Solved

Allow access from inside interface to new (P) DMZ interface on Cisco ASA 5505

Posted on 2009-06-29
Last Modified: 2012-06-27
Hi all,

Bit of background on what I'm trying to do. I have a Cisco ASA 5505 firewall with a 20, DMZ unrestricted license (Security Plus, unlimited inside hosts).

I've created an interface called PDMZ for what I will be using as a Production DMZ. The idea is that I will have reverse proxy sitting in here routing requests to the inside network.

I've created the interface, but cannot get it to allow certain traffic (like port 80) or ICMP back into the inside interface.

I've attached my ASA config below.

Any help will be gratefully received - Mike
: Saved
:
ASA Version 7.2(3) 
!
hostname blah
domain-name ####
enable password #### encrypted
names
name 172.18.231.0 IPVPN
name 172.18.241.5 CONDIR 
name 172.19.0.3 DMZ-SMTP 
name 172.19.0.4 DMZ-SFTP 
name 172.19.0.5 DMZ-FTP 
name 172.18.200.2 RIGEL
name 172.18.200.4 CAPELLA 
name 172.19.0.7 GSTAR 
name 172.18.200.14 CRM
name 172.18.200.13 Sharepoint
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.18.0.2 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 123.456.789.111 255.255.255.240 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.19.0.2 255.255.255.0 
!
interface Vlan13
 nameif pdmz
 security-level 100
 ip address 172.10.0.2 255.255.0.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 13
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd #### encrypted
ftp mode passive
dns domain-lookup dmz
dns server-group DefaultDNS
 domain-name #####
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service StndInternet tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
access-list outside_access_in 
access-list outside_access_in extended deny ip host #### any 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq smtp 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host Sharepoint eq https 
access-list outside_access_in 
access-list outside_access_in  
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq 8001 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq ftp 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq ftp-data 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq 2773 
access-list outside_access_in extended permit tcp host 123.456.789.111 host 172.18.230.97 range 6000 60063 inactive 
access-list outside_access_in 
access-list outside_access_in extended deny ip host ##### any 
access-list outside_access_in 
access-list outside_access_in 
access-list inside_nat0_outbound extended permit ip host 123.456.789.111 IPVPN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host 123.456.789.111 IPVPN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any IPVPN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host CONDIR host #### 
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0 
access-list VPNNET_splitTunnelAcl standard permit host 123.456.789.111 
access-list VPN_splitTunnelAcl standard permit any 
access-list inside_outbound_nat_acl extended permit ip any IPVPN 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit ip any IPVPN 255.255.255.0 
access-list outside_1_cryptomap extended permit ip host CONDIR host #### 
access-list outside_2_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0 
access-list dmz_access_in extended permit ip any any 
access-list dmz_access_out extended permit ip any any 
access-list pdmz_access_out extended permit tcp any host RIGEL 
access-list acl_pdmz_to_inside extended permit ip any any 
access-list pdmz_in extended permit ip any any 
access-list pdmz_access_out_1 extended permit ip any interface inside inactive 
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply inactive 
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded inactive 
access-list OUTSIDE_IN_ACL extended permit icmp any any echo inactive 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu pdmz 1500
ip local pool IPVPN 172.18.231.1-172.18.231.254
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface pdmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.18.0.0 255.255.0.0
nat (dmz) 1 172.19.0.0 255.255.0.0
nat (pdmz) 1 172.10.0.0 255.255.0.0
static (dmz,outside) 123.456.789.111 DMZ-SFTP netmask 255.255.255.255 
static (dmz,outside) 123.456.789.111 DMZ-FTP netmask 255.255.255.255 
static (inside,outside) 123.456.789.111 RIGEL netmask 255.255.255.255 
static (inside,outside) 123.456.789.111 CAPELLA netmask 255.255.255.255 
static (inside,dmz) 123.456.789.111 172.18.0.0 netmask 255.255.0.0 
static (inside,dmz) 123.456.789.111 DMZ-SMTP netmask 255.255.255.255 
static (dmz,outside) 123.456.789.111 GSTAR netmask 255.255.255.255 
static (inside,outside) 123.456.789.111 CRM netmask 255.255.255.255 
static (inside,outside) 123.456.789.111 Sharepoint netmask 255.255.255.255 
static (dmz,outside) 123.456.789.111 172.19.0.2 netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
access-group pdmz_in in interface pdmz
access-group pdmz_access_out out interface pdmz
route outside 0.0.0.0 0.0.0.0 123.456.789.111 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
filter java 81 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 
filter activex 813 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 
http server enable
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs 
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs 
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs 
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs 
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs 
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer ####
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer ####
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.18.0.3-172.18.1.2 inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect h323 ras 
  inspect pptp 
!
service-policy global_policy global
group-policy NETWORK internal
group-policy NETWORK attributes
 wins-server value 172.18.200.1
 dns-server value 172.18.200.1
 vpn-tunnel-protocol IPSec 
 
 vpn-group-policy NETWORK
 
 
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group NETWORK type ipsec-ra
tunnel-group NETWORK general-attributes
 address-pool IPVPN
 default-group-policy NETWORK
tunnel-group NETWORK ipsec-attributes
 pre-shared-key *
tunnel-group 123.456.789.111 type ipsec-l2l
tunnel-group 123.456.789.111 ipsec-attributes
 pre-shared-key *
tunnel-group 123.456.789.111 type ipsec-l2l
tunnel-group 123.456.789.111 ipsec-attributes
 pre-shared-key *
smtp-server 172.18.200.2
prompt hostname context 
Cryptochecksum:585c0c1b2348587143153660a223357a
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
Question by:capcap
1 Comment

Accepted Solution

by:
3nerds earned 500 total points
ID: 24737051
For same-security-level traffic to work properly, with PAT in place, you still have to tell it not to NAT the traffic flowing out the inside interface. Add rules to the no-NAT ACL so that it knows not to NAT traffic from the inside to the pdmz.

There was a question I worked on a bit ago that was having a similar problem.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24491457.html

Good Luck,

3nerds
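As an added worked example (not part of the thread or the poster's config), this is 3nerds' advice applied to the posted addressing: the existing NAT statements that cause the problem, the exemption entry for inside to pdmz, and a matching exemption on pdmz for the reverse proxy's own connections back to inside. The pdmz-side exemption and the packet-tracer checks are assumptions beyond what the answer states, and 172.10.0.5 is a constructed sample host.

```cisco
! --- already present in the posted config ---
same-security-traffic permit inter-interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.18.0.0 255.255.0.0
nat (pdmz) 1 172.10.0.0 255.255.0.0
global (outside) 1 interface
!
! --- add: exempt inside -> pdmz from NAT (the answer's advice, with the posted subnets) ---
! Without this, inside hosts match "nat (inside) 1" and there is no global on pdmz.
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.0.0 172.10.0.0 255.255.0.0
!
! --- assumed counterpart: reverse proxy in pdmz opening connections to inside ---
! (not stated in the answer; pdmz hosts match "nat (pdmz) 1" and there is no global on inside)
access-list pdmz_nat0_outbound extended permit ip 172.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0
nat (pdmz) 0 access-list pdmz_nat0_outbound
!
! --- apply and verify ---
! drop existing translations so the new exemptions are evaluated
clear xlate
! 172.10.0.5 is a constructed sample reverse-proxy host; RIGEL (172.18.200.2) is from the posted names
packet-tracer input pdmz tcp 172.10.0.5 40000 172.18.200.2 80
packet-tracer input inside icmp 172.18.200.2 8 0 172.10.0.5
```

Both packet-tracer runs should show the NAT phase matching the exemption (untranslated) and an ALLOW result; if either still fails, the ACLs bound with access-group on pdmz and inside are the next thing to inspect.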