Solved

Unable to get to the Internet from DMZ

Posted on 2009-12-16
Last Modified: 2013-11-16
Hello - I am a novice with firewalls and DMZs, and am having trouble configuring a Cisco ASA 5510 firewall to allow an application server connected to the ASA to access the Internet, as well as for a server inside the firewall to communicate with the server in the DMZ. I am attaching the current configuration of the ASA for review. Any help on this would be much appreciated, as I am dead in the water on this issue.

Thank you,
Damian
Cisco-Config-after-changes.txt
Question by:Damian_Gardner

23 Comments
LVL 6

Expert Comment

by:palinitr
ID: 26066592
What's the IP address of your application server in the DMZ, and the IP address of the server inside your firewall?
Do you want to restrict the ports that the server inside your firewall uses when talking to the server in the DMZ?
Does your app server in the DMZ only need to talk to the outside world on port 80?
 

Author Comment

by:Damian_Gardner
ID: 26066667
Thanks for helping, Palinitr. The IP of the app server in the DMZ is currently 192.168.5.2, and there are 2 servers inside the network that need to talk with this machine: 192.168.1.25, and also a backup server, 192.168.1.16. At the moment, I don't know that we need to restrict port communication between the inside and outside servers, unless there's a big security risk to the one on the inside? The app server needs to relay information from a database server inside the network to users logging into the application server in the DMZ. Did I answer your questions adequately?

Thanks,
Damian
 
LVL 6

Expert Comment

by:palinitr
ID: 26066716
Yes, you did. I'll print off your config and will post the necessary changes soon.
 

Author Comment

by:Damian_Gardner
ID: 26066745
Much appreciated, sir.

Thank you
 
LVL 6

Expert Comment

by:palinitr
ID: 26067079
Damian

Try adding these lines:

object-group network InsideServers
 network-object 192.168.1.16 255.255.255.255
 network-object 192.168.1.25 255.255.255.255

access-list inside_access_in extended permit tcp object-group InsideServers host 192.168.5.2 any
access-list dmz_access_in extended permit tcp host 192.168.5.2 object-group InsideServers any
static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.255.255

 

Author Comment

by:Damian_Gardner
ID: 26067408
OK. Will these changes allow outside access to the Internet also?

Thanks
 
LVL 6

Expert Comment

by:palinitr
ID: 26067472
Oops, sorry, forgot to add that:

access-list dmz_access_in extended permit tcp host 192.168.5.2 any eq http

This will give 192.168.5.2 access to the Internet over port 80.
 

Author Comment

by:Damian_Gardner
ID: 26067474
Some of the commands worked, while others didn't, it seems.  Here's what I'm seeing:

Password: ******                                                                
LACOASA# conf t                                                                
LACOASA(config)# object-group network InsideServers                            
LACOASA(config-network)#  network-object 192.168.1.16 255.255.255.255          
LACOASA(config-network)#  network-object 192.168.1.25 255.255.255.255          
LACOASA(config-network)# access-list inside_access_in extended permit tcp obje$
                                                                               
access-list inside_access_in extended permit tcp object-group InsideServers host
 192.168.5.2 any                                                                
             ^                                                                  
ERROR: % Invalid input detected at '^' marker.                                  
LACOASA(config-network)# access-list dmz_access_in extended permit tcp host 19$
                                                                               
access-list dmz_access_in extended permit tcp host 192.168.5.2 object-group Insi
deServers any                                                                  
          ^                                                                    
ERROR: % Invalid input detected at '^' marker.                                  
LACOASA(config-network)# static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 2$
LACOASA(config)#                                                                
 

Author Comment

by:Damian_Gardner
ID: 26067510
OK, I added the extra line for HTTP access. I am not sure: do I need to save these changes or execute any other commands after these are executed, or do the changes take effect right away?

Thanks
 
LVL 6

Expert Comment

by:palinitr
ID: 26067530
Oops, too much beer, lol. Try:

access-list inside_access_in extended permit tcp object-group InsideServers 192.168.5.2 255.255.255.255 any
access-list dmz_access_in extended permit tcp 192.168.5.2 255.255.255.255 object-group InsideServers any
 
LVL 6

Expert Comment

by:palinitr
ID: 26067540
Changes will take effect immediately; only save once you are sure they are right.
 

Author Comment

by:Damian_Gardner
ID: 26067562
Hmm, for some reason it doesn't like the ANY word or something:

access-list inside_access_in extended permit tcp object-group InsideServers 192.
168.5.2 255.255.255.255 any                                                    
                        ^                                                      
ERROR: % Invalid input detected at '^' marker.                                  
LACOASA(config)#                                                                


(The marker is actually under the word ANY, although it doesn't appear this way here.)
 
LVL 6

Expert Comment

by:palinitr
ID: 26067576
Damian

Is this urgent? The reason I ask is that I will do this on our ASA at work tomorrow (it's 11pm in the UK at the moment) and will then post the config. I was doing this off the top of my head and obviously getting it wrong somewhere.

Adrian
 

Author Comment

by:Damian_Gardner
ID: 26067587
Oh, most certainly take your time, Adrian. Yes, if you have an ASA you can test on, by all means please give it a try and let me know your findings when convenient.

I appreciate your time today.

Thanks,
Damian
 
LVL 6

Expert Comment

by:palinitr
ID: 26073656
Damian

Here you are:

Declare a group for your inside servers (this saves repeating access-lists later):

object-group network InsideServers
 network-object host 192.168.1.16
 network-object host 192.168.1.25

The following will give the inside servers full access to your server in the DMZ, and the server in the DMZ full access to your inside servers; these would need changing if you want to restrict ports:

access-list inside_access_in extended permit ip object-group InsideServers host 192.168.5.2
access-list dmz_access_in extended permit ip host 192.168.5.2 object-group InsideServers

You must NAT the server in the DMZ to your inside network; you must also make sure that there is a route defined on your inside servers to get to this IP address.

static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.255.255


The following will give the server in the DMZ full access to the outside world; this would need changing if you want to restrict which ports the server in the DMZ can use to access the outside world:

access-list dmz_access_in extended permit ip host 192.168.5.2 any

Adrian
 

Author Comment

by:Damian_Gardner
ID: 26073935
It looks like the first couple of commands are failing for some reason:

LACOASA(config)# object-group network InsideServers                            
LACOASA(config-network)#  network-object host 192.168.1.16                      
Adding obj (network-object host 192.168.1.16) to grp (InsideServers) failed; obs
LACOASA(config-network)#  network-object host 192.168.1.25                      
Adding obj (network-object host 192.168.1.25) to grp (InsideServers) failed; obs
LACOASA(config-network)# object-group network InsideServers                    
LACOASA(config-network)# network-object host 192.168.1.16                      
Adding obj (network-object host 192.168.1.16) to grp (InsideServers) failed; obs
LACOASA(config-network)#                                                        


The STATIC command is failing because it looks like it already exists?

LACOASA(config)# static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.2$
ERROR: mapped-address conflict with existing static                            
  dmz:192.168.5.2 to inside:192.168.5.2 netmask 255.255.255.255                


The last one worked; however, it's still not getting out. One thing I'm noticing is that I am unable to ping the Cisco ASA, even though it is physically connected to a port on the back. I wonder if perhaps I simply do not have the NIC on the server configured correctly? Here are the current settings:

IP = 192.168.5.2
Mask = 255.255.255.0
Gateway = 192.168.5.254
DNS=8.8.8.8

The connection status is 100% connected, strong signal.

Not sure what's wrong, but it's definitely a problem that it can't even ping the ASA, right?

Thanks Adrian,
Damian
 
LVL 6

Expert Comment

by:palinitr
ID: 26075416
From the ASA, can you ping 192.168.5.2?

I take it there's only one NIC in the server? Can you do a route print on the server and post the results here, please.
 

Author Comment

by:Damian_Gardner
ID: 26075852
Well, something is wrong, because even the ASA cannot see this machine:

LACOASA# ping 192.168.5.2                                              
Sending 5, 100-byte ICMP Echos to 192.168.5.2, timeout is 2 seconds:  
?????                                                                  
Success rate is 0 percent (0/5)                                        
LACOASA#                                                              

C:\Documents and Settings\dgardner>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1e 0b 1e 5b 74 ...... HP NC373i Multifunction Gigabit Server Adapter #
2 - Teefer2 Miniport
0x3 ...00 1e 0b 1e 5b 72 ...... HP NC373i Multifunction Gigabit Server Adapter -
 Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.5.254      192.168.5.2     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.5.0    255.255.255.0      192.168.5.2      192.168.5.2     20
      192.168.5.2  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.5.255  255.255.255.255      192.168.5.2      192.168.5.2     20
        224.0.0.0        240.0.0.0      192.168.5.2      192.168.5.2     20
  255.255.255.255  255.255.255.255      192.168.5.2      192.168.5.2      1
  255.255.255.255  255.255.255.255      192.168.5.2                3      1
Default Gateway:     192.168.5.254
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\dgardner>


There are 2 NICs on the server. The other is unplugged.

Thanks
 
LVL 6

Expert Comment

by:palinitr
ID: 26076040
Is the cable between your server and the ASA a crossover or straight-through?

What model is your ASA? I'm on my mobile now, so can't look at your config at the moment.
 

Author Comment

by:Damian_Gardner
ID: 26076057
The cable is a straight patch cable, not a crossover. Could that be the issue? The ASA is a Cisco 5510.
 
LVL 6

Accepted Solution

by:palinitr (earned 2000 total points)
ID: 26094889
Damian

Just noticed, we've not declared the access group; you need to do:

access-group dmz_access_in in interface dmz

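Consolidated and tightened version of the configuration discussed in this thread, added here as an example; it is not Damian's attached config and not Adrian's posted commands. It assumes ASA 8.2-style NAT syntax (static/nat/global, as used above), interface names inside, dmz and outside, that the attached config does not already NAT the dmz interface to outside (the nat/global pair is an assumption, since that config is not shown on the page), and a hypothetical database port of TCP 1433 for the inside database server; replace that with the port the application really uses. It goes beyond the thread's `permit ip` rules by showing the least-privilege form the accepted answer says "would need changing" for port restriction.

```cisco
! Added example, not the thread's own config. Assumptions: ASA 8.2 NAT syntax,
! interfaces named inside/dmz/outside, and a hypothetical DB port of TCP 1433.

! Inside servers the DMZ application server needs to reach (from the thread)
object-group network InsideServers
 network-object host 192.168.1.16
 network-object host 192.168.1.25

! Identity NAT so inside hosts reach the DMZ server by its real address
! (the thread shows the ASA already had this exact static)
static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.255.255

! DMZ -> outside needs a NAT rule on 8.2 when nat-control is enabled.
! ASSUMPTION: the attached config does not already have an equivalent pair.
nat (dmz) 1 192.168.5.2 255.255.255.255
global (outside) 1 interface

! Permissive form from the thread (full IP access from the DMZ host to the
! inside servers and to the Internet), kept here commented out for comparison:
! access-list dmz_access_in extended permit ip host 192.168.5.2 object-group InsideServers
! access-list dmz_access_in extended permit ip host 192.168.5.2 any

! Least-privilege form. ACLs are first-match, so the inside subnet is denied
! (and logged) BEFORE the "any" permits, because "any" also covers 192.168.1.0/24.
access-list dmz_access_in extended permit tcp host 192.168.5.2 object-group InsideServers eq 1433
access-list dmz_access_in extended deny ip host 192.168.5.2 192.168.1.0 255.255.255.0 log
access-list dmz_access_in extended permit tcp host 192.168.5.2 any eq www
access-list dmz_access_in extended permit tcp host 192.168.5.2 any eq https
access-list dmz_access_in extended permit udp host 192.168.5.2 host 8.8.8.8 eq domain
access-list dmz_access_in extended deny ip any any

! Inside servers -> DMZ application server (full IP as in the thread; narrow
! this to the application's listening port once it is known)
access-list inside_access_in extended permit ip object-group InsideServers host 192.168.5.2

! An access-list does nothing until it is bound to an interface; the dmz
! binding is the step the thread initially missed
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz

! Verify hit counts and the NAT entry, then save only once the rules behave
! show access-list dmz_access_in
! show run static
! write memory
```

The ordering matters more than it looks: with `permit tcp ... any eq www` placed before the deny, a compromised DMZ host could still reach port 80 on every inside machine, because `any` is not "the Internet", it is every address the ASA can route. The explicit logged deny also gives the DMZ interface a visible record of lateral-movement attempts that an implicit deny would drop silently. Adrian's advice about saving applies unchanged: confirm with `show access-list` before `write memory`.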
 

Author Comment

by:Damian_Gardner
ID: 26097584
OK, I did that, and then tried pinging the server from the ASA. It still can't see the server:

LACOASA(config)# access-group dmz_access_in in interface dmz        
LACOASA(config)# ping 192.168.5.2                                    
Sending 5, 100-byte ICMP Echos to 192.168.5.2, timeout is 2 seconds:
?????                                                                
Success rate is 0 percent (0/5)                                      
LACOASA(config)#                                                    
 

Author Comment

by:Damian_Gardner
ID: 26106179
Palinitr, I ended up contacting Cisco to have them take a look at the ASA, and it turns out I need to be plugged into port #2, not #3, as the DMZ was configured on a different port on the ASA. Can't believe it. Anyway, once I moved the cable to port 2, it worked fine. Thanks very much for your help, and I'll award you the points for all your help.

Thanks,
Damian
