dmz interface. Now access works.

Not sure why my ACL doesn't work. I moved from a PIX 515 to an ASA 5520 with the same config. Does the ASA do something different than the PIX in relation to ACLs?

 
nodisco commented:
Most likely something in your existing dmz ACL is stopping the traffic. If you put back your old ACL and try it again, check the logs on the denies you are seeing; it will tell you what is stopping it. The new ACL you have put in is allowing all out, so it's not stopping the traffic back out.

Typically, I set up the DMZ to allow the required ports inside and block everything else inside, and then allow all else outside (unless the machines should only have specific access).
 
dtadmin (Author) commented:
How do I check the logs for the denies?
 
nodisco commented:
Turn on logging, set the logging level and:
sh log

This will show the logging level and the recent events. Best bet would be to set up a syslog server (Kiwi Syslog) and output the detail to it, but for a quick look, as long as your logging is on and using the right logging level:
Informational will show you everything that is happening with sessions.
Notifications is just denies etc., easier to find your traffic.

e.g.
logging on
logging timestamp
logging monitor errors
logging buffered notifications

Use the old ACL.
When it doesn't work, type sh log real quick and you will find your ACL deny.

hth
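As an added example (not part of the thread), the following Python script pulls the ACL deny messages out of the `sh log` output described above and counts them per access-group, so the rule stopping the traffic stands out. The sample lines are constructed (timestamps and the outside client 198.51.100.7 are made up); the ACL names and addresses are the ones from this thread, and the two message formats handled, 106023 and 106100, are the standard ASA access-list deny messages.

```python
import re
from collections import Counter

# Constructed sample of what `sh log` might show while testing with the
# original dmzTOinside ACL in place. Only the deny messages matter here;
# the 302013 "Built connection" line is present to show it is ignored.
SAMPLE_LOG = """\
Mar 03 2009 10:15:01: %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst dmz:207.136.182.30/22 by access-group "outside" [0x0, 0x0]
Mar 03 2009 10:15:02: %ASA-4-106023: Deny tcp src dmz:10.3.0.7/445 dst inside:10.1.200.44/60001 by access-group "dmzTOinside" [0x0, 0x0]
Mar 03 2009 10:15:03: %ASA-4-106023: Deny icmp src dmz:10.3.0.7 dst inside:10.1.200.1 (type 8, code 0) by access-group "dmzTOinside" [0x0, 0x0]
Mar 03 2009 10:15:04: %ASA-6-106100: access-list dmzTOinside denied tcp dmz/10.3.0.7(3389) -> inside/10.1.200.50(3389) hit-cnt 1 first hit [0x0, 0x0]
Mar 03 2009 10:15:05: %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51235 (198.51.100.7/51235) to dmz:10.3.0.30/443 (207.136.182.30/443)
"""

# %ASA-4-106023: Deny <proto> src <if>:<addr>[/<port>] dst <if>:<addr>[/<port>] [(type N, code N)] by access-group "<acl>"
DENY_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\S+) src (?P<sif>[^:]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[^:]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?(?: \(type \d+, code \d+\))? '
    r'by access-group "(?P<acl>[^"]+)"')
# %ASA-6-106100: access-list <acl> denied <proto> <if>/<addr>(<port>) -> <if>/<addr>(<port>) ...
DENY_106100 = re.compile(
    r'%ASA-\d-106100: access-list (?P<acl>\S+) denied (?P<proto>\S+) '
    r'(?P<sif>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> (?P<dif>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\)')


def parse_denies(log_text):
    """Return one dict (proto, sif, src, sport, dif, dst, dport, acl) per ACL deny line."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_106023.search(line) or DENY_106100.search(line)
        if m:
            denies.append(m.groupdict())
    return denies


def denies_per_acl(denies):
    """Count denies by the access-group that produced them: the ACL to inspect first."""
    return Counter(d["acl"] for d in denies)


def denies_per_flow(denies):
    """Count denies by (acl, in-interface, out-interface, proto, dst, dport) to see which rule is missing."""
    return Counter((d["acl"], d["sif"], d["dif"], d["proto"], d["dst"], d["dport"]) for d in denies)


if __name__ == "__main__":
    found = parse_denies(SAMPLE_LOG)
    for acl, n in denies_per_acl(found).most_common():
        print(f"{n:4d} denies by access-group {acl}")
    for flow, n in denies_per_flow(found).most_common():
        print(f"{n:4d}  {flow}")
```

Feed it the buffered log (`sh log` output) captured while reproducing the failure with the old ACL; a deny credited to "dmzTOinside" toward 10.1.0.0/16 points at the explicit deny near the end of that ACL, whereas a deny credited to "outside" means the inbound rule itself did not match.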