cisco DMZ NAT configuration
jamiegf asked:
Hi there.
I have a DMZ configured on an interface on a Cisco Firewall ASA5520 running software version 7.0.
I can get to my one server 192.168.100.11 on there by RDP. I can also reach it from the internet by using the static external IP address.
My problem is I cannot get from the DMZ web server out to anywhere else (the internet or back to the internal network, even after creating ACLs). I need this site to hit a database on our internal network eventually.
The setup is
Inside network = 172.25.0.0
Inside interface on ASA = 172.25.10.5
DMZ = 192.168.100.0
DMZ interface = 192.168.100.254
DMZ webserver = 192.168.100.11
Here is part of the current config (I've removed all the security/NAT ACL rules and left what I hope is anything relevant to this question).
I think my problem is I have to add NAT to the DMZ. I've tried various methods and have had no luck yet. Can anybody tell me what I need to do, or see anything I need to get rid of from the config below?
"
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 1.2.3.4 255.255.255.192
!
interface GigabitEthernet0/1
nameif Swtich
security-level 50
ip address 172.25.10.5 255.255.0.0
!
interface GigabitEthernet0/2
description DMZ - to be configured
nameif DMZ
security-level 25
ip address 192.168.100.254 255.255.255.0
same-security-traffic permit inter-interface
object-group network DMZ_Outside
network-object 0.0.0.0 0.0.0.0
object-group network DMZ-Web-Servers
description DMZ Web Servers
network-object WEBSERVER-01 255.255.255.255
object-group service WEBSERVER-01_trafffic tcp
description Allows Http, https and FTP to WEBSERVER-01 on the DMZ
port-object eq ftp
port-object eq www
port-object eq https
mtu Outside 1500
mtu Swtich 1500
mtu management 1500
mtu DMZ 1500
icmp permit any Outside
icmp permit any Swtich
icmp permit any DMZ
global (Outside) 1 interface
global (DMZ) 1 interface
nat (Swtich) 1 172.25.0.0 255.255.0.0
nat (management) 0 access-list management_nat0_outbound
access-group outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
"
Hi,
you may well have errors on your access-list ... which you didn't post.
Basically, should you want your webserver to go to the Internet, you need:
access-list DMZ_access_in permit ip host 192.168.100.11 any
Should you want to give access from the webserver to host 172.25.10.100 on port 23 (as an example), you need:
access-list DMZ_access_in permit tcp host 192.168.100.11 host 172.25.10.100 eq 23
hope this helps
max
packet-tracer input DMZ udp 192.168.100.11 65535 8.8.4.4 53 detailed
what are the results?
ASKER
Daniel, if I upgrade, what happens to the existing config? Does it convert it?
I'm scared of bringing down our network and our customers too. So I'd rather not upgrade.
Hi Max. I have the inside interface at security level 50, DMZ at 25 and outside interface at 0, so I didn't think I needed ACLs to go out to the internet, only to come back to the higher security level. Or do I have that wrong?
I have the following ACLs:
"
access-list Outside-access-DMZ remark allow traffic into DMZ
access-list outside-access-DMZ extended permit tcp any host WEBSERVER-01 eq www
access-list DMZ_access_in remark Allow WEBSERVER-01 (on DMZ) to access Mysql (port 3306) on UNix server 172.25.6.100
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host 172.25.6.100 object-group MySQL_Traffic
access-list DMZ_access_in remark test to my machine from DMZ- JGF
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host 172.25.2.100
"
I have also used the ASDM to grant access to any IP address on any TCP port just to quickly test, and this also didn't work. So I'm thinking it must be a NAT issue.
Your current config should be upgraded, but you want to do a few incremental upgrades.
Perform the packet trace as well. It should give you some idea if it is an access-list issue.
jamiegf, you should only ever *have to* upgrade for any of these three reasons:
1) you need a bug fix in a later release (or sometimes have to fall back to a previous release)
2) you are impacted by a security vulnerability
3) you are reaching end of life and need continued support
The codebase is 7, it should be upgraded.
Hi,
"
Hi Max. I have the inside interface at security level 50, DMZ at 25 and outside interface at 0, so I didn't think I needed ACLs to go out to the internet, only to come back to the higher security level. Or do I have that wrong?
"
Wrong: this is true only if you do not apply the access-list on an interface (e.g.: access-group DMZ_access_in in interface DMZ). Any other case has an implicit "deny any any".
Please try the access-list I provided in the last post; in particular, just to make sure it can go to the Internet:
access-list DMZ_access_in permit ip host 192.168.100.11 any
then:
access-list DMZ_access_in permit tcp host WEBSERVER-01 host 172.25.6.100 eq 3306
This last case is a little more complicated, because it will depend on whether host 172.25.6.100 is already NATted to a DMZ or an outside IP.
max
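The point Max makes above (once an access-group binds an ACL to the interface, the ACL ends in an implicit "deny any any" and the security-level comparison no longer applies) is easy to verify with a small model. The following Python script is an added example, not code from the thread or from Cisco: it parses the DMZ_access_in lines the asker posted, plus the line Max suggested, and decides the two flows discussed in the thread (the DNS probe from Daniel's packet-tracer command and the MySQL connection to 172.25.6.100). Interface names, security levels and addresses come from the posted config; the resolution of WEBSERVER-01 to 192.168.100.11 and of MySQL_Traffic to port 3306 is assumed from the asker's remarks, since the object definitions were not posted. The model covers only the access-list and security-level stage of the ASA's decision, not the NAT lookup that the thread's accepted solution dealt with.

```python
"""Model of how a pre-8.3 Cisco ASA decides a new flow at the ACL stage.

If an access-list is bound to the ingress interface (access-group ... in
interface X), that ACL decides and ends in an implicit 'deny any any'.
Only when no ACL is bound does the security-level rule apply (traffic may
go from a higher to a lower security level, not the other way).

Constructed example for the thread above; NAT is deliberately not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface name -> (security level, connected network), from the posted config.
INTERFACES = {
    "Outside": (0, ipaddress.ip_network("0.0.0.0/0")),
    "Swtich": (50, ipaddress.ip_network("172.25.0.0/16")),
    "DMZ": (25, ipaddress.ip_network("192.168.100.0/24")),
}

# Assumed: names the asker used in the ACL but whose definitions were not posted.
OBJECTS = {"WEBSERVER-01": "192.168.100.11"}
PORT_GROUPS = {"MySQL_Traffic": {3306}}
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "telnet": 23, "domain": 53}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[set]  # None means any destination port


def _parse_addr(tokens):
    """Consume 'any' | 'host X' | 'ADDR MASK' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(OBJECTS.get(host, host) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text, name):
    """Return the ACEs of access-list `name` in configuration order.

    'remark' lines are skipped and the 'extended' keyword is optional,
    as it is on the ASA CLI.
    """
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name] or len(tokens) < 3 or tokens[2] == "remark":
            continue
        tokens = tokens[2:]
        if tokens[0] == "extended":
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        dports = None
        if tokens and tokens[0] == "eq":
            port = tokens[1]
            dports = {int(port) if port.isdigit() else PORT_NAMES[port]}
        elif tokens and tokens[0] == "object-group":
            dports = PORT_GROUPS[tokens[1]]
        aces.append(Ace(action, proto, src, dst, dports))
    return aces


def egress_interface(dst_ip):
    """Longest-prefix lookup over the connected networks; 0.0.0.0/0 is Outside."""
    dst = ipaddress.ip_address(dst_ip)
    best = max((net for _, net in INTERFACES.values() if dst in net),
               key=lambda net: net.prefixlen)
    return next(name for name, (_, net) in INTERFACES.items() if net == best)


def decide(flow, ingress, acl=None):
    """Return 'permit' or 'deny' for flow = (proto, src_ip, dst_ip, dst_port)."""
    proto, src_ip, dst_ip, dport = flow
    egress = egress_interface(dst_ip)
    if acl is None:
        # No access-group on the ingress interface: security levels decide.
        return "permit" if INTERFACES[ingress][0] > INTERFACES[egress][0] else "deny"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if src in ace.src and dst in ace.dst and (ace.dports is None or dport in ace.dports):
            return ace.action
    return "deny"  # implicit deny any any at the end of every bound ACL


# The asker's DMZ_access_in as posted, and the same list with Max's line appended.
ASKER_ACL = """
access-list DMZ_access_in remark Allow WEBSERVER-01 (on DMZ) to access Mysql (port 3306) on UNix server 172.25.6.100
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host 172.25.6.100 object-group MySQL_Traffic
access-list DMZ_access_in remark test to my machine from DMZ- JGF
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host 172.25.2.100
"""
MAX_FIX = ASKER_ACL + "access-list DMZ_access_in permit ip host 192.168.100.11 any\n"

DNS_OUT = ("udp", "192.168.100.11", "8.8.4.4", 53)         # Daniel's packet-tracer flow
MYSQL_IN = ("tcp", "192.168.100.11", "172.25.6.100", 3306)  # web server to the MySQL host


def results():
    """Verdicts for the DNS probe (no ACL, asker's ACL, Max's fix) and for MySQL."""
    no_acl = decide(DNS_OUT, "DMZ")
    asker = decide(DNS_OUT, "DMZ", parse_acl(ASKER_ACL, "DMZ_access_in"))
    fixed = decide(DNS_OUT, "DMZ", parse_acl(MAX_FIX, "DMZ_access_in"))
    mysql = decide(MYSQL_IN, "DMZ", parse_acl(ASKER_ACL, "DMZ_access_in"))
    return no_acl, asker, fixed, mysql


if __name__ == "__main__":
    labels = ("DNS, no ACL bound", "DNS, asker's ACL", "DNS, with Max's line", "MySQL, asker's ACL")
    for label, verdict in zip(labels, results()):
        print(f"{label:>22}: {verdict}")
```

Running it shows why the asker's intuition failed: with no ACL bound, DMZ (25) to Outside (0) is permitted on security level alone, but as soon as DMZ_access_in is bound, the DNS probe hits the implicit deny because every posted entry is TCP-only, and only the `permit ip host 192.168.100.11 any` line lets it through. The MySQL flow already passes the ACL stage in both cases, which is consistent with the remaining problem being NAT rather than the access-list.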
ASKER
Hi Max - the first part worked a treat. I can ping www.google.com etc. great, thank you so much for that!
The next part hasn't worked. I tried another rule to my own machine and that also didn't work. Tested it by telnetting from other machines, and the tests work OK from the "inside" network.
Do you know what I should try next?
There are no NAT rules for 172.25.6.100, but there is already an ACL for it:
"
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host 172.25.2.100
"
ASKER CERTIFIED SOLUTION
ASKER
Absolute legend! thank you Max!
Thanks !
Should you want to upgrade the firewall code, be aware that the NAT statements will have to be quite different.
The following is an article I wrote that I believe may be helpful:
https://www.experts-exchange.com/articles/11175/Cisco-ASA-PRE-8-3-and-POST-8-3-NAT-Operations.html
cheers
max
Your traffic in your DMZ to the LAN is going through NAT I believe.
But again, upgrade first to the latest version before anything IMO