Solved

Cisco ASA 5510 routing from Mgt(DMZ) to Internal

Posted on 2013-10-31
Last Modified: 2013-11-19
Hi Guys,

Some help needed.
I've spent a while on this, so let me set the scene.

Scene:
I've a web server on the mgt interface (this is really a DMZ using the mgt interface as a non-mgt interface; in other words, the box "dedicate this interface to management" is not ticked).
This is IP range 192.168.50.x with the web server at 192.168.50.99.

I've a PC on the standard internal interface (inside) on 192.168.8.64

Problem:
I cannot browse to http://192.168.50.99 (MGT) from 192.168.8.64 (inside); in other words, it is not allowing web traffic between the interfaces. I looked up security levels etc. and have kept them both at 100, and I've also allowed the interfaces to talk to each other with "same-security-traffic permit inter-interface", along with permit rules and NAT rules. FYI, the box can ping both addresses from each of its interfaces.

Logs:
In the syslog I'm getting SYN Timeout which points me towards NAT, but I've NAT rules in for all networks to see each other.

Help Needed:
I need help in allowing the inside to be able to browse to a web server on the mgt.
The webserver is working well on the localhost PC.

I've a sample of the config below.

Any help much appreciated.


Config:

interface Ethernet0/0
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.8.254 255.255.255.0

interface Management0/0
 description Mgt Internal
 speed 100
 duplex full
 nameif Mgt
 security-level 100
 ip address 192.168.50.254 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network Inside_Network
 subnet 192.168.8.0 255.255.255.0

object network Mgt-network
 subnet 192.168.50.0 255.255.255.0
 description Mgt-network



object-group network Internal_Networks
 network-object object Inside_Network
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
 network-object object Mgt-network

access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any


access-list backup_access_in extended deny ip any any
access-list Mgt_access_in extended permit tcp object-group Internal_Networks any eq www
access-list Mgt_access_in extended permit ip any any
access-list Mgt_access_out extended permit ip any any


nat (any,any) source static Internal_Networks Internal_Networks destination static Internal_Networks Internal_Networks no-proxy-arp description Nat Exemption for internal networks


access-group inside_access_in in interface inside
access-group outside_access_in in interface outside


access-group Mgt_access_in in interface Mgt
access-group Mgt_access_out out interface Mgt



http server enable
http 192.168.8.0 255.255.255.0 inside

sysopt noproxyarp inside
Question by: ggntt

4 Comments
LVL 35

Assisted Solution

by: Ernie Beek
Ernie Beek earned 500 total points
ID: 39614119
First, don't do this:

access-group Mgt_access_in in interface Mgt
access-group Mgt_access_out out interface Mgt

Only apply ACLs into the interface to keep it simple.

For now remove:
access-list Mgt_access_in extended permit tcp object-group Internal_Networks any eq www
leaving only the permit any any, to see if that's the issue.
LVL 35

Assisted Solution

by: Ernie Beek
Ernie Beek earned 500 total points
ID: 39614126
Oh, and looking at:
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any


You could simplify that to:
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any

Why? because you first allow certain ports:
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp

And after that you allow everything (ip) from that network, making the first three rules unnecessary.

The last line:
access-list inside_access_in extended permit ip object Mgt-network any
is irrelevant because that network is not on the inside.
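As an added illustration that is not part of the thread, the overlap reasoning in the answer above can be mechanised: the script below parses the inside_access_in entries from the question and reports each entry that a broader same-action entry in the same list already covers. It understands only `any`, `object NAME` (resolved from a small table built from the question's config) and `address mask` sources and destinations; object-group entries are skipped, so treat it as a lint aid rather than a substitute for the ASA's own `packet-tracer`.

```python
import ipaddress
import re
from collections import namedtuple

# Named objects referenced as "object NAME" (value taken from the question's config).
OBJECTS = {"Mgt-network": ipaddress.ip_network("192.168.50.0/24")}
ANY = ipaddress.ip_network("0.0.0.0/0")
# The inside_access_in entries from the question, in their original order.
INSIDE_ACL = [
    "access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www",
    "access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https",
    "access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp",
    "access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any",
    "access-list inside_access_in extended permit ip object Mgt-network any",
]
Ace = namedtuple("Ace", "acl action proto src dst port")

def _addr(tokens):  # consume one address spec: any | object NAME | ADDRESS MASK
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "object":
        return OBJECTS[tokens.pop(0)]
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")

def parse_ace(line):
    """Parse one extended ACE (port None = all ports); unsupported forms such as object-group return None."""
    m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line.strip())
    if not m:
        return None
    name, action, proto, rest = m.groups()
    tokens = rest.split()
    try:
        src, dst = _addr(tokens), _addr(tokens)
    except (KeyError, ValueError, IndexError):
        return None
    port = tokens[1] if tokens[:1] == ["eq"] else None
    return Ace(name, action, proto, src, dst, port)

def covers(broad, narrow):
    """True if every packet matching `narrow` would also match `broad`."""
    return (broad.acl == narrow.acl and broad.proto in ("ip", narrow.proto)
            and broad.port in (None, narrow.port)
            and narrow.src.subnet_of(broad.src) and narrow.dst.subnet_of(broad.dst))

def find_redundant(lines):
    """Return (entry, covering_entry) index pairs: the first adds nothing beyond the second."""
    aces = [a for a in map(parse_ace, lines) if a]
    return [(i, j) for i, a in enumerate(aces) for j, b in enumerate(aces)
            if i != j and a.action == b.action and covers(b, a)]
```

Running `find_redundant(INSIDE_ACL)` reports entries 0, 1 and 2 (www, https, ftp) as covered by entry 3 (permit ip), which is exactly the simplification suggested above; the Mgt-network entry is not flagged because nothing in the list covers it.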

Accepted Solution

by: ggntt
ggntt earned 0 total points
ID: 39647429
Guys, looks like this turned out to be a local PC issue from what I can see; the local firewall on the PC had caused the issue. The troubleshooting pointed to this logic. I had spent too much time focusing on the Cisco side; what put me off is that the PC replied to ping. However, the PC was blocking HTTP access.

Author Closing Comment

by: ggntt
ID: 39658747
An oversight: by not looking at the PC itself, I missed what was causing the routing block.