Solved

ASA5505 Configuration Issues

Posted on 2009-07-08
Last Modified: 2013-11-29
I'm having some difficulty in being able to access the internal network from a server in my dmz. From inside, I can ping and connect remotely to dmz server, but from dmz server, I cannot ping internally. I have tried opening icmp traffic, to no avail.  I'm also looking to open a sqlnet port between the dmz server and an internal server.   This is an ASA5505, Version 8.0(2), with a Security Plus license (20 VLANs, DMZ unrestricted, unlimited inside hosts). Also, when connecting via VPN, I can't ping or connect to anything internally or in the dmz. My configuration is attached.
config.txt
Question by:gauthierv

Expert Comment

by:Noyan Gonulsen
ID: 24808781
Hi gauthierv,

In your translation static (INSIDE,dmz) 172.168.0.0 172.168.0.0 netmask 255.255.0.0 dns should read
static (dmz,inside) 172.168.0.0 172.168.0.0 netmask 255.255.0.0 dns
Also you have not applied your access-list dmz_to_inside to your interface dmz
access-group dmz_to_inside in interface dmz
Let's try this first and we can continue from there.

Author Comment

by:gauthierv
ID: 24809296
Ok.  I'm at home now, so I'll try changes first thing tomorrow morning and post the results.  Thank you.

Author Comment

by:gauthierv
ID: 24812833
I have made the changes as requested, but am still unable to ping from the dmz server to the inside. Also, I made changes last night that affected my ability to ping the dmz server from the inside.  Attached is the latest config.
config2.txt

Expert Comment

by:Noyan Gonulsen
ID: 24813233
Hi,
When you say "to the inside" you are referring to your internal network, correct?
From your new configs I still don't see the dmz_to_inside access list applied to your dmz interface (this access list will allow you to ping the dmz network). Also you need to add entries to your access list to permit traffic from your dmz to your internal network.
access-list dmz_to_inside extended permit 172.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
Once you apply the access-group to the interface, you can continue to add to the access-list.

Expert Comment

by:Noyan Gonulsen
ID: 24813315
Hi,

I just went through the configs again and noticed (sorry, I didn't catch it earlier). Please add a 1 in the third octet of the ip addresses: 172.168.1.0 255.255.0.0 192.168.1.0 255.255.0.0.



Author Comment

by:gauthierv
ID: 24813350
Yes, by "inside", I mean the internal network.
I tried this command but the firewall didn't like it:
access-list dmz_to_inside extended permit 172.168.1.0 255.255.0.0 192.168.1.0 255.255.0.0
I've been able to add an ACE that will allow me to ping internally from the dmz server. I'm also trying to allow some rules to all domain services through, but I don't think it's working yet.  Also, I need to open sqlnet between the dmz server and another internal server, but I'm not sure I've done that right either.  Here's the code:

access-list dmz_access_in extended permit icmp 192.168.0.0 255.255.0.0 any
access-list dmz_access_in extended permit icmp any 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit icmp any 192.168.0.0 255.255.0.0 echo-reply
access-list dmz_access_in extended permit tcp any eq sqlnet host ERP
access-list dmz_access_in extended permit udp 192.168.0.0 255.255.0.0 eq netbios-ns 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit udp 192.168.0.0 255.255.0.0 eq netbios-dgm 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 eq netbios-ssn 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 eq domain 172.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 eq ldap 172.168.0.0 255.255.0.0

static (dmz,outside) tcp eportal-outside www Eportal-Inside www netmask 255.255.255.255  dns
static (INSIDE,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 dns
static (dmz,INSIDE) 172.168.0.0 172.168.0.0 netmask 255.255.0.0 dns
static (dmz,INSIDE) Eportal-Inside eportal-outside netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz



Author Comment

by:gauthierv
ID: 24813409
My other biggest problem right now is that when I connect via VPN, I cannot ping anything internally, which means I cannot connect remotely to anything either.  I have a vendor who needs to get in to drop some code for a rollout this weekend, so time is of the essence!

Expert Comment

by:Noyan Gonulsen
ID: 24813723
access-list dmz_access_in extended permit tcp host 172.168.1.10 host (your internal server) eq sqlnet
This will allow your webserver to access your internal server on port 1521 using tcp.
Here is a link from Cisco's site that might help as well;
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html#wp1047858


Author Comment

by:gauthierv
ID: 24814049
Okay, that worked.  Thanks! Now I need to get the dmz server to have access to the internet and, more importantly, I need to have access to the dmz server remotely after connecting via VPN.

Expert Comment

by:Noyan Gonulsen
ID: 24814138
Regarding your vpn is your vendor connecting through a client software?
However, you do not have NAT-T  enabled.
Enter the following command to enable IPsec over NAT-T globally on the security appliance.
crypto isakmp nat-traversal natkeepalive 3600 (1hr, I think by default it's 20 seconds)

Author Comment

by:gauthierv
ID: 24814247
The vendor (and myself) are using the latest Cisco VPN client (5.0.05.0290).  What does "crypto isakmp nat-traversal 3600" allow?  The VPN is working, however, the vendor cannot connect to the server in the DMZ.  Currently, when the vendor connects with an IP from an internal Pool (192.168.1.70), he cannot connect or ping to anything internal.  When he connected with an IP from another Pool (192.168.4.1), he can connect and ping to the internal network.  Is there an issue with the overlap (my internal network is 192.168.0.0)?  How can I get him access to the server in the dmz (172.168.x.x)?

Expert Comment

by:Noyan Gonulsen
ID: 24814318
To get the dmz server to access the internet apply this
Static (dmz,outside) outside ip 172.168.1.10 netmask 255.255.0.0
Can you ping the dmz server from your internal network?  Your address pool is 192.168.1.70-79, which is your internal network ip, so it should work. If your address pool was different (i.e. 10.0.0.0), then you would need an access list allowing that subnet to access any other subnet.

Assisted Solution

by:Noyan Gonulsen
Noyan Gonulsen earned 400 total points
ID: 24814493
"NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPsec traffic when necessary. This feature is disabled by default.
With the exception of the home zone on the Cisco ASA 5505, the security appliance can simultaneously support standard IPsec, IPsec over TCP, NAT-T, and IPsec over UDP, depending on the client with which it is exchanging data. When both NAT-T and IPsec over UDP are enabled, NAT-T takes precedence. IPsec over TCP, if enabled, takes precedence over all other connection methods.
When you enable NAT-T, the security appliance automatically opens port 4500 on all IPsec enabled interfaces." as per cisco.
How is he connecting with that pool 192.168.4.1? I don't see that pool configured within your configs.
You can add an access list that allows that traffic to hit your server: 192.168.4.0 to 172.168.1.10

Expert Comment

by:Noyan Gonulsen
ID: 24814508
Can you please post your running configs again?

Expert Comment

by:Noyan Gonulsen
ID: 24814994
If you can send me the 192.168.4.1 address pool, then we can add a nonat config for the DMZ interface which should allow you to access the dmz zone. If the VPN Client can communicate to inside hosts but not to hosts on the DMZ zone, then nat needs to be disabled on the DMZ interface.

Author Comment

by:gauthierv
ID: 24815354
Here is the latest running config.  

Author Comment

by:gauthierv
ID: 24815358
Ooops ... forgot to attach it!  

Author Comment

by:gauthierv
ID: 24815367
Ok, let's try this again!
config3.txt

Accepted Solution

by:Noyan Gonulsen
Noyan Gonulsen earned 400 total points
ID: 24815728

access-list split_tunnel name permit ip 172.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (dmz) 0 access-list split_tunnel name

Expert Comment

by:Noyan Gonulsen
ID: 24815749
Sorry, I meant 192.168.4.0
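A small configuration check, added here as an editor's example (not code from this thread, from the poster's configs, or from Cisco), for the three pitfalls the exchange turns on: an access-list that is defined but never applied with access-group or nat 0, an ACE written without a protocol keyword (the form of the line the ASA rejected earlier in the thread), and a VPN address pool that overlaps the inside subnet. The sample config is constructed in the style of the posted snippets; the function name, the keyword set and all addresses are assumptions.

```python
import ipaddress

# Constructed sample in the style of the thread's ASA 8.0(2) configs; not the poster's actual file.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif INSIDE
 ip address 192.168.1.1 255.255.0.0
access-list dmz_to_inside extended permit 172.168.1.0 255.255.0.0 192.168.1.0 255.255.0.0
access-list dmz_access_in extended permit tcp host 172.168.1.10 host 192.168.1.20 eq sqlnet
access-list split_tunnel extended permit ip 172.168.0.0 255.255.0.0 192.168.4.0 255.255.255.0
ip local pool vpnpool 192.168.1.70-192.168.1.79
access-group dmz_access_in in interface dmz
nat (dmz) 0 access-list split_tunnel
"""

PROTOCOL_KEYWORDS = {"ip", "tcp", "udp", "icmp", "object-group"}  # assumed subset of valid ACE protocols

def lint_asa_config(text):
    """Flag the three mistakes that recur in the thread; returns a list of finding strings."""
    findings, defined, referenced, aces, pools = [], set(), set(), [], []
    inside_net = cur_nameif = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            defined.add(tok[1])
            if len(tok) > 4 and tok[2] == "extended" and tok[3] in ("permit", "deny"):
                aces.append((tok[1], tok[4]))        # the token after permit/deny must be a protocol
        elif "access-list" in tok:                   # nat 0, crypto map match address, etc.
            referenced.add(tok[tok.index("access-list") + 1])
        elif tok[0] == "access-group":
            referenced.add(tok[1])
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            pools.append((tok[3], ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif tok[0] == "nameif":
            cur_nameif = tok[1].lower()              # interface stanza we are currently inside
        elif tok[:2] == ["ip", "address"] and cur_nameif == "inside":
            inside_net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
    for name in sorted(defined - referenced):
        findings.append(f"access-list {name} is defined but never applied (no access-group or nat 0 reference)")
    for name, proto in aces:
        if proto not in PROTOCOL_KEYWORDS and not proto.isdigit():
            findings.append(f"access-list {name}: '{proto}' is not a protocol; ASA rejects an ACE without one")
    for name, lo, hi in pools:
        if inside_net and (lo in inside_net or hi in inside_net):
            findings.append(f"ip local pool {name} overlaps the inside subnet {inside_net}")
    return findings
```

Run against the sample it reports the unapplied dmz_to_inside list, the ACE with no protocol, and the pool inside 192.168.0.0/16; the overlap finding is the situation the poster described when clients from the 192.168.1.70 pool could not reach inside hosts.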

Author Comment

by:gauthierv
ID: 24815928
Thanks!  That worked.  Now I can connect to my dmz servers through VPN.  One other question ... I have split-tunneling enabled on the VPN connection, but I still cannot access the internet when I am connected via VPN.  What am I missing?

Expert Comment

by:Noyan Gonulsen
ID: 24816372
Great, good stuff!
Now can you connect through the VPN, right click the lock in the tray and go to Statistics, "Route Details"? It should have your work network in the secured routes list. If you don't see that, can you enable logging on the device as well?

Author Comment

by:gauthierv
ID: 24817976
Will test it tonight and post results.  The good news is that my vendor was able to connect and complete the code drop for our weekend implementation.

Expert Comment

by:Noyan Gonulsen
ID: 24818219
Great, glad to hear.
I'm off work tomorrow, heading to a client site. I'll check this weekend for your post and hopefully we can resolve this. Can you access the device remotely through ssh or telnet?

Expert Comment

by:Noyan Gonulsen
ID: 24873034
Hi Gauthierv,

I have not heard back from you, I hope everything is working out for you!

Author Comment

by:gauthierv
ID: 24873761
Hi kimjc,

I thought I had posted the Route Details.  Only the DMZ network was available.  The internal network was not in the route details.  The two issues I still have are getting the DMZ server access to the internet, and being able to access the internet once connected via VPN.

Expert Comment

by:Noyan Gonulsen
ID: 24874286
When you connected through remote access could you only ping the dmz network? If so, it sounds like remote access is set to the dmz interface, considering there is no internet access from the dmz network out. I have your configs, I'll have a look at them and will post my findings.

Expert Comment

by:Noyan Gonulsen
ID: 24874358
By the way, gauthierv, what is your objective here? Do you want remote access to the dmz interface only and be able to access the internet as well? Or do you want access to the internal network as well as the dmz network via remote access? I just want to be clear before I start posting the commands.

Thanks

Author Comment

by:gauthierv
ID: 24877900
While connected via VPN, I can ping the internal network and access everything in the internal network. I just expected to see the internal network listed in the route details.  The way VPN works now is perfect with the exception of being able to access the internet.  I have split tunneling enabled, but that doesn't seem to be doing what I expected.  The only other thing that is important is getting my dmz server connected to the internet.

Expert Comment

by:Noyan Gonulsen
ID: 24881658
Hi Gauthierv,

Can your external users access your dmzserver on port 80? I came across something interesting, which I haven't seen before: your ISP assigned you a /29 subnet, which indicates 8 usable IPs. The 1st IP is usually the network block, a second ip is the default gateway, then you have 6 IPs to play with. Your default route is 75.149.137.246 and your external ip address is 75.149.xxx.xxx which is fine, but I noticed that the IP of your dmzserver is 75.149.137.242; this could be different in your case as I have not seen this before. Can you confirm with your ISP the block that they have assigned for you? If this is correct, did you add dmz to the global interface?

Author Comment

by:gauthierv
ID: 24924761
Sorry for the delay in responding.  No, external users cannot access the dmz server on port 80.  The block of IPs from our ISP is correct, with .246 being the gateway.  What is the command for adding the dmz to the global interface?

Expert Comment

by:Noyan Gonulsen
ID: 24925690
Hi Gauthierv,
No worries for the delay. The command is  global (dmz) 1 interface
I noticed that your access-list "access-list outside_access_in extended permit tcp any eq www host dmzserver-outside " can you change this to point to dmz-inside. You already have the access-group on the outside interface. After making these changes, let me know if users can access your webserver.

Author Comment

by:gauthierv
ID: 24927321
Unfortunately, the dmz server is still not accessible after these changes.

Expert Comment

by:Noyan Gonulsen
ID: 24927980
Can you please post your updated configs? I need to look at it in detail; I know I'm missing something and it's driving me crazy. I just want to confirm, as it stands right now:
1) The internal network has access to the dmz
2) The dmz zone has access to the internal network
3) You can vpn in and access the internal network and the dmz zone
Issues
1) Dmz has no internet access
2) External users can not access webserver in dmz zone on port 80
3) VPN users do not have internet access.

Thanks,

Author Comment

by:gauthierv
ID: 24928798
Yes, your summary is correct.  Attached is the updated config.
config4.txt

Author Comment

by:gauthierv
ID: 24994826
Hi kimjc,
I haven't heard anything since the last config was posted.  Have you been able to look at it?

Author Comment

by:gauthierv
ID: 25087442
Is there anyone available to assist me with the remaining issues?  I need to get my web server in the dmz to have internet access.  

Expert Comment

by:Noyan Gonulsen
ID: 25091325
Hi Gauthierv,

I'm sorry I was away just got back yesterday. If you can give me until Monday, everything here at my office will be back to normal and I can dedicate my time to the outstanding issue.
Again I apologize.

Author Comment

by:gauthierv
ID: 25091333
No problem.  I certainly appreciate the help!

Author Comment

by:gauthierv
ID: 25154825
I will be on vacation next week, but am still looking forward to your assistance.

Author Closing Comment

by:gauthierv
ID: 31601305
Still have some outstanding issues that have not been resolved.