Cisco ASA DMZ configuration

Hi all!

I am having a problem with setting up and configuring a DMZ on a Cisco ASA 5510 version 8.3

I can access the DMZ from the internal LAN, but cannot anything on the internal LAN from the DMZ even after configuring specific ACL's for this access. I've been trying to get anything to work, once I get that I will lock it down for access to a SQL server and maybe some AD authentication.

After looking the some different sites, in particular here, I've come across a number of different solutions. However, since I have version 8.3 it seems that a number of those solutions are no longer valid. I've seen posts where it says I need NATs and others that say they're not needed.

I'm a bit lost on what's need for access from a higher security level interface to a lower one. I used to manage PIX and systems with ipchains, but it's been about 7 years and things are a lot different. Not to mention this ASDM interface is throwing me a bit and would almost rather be in the old familiar SSH session. :)

In looking at the Log Viewer, I can see DNS traffic being denied from the LAN_access_out rule
below is my config. some of it is a bit screwy since I am trying to get anything from the DMZ to work. I'll be locking it down better after I get it working. I had the access rules, pretty much wide open and one point as well, and it still didnt work.

Below is my sanitized code, with unimportant stuff pulled out.

ASA Version 8.3(2) 
!
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 999.999.999.2 255.255.255.224 
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.7.1 255.255.255.0 
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.50.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network colo-0 
 subnet 172.16.0.0 255.255.255.0
object network colo-16 
 subnet 172.16.16.0 255.255.255.0
object network TBLAN 
 subnet 192.168.7.0 255.255.255.0
object network TBVPN 
 subnet 192.168.8.0 255.255.255.0
object network DMZ_lan 
 subnet 192.168.55.0 255.255.255.0
object network stage_dmz 
 host 192.168.55.5
object network stage_wan 
 host 999.999.999.5 
object network TB_DC 
 host 192.168.7.10 
object-group network colo 
 network-object object colo-0 
 network-object object colo-16 
object-group network TBNETs
 network-object object TBLAN
 network-object object TBVPN
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group service DNS tcp-udp
 port-object eq domain
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any 
access-list WAN_cryptomap extended permit ip object-group TBNETs object-group colo 

access-list DMZ_access_in extended permit ip object stage_dmz object TB_DC 
access-list DMZ_access_in extended permit ip object TB_DC object stage_dmz 
access-list DMZ_access_in extended permit ip object stage_dmz any 
access-list DMZ_access_in extended permit object-group TCPUDP any any object-group DNS 
access-list DMZ_access_in extended permit ip any any 
access-list DMZ_access_in extended permit icmp any any 
access-list LAN_access_in extended permit ip object TB_DC object stage_dmz 
access-list LAN_access_in extended permit ip object stage_dmz object TB_DC 
access-list LAN_access_in extended permit ip any any 
access-list LAN_access_in extended permit icmp any any 

arp timeout 14400
nat (LAN,WAN) source static TBLAN TBLAN destination static colo colo
nat (any,any) source static any any destination static TBVPN TBVPN
nat (LAN,WAN) source dynamic TBLAN interface
!
object network obj_any
 nat (management,WAN) dynamic interface
access-group WAN_access in interface WAN
access-group LAN_access_in in interface LAN
access-group LAN_access_out out interface LAN
access-group DMZ_access_in in interface DMZ
route WAN 0.0.0.0 0.0.0.0 999.999.999.1 1
timeout xlate 3:00:00

Open in new window


Thanks in Advance!

LVL 2
tabivAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cheever000Commented:
I believe in this instance you will need some sort of no nat or an identity NAT to cross between the interfaces, it probably works in one direction because of the higher to lower rules.
tabivAuthor Commented:
yeah, it works from the DMZ to the Internal because of the security levels. I am not sure what I would need for the NAT rule, if anything. I keep seeing different things online. I am not sure what you mean by "no nat" or "identity NAT" for this. Can you give an example?
pfc_itCommented:
Have you tried messing with NAT (LAN,DMZ)?
Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

tabivAuthor Commented:
Yes, I've tried a couple different NAT statements, none of them worked. Plus in the logs it's being blocked by the ACL. So I don't know if it's an ACL issue, or if it's blocked because of a lack of proper NATing.

Can someone give me an example of what I would need for the above config? Or what is needed for communication between a DMZ back to the Internal LAN?
Cheever000Commented:
Are there different access lists inplay then in the example, both your lists shown have no denys and a permit IP any any which would mean they allow all traffic.  

I am still learning the NAT in the 8.3 code but try something like this.

nat (LAN,DMZ) source static TBLAN TBLAN destination static DMZ DMZ  since your names aren't posted I am just assuming you have a name that defines the dmz network, if so replace the static DMZ DMZ with that name.

And I would also like to say for this kind of trouble shooting the packet tracer tool built in to the device works great, with a simple gui interface that can be launched from the ASDM, also has command line options, but I prefer running it from the ASDM.
tabivAuthor Commented:
Thanks for the input :)

Yeah. I've tried a few different NATs including ones that were similar to what you posted (but a bit more open). The 3 below are what I have know I have tried and there were a few others:

nat (LAN,DMZ) source static TBLAN TBLAN destination static DMZ_lan DMZ_lan
nat (any,any) source static any any destination static DMZ_lan DMZ_lan
nat (any,any) source static stage_dmz stage_dmz destination static TBLAN TBLAN

I have it fairly open right now until I get this figured out. Though I still have a DENY on the external interface and nothing coming in.

I've used the Packet Tracing Tool in this a number of times. Unfortunately, it's just telling me what I already know from the logs, that my packet is being blocked by an ACL (LAN_access_out).

This is driving me nuts. :(
pfc_itCommented:
Tabiv,

Could it be because your DMZ interface is set to a different network then your network objects?  

interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.50.1 255.255.255.0

object network DMZ_lan
 subnet 192.168.55.0 255.255.255.0
object network stage_dmz
 host 192.168.55.5
tabivAuthor Commented:
Your too thorough! ;)

I noticed that earlier today too but figured I would ignore it and hope no one else noticed it (I changed it on another post about 5 hours ago). That was a typo on my part when I was sanitizing my IP info in my config.

tabivAuthor Commented:
The LAN_access_out Access Group either needed to be completely deleted (including all related ACLs) or an ACL needed to be added to the Group to allow DMZ traffic. I had originally misunderstood what 'OUT' meant. Thinking that it was from the LAN side out, but really it's out of the interface in either direction.

No NATs were needed.

thanks everyone for your input.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tabivAuthor Commented:
I fixed the problem myself and posted the correct answer.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.