Solved

Cisco ASA 5510 Lan2DMZ IPSec tunnel

Posted on 2009-06-29
745 Views
Last Modified: 2012-05-07
We are trying to secure the communication between a Windows server on a DMZ and a Windows server on our internal network by using IPSec. We have enabled esp, isakmp and ah on the ASA and the communication should always be initiated from the DMZ to the LAN. We are not able to make it work. We thought we had maybe an IPSec configuration issue, so we did a test by connecting ServerA and ServerB to a router allowing all traffic to go through. The two servers were able to communicate through IPSec just fine, so I guess we can assume that it is not the IPSec configuration. Can someone take a look at our ASA configuration and let us know what might be wrong? Thanks.

hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxx.xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx.xxxxxxxxx encrypted
names
name 192.168.10.219 AppServer
name 192.168.20.3 WebServer
name 192.168.10.36 User1PC
name 192.168.30.3 FTPServer
name 192.168.10.35 User2PC
name 192.168.10.185 User3PC
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 205.x.x.93 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.46 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 nameif dmz1
 security-level 50
 ip address 192.168.20.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 description FTP DMZ
 nameif dmz2
 security-level 51
 ip address 192.168.30.1 255.255.255.0
 ospf cost 10
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network LogMeIn
 description Log Me In servers
 network-object host 4.2.2.2
object-group network DM_INLINE_NETWORK_2
 network-object host AppServer
 network-object host User1PC
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq ssh
object-group network DM_INLINE_NETWORK_1
 network-object host User2PC
 network-object host User1PC
object-group network DM_INLINE_NETWORK_4
 network-object host WebServer
 network-object host FTPServer
object-group network DM_INLINE_NETWORK_3
 network-object host User3PC
 network-object host User2PC
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object udp eq isakmp
 service-object ah
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object esp
 service-object ah
 service-object udp eq isakmp
access-list outside_access_in extended permit tcp any host 205.x.x.94 eq ssh
access-list outside_access_in remark allow access to the web server from internet
access-list outside_access_in extended permit tcp any host 205.x.x.94 eq https inactive
access-list outside_access_in remark Log Me In servers access to web server
access-list outside_access_in extended permit tcp object-group LogMeIn host WebServer eq 5640 inactive
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 host WebServer host AppServer
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_4 eq 3389
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host FTPServer object-group DM_INLINE_TCP_1
access-list inside_access_in remark User3 Test connection to SFTP server
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host FTPServer eq ssh
access-list inside_access_in extended permit tcp host User1PC host WebServer eq 3389
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
static (dmz1,outside) tcp 205.x.x.94 https WebServer https netmask 255.255.255.255
static (dmz2,outside) tcp 205.x.x.94 ssh FTPServer ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz1
route outside 0.0.0.0 0.0.0.0 205.x.x.88 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum xxxxxx:
end
asdm image disk0:/asdm-61551.bin
asdm location User1PC 255.255.255.255 inside
asdm location User2PC 255.255.255.255 inside
no asdm history enable

Question by: cartereverett
4 Comments
Expert Comment by: MikeKane (LVL 33)
If the DMZ will initiate communication to the internal LAN, I don't see a static map for any DMZ-to-inside addresses.

I only see:
static (dmz1,outside) tcp 205.x.x.94 https WebServer https netmask 255.255.255.255
static (dmz2,outside) tcp 205.x.x.94 ssh FTPServer ssh netmask 255.255.255.255

Those will map static addresses to the outside world. Since the inside interface is on a higher security level than DMZ1 and DMZ2, you need a static from inside to DMZ using
static (dmz1,inside) .....

Then the dmz1 server can communicate with the internal box using the static address. I see you already have an access-list built for it (I assume that's it).... So try that and let me know the results.

Author Comment by: cartereverett
I left out some information that might be helpful.  While testing, we opened up all IP traffic and esp, ah, and isakmp over UDP from the DMZ to the LAN with these entries:

object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object esp
 service-object ah
 service-object udp eq isakmp
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any any

When IPSec is turned off, we are successfully able to make an http request from the Webserver to the Appserver.  This would prove that we do not need to configure any static routing from the dmz to the LAN, correct?
Expert Comment by: MikeKane (LVL 33)
name 192.168.10.219 AppServer
name 192.168.20.3 WebServer

When you attempted the Test from Webserver to appserver via http, what IP did you use?   Is it the one listed above?  

I fail to see how packets from 192.168.20 would reach 192.168.10, since there are no statics, no same-security-level interfaces defined, no NATing....

Something must be routing the packets internally.... and I don't see what it is in this config....  

As far as the DM_inline_service goes....  


This one would fail to send HTTP requests because you don't have TCP 80 defined.... hence no http.
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object udp eq isakmp
 service-object ah


This one works because you have all ip defined.  
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object esp
 service-object ah
 service-object udp eq isakmp  

You need to add udp 4500 for NAT traversal as a service object to DM_Inline_service_1 and retest.    I'd be very curious to see if it succeeds.     For my own curiosity, would you provide the output of a SHOW XLATE....
Accepted Solution by: cartereverett (earned 0 total points)
This was solved by adding an Access list entry from the LAN back to the DMZ for esp, ah and isakmp over udp and by adding a routing table entry on the App Server (LAN) pointing back to the Web Server (DMZ).  We found that during the IPSec encryption process, during the second part where private keys are exchanged, no packets were traveling back to the DMZ.  Adding these entries fixed that.
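An added example, not part of the thread: a small Python evaluation of the posted access-lists that checks whether ESP, AH and ISAKMP (UDP) are permitted in both directions between WebServer (dmz1) and AppServer (inside), which is the asymmetry the accepted solution fixed. It handles only the ACE shapes that appear in the post (object-group, host, any, trailing eq, inactive), and the FIXED variant is my own rendering of the accepted solution's return-path entry, not the author's exact line.

```python
"""Does IPsec (esp, ah, udp/isakmp) pass BOTH ways between WebServer (dmz1) and AppServer (inside)?"""
# Constructed excerpt of the posted config ('permit ip any any' stands in for the post's DM_INLINE_SERVICE_2, which contains 'ip').
ORIGINAL = """\
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object udp eq isakmp
 service-object ah
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended deny ip any any
"""
# The accepted fix as constructed here: a return-path ACE on the inside interface, placed BEFORE the explicit deny.
FIXED = ORIGINAL.replace("access-list inside_access_in extended deny",
    "access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 "
    "host AppServer host WebServer\naccess-list inside_access_in extended deny")
def parse(cfg):
    groups, acls, cur = {}, {}, None
    for line in cfg.splitlines():
        t = line.split()
        if t and t[0] == "object-group":                 # group name is the third token
            cur = groups.setdefault(t[2], [])
        elif t and line.startswith(" ") and t[0] != "description":
            cur.append(t[1:])                            # ['esp'], ['udp','eq','isakmp'], ['host','X']
        elif t and t[0] == "access-list" and t[2] == "extended":
            acls.setdefault(t[1], []).append(t[3:])      # ACEs stay in config (first-match) order
    return groups, acls

def expand(tokens, groups):                              # one service/address spec -> (items, consumed)
    if tokens[0] == "object-group":
        return groups[tokens[1]], 2                      # flatten the group's member lines
    return ([tokens[:2]], 2) if tokens[0] == "host" else ([tokens[:1]], 1)  # 'host X' | any/ip/esp/...

def permitted(acl, groups, src, dst, proto, port=None):
    """First matching ACE decides; no match is the ASA's implicit deny; 'inactive' ACEs are skipped."""
    for ace in (a for a in acl if a[-1] != "inactive"):
        svcs, i = expand(ace[1:], groups); i += 1
        srcs, n = expand(ace[i:], groups); i += n
        dsts, n = expand(ace[i:], groups); i += n
        if not any(a in (["any"], ["host", src]) for a in srcs): continue
        if not any(a in (["any"], ["host", dst]) for a in dsts): continue
        for s in svcs:                                   # port: group member ('udp eq isakmp') or trailing 'eq PORT'
            sport = s[2] if len(s) == 3 else (ace[i + 1] if ace[i:i + 1] == ["eq"] else None)
            if s[0] == "ip" or (s[0] == proto and sport in (None, port)):
                return ace[0] == "permit"
    return False

def ipsec_both_ways(cfg, dmz="WebServer", lan="AppServer"):
    groups, acls = parse(cfg)
    ok = lambda acl, s, d: all(permitted(acls[acl], groups, s, d, p, q)
                               for p, q in (("esp", None), ("ah", None), ("udp", "isakmp")))
    return ok("dmz_access_in", dmz, lan), ok("inside_access_in", lan, dmz)  # ORIGINAL (True, False); FIXED (True, True)
```

The inside-interface ACL ends with an explicit deny, so on a real ASA the new entry must be inserted with a line number ahead of it, not appended.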