Damian Gardner
asked on
Unable to get to the Internet from DMZ
Hello - I am a novice with firewalls and DMZs, and am having trouble configuring a Cisco ASA 5510 firewall to allow an application server connected to the ASA to access the Internet, as well as for a server inside the firewall to communicate with the server in the DMZ. I am attaching the current configuration of the ASA for review. Any help on this would be much appreciated, as I am dead in the water on this issue.
Thank you,
Damian
Cisco-Config-after-changes.txt
ASKER
Thanks for helping, Palinitr. The IP of the app server in the DMZ is currently 192.168.5.2, and there are 2 servers inside the network that need to talk with this machine - 192.168.1.25, and also a backup server 192.168.1.16. At the moment, I don't know that we need to restrict port communication between the inside and outside servers, unless there's a big security risk to the one on the inside? The app server needs to relay information from a database server inside the network to users logging into the application server in the DMZ. Did I answer your questions adequately?
Thanks,
Damian
Yes, you did. I'll print off your config and will post the necessary changes soon.
ASKER
Much appreciated sir.
Thank you
Damian
Try adding these lines:
object-group network InsideServers
network-object 192.168.1.16 255.255.255.255
network-object 192.168.1.25 255.255.255.255
access-list inside_access_in extended permit tcp object-group InsideServers host 192.168.5.2 any
access-list dmz_access_in extended permit tcp host 192.168.5.2 object-group InsideServers any
static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.255.255
ASKER
Ok. Will these changes allow outside access to the Internet also?
Thanks
Oops, sorry forgot to add that:
access-list dmz_access_in extended permit tcp host 192.168.5.2 any eq http
This will give 192.168.5.2 access to the internet over port 80
ASKER
Some of the commands worked, while others didn't, it seems. Here's what I'm seeing:
Password: ******
LACOASA# conf t
LACOASA(config)# object-group network InsideServers
LACOASA(config-network)# network-object 192.168.1.16 255.255.255.255
LACOASA(config-network)# network-object 192.168.1.25 255.255.255.255
LACOASA(config-network)# access-list inside_access_in extended permit tcp obje$
access-list inside_access_in extended permit tcp object-group InsideServers host
192.168.5.2 any
^
ERROR: % Invalid input detected at '^' marker.
LACOASA(config-network)# access-list dmz_access_in extended permit tcp host 19$
access-list dmz_access_in extended permit tcp host 192.168.5.2 object-group Insi
deServers any
^
ERROR: % Invalid input detected at '^' marker.
LACOASA(config-network)# static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 2$
LACOASA(config)#
ASKER
Ok - I added the extra line for HTTP access. I am not sure - do I need to save these changes or execute any other commands after these are executed, or do the changes take effect right away?
Thanks
Oops, too much beer, lol. Try:
access-list inside_access_in extended permit tcp object-group InsideServers 192.168.5.2 255.255.255.255 any
access-list dmz_access_in extended permit tcp 192.168.5.2 255.255.255.255 object-group InsideServers any
Changes will take effect immediately, only save once you are sure they are right
ASKER
Hmm - for some reason it doesn't like the ANY word or something:
access-list inside_access_in extended permit tcp object-group InsideServers 192.
168.5.2 255.255.255.255 any
^
ERROR: % Invalid input detected at '^' marker.
LACOASA(config)#
(The marker is actually under the word ANY, although it doesn't appear this way here)
Damian
Is this urgent ? The reason I ask, is that I will do this on our ASA at work tomorrow (its 11pm in the UK at the moment) and will then post the config. I was doing this off the top of my head and obviously getting it wrong somewhere.
Adrian
ASKER
Oh - most certainly take your time, Adrian. Yes - if you have an ASA you can test on, by all means please give it a try and let me know your findings when convenient.
I appreciate your time today.
Thanks,
Damian
Damian
Here you are:
Declare a group for your inside servers (saves repeating access-lists later)
object-group network InsideServers
network-object host 192.168.1.16
network-object host 192.168.1.25
The following will give the inside servers full access to your server in the DMZ and the server in the DMZ full access to your inside servers; these would need changing if you want to restrict ports.
access-list inside_access_in extended permit ip object-group InsideServers host 192.168.5.2
access-list dmz_access_in extended permit ip host 192.168.5.2 object-group InsideServers
You must NAT the server in the DMZ to your inside network, you must also make sure that there is
a route defined on your inside servers to get to this IP address.
static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.255.255
The following will give the server in the DMZ full access to the outside world; this would need changing if you want to restrict which ports the server in the DMZ can use to access the outside world.
access-list dmz_access_in extended permit ip host 192.168.5.2 any
Adrian
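The "Invalid input detected at '^' marker" errors earlier in the thread and the "full access" caveat in this answer, as an added example that is not part of the original thread or of Cisco's own tooling: a small Python checker that parses pre-8.3 ASA `access-list ... extended` lines the way the ASA parser walks them, reports the column of the first unexpected token (the stray trailing `any` the asker hit), and flags permit rules that carry no port restriction. The object-group name, the two hosts and the database port 1433 in the constructed sample lines are assumptions for illustration; `log` and `time-range` options are not modelled.

```python
"""Syntax and least-privilege checker for pre-8.3 Cisco ASA extended ACL lines.

Added example, not from the original thread.  It models only the
address/port grammar of `access-list NAME extended permit|deny PROTO SRC
[SRC_PORT] DST [DST_PORT]`; trailing options such as `log` are not handled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
PORT_OPS = {"eq", "neq", "lt", "gt"}


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]


class AclSyntaxError(ValueError):
    """Mirrors the ASA error, with the column the '^' marker would sit under."""

    def __init__(self, line: str, col: int):
        self.col = col
        super().__init__(f"{line}\n{' ' * col}^\nERROR: % Invalid input detected at '^' marker.")


def parse_acl(line: str, network_groups: Set[str]) -> Rule:
    """Parse one ACL line; network_groups lists declared `object-group network` names,
    which is how `object-group X` is disambiguated between an address and a port group."""
    toks = [(m.group(), m.start()) for m in re.finditer(r"\S+", line)]
    pos = 0

    def peek(k: int = 0) -> Optional[str]:
        return toks[pos + k][0] if 0 <= pos + k < len(toks) else None

    def fail(k: int = 0) -> None:
        col = toks[pos + k][1] if 0 <= pos + k < len(toks) else len(line)
        raise AclSyntaxError(line, col)

    def take(expected: Optional[Set[str]] = None) -> str:
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok not in expected):
            fail()
        pos += 1
        return tok  # type: ignore[return-value]

    def address() -> str:
        tok = take()
        if tok == "any":
            return "any"
        if tok in ("host", "object", "interface"):
            return f"{tok} {take()}"
        if tok == "object-group":
            name = take()
            if name not in network_groups:
                fail(-1)  # a service group where an address is required
            return f"object-group {name}"
        nxt = peek()
        if IPV4.match(tok) and nxt is not None and IPV4.match(nxt):
            return f"{tok} {take()}"  # IP followed by netmask
        fail(-1)
        return ""  # unreachable; fail() raises

    def port() -> Optional[str]:
        tok = peek()
        if tok in PORT_OPS:
            return f"{take()} {take()}"
        if tok == "range":
            return f"{take()} {take()} {take()}"
        if tok == "object-group" and peek(1) not in network_groups:
            return f"{take()} {take()}"  # service object-group
        return None

    take({"access-list"})
    acl = take()
    take({"extended"})
    action = take({"permit", "deny"})
    proto = take()
    src = address()
    src_port = port() if proto in ("tcp", "udp") else None
    dst = address()
    dst_port = port() if proto in ("tcp", "udp") else None
    if peek() is not None:  # anything left over, e.g. a stray trailing 'any'
        fail()
    return Rule(acl, action, proto, src, src_port, dst, dst_port)


def lint(rule: Rule) -> List[str]:
    """Least-privilege findings: a permit with no port restriction is broad."""
    if rule.action != "permit":
        return []
    if rule.proto == "ip":
        return [f"{rule.acl}: 'ip' from {rule.src} to {rule.dst} permits every protocol and port"]
    if rule.proto in ("tcp", "udp") and rule.dst_port is None:
        return [f"{rule.acl}: {rule.proto} from {rule.src} to {rule.dst} has no destination port"]
    return []


def check_config(lines: List[str], network_groups: Set[str]) -> Tuple[List[Rule], List[str], List[Tuple[str, int]]]:
    """Return (parsed rules, lint findings, (line, column) syntax errors)."""
    rules, findings, errors = [], [], []
    for line in lines:
        try:
            rule = parse_acl(line, network_groups)
        except AclSyntaxError as err:
            errors.append((line, err.col))
            continue
        rules.append(rule)
        findings.extend(lint(rule))
    return rules, findings, errors


NETWORK_GROUPS = {"InsideServers"}

# Constructed sample: the failing attempt and the 'permit ip' lines from the thread,
# plus tighter alternatives.  Port 1433 for the database is an assumption.
SAMPLE = [
    "access-list inside_access_in extended permit tcp object-group InsideServers host 192.168.5.2 any",
    "access-list dmz_access_in extended permit ip host 192.168.5.2 object-group InsideServers",
    "access-list dmz_access_in extended permit ip host 192.168.5.2 any",
    "access-list dmz_access_in extended permit tcp host 192.168.5.2 object-group InsideServers eq 1433",
    "access-list dmz_access_in extended permit tcp host 192.168.5.2 any eq http",
]

if __name__ == "__main__":
    parsed, found, bad = check_config(SAMPLE, NETWORK_GROUPS)
    for bad_line, col in bad:
        print(AclSyntaxError(bad_line, col))
    for finding in found:
        print("FINDING:", finding)
```

Run as-is, the first sample line reproduces the `^` under the trailing `any` (after a destination the parser only accepts a port operator, so `any` is not a valid continuation), the two `permit ip` lines are reported as broad, and the `eq 1433` and `eq http` lines pass. Declare your network object-groups in `NETWORK_GROUPS` before checking lines that reference them.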
ASKER
It looks like the first couple of commands are failing for some reason:
LACOASA(config)# object-group network InsideServers
LACOASA(config-network)# network-object host 192.168.1.16
Adding obj (network-object host 192.168.1.16) to grp (InsideServers) failed; obs
LACOASA(config-network)# network-object host 192.168.1.25
Adding obj (network-object host 192.168.1.25) to grp (InsideServers) failed; obs
LACOASA(config-network)# object-group network InsideServers
LACOASA(config-network)# network-object host 192.168.1.16
Adding obj (network-object host 192.168.1.16) to grp (InsideServers) failed; obs
LACOASA(config-network)#
The STATIC command is failing because it looks like it already exists?
LACOASA(config)# static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.2$
ERROR: mapped-address conflict with existing static
dmz:192.168.5.2 to inside:192.168.5.2 netmask 255.255.255.255
The last one worked - however it's still not getting out. One thing I'm noticing is I am unable to ping the Cisco ASA, even though it is physically connected to a port on the back. I wonder if perhaps I simply do not have the NIC on the server configured correctly? Here's the current settings:
IP = 192.168.5.2
Mask = 255.255.255.0
Gateway = 192.168.5.254
DNS=8.8.8.8
The connection status is 100% connected, strong signal.
Not sure what's wrong, but it's definitely a problem that it can't even ping the ASA, right?
Thanks Adrian,
Damian
From the ASA, can you ping 192.168.5.2 ?
I take it there's only one NIC in the server ? Can you do a route print on the server and post the results here please.
ASKER
Well - something is wrong, because even the ASA cannot see this machine:
LACOASA# ping 192.168.5.2
Sending 5, 100-byte ICMP Echos to 192.168.5.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
LACOASA#
C:\Documents and Settings\dgardner>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 .......................... . MS TCP Loopback interface
0x2 ...00 1e 0b 1e 5b 74 ...... HP NC373i Multifunction Gigabit Server Adapter #
2 - Teefer2 Miniport
0x3 ...00 1e 0b 1e 5b 72 ...... HP NC373i Multifunction Gigabit Server Adapter -
Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.5.254 192.168.5.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.5.0 255.255.255.0 192.168.5.2 192.168.5.2 20
192.168.5.2 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.5.255 255.255.255.255 192.168.5.2 192.168.5.2 20
224.0.0.0 240.0.0.0 192.168.5.2 192.168.5.2 20
255.255.255.255 255.255.255.255 192.168.5.2 192.168.5.2 1
255.255.255.255 255.255.255.255 192.168.5.2 3 1
Default Gateway: 192.168.5.254
===========================================================================
Persistent Routes:
None
C:\Documents and Settings\dgardner>
There are 2 NICs on the server. The other is unplugged.
Thanks
Is the cable between your server and the asa a cross over or straight through ?
What model is your asa, I'm in my mobile now, so can't look at your config at the moment.
ASKER
The cable is a straight patch cable - not a crossover. Could that be the issue? The ASA is a Cisco 5510.
ASKER CERTIFIED SOLUTION
ASKER
Ok - I did that, and then tried pinging the server from the ASA. It still can't see the server:
LACOASA(config)# access-group dmz_access_in in interface dmz
LACOASA(config)# ping 192.168.5.2
Sending 5, 100-byte ICMP Echos to 192.168.5.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
LACOASA(config)#
ASKER
Palinitr - I ended up contacting Cisco to have them take a look at the ASA, and it turns out I need to be plugged into port #2, not #3, as the DMZ was configured on a different port on the ASA. Can't believe it. Anyway - once I moved the cable to port 2, it worked fine. Thanks very much for your help, and I'll award you the points for all your help.
Thanks,
Damian
Do you want to restrict the ports that the server inside your firewall uses when talking to the server in the DMZ ?
Does your app server in the DMZ only need to talk to the outside world on port 80 ?