Solved

On an ASA allowing DMZ host access to internal resource and external internet

Posted on 2013-01-28
Last Modified: 2013-01-29
Hello

I am setting up a new Cisco ASA running 8.6 code.

The problem:
I need to give granular access to internal resources from a DMZ host.  Whenever I apply an access list to the DMZ I get access to the internal resource but lose access to the internet.  How do I give access to internal resources while maintaining outbound access to the internet?

Thanks in advance

Config:
hostname SFN-ASA1
domain-name ia-global.com
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.34 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.2.0.3 255.255.255.248
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.29.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 10.2.3.20 255.255.255.0
 management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 10.2.3.21
 name-server 10.2.3.22
 domain-name ia-global.com
object network test_rdp
 host 10.2.0.4
object network obj_dmz_network
 subnet 172.16.29.0 255.255.255.0
object network obj_dmz_server
 host 172.16.29.5
object network objN_default_network
 subnet 0.0.0.0 0.0.0.0
object service objS_rdp
 service tcp source eq 3389 destination eq 3389
object network objN_inside
 subnet 10.0.0.0 255.0.0.0
object-group service objS_outbound_protocols
 description This group is used for all outbound protocols
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq ftp
 service-object tcp destination eq ssh
 service-object tcp destination eq 3389
 service-object udp destination eq ntp
 service-object icmp
access-list dmz_access extended permit udp any any eq domain
access-list dmz_access extended permit tcp host 172.16.29.5 host 10.2.0.4 eq www
access-list public_access extended permit tcp any object obj_dmz_server eq 3389
access-list public_access extended permit tcp any object test_rdp eq www
access-list public_access extended permit tcp any object obj_dmz_server eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any Inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
!
object network test_rdp
 nat (Inside,outside) static x.x.x.56
object network obj_dmz_network
 nat (Inside,dmz) static obj_dmz_network
object network obj_dmz_server
 nat (dmz,outside) static x.x.x.58
object network objN_inside
 nat (Inside,outside) dynamic interface
access-group public_access in interface outside
access-group dmz_access in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
route Inside 10.0.0.0 255.0.0.0 10.2.0.1 1
route Inside 192.168.0.0 255.255.0.0 10.2.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 Inside
http 192.168.0.0 255.255.0.0 Inside
http 192.168.0.0 255.255.0.0 management
http 10.2.3.0 255.255.255.0 Inside
http 10.2.3.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.0.0.0 255.0.0.0 Inside
telnet timeout 30
ssh 10.0.0.0 255.0.0.0 Inside
ssh timeout 30
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.3.21
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:aef02da99b50f1131f7e772a5b85638b
Question by: jdflory

Accepted Solution
by: rauenpc
Your ACL needs to have all the specific permit statements, then general deny statements for private IP ranges, followed by a permit any. Without the permit any at the end, the implicit deny any will take effect and block all other traffic. This allows certain traffic to inside hosts, denies all other attempts at accessing private IPs, and then allows anything else, which at that point can only be public IP addresses.

access-list dmz_access extended permit udp any any eq domain
access-list dmz_access extended permit tcp host 172.16.29.5 host 10.2.0.4 eq www
access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_access extended deny ip any 172.16.0.0 255.240.0.0
access-list dmz_access extended deny ip any 192.168.0.0 255.255.0.0
access-list dmz_access extended permit ip any any

From here it's just a matter of any nat/IPS rules that may also be in place.
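As an added illustration (not part of the thread and not rauenpc's or Cisco's code), here is a small Python model of how the ASA walks an extended ACL top-down and stops at the first matching line, falling through to the implicit deny when nothing matches. It encodes the asker's original dmz_access list, the accepted answer's corrected list, and the same lines with the permit any moved to the top, then evaluates a few constructed flows from the DMZ server (203.0.113.10 is a documentation address standing in for an Internet host). It also includes a check for lines that can never match because an earlier, broader line already covers them, which is exactly what goes wrong when the permit any is placed too early.

```python
"""First-match simulation of Cisco ASA extended ACL evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(spec: str) -> IPv4Net:
    """Parse an ASA-style address: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if spec == "any":
        return ANY
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Ace:
    """One access-control entry (one 'access-list ... extended' line)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto: str, src, dst, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl, proto, src, dst, dport=None) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down; the first matching ACE decides.  Returns
    (action, 1-based line) or ("deny", None) for the implicit deny that
    the ASA appends to every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, ace in enumerate(acl, start=1):
        if ace.matches(proto, s, d, dport):
            return ace.action, line
    return "deny", None


def shadowed(acl) -> List[int]:
    """Lines that can never match because an earlier ACE already covers
    everything they would match (a sign the ACL is misordered)."""
    hidden = []
    for j, b in enumerate(acl, start=1):
        for a in acl[: j - 1]:
            if (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src)
                    and b.dst.subnet_of(a.dst)
                    and (a.dport is None or a.dport == b.dport)):
                hidden.append(j)
                break
    return hidden


# The asker's ACL: only DNS and one web flow, then the implicit deny.
ORIGINAL = [
    Ace("permit", "udp", ANY, ANY, 53),
    Ace("permit", "tcp", net("host 172.16.29.5"), net("host 10.2.0.4"), 80),
]
# The accepted answer: specific permits, RFC 1918 denies, then permit any.
FIXED = ORIGINAL + [
    Ace("deny", "ip", ANY, net("10.0.0.0 255.0.0.0")),
    Ace("deny", "ip", ANY, net("172.16.0.0 255.240.0.0")),
    Ace("deny", "ip", ANY, net("192.168.0.0 255.255.0.0")),
    Ace("permit", "ip", ANY, ANY),
]
# Same ACEs with the permit any moved to the top: every later line is dead.
MISORDERED = [FIXED[-1]] + FIXED[:-1]

# Constructed sample flows from the DMZ server (203.0.113.10 is a documentation address).
FLOWS = [
    ("tcp", "172.16.29.5", "10.2.0.4", 80),       # the permitted inside web server
    ("tcp", "172.16.29.5", "10.2.0.5", 80),       # some other inside host
    ("tcp", "172.16.29.5", "203.0.113.10", 443),  # an Internet host
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED), ("misordered", MISORDERED)):
        print(f"{name}: shadowed lines = {shadowed(acl)}")
        for flow in FLOWS:
            print(f"  {flow} -> {evaluate(acl, *flow)}")
```

Running it shows the three cases side by side: with the original list the Internet flow falls through to the implicit deny, with the corrected list it hits the final permit any (line 6) while the flow to the second inside host stops at the 10.0.0.0/8 deny (line 3), and with the permit any on top every other line is reported as shadowed, so the private-range denies never fire.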
 
Expert Comment
by: max_the_king
Hi,
I believe it is a problem of NAT exemption on the DMZ from inside.
Please try the following:

nat (Inside,dmz) source static objN_inside objN_inside destination static obj_dmz_network obj_dmz_network

object network obj_dmz_network
 no nat (Inside,dmz) static obj_dmz_network

clear xlate
exit
write mem

You can leave the access-list as in your posted configuration.

Hope this helps
max
 

Author Comment
by: jdflory
Thanks guys
NATting is working fine. It is definitely the access list.

rauenpc
So if I explicitly deny access to internal IPs, wouldn't that block access to the ones I allow? Is it the order that matters? This is the first logical-sounding argument I have heard, but I am still having a hard time understanding. Can you explain each step of your example, especially why there is ip any any?

thanks
 

Author Comment
by: jdflory
Thanks a lot rauenpc

That worked great. I guess the key is to keep the access list in the correct order. I did find I can use the line parameter in the access list to insert new lines wherever I want.

Thanks again