• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 709
  • Last Modified:

Internet Access DMZ

Hi everyone,

I have a slite problem with my DMZ configuration. The servers in my DMZ can't access the internet. The DNS is set-up to my local LAN and using the public DNS-servers from google isn't working also.

I have allowed all access in to the DMZ and I thought that access to any less secure network was always posible or am I just confused with the rules of going to a network which is less secure?

thanks in advance!

This is my current stripped configuration:

 
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0 
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 4125
 port-object eq 987
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq pptp
 port-object eq smtp
 port-object eq ssh
 port-object eq 4210
 port-object eq 15000
 port-object eq 4203
 port-object eq 4205
 port-object eq 4230
 port-object eq 28081
 port-object range 50000 50050
 port-object eq ftp-data
object-group service Special
 description Zelf aangemaakte services
 service-object tcp eq 3389 
 service-object tcp eq 4125 
 service-object tcp eq 987 
 service-object tcp eq 4210 
 service-object tcp eq 4203 
 service-object tcp eq 4205 
 service-object tcp eq 15000 
 service-object tcp eq 4230 
 service-object tcp eq 28081 
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1 
access-list dmz_access_in extended permit tcp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq domain 
access-list dmz_access_in extended permit udp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq netbios-dgm 
access-list dmz_access_in extended permit udp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq netbios-ns 
access-list dmz_access_in extended permit tcp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq 445 
access-list dmz_access_in extended permit tcp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq netbios-ssn 
access-list dmz_access_in extended permit tcp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq ftp inactive 
access-list dmz_access_in extended permit ip host DMZ_FTP-server any 
access-list inside_access_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp a2osbs smtp netmask 255.255.255.255 
static (inside,outside) tcp interface www a2osbs www netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 a2osbs imap4 netmask 255.255.255.255 
static (inside,outside) tcp interface 987 a2osbs 987 netmask 255.255.255.255 
static (dmz,outside) tcp interface 4230 DMZ_FTP-server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface https a2osbs https netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 a2osbs pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface 4205 server-archx 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4210 LAN_FTP-server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 28081 server-archx 28081 netmask 255.255.255.255 
static (inside,outside) tcp interface 4125 a2osbs 4125 netmask 255.255.255.255 
static (inside,outside) tcp interface 15000 a2osbs 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4203 Oude_Server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface pptp a2osbs pptp netmask 255.255.255.255 
static (dmz,outside) tcp interface ftp-data DMZ_FTP-server ftp-data netmask 255.255.255.255 
static (dmz,outside) tcp interface ftp DMZ_FTP-server ftp netmask 255.255.255.255 
static (dmz,outside) tcp interface 50050 DMZ_FTP-server 50050 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50049 DMZ_FTP-server 50049 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50048 DMZ_FTP-server 50048 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50047 DMZ_FTP-server 50047 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50046 DMZ_FTP-server 50046 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50045 DMZ_FTP-server 50045 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50044 DMZ_FTP-server 50044 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50043 DMZ_FTP-server 50043 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50042 DMZ_FTP-server 50042 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50041 DMZ_FTP-server 50041 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50040 DMZ_FTP-server 50040 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50039 DMZ_FTP-server 50039 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50038 DMZ_FTP-server 50038 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50037 DMZ_FTP-server 50037 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50036 DMZ_FTP-server 50036 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50035 DMZ_FTP-server 50035 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50034 DMZ_FTP-server 50034 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50033 DMZ_FTP-server 50033 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50032 DMZ_FTP-server 50032 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50031 DMZ_FTP-server 50031 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50030 DMZ_FTP-server 50030 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50029 DMZ_FTP-server 50029 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50028 DMZ_FTP-server 50028 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50027 DMZ_FTP-server 50027 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50026 DMZ_FTP-server 50026 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50025 DMZ_FTP-server 50025 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50024 DMZ_FTP-server 50024 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50023 DMZ_FTP-server 50023 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50022 DMZ_FTP-server 50022 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50021 DMZ_FTP-server 50021 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50020 DMZ_FTP-server 50020 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50019 DMZ_FTP-server 50019 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50018 DMZ_FTP-server 50018 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50017 DMZ_FTP-server 50017 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50016 DMZ_FTP-server 50016 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50015 DMZ_FTP-server 50015 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50014 DMZ_FTP-server 50014 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50013 DMZ_FTP-server 50013 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50012 DMZ_FTP-server 50012 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50011 DMZ_FTP-server 50011 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50010 DMZ_FTP-server 50010 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50009 DMZ_FTP-server 50009 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50008 DMZ_FTP-server 50008 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50007 DMZ_FTP-server 50007 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50006 DMZ_FTP-server 50006 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50005 DMZ_FTP-server 50005 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50004 DMZ_FTP-server 50004 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50003 DMZ_FTP-server 50003 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50002 DMZ_FTP-server 50002 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50001 DMZ_FTP-server 50001 netmask 255.255.255.255 
static (dmz,outside) tcp interface 50000 DMZ_FTP-server 50000 netmask 255.255.255.255 
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz

