Solved

Cisco ASA Internal to DMZ access and Internet

Posted on 2013-05-31
2,622 Views
Last Modified: 2013-06-10
Hello Experts Exchange,

I am working on setting up a new DMZ solution on my Cisco ASA 5520 firewall, and have been having problems getting things to work.

What I need to do is...
1.) Allow the DMZ server (172.25.1.50) to the internet on port 80
2.) Allow internet access to the DMZ server (172.25.1.50) on port 80
3.) Allow the inside network (11.11.2.0) to access the DMZ server (172.25.1.50) on tcp 3389
4.) Allow the inside host (11.11.2.252) to access the DMZ server (172.25.1.50) on tcp 3051
5.) Allow the DMZ server (172.25.1.50) to access the inside host (11.11.2.252) on tcp 3051

I am using software version 8.2(2); below is my current configuration.

ASA-1(config)# sh run
: Saved
:
ASA Version 8.2(2) 
!
name 151.200.10.204 Corp-Out
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 151.200.10.250 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 11.11.4.38 255.255.254.0 
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.25.1.1 255.255.255.0 
!
boot system disk0:/asa822-k8.bin
ftp mode passive
object-group service RDP tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service 3051 tcp
 port-object eq 3051
access-list nonat extended permit ip host 151.200.10.203 any 
access-list acl_inside extended permit icmp any any 
access-list acl_inside extended permit ip any host 151.200.10.150 
access-list acl_inside extended permit tcp any host 151.200.10.150 
access-list acl_inside extended permit udp any host 151.200.10.150 
access-list acl_inside extended permit udp host 11.11.55.250 any 
access-list acl_inside extended permit tcp host 11.11.55.250 any 
access-list acl_inside extended permit tcp 11.11.2.0 255.255.255.0 host 172.25.1.50 eq 3389 
access-list acl_inside extended permit tcp host 11.11.2.152 host 172.25.1.50 object-group 3051 
access-list acl_inside extended deny tcp any 172.25.1.0 255.255.255.0 eq 3389 
access-list acl_inside extended deny ip any host 69.31.88.10 
access-list acl_inside extended deny tcp any host 115.253.253.254 eq 16464 
access-list acl_inside extended deny tcp any host 184.253.253.254 eq 16464 
access-list acl_inside extended deny tcp any any eq 27737 
access-list acl_inside extended deny tcp any any eq 19347 
access-list acl_inside extended deny tcp any any eq 24305 
access-list acl_inside extended deny tcp any any eq 29902 
access-list acl_inside extended deny tcp any any eq 25549 
access-list acl_inside extended deny tcp any any eq 15670 
access-list acl_inside extended deny udp any any eq 27737 
access-list acl_inside extended deny udp any any eq 19347 
access-list acl_inside extended deny udp any any eq 24305 
access-list acl_inside extended deny udp any any eq 29902 
access-list acl_inside extended deny udp any any eq 25549 
access-list acl_inside extended deny udp any any eq 15670 
access-list acl_inside extended deny tcp any host 180.253.253.254 eq 16464 
access-list acl_inside extended deny tcp any host 180.254.253.254 eq 16464 
access-list acl_inside extended deny udp any host 115.253.253.254 eq 16464 
access-list acl_inside extended deny udp any host 184.253.253.254 eq 16464 
access-list acl_inside extended deny udp any host 180.253.253.254 eq 16464 
access-list acl_inside extended deny udp any host 180.254.253.254 eq 16464 
access-list acl_inside extended deny udp any any eq tftp 
access-list acl_inside extended deny tcp any any eq 137 
access-list acl_inside extended deny tcp any any eq 138 
access-list acl_inside extended deny tcp any any eq netbios-ssn 
access-list acl_inside extended deny tcp any any eq 445 
access-list acl_inside extended deny tcp any any eq 593 
access-list acl_inside extended deny udp any any eq 8998 
access-list acl_inside extended deny tcp any any eq 7441 
access-list acl_inside extended deny udp any any eq 7997 
access-list acl_inside extended deny tcp any any eq 7997 
access-list acl_inside extended deny udp any any eq 4444 
access-list acl_inside extended deny tcp any any eq 4444 
access-list acl_inside extended deny udp any any eq 6257 
access-list acl_inside extended deny tcp any any eq 6699 
access-list acl_inside extended permit tcp host 11.11.1.12 any 
access-list acl_inside extended permit tcp host 11.11.4.20 any 
access-list acl_inside extended permit tcp host 172.20.1.250 any 
access-list acl_inside extended deny ip host 11.11.9.69 host 207.46.248.113 
access-list acl_inside extended deny ip host 11.11.9.188 any 
access-list acl_inside extended deny ip any host 66.250.188.38 
access-list acl_inside extended deny ip any host 64.62.193.35 
access-list acl_inside extended deny ip any host 204.2.192.53 
access-list acl_inside extended deny ip any host 204.2.192.59 
access-list acl_inside extended deny ip any host 204.2.177.71 
access-list acl_inside extended deny ip any host 207.188.7.85 
access-list acl_inside extended deny ip host 11.11.4.66 any 
access-list acl_inside extended permit ip host 11.11.1.48 any 
access-list acl_inside extended deny tcp any any eq smtp 
access-list acl_inside extended permit tcp host 11.11.2.241 any 
access-list acl_inside extended deny ip any host 74.117.62.125 
access-list acl_inside extended permit tcp host 11.11.1.12 any eq smtp 
access-list acl_inside extended permit tcp host 11.11.4.20 any eq smtp 
access-list acl_inside extended deny ip any host 149.20.51.124 
access-list acl_inside extended permit ip any any 
access-list 100 extended permit ip any host 151.200.10.150 
access-list 100 extended permit tcp any host 151.200.10.150 
access-list 100 extended permit udp any host 151.200.10.150 
access-list 100 extended permit udp any host Corp-Out 
access-list 100 extended permit tcp any host Corp-Out 
access-list 100 extended permit tcp any host 151.200.10.205 
access-list 100 extended permit udp any host 151.200.10.205 
access-list 100 extended permit tcp any host 151.200.10.247 
access-list 100 extended permit udp any host 151.200.10.247 
access-list 100 extended permit tcp any host 151.200.10.241 eq www 
access-list 100 extended permit tcp any host 151.200.10.241 eq 15868 
access-list 100 extended permit tcp any host 151.200.10.241 eq 30600 
access-list 100 extended permit tcp any host 151.200.10.240 eq www 
access-list 100 extended permit tcp any host 151.200.10.20 eq www 
access-list 100 extended permit tcp any host 151.200.10.20 eq pop3 
access-list 100 extended permit tcp any host 151.200.10.20 eq smtp 
access-list 100 extended permit tcp any host 151.200.10.30 eq www 
access-list 100 extended permit tcp any host 151.200.10.30 eq pop3 
access-list 100 extended permit tcp any host 151.200.10.30 eq smtp 
access-list 100 extended permit tcp any host 151.200.10.30 eq imap4 
access-list 100 extended permit tcp any host 151.200.10.30 eq https 
access-list 100 extended permit tcp any host 151.200.10.12 eq www 
access-list 100 extended permit tcp any host 151.200.10.12 eq https 
access-list 100 extended permit ip any host 151.200.10.22 
access-list 100 extended permit tcp any host 151.200.10.172 eq www 
access-list 100 extended permit tcp any host 151.200.10.172 eq pop3 
access-list 100 extended permit tcp any host 151.200.10.172 eq smtp 
access-list 100 extended permit tcp any host 151.200.10.172 eq https 
access-list 100 extended permit tcp any host 151.200.10.172 eq ssh 
access-list 100 extended permit tcp any host 151.200.10.172 eq telnet 
access-list 100 extended permit tcp any host 151.200.10.111 eq www 
access-list 100 extended permit tcp any host 151.200.10.111 eq https 
access-list 100 extended permit tcp any host 151.200.10.111 eq 8087 
access-list 100 extended permit tcp any host 151.200.10.112 eq www 
access-list 100 extended permit tcp any host 151.200.10.112 eq https 
access-list 100 extended permit tcp any host 151.200.10.112 eq 8087 
access-list 100 extended permit tcp any host 151.200.10.53 eq https 
access-list 100 extended deny tcp host 204.2.192.53 any 
access-list 100 extended deny tcp host 204.2.192.59 any 
access-list 100 extended deny tcp host 204.2.177.71 any 
access-list 100 extended deny tcp host 207.188.7.85 any 
access-list 100 extended deny tcp host 64.62.193.35 any 
access-list 100 extended deny tcp host 66.250.188.38 any 
access-list 100 extended deny tcp host 63.160.6.3 any 
access-list 100 extended permit tcp any host 151.200.10.243 
access-list 100 extended permit udp any host 151.200.10.243 
access-list 100 extended permit tcp any host 151.200.10.206 eq https 
access-list 100 extended permit ip any host 151.200.10.243 
access-list 100 extended permit ip any host 151.200.10.160 
access-list 100 extended permit tcp any host 151.200.10.203 
access-list 100 extended permit udp any host 151.200.10.203 
access-list 100 extended permit tcp any host 151.200.10.210 eq https 
access-list 100 extended permit tcp any host 151.200.10.211 eq https 
access-list 100 extended permit tcp any host 151.200.10.20 eq imap4 
access-list 100 extended permit tcp any host 151.200.10.141 eq www 
access-list 100 extended permit tcp any host 151.200.10.141 eq https 
access-list 100 extended permit ip any host 151.200.10.251 
access-list 100 extended permit tcp any host 151.200.10.141 eq 1755 
access-list 100 extended permit tcp any host 151.200.10.141 eq rtsp 
access-list 100 extended permit tcp any host 151.200.10.76 eq www 
access-list 100 extended permit tcp any host 151.200.10.76 eq https 
access-list 100 extended permit tcp any host 151.200.10.76 eq 8091 
access-list 100 extended deny ip host 149.20.51.124 any 
access-list dmz_access extended permit tcp host 172.25.1.50 host 11.11.2.152 eq 3051 
access-list dmz_access extended permit tcp host 172.25.1.50 any eq www 
pager lines 24
logging enable
logging timestamp
logging list All level informational
logging trap informational
logging asdm informational
logging host inside 11.11.4.104
logging class config trap informational 
logging class ip trap informational 
logging class session trap informational 
logging class vpn trap informational 
logging class vpnc trap informational 
logging class email trap informational 
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 151.200.10.249
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 2 11.11.9.67 255.255.255.255
nat (inside) 2 11.11.9.90 255.255.255.255
nat (inside) 2 11.11.9.92 255.255.255.255
nat (inside) 2 11.11.9.107 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 172.25.1.0 255.255.255.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) Corp-Health-Out 11.11.10.110 netmask 255.255.255.255 
static (inside,outside) 151.200.10.241 11.11.5.30 netmask 255.255.255.255 
static (outside,inside) 11.11.1.47 64.214.210.11 netmask 255.255.255.255 
static (inside,outside) 151.200.10.20 11.11.1.12 netmask 255.255.255.255 
static (inside,outside) 151.200.10.30 11.11.4.20 netmask 255.255.255.255 
static (inside,outside) 151.200.10.12 11.11.4.12 netmask 255.255.255.255 
static (inside,outside) 151.200.10.22 11.11.4.22 netmask 255.255.255.255 
static (inside,outside) 151.200.10.243 11.11.9.152 netmask 255.255.255.255 
static (inside,outside) 151.200.10.206 11.11.20.163 netmask 255.255.255.255 
static (inside,outside) 151.200.10.160 11.11.2.160 netmask 255.255.255.255 
static (inside,outside) 151.200.10.203 11.11.1.48 netmask 255.255.255.255 
static (inside,outside) 151.200.10.141 11.11.2.241 netmask 255.255.255.255 
static (inside,outside) 151.200.10.251 11.11.9.180 netmask 255.255.255.255 
static (inside,outside) 151.200.10.52 11.11.20.158 netmask 255.255.255.255 
static (inside,outside) 151.200.10.172 172.20.1.250 netmask 255.255.255.255 
static (inside,outside) 151.200.10.111 11.11.2.234 netmask 255.255.255.255 
static (inside,outside) 151.200.10.112 11.11.2.235 netmask 255.255.255.255 
static (inside,outside) 151.200.10.150 11.11.20.150 netmask 255.255.255.255 
static (inside,outside) 151.200.10.76 11.11.21.8 netmask 255.255.255.255 
static (inside,outside) 151.200.10.53 11.11.5.110 netmask 255.255.255.255 
static (DMZ,outside) 151.200.10.113 172.25.1.50 netmask 255.255.255.255 
static (inside,DMZ) 11.11.2.152 11.11.2.152 netmask 255.255.255.255 
access-group 100 in interface outside
access-group acl_inside in interface inside
access-group dmz_access in interface DMZ
!
router ospf 1
 network 10.0.0.0 255.255.0.0 area 0
 network 11.11.0.0 255.255.0.0 area 0
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 151.200.10.254 1
ASA-1(config)#              

Any help is welcome; I've been hitting my head on the wall on this one for a few days now.
Question by:crmcIT
4 Comments
LVL 17

Expert Comment

by:MAG03
ID: 39211926
What exactly isn't working? Is it all 5 points or just the DMZ to Inside that isn't?
LVL 2

Expert Comment

by:NE_Tech_Dude
ID: 39213926
I am a bit confused on what is not working, but if I am guessing correctly I think what is happening is there is no global 0 so your 172.25.1.0/24 network is getting identity natted (natted back into itself).  You can check to see if this is the case by doing a show xlate.
Try taking out line 194:  nat (DMZ) 0 172.25.1.0 255.255.255.0
no nat (DMZ) 0 172.25.1.0 255.255.255.0
and then issue a clear xlate to refresh the translation table (use this with caution or go more granular with the command if you are running in production)
clear xlate
I believe that if you identity nat like this, hosts on the DMZ will only be able to create the connections going out. Connections being established from outside will need a static that explicitly tells the ASA to nat from 172.25.1.50 to 172.25.1.50.

I notice you have a static put in for 172.25.1.50 mapping it to an outside addy 151.200.10.113

static (DMZ,outside) 151.200.10.113 172.25.1.50 netmask 255.255.255.255

If this is instead what you are trying to do, make sure you are trying to reach the dmz host 172.25.1.50 from an outside host by targeting this mapped ip 151.200.10.113. Also, make sure there is an ACL on the outside allowing for this (I currently do not see one allowing for port 80).


I'm making a few assumptions here but let me know if I'm off the mark and we can try again.

Accepted Solution

by:crmcIT earned 0 total points
ID: 39223742
I was able to fix the issue I was having.

Author Closing Comment

by:crmcIT
ID: 39234122
Access lists were applied to the wrong interface.
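An added check (not from this thread or any participant) that walks the five flows listed in the question through first-match ACL lookup on an excerpt of the posted 8.2 config: each flow must be permitted by the ACL applied inbound on the interface where the flow enters the firewall, which is exactly the mistake the closing comment names. The config excerpt and the Internet host address 198.51.100.10 are constructed; the ACE, object-group and access-group syntax follow the posted configuration.

```python
import ipaddress
# Constructed excerpt of the posted 8.2 config: only the ACEs, object-group and bindings the check needs.
CONFIG = """\
object-group service 3051 tcp
 port-object eq 3051
access-list acl_inside extended permit tcp 11.11.2.0 255.255.255.0 host 172.25.1.50 eq 3389
access-list acl_inside extended permit tcp host 11.11.2.152 host 172.25.1.50 object-group 3051
access-list acl_inside extended permit ip any any
access-list 100 extended permit tcp any host 151.200.10.241 eq www
access-list dmz_access extended permit tcp host 172.25.1.50 host 11.11.2.152 eq 3051
access-list dmz_access extended permit tcp host 172.25.1.50 any eq www
access-group 100 in interface outside
access-group acl_inside in interface inside
access-group dmz_access in interface DMZ
"""
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}  # ASA port keywords used in the posted config
def addr(toks):  # consume one ASA address spec (any | host A | A MASK); return (network, remaining tokens)
    if toks[0] == "any": return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host": return ipaddress.ip_network(toks[1]), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]

def parse(config):  # -> (acls[name] = ordered ACEs, bindings[interface] = ACL applied inbound there)
    acls, bindings, groups, cur = {}, {}, {}, None
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] == "object-group": cur = groups.setdefault(t[2], set())
        elif t[0] == "port-object": cur.add(int(t[2]))
        elif t[0] == "access-group": bindings[t[4]] = t[1]
        elif t[0] == "access-list":  # access-list NAME extended ACTION PROTO SRC DST [eq P | object-group G]
            src, rest = addr(t[5:]); dst, rest = addr(rest); ports = None  # None = any destination port
            if rest and rest[0] == "eq": ports = {PORT_NAMES.get(rest[1]) or int(rest[1])}
            elif rest and rest[0] == "object-group": ports = groups[rest[1]]
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst, ports, " ".join(t)))
    return acls, bindings

def check(acls, bindings, iface, proto, src, dst, port):  # first-match lookup on the ingress interface's ACL
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, ports, text in acls.get(bindings.get(iface, ""), []):
        if p in ("ip", proto) and s in sn and d in dn and (ports is None or port in ports):
            return action, text
    return "deny", f"implicit deny (no matching ACE on {iface})"

# The five flows from the question; the ingress interface is where the initiator sits. 198.51.100.10 is constructed.
FLOWS = [("1 DMZ->Internet:80", "DMZ", "172.25.1.50", "198.51.100.10", 80),
         ("2 Internet->DMZ:80", "outside", "198.51.100.10", "151.200.10.113", 80),  # mapped IP: what an 8.2 outside ACL sees
         ("3 inside->DMZ:3389", "inside", "11.11.2.10", "172.25.1.50", 3389),
         ("4 inside host->DMZ:3051", "inside", "11.11.2.252", "172.25.1.50", 3051),
         ("5 DMZ->inside host:3051", "DMZ", "172.25.1.50", "11.11.2.252", 3051)]

def audit(config=CONFIG):  # {flow name: (action, matching ACE text or implicit deny)}
    acls, bindings = parse(config)
    return {n: check(acls, bindings, i, "tcp", s, d, p) for n, i, s, d, p in FLOWS}
```

Flow 4 is only reached through the trailing permit ip any any, and flows 2 and 5 fall to the implicit deny. The inside and dmz_access ACEs are written for 11.11.2.152 while the question lists 11.11.2.252, which the lookup surfaces without guessing which address was intended.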
