Cisco ASA DMZ configuration

Last Modified: 2013-11-16
Hi all!

I am having a problem with setting up and configuring a DMZ on a Cisco ASA 5510 version 8.3

I can access the DMZ from the internal LAN, but cannot access anything on the internal LAN from the DMZ, even after configuring specific ACLs for this access. I've been trying to get anything to work; once I get that, I will lock it down for access to a SQL server and maybe some AD authentication.

After looking at some different sites, in particular here, I've come across a number of different solutions. However, since I have version 8.3, it seems that a number of those solutions are no longer valid. I've seen posts where it says I need NATs and others that say they're not needed.

I'm a bit lost on what's needed for access from a higher security level interface to a lower one. I used to manage PIX and systems with ipchains, but it's been about 7 years and things are a lot different. Not to mention this ASDM interface is throwing me a bit, and I would almost rather be in the old familiar SSH session. :)

In looking at the Log Viewer, I can see DNS traffic being denied by the LAN_access_out rule.
Below is my config. Some of it is a bit screwy since I am trying to get anything from the DMZ to work. I'll be locking it down better after I get it working. I had the access rules pretty much wide open at one point as well, and it still didn't work.

Below is my sanitized code, with unimportant stuff pulled out.

ASA Version 8.3(2) 
!
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 999.999.999.2 255.255.255.224 
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.7.1 255.255.255.0 
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.50.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network colo-0 
 subnet 172.16.0.0 255.255.255.0
object network colo-16 
 subnet 172.16.16.0 255.255.255.0
object network TBLAN 
 subnet 192.168.7.0 255.255.255.0
object network TBVPN 
 subnet 192.168.8.0 255.255.255.0
object network DMZ_lan 
 subnet 192.168.55.0 255.255.255.0
object network stage_dmz 
 host 192.168.55.5
object network stage_wan 
 host 999.999.999.5 
object network TB_DC 
 host 192.168.7.10 
object-group network colo 
 network-object object colo-0 
 network-object object colo-16 
object-group network TBNETs
 network-object object TBLAN
 network-object object TBVPN
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group service DNS tcp-udp
 port-object eq domain
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any 
access-list WAN_cryptomap extended permit ip object-group TBNETs object-group colo 

access-list DMZ_access_in extended permit ip object stage_dmz object TB_DC 
access-list DMZ_access_in extended permit ip object TB_DC object stage_dmz 
access-list DMZ_access_in extended permit ip object stage_dmz any 
access-list DMZ_access_in extended permit object-group TCPUDP any any object-group DNS 
access-list DMZ_access_in extended permit ip any any 
access-list DMZ_access_in extended permit icmp any any 
access-list LAN_access_in extended permit ip object TB_DC object stage_dmz 
access-list LAN_access_in extended permit ip object stage_dmz object TB_DC 
access-list LAN_access_in extended permit ip any any 
access-list LAN_access_in extended permit icmp any any 

arp timeout 14400
nat (LAN,WAN) source static TBLAN TBLAN destination static colo colo
nat (any,any) source static any any destination static TBVPN TBVPN
nat (LAN,WAN) source dynamic TBLAN interface
!
object network obj_any
 nat (management,WAN) dynamic interface
access-group WAN_access in interface WAN
access-group LAN_access_in in interface LAN
access-group LAN_access_out out interface LAN
access-group DMZ_access_in in interface DMZ
route WAN 0.0.0.0 0.0.0.0 999.999.999.1 1
timeout xlate 3:00:00

Thanks in Advance!
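The posted config applies three ACLs: LAN_access_in and DMZ_access_in inbound, and LAN_access_out outbound on the LAN interface. The ASA checks the inbound ACL on the interface a packet arrives on and then the outbound ACL on the interface it leaves through, and each ACL ends in an implicit deny. The script below is an added example for this thread (it is not from the post and not a Cisco tool): it parses a constructed excerpt reduced from the posted `object network`, `access-list` and `access-group` lines and traces a flow through those two checks, reporting which entry matched or which ACL's implicit deny dropped it. Ingress and egress interfaces are passed in explicitly, since routing is not modelled; entries with `object-group` operands or port matches are reported as skipped rather than guessed.

```python
"""Trace a flow through the ACLs of a Cisco ASA 8.3 config excerpt.
Added example for this thread, not part of the post and not a Cisco tool.
It evaluates the ACL applied 'in' on the ingress interface, then the ACL
applied 'out' on the egress interface, each with the implicit deny at the
end.  ACEs using object-group operands or port matches are skipped."""
import ipaddress
import re

# Constructed excerpt reduced from the poster's config (addresses as posted).
CONFIG = """\
object network stage_dmz
 host 192.168.55.5
object network TB_DC
 host 192.168.7.10
access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any
access-list DMZ_access_in extended permit ip object stage_dmz object TB_DC
access-list DMZ_access_in extended permit object-group TCPUDP any any object-group DNS
access-list DMZ_access_in extended permit ip any any
access-list LAN_access_in extended permit ip object TB_DC object stage_dmz
access-list LAN_access_in extended permit ip any any
access-group LAN_access_in in interface LAN
access-group LAN_access_out out interface LAN
access-group DMZ_access_in in interface DMZ
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse(text):
    """Return objects (name->network), acls (name->[ACE tokens]) and
    groups ((nameif, direction)->acl name)."""
    objects, acls, groups, current = {}, {}, {}, None
    for line in (l.rstrip() for l in text.splitlines() if l.strip()):
        if line.startswith(" "):                    # body of an object block
            kind, *addr = line.split()
            if current and kind in ("subnet", "host"):
                objects[current] = ipaddress.ip_network(
                    "/".join(addr) if kind == "subnet" else f"{addr[0]}/32")
            continue
        current = None
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"access-list (\S+) extended (.+)$", line):
            acls.setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)$", line):
            groups[(m.group(3), m.group(2))] = m.group(1)
    return objects, acls, groups

def take_addr(tokens, objects):
    """Consume one address operand (any | object NAME | ADDR MASK)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    if re.match(r"\d+\.\d+\.\d+\.\d+$", tokens[0]):
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]
    raise ValueError(f"unsupported operand {tokens[0]}")

def ace_matches(ace, objects, proto, src, dst):
    """True/False for a supported ACE; None when its syntax is out of scope."""
    _action, ace_proto, *rest = ace
    if ace_proto not in ("ip", "icmp", "tcp", "udp"):
        return None                              # e.g. object-group TCPUDP
    if ace_proto != "ip" and ace_proto != proto:
        return False
    try:
        src_net, rest = take_addr(rest, objects)
        dst_net, rest = take_addr(rest, objects)
    except (ValueError, KeyError, IndexError):
        return None
    if rest:                                     # port operators not modelled
        return None
    return src in src_net and dst in dst_net

def evaluate_acl(name, acls, objects, proto, src, dst):
    """First-match evaluation ending in the ASA's implicit deny."""
    for ace in acls.get(name, []):
        if ace_matches(ace, objects, proto, src, dst):
            return ace[0], " ".join(ace)
    return "deny", "implicit deny"

def trace_flow(config, ingress, egress, proto, src, dst):
    """Return (verdict, steps) for a flow entering `ingress` and leaving
    `egress`; an interface with no ACL in that direction yields a 'no-acl'
    step, where the interface security levels decide instead."""
    objects, acls, groups = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    steps, verdict = [], "permit"
    for nameif, direction in ((ingress, "in"), (egress, "out")):
        acl = groups.get((nameif, direction))
        if acl is None:
            steps.append((nameif, direction, None, "no-acl", ""))
            continue
        action, detail = evaluate_acl(acl, acls, objects, proto, src, dst)
        steps.append((nameif, direction, acl, action, detail))
        verdict = "deny" if action == "deny" else verdict
    return verdict, steps

if __name__ == "__main__":
    print(trace_flow(CONFIG, "DMZ", "LAN", "udp", "192.168.55.5", "192.168.7.10"))
    print(trace_flow(CONFIG, "LAN", "DMZ", "tcp", "192.168.7.10", "192.168.55.5"))
```

For the DMZ-to-LAN flow the trace permits the packet on DMZ_access_in (the `stage_dmz` to `TB_DC` entry) and then hits the implicit deny of LAN_access_out, because that ACL's only entry names 192.168.7.0/24 as the source, which is the LAN's own subnet rather than anything in the DMZ; that is the same ACL the poster sees denying DNS in the Log Viewer. The LAN-to-DMZ flow is permitted on LAN_access_in and meets no outbound ACL on the DMZ interface, which matches the access the poster already has. Two caveats when reading the output: `object-group` entries are skipped, so a flow that would match only such an entry is reported conservatively as a non-match, and the trace does not check addressing, so the DMZ interface (192.168.50.1/24) and the DMZ_lan/stage_dmz objects (192.168.55.0/24) are worth confirming against the intended DMZ subnet. On 8.3, NAT is a separate matter: that release removed the requirement for a NAT rule merely to pass traffic between interfaces.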
