Unable to get to the Internet from DMZ

Hello - I am a novice with firewalls and DMZ's, and am having trouble configuring a Cisco ASA 5510 firewall to allow an application server connected to the ASA to access the Internet, as well as for a server inside the firewall to communicate with the server in the DMZ.  I am attaching the current configuration of ASA for review.  Any help on this would be much appreciated, as I am dead in the water on this issue.

Thank you,
Damian
Cisco-Config-after-changes.txt
Damian_GardnerAsked:
Who is Participating?
 
palinitrConnect With a Mentor Commented:
Damian

Just noticed, we've not declared the access group, you need to do:

access-group dmz_access_in in interface dmz

0
 
palinitrCommented:
Whats the IP address of your application server in the DMZ, and the IP address of the server inside your firewall ?  
Do you want to restrict the ports that the server inside your firewall uses when talking to the server in the DMZ ?
Does your app server in the DMZ only need to talk to the outside world on port 80 ?
0
 
Damian_GardnerAuthor Commented:
Thanks for helping Palinitr.  The IP of the app server in the DMZ is currently 192.168.5.2, and there are 2 servers inside the network that need to talk with this machine - 192.168.1.25, and also a backup server 192.168.1.16.  At the moment, I don't know that we need to restrict port communication between the inside and outside servers, unless there's a big security risk to the one on the inside?  The app server needs to relay information from a database server inside the network to users loggin into the application server in the DMZ.  Did I answer your questions adequately?

Thanks,
Damian
0
Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

 
palinitrCommented:
Yes, you did.  I'll print off your config and will post the necessary changes soon.
0
 
Damian_GardnerAuthor Commented:
Much appreciated sir.

Thank you
0
 
palinitrCommented:
Damian

Try adding, these lines

object-group network InsideServers
 network-object 192.168.1.16 255.255.255.255
 network-object 192.168.1.25 255.255.255.255

access-list inside_access_in extended permit tcp object-group InsideServers host 192.168.5.2 any
access-list dmz_access_in extended permit tcp host 192.168.5.2 object-group InsideServers any
static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.255.255

0
 
Damian_GardnerAuthor Commented:
Ok.  Will these changes allow outside access to the Internet also?

Thanks
0
 
palinitrCommented:
Oops, sorry forgot to add that:

access-list dmz_access_in extended permit tcp host 192.168.5.2 any eq http

This will give 192.168.5.2 access to the internet over port 80
0
 
Damian_GardnerAuthor Commented:
Some of the commands worked, while others didn't, it seems.  Here's what I'm seeing:

Password: ******                                                                
LACOASA# conf t                                                                
LACOASA(config)# object-group network InsideServers                            
LACOASA(config-network)#  network-object 192.168.1.16 255.255.255.255          
LACOASA(config-network)#  network-object 192.168.1.25 255.255.255.255          
LACOASA(config-network)# access-list inside_access_in extended permit tcp obje$
                                                                               
access-list inside_access_in extended permit tcp object-group InsideServers host
 192.168.5.2 any                                                                
             ^                                                                  
ERROR: % Invalid input detected at '^' marker.                                  
LACOASA(config-network)# access-list dmz_access_in extended permit tcp host 19$
                                                                               
access-list dmz_access_in extended permit tcp host 192.168.5.2 object-group Insi
deServers any                                                                  
          ^                                                                    
ERROR: % Invalid input detected at '^' marker.                                  
LACOASA(config-network)# static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 2$
LACOASA(config)#                                                                
0
 
Damian_GardnerAuthor Commented:
Ok - I added the extra line for HTTP access.  I am not sure - do I need to save these changes or execute any other commands after these are executed, or do the changes take effect right away?

Thanks
0
 
palinitrCommented:
ooops, too much beer, lol, try

access-list inside_access_in extended permit tcp object-group InsideServers 192.168.5.2 255.255.255.255 any
access-list dmz_access_in extended permit tcp 192.168.5.2 255.255.255.255 object-group InsideServers any
0
 
palinitrCommented:
Changes will take effect immediately, only save once you are sure they are right
0
 
Damian_GardnerAuthor Commented:
Hmm - for some reason it doesn't like the ANY word or something:

access-list inside_access_in extended permit tcp object-group InsideServers 192.
168.5.2 255.255.255.255 any                                                    
                        ^                                                      
ERROR: % Invalid input detected at '^' marker.                                  
LACOASA(config)#                                                                


(The marker is actually under the word ANY, although it doesn't appear this way here)
0
 
palinitrCommented:
Damian

Is this urgent ? The reason I ask, is that I will do this on our ASA at work tomorrow (its 11pm in the UK at the moment) and will then post the config.  I was doing this off the top of my head and obviously getting it wrong somewhere.

Adrian
0
 
Damian_GardnerAuthor Commented:
Oh - most certainly take your time, Adrian.  Yes - is you have an ASA you can test on, by all means please give it a try and let me know your findings when convenient.  

I appreciate your time today.

