On an ASA, allowing DMZ host access to an internal resource and the external internet

Posted on 2013-01-28
Last Modified: 2013-01-29
Hello

I am setting up a new Cisco ASA running 8.6 code.

The problem:
I need to give granular access to internal resources from a DMZ host.  Whenever I apply an access list to the DMZ I get access to the internal resource but lose access to the internet.  How do I give access to internal resources while maintaining outbound access to the internet?

Thanks in advance

Config:
hostname SFN-ASA1
domain-name ia-global.com
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.34 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.2.0.3 255.255.255.248
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.29.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 10.2.3.20 255.255.255.0
 management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 10.2.3.21
 name-server 10.2.3.22
 domain-name ia-global.com
object network test_rdp
 host 10.2.0.4
object network obj_dmz_network
 subnet 172.16.29.0 255.255.255.0
object network obj_dmz_server
 host 172.16.29.5
object network objN_default_network
 subnet 0.0.0.0 0.0.0.0
object service objS_rdp
 service tcp source eq 3389 destination eq 3389
object network objN_inside
 subnet 10.0.0.0 255.0.0.0
object-group service objS_outbound_protocols
 description This group is used for all outbound protocols
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq ftp
 service-object tcp destination eq ssh
 service-object tcp destination eq 3389
 service-object udp destination eq ntp
 service-object icmp
access-list dmz_access extended permit udp any any eq domain
access-list dmz_access extended permit tcp host 172.16.29.5 host 10.2.0.4 eq www
access-list public_access extended permit tcp any object obj_dmz_server eq 3389
access-list public_access extended permit tcp any object test_rdp eq www
access-list public_access extended permit tcp any object obj_dmz_server eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any Inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
!
object network test_rdp
 nat (Inside,outside) static x.x.x.56
object network obj_dmz_network
 nat (Inside,dmz) static obj_dmz_network
object network obj_dmz_server
 nat (dmz,outside) static x.x.x.58
object network objN_inside
 nat (Inside,outside) dynamic interface
access-group public_access in interface outside
access-group dmz_access in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
route Inside 10.0.0.0 255.0.0.0 10.2.0.1 1
route Inside 192.168.0.0 255.255.0.0 10.2.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 Inside
http 192.168.0.0 255.255.0.0 Inside
http 192.168.0.0 255.255.0.0 management
http 10.2.3.0 255.255.255.0 Inside
http 10.2.3.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.0.0.0 255.0.0.0 Inside
telnet timeout 30
ssh 10.0.0.0 255.0.0.0 Inside
ssh timeout 30
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.3.21
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:aef02da99b50f1131f7e772a5b85638b
Question by:jdflory
4 Comments
 
Accepted Solution

by: rauenpc
ID: 38829661
Your ACL needs to have all the specific permit statements, then general deny statements for private IP ranges, followed by a permit any. Without the permit any at the end, the implicit deny any will take effect and block all other traffic. This allows certain traffic to inside hosts, denies all other attempts at accessing private IPs, and then allows anything else, which at that point can only be public IP addresses.

access-list dmz_access extended permit udp any any eq domain
access-list dmz_access extended permit tcp host 172.16.29.5 host 10.2.0.4 eq www
access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_access extended deny ip any 172.16.0.0 255.240.0.0
access-list dmz_access extended deny ip any 192.168.0.0 255.255.0.0
access-list dmz_access extended permit ip any any

From here it's just a matter of any nat/IPS rules that may also be in place.
 
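The ordering argument in the accepted solution is easy to get wrong because the ASA evaluates an ACL top-down, stops at the first matching entry, and ends every ACL with an implicit deny. The following is an added example, not code from the thread or from Cisco: a small Python model of that first-match evaluation for the subset of extended ACE syntax used above (ip/tcp/udp, any | host A | A MASK, optional eq PORT). It reproduces the original symptom (two permits only, so internet traffic hits the implicit deny), checks the corrected ACL against the poster's own addresses (172.16.29.5, 10.2.0.4, the 10.2.3.21 DNS server from the config), and goes one step further than the thread by flagging ACEs that can never match because an earlier, broader entry covers them, which is exactly what happens if the private-range denies are placed before the specific permit. The public address 203.0.113.10 is a constructed TEST-NET address, not one from the page.

```python
"""ASA-style first-match ACL evaluation (added example, not from the thread).

Models only the 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'
subset used in the question, plus the implicit deny at the end of every ACL.
203.0.113.10 below is a constructed public (TEST-NET-3) address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "ssh": 22, "ftp": 21, "ntp": 123}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port


def _address(tokens):
    """Consume one ASA address argument; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA takes a real subnet mask here, not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line):
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto, rest = t[3], t[4], t[5:]
    src, rest = _address(rest)
    dst, rest = _address(rest)
    dport = None
    if rest:                     # only an 'eq PORT' clause is modelled
        if len(rest) != 2 or rest[0] != "eq":
            raise ValueError(f"unsupported port clause: {line}")
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]


def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; (\"deny\", None) means the implicit deny fired."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None


def shadowed(acl):
    """(index, by_index) for ACEs that can never match: an earlier ACE covers them."""
    dead = []
    for i, later in enumerate(acl):
        for j in range(i):
            e = acl[j]
            if (e.proto in ("ip", later.proto)
                    and e.src.supernet_of(later.src) and e.dst.supernet_of(later.dst)
                    and (e.dport is None or e.dport == later.dport)):
                dead.append((i, j))
                break
    return dead


def check(acl_text, proto, src, dst, dport=None):
    return evaluate(parse_acl(acl_text), proto, src, dst, dport)


# The two lines from the question, the private-range denies from the answer,
# and the closing permit, assembled in the correct and in the wrong order.
POSTED = """\
access-list dmz_access extended permit udp any any eq domain
access-list dmz_access extended permit tcp host 172.16.29.5 host 10.2.0.4 eq www
"""
PRIVATE_DENIES = """\
access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_access extended deny ip any 172.16.0.0 255.240.0.0
access-list dmz_access extended deny ip any 192.168.0.0 255.255.0.0
"""
PERMIT_REST = "access-list dmz_access extended permit ip any any\n"
CORRECTED = POSTED + PRIVATE_DENIES + PERMIT_REST
WRONG_ORDER = PRIVATE_DENIES + POSTED + PERMIT_REST

if __name__ == "__main__":
    print("posted ACL, DMZ -> internet 443:", check(POSTED, "tcp", "172.16.29.5", "203.0.113.10", 443))
    print("corrected, DMZ -> internet 443:", check(CORRECTED, "tcp", "172.16.29.5", "203.0.113.10", 443))
    print("corrected, DMZ -> 10.2.0.4 www:", check(CORRECTED, "tcp", "172.16.29.5", "10.2.0.4", 80))
    print("corrected, DMZ -> 10.2.0.4 rdp:", check(CORRECTED, "tcp", "172.16.29.5", "10.2.0.4", 3389))
    print("corrected, DMZ -> 10.2.3.21 dns:", check(CORRECTED, "udp", "172.16.29.5", "10.2.3.21", 53))
    print("denies first, DMZ -> 10.2.0.4 www:", check(WRONG_ORDER, "tcp", "172.16.29.5", "10.2.0.4", 80))
    print("dead ACEs when denies come first:", shadowed(parse_acl(WRONG_ORDER)))
```

The run shows the three things the thread argues over: with only the two permits, the HTTPS flow to a public address reaches the end of the list and is dropped by the implicit deny; with the corrected order it falls through the three denies and is caught by permit ip any any, while RDP to 10.2.0.4 is stopped by the 10.0.0.0/8 deny and the DNS permit still reaches the internal resolvers because it sits above that deny; and with the denies placed first, the host-to-host www permit is reported as dead because the deny for 10.0.0.0/8 already covers it. The model is deliberately minimal (no object names, no source ports, no object-groups), so check real changes on the box with packet-tracer rather than trusting it.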
Expert Comment

by:max_the_king
ID: 38830187
Hi,
I believe it is a problem of NAT exemption on the DMZ from the inside.
Please try the following:

nat (Inside,dmz) source static objN_inside objN_inside destination static obj_dmz_network obj_dmz_network

object network obj_dmz_network
 no nat (Inside,dmz) static obj_dmz_network

clear xlate
exit
write mem

You can leave the access-list as in your posted configuration.

Hope this helps,
max
 

Author Comment

by:jdflory
ID: 38831405
Thanks guys,
NATting is working fine. It is definitely the access list.

rauenpc,
So if I explicitly deny access to internal IPs, wouldn't that block access to the ones I allow? Is it the order that matters? This is the first logical-sounding argument I have heard, but I am still having a hard time understanding it. Can you explain each step of your example, especially why there is ip any any?

thanks
 

Author Comment

by:jdflory
ID: 38833514
Thanks a lot rauenpc

That worked great. I guess the key is to keep the access list in the correct order. I did find I can use the line parameter in the access-list command to insert new lines wherever I want.

Thanks again