Solved

Allow access from inside interface to new (P) DMZ interface on Cisco ASA 5505

Posted on 2009-06-29
1
819 Views
Last Modified: 2012-06-27
Hi all,

Bit of background on what I'm trying to do. I have a Cisco ASA 5505 firewall with a 20, DMZ unrestricted license (Security Plus, unlimited inside hosts).

I've created an interface called PDMZ for what I will be using as a Production DMZ. The idea is that I will have reverse proxy sitting in here routing requests to the inside network.

I've created the interface, but can not get it to allow certain traffic (like port 80) or icmp back into the inside interface.

I've attached my ASA config below.

Any help will be gratefully received - Mike
: Saved

:

ASA Version 7.2(3) 

!

hostname blah

domain-name ####

enable password #### encrypted

names

name 172.18.231.0 IPVPN

name 172.18.241.5 CONDIR 

name 172.19.0.3 DMZ-SMTP 

name 172.19.0.4 DMZ-SFTP 

name 172.19.0.5 DMZ-FTP 

name 172.18.200.2 RIGEL

name 172.18.200.4 CAPELLA 

name 172.19.0.7 GSTAR 

name 172.18.200.14 CRM

name 172.18.200.13 Sharepoint

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 172.18.0.2 255.255.0.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 123.456.789.111 255.255.255.240 

!

interface Vlan3

 no forward interface Vlan1

 nameif dmz

 security-level 50

 ip address 172.19.0.2 255.255.255.0 

!

interface Vlan13

 nameif pdmz

 security-level 100

 ip address 172.10.0.2 255.255.0.0 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

 switchport access vlan 3

!

interface Ethernet0/3

 switchport access vlan 13

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd #### encrypted

ftp mode passive

dns domain-lookup dmz

dns server-group DefaultDNS

 domain-name #####

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service StndInternet tcp

 port-object eq ftp

 port-object eq ftp-data

 port-object eq www

 port-object eq https

access-list outside_access_in 

access-list outside_access_in extended deny ip host #### any 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq smtp 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host Sharepoint eq https 

access-list outside_access_in 

access-list outside_access_in  

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq 8001 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq ftp 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq ftp-data 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq 2773 

access-list outside_access_in extended permit tcp host 123.456.789.111 host 172.18.230.97 range 6000 60063 inactive 

access-list outside_access_in 

access-list outside_access_in extended deny ip host ##### any 

access-list outside_access_in 

access-list outside_access_in 

access-list inside_nat0_outbound extended permit ip host 123.456.789.111 IPVPN 255.255.255.0 

access-list inside_nat0_outbound extended permit ip host 123.456.789.111 IPVPN 255.255.255.0 

access-list inside_nat0_outbound extended permit ip any IPVPN 255.255.255.0 

access-list inside_nat0_outbound extended permit ip host CONDIR host #### 

access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0 

access-list VPNNET_splitTunnelAcl standard permit host 123.456.789.111 

access-list VPN_splitTunnelAcl standard permit any 

access-list inside_outbound_nat_acl extended permit ip any IPVPN 255.255.255.0 

access-list outside_cryptomap_dyn_20 extended permit ip any IPVPN 255.255.255.0 

access-list outside_1_cryptomap extended permit ip host CONDIR host #### 

access-list outside_2_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0 

access-list dmz_access_in extended permit ip any any 

access-list dmz_access_out extended permit ip any any 

access-list pdmz_access_out extended permit tcp any host RIGEL 

access-list acl_pdmz_to_inside extended permit ip any any 

access-list pdmz_in extended permit ip any any 

access-list pdmz_access_out_1 extended permit ip any interface inside inactive 

access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply inactive 

access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded inactive 

access-list OUTSIDE_IN_ACL extended permit icmp any any echo inactive 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu pdmz 1500

ip local pool IPVPN 172.18.231.1-172.18.231.254

no failover

monitor-interface inside

monitor-interface outside

monitor-interface dmz

monitor-interface pdmz

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.18.0.0 255.255.0.0

nat (dmz) 1 172.19.0.0 255.255.0.0

nat (pdmz) 1 172.10.0.0 255.255.0.0

static (dmz,outside) 123.456.789.111 DMZ-SFTP netmask 255.255.255.255 

static (dmz,outside) 123.456.789.111 DMZ-FTP netmask 255.255.255.255 

static (inside,outside) 123.456.789.111 RIGEL netmask 255.255.255.255 

static (inside,outside) 123.456.789.111 CAPELLA netmask 255.255.255.255 

static (inside,dmz) 123.456.789.111 172.18.0.0 netmask 255.255.0.0 

static (inside,dmz) 123.456.789.111 DMZ-SMTP netmask 255.255.255.255 

static (dmz,outside) 123.456.789.111 GSTAR netmask 255.255.255.255 

static (inside,outside) 123.456.789.111 CRM netmask 255.255.255.255 

static (inside,outside) 123.456.789.111 Sharepoint netmask 255.255.255.255 

static (dmz,outside) 123.456.789.111 172.19.0.2 netmask 255.255.255.255 

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

access-group dmz_access_out out interface dmz

access-group pdmz_in in interface pdmz

access-group pdmz_access_out out interface pdmz

route outside 0.0.0.0 0.0.0.0 123.456.789.111 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

filter java 81 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 

filter activex 813 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 

http server enable

http 172.18.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto dynamic-map outside_dyn_map 20 set pfs 

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs 

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs 

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 80 set pfs 

crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 100 set pfs 

crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 120 set pfs 

crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 140 set pfs 

crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs 

crypto map outside_map 1 set peer ####

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs 

crypto map outside_map 2 set peer ####

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 172.18.0.3-172.18.1.2 inside

!
 

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect rsh 

  inspect rtsp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 

  inspect h323 ras 

  inspect pptp 

!

service-policy global_policy global

group-policy NETWORK internal

group-policy NETWORK attributes

 wins-server value 172.18.200.1

 dns-server value 172.18.200.1

 vpn-tunnel-protocol IPSec 
 

 vpn-group-policy NETWORK
 
 

tunnel-group DefaultL2LGroup ipsec-attributes

 pre-shared-key *

tunnel-group NETWORK type ipsec-ra

tunnel-group NETWORK general-attributes

 address-pool IPVPN

 default-group-policy NETWORK

tunnel-group NETWORK ipsec-attributes

 pre-shared-key *

tunnel-group 123.456.789.111 type ipsec-l2l

tunnel-group 123.456.789.111 ipsec-attributes

 pre-shared-key *

tunnel-group 123.456.789.111 type ipsec-l2l

tunnel-group 123.456.789.111 ipsec-attributes

 pre-shared-key *

smtp-server 172.18.200.2

prompt hostname context 

Cryptochecksum:585c0c1b2348587143153660a223357a

: end

asdm image disk0:/asdm-523.bin

no asdm history enable

Open in new window

0
Comment
Question by:capcap
1 Comment
 
LVL 13

Accepted Solution

by:
3nerds earned 500 total points
ID: 24737051
For same security level to work properly, with PAT in place, you still have to tell it not to NAT the traffic flowing out the inside interface. Add rules to the no nat acl so that it knows not to nat traffic from the inside to the pdmz.

There was a question I worked on a bit ago that was having a similar problem.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24491457.html

Good Luck,

3nerds
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Watchguard Firewall Setup 3 28
Determine Switch and Port for Cisco Switch 1 39
DHCP on ASA 3 22
Access List 2 0
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now