Solved

Cisco ASA 5510 routing from Mgt(DMZ) to Internal

Posted on 2013-10-31
Last Modified: 2013-11-19
Hi Guys,

Some help needed.
I've spent a while on this, let me set the scene

Scene:
I've a webserver on the Mgt interface (this is really a DMZ using the Mgt interface as a non-management interface; in other words, the box "dedicate this interface to management" is not ticked).
This is IP range 192.168.50.x, with the webserver at 192.168.50.99.

I've a PC on the standard internal interface (inside) on 192.168.8.64

Problem:
I cannot browse to http://192.168.50.99 (Mgt) from 192.168.8.64 (inside); in other words it is not allowing web traffic between the interfaces. I looked up security levels etc. and have kept them both at 100, and I've also allowed the interfaces to talk to each other with "same-security-traffic permit inter-interface", along with permit rules and NAT rules. FYI, the box can ping both addresses from each of its interfaces.

Logs:
In the syslog I'm getting SYN Timeout which points me towards NAT, but I've NAT rules in for all networks to see each other.

Help Needed:
I need help in allowing the inside to be able to browse to a web server on the mgt.
The webserver is working well on the localhost PC.

I've a sample of the config below.

Any help much appreciated.


Config:

interface Ethernet0/0
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.8.254 255.255.255.0

interface Management0/0
 description Mgt Internal
 speed 100
 duplex full
 nameif Mgt
 security-level 100
 ip address 192.168.50.254 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network Inside_Network
 subnet 192.168.8.0 255.255.255.0

object network Mgt-network
 subnet 192.168.50.0 255.255.255.0
 description Mgt-network
object-group network Internal_Networks
 network-object object Inside_Network
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
 network-object object Mgt-network

access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any
access-list backup_access_in extended deny ip any any
access-list Mgt_access_in extended permit tcp object-group Internal_Networks any eq www
access-list Mgt_access_in extended permit ip any any
access-list Mgt_access_out extended permit ip any any
nat (any,any) source static Internal_Networks Internal_Networks destination static Internal_Networks Internal_Networks no-proxy-arp description Nat Exemption for internal networks
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Mgt_access_in in interface Mgt
access-group Mgt_access_out out interface Mgt
http server enable
http 192.168.8.0 255.255.255.0 inside

sysopt noproxyarp inside
Question by:ggntt
4 Comments
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 39614119
First, don't do this:

access-group Mgt_access_in in interface Mgt
access-group Mgt_access_out out interface Mgt

Only apply ACLs into the interface to keep it simple.

For now remove:
access-list Mgt_access_in extended permit tcp object-group Internal_Networks any eq www
Leaving only the permit any any to see if that's an issue.
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 39614126
Oh, and looking at:
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any


You could simplify that to:
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any

Why? because you first allow certain ports:
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp

And after that allow everything (ip) from that network, making the first three rules unnecessary.

The last line:
access-list inside_access_in extended permit ip object Mgt-network any
is irrelevant because that network is not on the inside.
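Ernie Beek's point that the broader "permit ip" line makes the three port-specific ACEs unnecessary can be checked mechanically. The following first-match analyzer is an added example, not code from the thread; it parses only the simple ASA extended-ACE forms that appear on this page (network mask, any, object NAME, optional eq PORT) and reports ACEs that are fully covered by another same-action ACE with no differently-acting ACE between them. The ACL text and the object table are constructed from the lines quoted above.

```python
import ipaddress

# Constructed sample: the inside_access_in ACEs quoted in the thread, plus the
# object definition needed to resolve "object Mgt-network".
OBJECTS = {"Mgt-network": ipaddress.ip_network("192.168.50.0/24")}
ACL = """
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_addr(tokens):
    """Consume one ASA address spec (any / object NAME / network mask)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "object":
        return OBJECTS[tokens[1]], tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]

def parse_ace(line):
    """access-list NAME extended ACTION PROTO SRC DST [eq PORT] -> dict."""
    t = line.split()
    src, rest = parse_addr(t[5:])
    dst, rest = parse_addr(rest)
    port = rest[1] if rest[:1] == ["eq"] else None
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst,
            "port": port, "text": line}

def covers(a, b):
    """True if ACE a matches every packet that ACE b matches."""
    return ((a["proto"] == "ip" or a["proto"] == b["proto"])
            and (a["port"] is None or a["port"] == b["port"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"]))

def redundant_rules(acl_text):
    """ACE lines covered by another same-action ACE; a later covering ACE only
    counts if no differently-acting ACE sits in between (first-match order)."""
    aces = [parse_ace(l) for l in acl_text.splitlines() if l.startswith("access-list")]
    found = []
    for i, b in enumerate(aces):
        for j, a in enumerate(aces):
            if i == j or a["action"] != b["action"] or not covers(a, b):
                continue
            if j > i and covers(b, a):      # exact duplicate: keep the first copy
                continue
            if j < i or all(r["action"] == b["action"] for r in aces[i + 1:j]):
                found.append(b["text"])
                break
    return found
```

Run on the sample, it returns exactly the www, https and ftp lines; the Mgt-network line is not flagged because nothing covers 192.168.50.0/24, which matches the answer's separate point that the line is simply irrelevant on the inside interface.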
 

Accepted Solution

by:
ggntt earned 0 total points
ID: 39647429
Guys, looks like this turned out to be a local PC issue from what I can see; the local firewall on the PC had caused the issue. The troubleshooting pointed to this logic. I had spent too much time focusing on the Cisco side; what put me off is that the PC replied to ping. However, the PC was blocking HTTP access.
 

Author Closing Comment

by:ggntt
ID: 39658747
An oversight by not looking at the PC itself causing the routing block.