Solved

Cisco ASA 5510 Lan2DMZ IPSec tunnel

Posted on 2009-06-29
Last Modified: 2012-05-07
We are trying to secure the communication between a Windows server on a DMZ and a Windows server on our internal network by using IPSec. We have enabled esp, isakmp and ah on the ASA and the communication should always be initiated from the DMZ to the LAN. We are not able to make it work. We thought we had maybe an IPSec configuration issue, so we did a test by connecting serverA and ServerB to a router allowing all traffic to go through. The two servers were able to communicate through IPSec just fine, so I guess we can assume that it is not the IPSec configuration. Can someone take a look at our ASA configuration and let us know what might be wrong? Thanks.

hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxx.xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx.xxxxxxxxx encrypted
names
name 192.168.10.219 AppServer
name 192.168.20.3 WebServer
name 192.168.10.36 User1PC
name 192.168.30.3 FTPServer
name 192.168.10.35 User2PC
name 192.168.10.185 User3PC
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 205.x.x.93 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.46 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 nameif dmz1
 security-level 50
 ip address 192.168.20.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 description FTP DMZ
 nameif dmz2
 security-level 51
 ip address 192.168.30.1 255.255.255.0
 ospf cost 10
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network LogMeIn
 description Log Me In servers
 network-object host 4.2.2.2
object-group network DM_INLINE_NETWORK_2
 network-object host AppServer
 network-object host User1PC
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq ssh
object-group network DM_INLINE_NETWORK_1
 network-object host User2PC
 network-object host User1PC
object-group network DM_INLINE_NETWORK_4
 network-object host WebServer
 network-object host FTPServer
object-group network DM_INLINE_NETWORK_3
 network-object host User3PC
 network-object host User2PC
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object udp eq isakmp
 service-object ah
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object esp
 service-object ah
 service-object udp eq isakmp
access-list outside_access_in extended permit tcp any host 205.x.x.94 eq ssh
access-list outside_access_in remark allow access to the web server from internet
access-list outside_access_in extended permit tcp any host 205.x.x.94 eq https inactive
access-list outside_access_in remark Log Me In servers access to web server
access-list outside_access_in extended permit tcp object-group LogMeIn host WebServer eq 5640 inactive
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 host WebServer host AppServer
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_4 eq 3389
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host FTPServer object-group DM_INLINE_TCP_1
access-list inside_access_in remark User3 Test connection to SFTP server
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host FTPServer eq ssh
access-list inside_access_in extended permit tcp host User1PC host WebServer eq 3389
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
static (dmz1,outside) tcp 205.x.x.94 https WebServer https netmask 255.255.255.255
static (dmz2,outside) tcp 205.x.x.94 ssh FTPServer ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz1
route outside 0.0.0.0 0.0.0.0 205.x.x.88 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum xxxxxx:
end
asdm image disk0:/asdm-61551.bin
asdm location User1PC 255.255.255.255 inside
asdm location User2PC 255.255.255.255 inside
no asdm history enable
Question by:cartereverett
4 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24737314
If DMZ will initiate communication to the internal LAN, I don't see a static map for any DMZ to inside addresses.  

I only see:
static (dmz1,outside) tcp 205.x.x.94 https WebServer https netmask 255.255.255.255
static (dmz2,outside) tcp 205.x.x.94 ssh FTPServer ssh netmask 255.255.255.255

Those will static the addresses to the outside world. Since the inside interface is on a higher security level than DMZ1 and 2, you need a static from inside to DMZ using
static (dmz1,inside) .....

Then the dmz1 server can communicate with the internal box using the static address. I see you already have an access-list built for it (I assume that's it).... So try that and let me know the results.


Author Comment

by:cartereverett
ID: 24738333
I left out some information that might be helpful.  While testing, we opened up all IP traffic and esp, ah, and isakmp over UDP from the DMZ to the LAN with these entries:

object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object esp
 service-object ah
 service-object udp eq isakmp
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any any

When IPSec is turned off, we are successfully able to make an http request from the Webserver to the Appserver.  This would prove that we do not need to configure any static routing from the dmz to the LAN, correct?
LVL 33

Expert Comment

by:MikeKane
ID: 24738542
name 192.168.10.219 AppServer
name 192.168.20.3 WebServer

When you attempted the test from WebServer to AppServer via http, what IP did you use? Is it the one listed above?

I fail to see how packets from 192.168.20 would reach 192.168.10, since there are no statics, no same-security-level interfaces defined, no NATing....

Something must be routing the packets internally.... and I don't see what it is in this config....

As far as the DM_INLINE_SERVICE groups go....

This one would fail to send HTTP requests because you don't have TCP 80 defined.... hence no http.
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object udp eq isakmp
 service-object ah

This one works because you have all ip defined.
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object esp
 service-object ah
 service-object udp eq isakmp  

You need to add udp 4500 for NAT traversal as a service object to DM_Inline_service_1 and retest.    I'd be very curious to see if it succeeds.     For my own curiosity, would you provide the output of a SHOW XLATE....

Accepted Solution

by:
cartereverett earned 0 total points
ID: 24838985
This was solved by adding an Access list entry from the LAN back to the DMZ for esp, ah and isakmp over udp and by adding a routing table entry on the App Server (LAN) pointing back to the Web Server (DMZ).  We found that during the IPSec encryption process, during the second part where private keys are exchanged, no packets were traveling back to the DMZ.  Adding these entries fixed that.
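The check this thread boils down to, as an added example (not code from the question or the answers): a small Python audit that parses the name, object-group and access-list lines of an ASA config and reports which IPsec protocols (ESP, AH, ISAKMP on UDP 500) are permitted in only one direction between two hosts, the gap the accepted solution fixed on inside_access_in. The embedded config is a constructed excerpt of the question's configuration; the ACL names and the parsing scope (host/any addresses, service object-groups, trailing "eq PORT") are assumptions.

```python
# Added example, not code from the post: audit an ASA config for IPsec (ESP, AH,
# ISAKMP) permits in both directions.  CONFIG is a constructed excerpt of the
# question's config; host/any addresses and service object-groups are handled.
CONFIG = """\
name 192.168.10.219 AppServer
name 192.168.20.3 WebServer
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object udp eq isakmp
 service-object ah
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 host WebServer host AppServer
access-list inside_access_in extended permit tcp host User1PC host WebServer eq 3389
access-list inside_access_in extended deny ip any any
"""
PORTS = {"isakmp": 500, "ssh": 22, "https": 443}          # port names ASA prints
IPSEC = [("esp", None), ("ah", None), ("udp", 500)]       # add ("udp", 4500) for NAT-T

def parse(text):
    names, groups, acls, cur = {}, {}, {}, None
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "name": names[w[2]] = w[1]                            # alias -> IP
        elif w[0] == "object-group": cur = groups.setdefault(w[2], [])
        elif w[0] == "service-object": cur.append((w[1], w[3] if len(w) > 3 else None))
        elif w[0] == "access-list" and w[2] == "extended": acls.setdefault(w[1], []).append(w[3:])
    return names, groups, acls

def ace_permits(ace, names, groups, proto, src, dst, port):  # True/False on match, None otherwise
    t, action = list(ace[1:]), ace[0]
    svcs = groups[t.pop(1)] if t[0] == "object-group" else [(t[0], None)]
    t.pop(0)                                              # drop proto or "object-group"
    def addr():                                           # list of IPs, or None for "any"
        k = t.pop(0); v = None if k == "any" else t.pop(0)
        return None if v is None else groups[v] if k == "object-group" else [names.get(v, v)]
    s, d = addr(), addr()
    if (s and src not in s) or (d and dst not in d): return None
    eq = t[1] if t[:1] == ["eq"] else None                # trailing "eq PORT"
    for p, pp in svcs:
        want = PORTS.get(pp or eq, pp or eq)              # port name -> number
        if p in ("ip", proto) and (want is None or int(want) == port):
            return action == "permit"

def acl_permits(acl, names, groups, proto, src, dst, port):
    hits = (ace_permits(a, names, groups, proto, src, dst, port) for a in acl)
    return next((r for r in hits if r is not None), False)  # first match wins; implicit deny

def ipsec_gaps(text, a, b, acl_a_in, acl_b_in):  # a->b checked on a's inbound ACL, b->a on b's
    names, groups, acls = parse(text)
    ip_a, ip_b = names.get(a, a), names.get(b, b)
    return [(acl, p, port) for acl, s, d in ((acl_a_in, ip_a, ip_b), (acl_b_in, ip_b, ip_a))
            for p, port in IPSEC if not acl_permits(acls.get(acl, []), names, groups, p, s, d, port)]
```

Running ipsec_gaps(CONFIG, "WebServer", "AppServer", "dmz_access_in", "inside_access_in") lists the three return-path protocols missing from inside_access_in; after adding a permit for DM_INLINE_SERVICE_1 from AppServer to WebServer the list is empty.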