Open in new window

0
Silencer001
Asked:
Silencer001
  • 5
  • 5
  • 2
  • +1
1 Solution
 
Ernie BeekExpertCommented:
What type of license do you have?
0
 
jjmartineziiiCommented:
You are missing your NAT statements on the DMZ (Unless your DMZ is using Public IPs, I can't tell)


Try:

nat (DMZ) 1 0.0.0.0 0.0.0.0
0
 
Silencer001Author Commented:
Lol really? It was that simple?

Ahhh so normally access in the DMZ is using a public IP address and with this command you translate the internal address to a public address?

Thanks for the comment erniebeek. I am using the IPSEC plus license.
0
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

 
jjmartineziiiCommented:
Yes, it goes with these statements. The global statement tells it to NAT all traffic using instance 1 to the IP of the outside interface. the nat (inside) 1 command tells it to nat all traffic (0.0.0.0) on the inside. the nat (DMZ) 1 does the same but for the DMZ

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
0
 
Ernie BeekExpertCommented:
That should do the trick indeed. If you have a plus license that won't give you any issues.
0
 
Silencer001Author Commented:
Thanks for the explanations guys! Now I see!! Is NATTING always needed when you want to go from 1 interface to another? So let's say DMZ to LAN?

DMZ: 192.168.3.0 /24
LAN: 192.168.2.0 /24

then I need a NAT rule when I want a computer in the DMZ accessible from the LAN? Let's say:


global (dmz) 2 interface
nat (inside) 2 192.168.3.200 192.168.2.200

Then the IP-address 192.168.3.200 is transformed to 192.168.2.200 when it wants to gain access to the LAN?
0
 
Ernie BeekExpertCommented:
In a firewall it is (because it's not a router).
So even if you don't want the addresses to be natted, you need to do that. But now you nat the address to itself.
Btw, your statement above is not correct, should be: nat (inside) 2 192.168.2.200 255.255.255.255. But then you nat the address 192.168.2.200 to the address of the DMZ interface. What you're looking for here is identity nat.

Have a look at:
http://www.wr-mem.com/?p=4
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043405
0
 
Silencer001Author Commented:
Thanks for the links erniebeek! Will read through this when I get back home!!
Is there also a nice book of cisco specifically for firewalls? I have the first 4 books of cisco at home, but covers mostly VLAN's, ACL's and routing..

The following line also translates hosts from the LAN to the DMZ:?


 
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Open in new window

0
 
Silencer001Author Commented:
I think that we are looking in the wrong direction and that the firewall isn't the problem. Without having to add any rule I can access every share in the LAN from my DMZ except for 1 PC. Also RDP is working from 1 zone to another, except file sharing so don't think that NAT would be the problem?
0
 
Ernie BeekExpertCommented:
You might be right, I already see that static in the initial config you posted (are those dutch comment in there?).
So let me get this straight, there is just one pc on the lan which shares you can't get to from the DMZ?
0
 
Silencer001Author Commented:
Yes indeed =) You already helped me with the config of the ASA DMZ in the first place:-D

Indeed, that fully correct! I can ping and rdp to the client in the LAN without any problems..
0
 
Ernie BeekExpertCommented:
Ah, it sometimes hard to keep track of all the people over here ;)

Ok, so we might want to have a closer look at that client then. Do you get any errors when trying to connect, or does something show in the eventlog of the client? Any firewall/virusscanner running on the client that might get in the way?
0
 
Mystique_87Commented:
yup, if you have the IPSEC plus license, the license would not be the issue. Do try the nat commands as suggested.

Also, when you are sending traffic from DMZ to the LAN, ie, from lower security level to the higher security level, the nat would not be necessary.

Natting is required when you are sending traffic from a higher security level to a lower security level, like from LAN to DMZ/Outside.

In case you would like to disable this being mandatory, you can issue the command 'no nat-control'
This command is available on versions prior to 8.3.
Once this is configured, it is not mandatory to configure nat for traffic from higher security level to lower security level. The natting will take place only if it is configured.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

  • 5
  • 5
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now