Thanks,
Damian
0
 
palinitrCommented:
Damian

Here you are:

Declare a group for your inside servers (saves repeating access-lists later)

object-group network InsideServers
 network-object host 192.168.1.16
 network-object host 192.168.1.25

The following will give the inside servers full access to your server in the DMZ and the server in the DMZ full access to your inside servers, these would need changing if you want to restrict ports

access-list inside_access_in extended permit ip object-group InsideServers host 192.168.5.2
access-list dmz_access_in extended permit ip host 192.168.5.2 object-group InsideServers

You must NAT the server in the DMZ to your inside network, you must also make sure that there is
a route defined on your inside servers to get to this IP address.

static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.255.255


The following will give the server in the DMZ full access ato the outside world, this would need changing if you want to restrict which ports the server in the dmz can use to access the outside world

access-list dmz_access_in extended permit ip host 192.168.5.2 any

Adrian
0
 
Damian_GardnerAuthor Commented:
It looks like the first couple of commands are failing for some reason:

LACOASA(config)# object-group network InsideServers                            
LACOASA(config-network)#  network-object host 192.168.1.16                      
Adding obj (network-object host 192.168.1.16) to grp (InsideServers) failed; obs
LACOASA(config-network)#  network-object host 192.168.1.25                      
Adding obj (network-object host 192.168.1.25) to grp (InsideServers) failed; obs
LACOASA(config-network)# object-group network InsideServers                    
LACOASA(config-network)# network-object host 192.168.1.16                      
Adding obj (network-object host 192.168.1.16) to grp (InsideServers) failed; obs
LACOASA(config-network)#                                                        


The STATIC command is failing because it looks like it already exists?  

LACOASA(config)# static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.2$
ERROR: mapped-address conflict with existing static                            
  dmz:192.168.5.2 to inside:192.168.5.2 netmask 255.255.255.255                


The last one worked -  however it's still not getting out.  One thing I'm noticing is I am unable to ping the Cisco ASA, even though it is physically connected to a port on the back.  I wonder if perhaps I simply do not have the NIC on the server configured correctly?  Here's the current settings:

IP = 192.168.5.2
Mask = 255.255.255.0
Gateway = 192.168.5.254
DNS=8.8.8.8

The connection status is 100% connected, strong signal.

Not sure what's wrong, but it's definitely a problem that it can't even ping the ASA, right?

Thanks Adrian,
Damian

0
 
palinitrCommented:
From the ASA, can you ping 192.168.5.2 ?

I take it there's only one NIC in the server ? Can you do a route print on the server and post the results here please.
0
 
Damian_GardnerAuthor Commented:
Well - something is wrong, because even the ASA cannot see this machine:

LACOASA# ping 192.168.5.2                                              
Sending 5, 100-byte ICMP Echos to 192.168.5.2, timeout is 2 seconds:  
?????                                                                  
Success rate is 0 percent (0/5)                                        
LACOASA#                                                              

C:\Documents and Settings\dgardner>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1e 0b 1e 5b 74 ...... HP NC373i Multifunction Gigabit Server Adapter #
2 - Teefer2 Miniport
0x3 ...00 1e 0b 1e 5b 72 ...... HP NC373i Multifunction Gigabit Server Adapter -
 Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.5.254      192.168.5.2     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.5.0    255.255.255.0      192.168.5.2      192.168.5.2     20
      192.168.5.2  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.5.255  255.255.255.255      192.168.5.2      192.168.5.2     20
        224.0.0.0        240.0.0.0      192.168.5.2      192.168.5.2     20
  255.255.255.255  255.255.255.255      192.168.5.2      192.168.5.2      1
  255.255.255.255  255.255.255.255      192.168.5.2                3      1
Default Gateway:     192.168.5.254
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\dgardner>


There are 2 NICs on the server. The other is unplugged.

Thanks
0
 
palinitrCommented:
Is the cable between your server and the asa a cross over or straight through ?

What model is your asa, I'm in my mobile now, so can't look at your config at the moment.
0
 
Damian_GardnerAuthor Commented:
the cable is a straight patch cable - not a crossover.  could that be the issue?  The ASA is a 5510 Cisco
0
 
Damian_GardnerAuthor Commented:
Ok - I did that, and then tried pinging the server from the ASA.  It still can't see the server:

LACOASA(config)# access-group dmz_access_in in interface dmz        
LACOASA(config)# ping 192.168.5.2                                    
Sending 5, 100-byte ICMP Echos to 192.168.5.2, timeout is 2 seconds:
?????                                                                
Success rate is 0 percent (0/5)                                      
LACOASA(config)#                                                    
0
 
Damian_GardnerAuthor Commented:
Palinitr - I ended up contacting Cisco to have them take a look at the ASA, and it turns out I need to be plugged into port #2, not #3, as the DMZ was configured on a different port on the ASA.  Can't beleive it.  anyway - once I moved the cable to port 2, it worked fine.  Thanks very much for your help, and I'll award you the points for all your help.

Thanks,
Damian
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.