Cisco DMZ NAT configuration

Hi there.
I have a DMZ configured on an interface on a Cisco ASA 5520 firewall running software version 7.0.
I can get to my one server, 192.168.100.11, on there by RDP. I can also reach it from the Internet by using the static external IP address.
My problem is I cannot get from the DMZ web server out to anywhere else (the Internet, or back to the internal network, even after creating ACLs). I need this site to hit a database on our internal network eventually.

The setup is:
Inside network = 172.25.0.0
Inside interface on ASA = 172.25.10.5
DMZ = 192.168.100.0
DMZ interface = 192.168.100.254
DMZ webserver = 192.168.100.11

Here is part of the current config (I've removed all the security/NAT ACL rules and left what I hope is everything relevant to this question).

I think my problem is I have to add NAT to the DMZ. I've tried various methods and have had no luck yet. Can anybody tell me what I need to do, or see anything I need to get rid of from the config below?


"
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 1.2.3.4 255.255.255.192
!
interface GigabitEthernet0/1
 nameif Swtich
 security-level 50
 ip address 172.25.10.5 255.255.0.0
!
interface GigabitEthernet0/2
 description DMZ - to be configured
 nameif DMZ
 security-level 25
 ip address 192.168.100.254 255.255.255.0

same-security-traffic permit inter-interface
object-group network DMZ_Outside
 network-object 0.0.0.0 0.0.0.0

object-group network DMZ-Web-Servers
 description DMZ Web Servers
 network-object WEBSERVER-01 255.255.255.255

object-group service WEBSERVER-01_trafffic tcp
 description Allows Http, https and FTP to WEBSERVER-01 on the DMZ
 port-object eq ftp
 port-object eq www
 port-object eq https

mtu Outside 1500
mtu Swtich 1500
mtu management 1500
mtu DMZ 1500
icmp permit any Outside
icmp permit any Swtich
icmp permit any DMZ

global (Outside) 1 interface
global (DMZ) 1 interface
nat (Swtich) 1 172.25.0.0 255.255.0.0
nat (management) 0 access-list management_nat0_outbound
access-group outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
"
jamiegf asked:
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
You are two major versions behind. I would upgrade to the latest for sure.

Your traffic in your DMZ to the LAN is going through NAT, I believe.

But again, upgrade first to the latest version before anything, IMO.
max_the_king commented:
Hi,
you may well have errors on your access-list ... which you didn't post.
Basically, should you want your webserver to go to the Internet, you need:

access-list DMZ_access_in permit ip host 192.168.100.11 any

Should you want to give access from the webserver to host 172.25.10.100 on port 23 (as an example), you need:

access-list acl_dmz permit tcp host 172.16.1.150 host 172.25.10.100 eq 23

Hope this helps,
max
Jan Springer commented:
packet-tracer input DMZ udp 192.168.100.11 65535 8.8.4.4 53 detailed

What are the results?
jamiegf (author) commented:
Daniel, if I upgrade, what happens to the existing config? Does it convert it?
I'm scared of bringing down our network and our customers too. So I'd rather not upgrade.

Hi Max. I have the inside interface at security level 50, DMZ at 25 and the outside interface at 0, so I didn't think I needed ACLs to go out to the Internet, only to come back to the higher security level. Or do I have that wrong?

I have the following ACLs:
"
access-list Outside-access-DMZ remark allow traffic into DMZ
access-list outside-access-DMZ extended permit tcp any host WEBSERVER-01 eq www
access-list DMZ_access_in remark Allow WEBSERVER-01 (on DMZ) to access Mysql (port 3306) on UNix server 172.25.6.100
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host 172.25.6.100 object-group MySQL_Traffic
access-list DMZ_access_in remark test to my machine from DMZ- JGF
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host 172.25.2.100
"

I have also used the ASDM to grant access to any IP address on any TCP port just to quickly test, and this also didn't work. So I'm thinking it must be a NAT issue.
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
Your current config should be upgraded, but you want to do a few incremental upgrades.

Perform the packet trace as well. It should give you some idea if it is an access-list issue.
Jan Springer commented:
jamiegf, you should only ever *have to* upgrade for any of these three reasons:

1) you need a bug fix in a later release (or sometimes have to fall back to a previous release)

2) you are impacted by a security vulnerability

3) you are reaching end of life and need continued support
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
The codebase is 7; it should be upgraded.
max_the_king commented:
Hi,

"Hi Max. I have the inside interface at security level 50, DMZ at 25 and the outside interface at 0, so I didn't think I needed ACLs to go out to the Internet, only to come back to the higher security level. Or do I have that wrong?"

Wrong: this is true only if you do not apply an access-list to the interface (e.g. access-group DMZ_access_in in interface DMZ). Any other case has an implicit "deny any any".

Please try the access-list I provided in the last post; in particular, just to make sure it can go to the Internet:
access-list DMZ_access_in permit ip host 192.168.100.11 any

then:
access-list DMZ_access_in permit tcp host WEBSERVER-01 host 172.25.6.100 eq 3306

This last case is a little more complicated, because it will depend on whether host 172.25.6.100 is already NATted to a DMZ or an outside IP.

max
jamiegf (author) commented:
Hi Max, the first part worked a treat. I can ping www.google.com etc. Great, thank you so much for that!

The next part hasn't worked. I tried another rule to my own machine and that also didn't work. I tested it by telnetting from other machines, and the tests work OK from the "inside" network.
Do you know what I should try next?
There are no NAT rules for 172.25.6.100, but there is already an ACL for it:
"
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host 172.25.2.100
"
max_the_king commented:
Hi,
then you might already have a NAT from inside to DMZ. If this is the case, you may try to exempt NAT from inside to DMZ and then try again with the access-list I provided. Please note that you'd better test the access-list by doing a telnet to the requested port, e.g. from the DMZ host command line: telnet 172.25.10.100 3306

This is the code to exempt NAT from inside to DMZ:
access-list nonatdmz permit ip 172.25.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (Switch) 0 access-list nonatdmz

max
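
An added offline check (my own code, not from the thread or from Cisco) for the two causes that were in play here: an access-group bound to the DMZ interface turns on the implicit deny Max describes, and pre-8.3 code needs a nat 0 exemption (or a static) before a DMZ host can reach an inside host. It assumes the constructed config below, modelled on the thread's pre-8.3 syntax, and only understands any/host/network-mask address specs with numeric eq ports (no object-groups, no deny entries).

```python
import ipaddress
import re
# Constructed sample modelled on the pre-8.3 config posted in the thread (not the real box).
BEFORE = """\
nat (Swtich) 1 172.25.0.0 255.255.0.0
access-list DMZ_access_in extended permit tcp host 192.168.100.11 host 172.25.6.100 eq 3306
access-group DMZ_access_in in interface DMZ
"""
# Same config plus the NAT exemption (nat 0) from inside to the DMZ subnet that Max suggested.
AFTER = BEFORE + ("access-list nonatdmz permit ip 172.25.0.0 255.255.0.0 192.168.100.0 255.255.255.0\n"
                  "nat (Swtich) 0 access-list nonatdmz\n")

def parse(text):  # collect bound ACLs, nat 0 ACLs and the permit entries of each ACL
    cfg = {"groups": {}, "nat0": {}, "acls": {}}
    for line in text.splitlines():
        if m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["groups"][m[2]] = m[1]
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg["nat0"][m[1]] = m[2]
        elif m := re.match(r"access-list (\S+) (?:extended )?permit \S+ (.*)", line):
            cfg["acls"].setdefault(m[1], []).append(m[2].split())
    return cfg

def _addr(tok):  # consume one address spec (any | host A | A MASK) from an ACL entry
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def acl_permits(cfg, name, src, dst, port=None):
    """True if a permit entry in ACL `name` covers src -> dst (numeric `eq` ports only)."""
    for ent in cfg["acls"].get(name, []):
        s, rest = _addr(ent)
        d, rest = _addr(rest)
        ok_port = port is None or rest[:1] != ["eq"] or rest[1] == str(port)
        if ok_port and ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d:
            return True
    return False

def check_dmz_to_inside(cfg, dmz_if, inside_if, src, dst, port):  # implicit deny + missing nat 0
    findings = []
    acl = cfg["groups"].get(dmz_if)
    if acl and not acl_permits(cfg, acl, src, dst, port):
        findings.append(f"{acl} on {dmz_if} has no permit for {src}->{dst}:{port} (implicit deny)")
    exempt = cfg["nat0"].get(inside_if)
    if not (exempt and acl_permits(cfg, exempt, dst, src)):
        findings.append(f"no nat 0 on {inside_if} exempting {dst}->{src} from translation")
    return findings
```

On the firewall itself, packet-tracer (as Jan suggests above) remains the authoritative check; this only triages the config text offline.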
jamiegf (author) commented:
Absolute legend! Thank you, Max!
max_the_king commented:
Thanks!
Should you want to upgrade the firewall code, be aware that the NAT statements will have to be quite different.
The following is an article I wrote that I believe may be helpful:
http://www.experts-exchange.com/articles/11175/Cisco-ASA-PRE-8-3-and-POST-8-3-NAT-Operations.html

cheers
max