outbound web access from dmz

Unanswered Question
Feb 4th, 2008

I'm having a problem getting web access from my dmz network. It has a higher security-level than the outside interface, so shouldn't I be able to get outside internet access from the dmz? Inbound access from outside to the DMZ works fine the way I have it w/ PAT.

Does anyone see anything wrong w/ what I've got?

---

5510(config)# sh run
: Saved
:
ASA Version 7.0(7)
!
hostname 5510
enable password ABC87h/3Z9f23JKj6 encrypted
names
name 192.168.3.0 DEV_NET
name 192.168.4.0 DMZ_NET
name 192.168.2.0 CLUSTER_NET
name 199.199.xxx.0 AEW_NET
name 199.199.xxx.14 MY_WAN_IP
name 192.168.1.0 MGMT_NET
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address MY_WAN_IP 255.255.255.0
!
interface Ethernet0/1
 nameif dmz
 security-level 20
 ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/2
 nameif cluster
 security-level 60
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 nameif development
 security-level 80
 ip address 192.168.3.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group protocol TCP_UDP_ICMP
 protocol-object tcp
 protocol-object udp
 protocol-object icmp
object-group network CLUSTER_GRP
 network-object host 192.168.2.10
object-group network DEVELOPMENT_GRP
 network-object host 192.168.3.10
object-group network DMZ_GRP
 network-object host 192.168.4.10
object-group network INSIDE_GRP
 group-object DMZ_GRP
 group-object CLUSTER_GRP
 group-object DEVELOPMENT_GRP
object-group service DMZ_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq 3690
object-group service ALL_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq 3690
 port-object eq ssh
access-list ANY_ACCESS extended permit ip any any
access-list SSH_ACCESS extended permit tcp any any eq ssh
access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES
access-list DMZ_ACCESS extended permit tcp any interface dmz object-group DMZ_SERVICES
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu management 1500
mtu dmz 1500
mtu cluster 1500
mtu outside 1500
mtu development 1500
no failover
icmp permit any dmz
icmp permit any cluster
icmp permit any development
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (dmz) 1 DMZ_NET 255.255.255.0
nat (cluster) 1 CLUSTER_NET 255.255.255.0
nat (development) 1 DEV_NET 255.255.255.0
static (cluster,outside) tcp interface ssh 192.168.2.10 ssh netmask 255.255.255.255
static (dmz,outside) tcp interface www 192.168.4.10 www netmask 255.255.255.255
static (dmz,outside) tcp interface https 192.168.4.10 https netmask 255.255.255.255
static (dmz,outside) tcp interface 3690 192.168.4.10 3690 netmask 255.255.255.255
static (management,development) MGMT_NET MGMT_NET netmask 255.255.255.0
static (management,cluster) MGMT_NET MGMT_NET netmask 255.255.255.0
static (management,dmz) MGMT_NET MGMT_NET netmask 255.255.255.0
static (development,cluster) DEV_NET DEV_NET netmask 255.255.255.0
static (development,dmz) DEV_NET DEV_NET netmask 255.255.255.0
static (cluster,development) CLUSTER_NET CLUSTER_NET netmask 255.255.255.0
access-group DMZ_ACCESS in interface dmz
access-group SSH_ACCESS in interface cluster
access-group ALL_ACCESS in interface outside
route outside 0.0.0.0 0.0.0.0 139.169.174.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http MGMT_NET 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
...

acomiskey Mon, 02/04/2008 - 08:17

This acl is blocking it; don't forget about the explicit deny ip any any...

access-list DMZ_ACCESS extended permit tcp any interface dmz object-group DMZ_SERVICES

access-list DMZ_ACCESS extended deny ip any any

What is the reason for the above acl? If you don't need it, get rid of it and you will get to the internet. If you need access from the dmz to the inside, you must write the access in this acl.
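The point above, modelled as an added example that is not code from the thread or from Cisco: a small Python evaluator of ASA first-match ACL semantics with the implicit deny. DMZ_ACCESS is the ACE from the posted config; DMZ_EGRESS and the 203.0.113.5 Internet address are assumptions, showing an egress policy that restores web access from the dmz without also opening the higher-security networks to it.

```python
import ipaddress

# Added example, not code from the thread: models how the ASA evaluates an
# access-group applied "in" on the dmz interface. First matching ACE wins;
# no match falls through to the implicit deny at the end of every ACL.

def _net(spec):
    return ipaddress.ip_network(spec, strict=False)

# ACE tuple: (action, protocol, source, destination, destination ports or None)
DMZ_IF_IP = "192.168.4.1/32"        # "interface dmz" means the dmz interface address
DMZ_SERVICES = {80, 443, 3690}      # port-objects www, https, 3690 from the post

# The single ACE the poster applied with "access-group DMZ_ACCESS in interface dmz"
DMZ_ACCESS = [
    ("permit", "tcp", "0.0.0.0/0", DMZ_IF_IP, DMZ_SERVICES),
]

# Assumed replacement egress policy (not from the thread): DMZ hosts may reach
# the Internet on web ports but are explicitly denied the higher-security
# networks first, e.g. "access-list DMZ_EGRESS extended deny ip DMZ_NET
# 255.255.255.0 CLUSTER_NET 255.255.255.0" in ASA syntax.
INTERNAL_NETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
DMZ_EGRESS = [("deny", "ip", "192.168.4.0/24", n, None) for n in INTERNAL_NETS]
DMZ_EGRESS.append(("permit", "tcp", "192.168.4.0/24", "0.0.0.0/0", {80, 443}))

def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one flow using ASA first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, ports in acl:
        if p != "ip" and p != proto:          # "ip" ACEs match any protocol
            continue
        if s not in _net(src_net) or d not in _net(dst_net):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"                              # implicit deny ip any any

if __name__ == "__main__":
    web = ("tcp", "192.168.4.10", "203.0.113.5", 80)   # constructed Internet host
    print("posted ACL, dmz -> Internet:80 :", evaluate(DMZ_ACCESS, *web))   # deny
    print("egress ACL, dmz -> Internet:80 :", evaluate(DMZ_EGRESS, *web))   # permit
    print("egress ACL, dmz -> cluster:22  :",
          evaluate(DMZ_EGRESS, "tcp", "192.168.4.10", "192.168.2.10", 22))  # deny
```

The posted ACE only matches traffic addressed to the dmz interface itself, so every flow from a DMZ host toward the Internet falls through to the implicit deny; the egress ACL permits it while still stopping a compromised DMZ host from reaching the internal segments.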

a.e.wiggin Mon, 02/04/2008 - 08:34

I thought it was allowing only 3 of the 4 services I care about to get into the DMZ and ssh to the others. However, it did work.

I guess it has something to do w/ PAT, which I don't quite understand yet. Do access-lists override PAT? Was I using them both wrong together?

My only problem now is that my ssh logins take minutes to 'login' to other machines.
