ASA, inside to dmz access

Unanswered Question
Jun 9th, 2009

Hi, hope someone can help. I've been working on setting up access from some clients on the inside interface to a host on the dmz. I've been unable to get it working so far. The config is below.

ASA Version 7.0(8)

!

enable password Bte2XWw78iXdJmqt encrypted

passwd Bte2XWw78iXdJmqt encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240 standby x.x.x.x

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.224 255.255.255.0 standby 10.0.0.225

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.901

vlan 901

nameif dmz

security-level 50

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

!

interface Management0/0

description LAN Failover Interface

!

ftp mode passive

access-list dmz-in extended permit icmp any any

access-list dmz-in extended permit ip any host 192.168.1.50 log

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

failover

failover lan unit primary

failover lan interface LANFAIL Management0/0

failover polltime unit msec 500 holdtime 5

failover polltime interface 3

failover key *****

failover interface ip LANFAIL 172.16.0.1 255.255.255.0 standby 172.16.0.2

icmp permit any inside

icmp permit any dmz

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

access-group dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.0.0.0 255.0.0.0 10.0.0.252 1

route inside 192.168.0.0 255.255.255.0 10.0.0.252 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username administrator password 1V34C/gDgAuBFfnF encrypted privilege 15

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh x.x.x.x 255.255.255.240 outside

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:e3c62475fae1d5ffaf08dc9b5f5a1483

: end

I can see the following in the log when the connection fails when trying icmp from the inside host 10.0.0.92 to the dmz host 192.168.1.50.

%ASA-7-609002: Teardown local-host inside:10.0.0.92 duration 0:00:02

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:02

Any help would be greatly appreciated.

Luis Melendrez Tue, 06/09/2009 - 10:55

Try adding the inspect icmp to the default global_policy.

ASA# config t

ASA(config)# policy-map global_policy

ASA(config-pmap)# class inspection_default

ASA(config-pmap-c)# inspect icmp

srikantganesh Tue, 06/09/2009 - 11:56

Try adding

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

==

Recommend updating the firewall to the latest version, 8.2(1) (not to resolve this issue, but as best practice).

francisco_1 Wed, 06/10/2009 - 00:22

Looks like you're also missing an ACL on the inside interface:

access-list inside-in extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-group inside-in in interface inside

francisco_1 Wed, 06/10/2009 - 00:44

This command "static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0" uses static identity NAT for inside address 10.0.0.0 when accessed by the dmz. Static identity NAT translates the real IP address to the same IP address. The translation is always active, and both "translated" and remote hosts can originate connections.

kegodfrey Wed, 06/10/2009 - 01:24

Thanks for getting back with some recommendations guys. I'm still having problems accessing the DMZ from inside, icmp, rdp or otherwise. The logs are showing this info..

%ASA-7-609002: Teardown local-host inside:10.0.0.92 duration 0:00:02

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:02

Any ideas? Thanks for your help.

kegodfrey Wed, 06/10/2009 - 02:48

Thanks, here is the latest config..

enable password Bte2XWw78iXdJmqt encrypted

passwd Bte2XWw78iXdJmqt encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240 standby x.x.x.x

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.224 255.255.255.0 standby 10.0.0.225

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.901

vlan 901

nameif dmz

security-level 50

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

!

interface Management0/0

description LAN Failover Interface

!

ftp mode passive

access-list dmz-in extended permit icmp any any

access-list dmz-in extended permit ip any host 192.168.1.50 log

access-list inside-in extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

failover

failover lan unit primary

failover lan interface LANFAIL Management0/0

failover polltime unit msec 500 holdtime 5

failover polltime interface 3

failover key *****

failover interface ip LANFAIL 172.16.0.1 255.255.255.0 standby 172.16.0.2

icmp permit any inside

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

access-group inside-in in interface inside

access-group dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.0.0.0 255.0.0.0 10.0.0.252 1

route inside 192.168.0.0 255.255.255.0 10.0.0.252 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username administrator password 1V34C/gDgAuBFfnF encrypted privilege 15

username instalec password 19VhLQJ8INTCLvRW encrypted

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:e3c62475fae1d5ffaf08dc9b5f5a1483

: end

[OK]

IDG-ASA#

Kureli Sankar Wed, 06/10/2009 - 03:32

nat 0 with acl takes precedence over static identity.

You can remove this line:

nat (inside) 0 access-list nonat

Also, this line doesn't make any sense:

access-list dmz-in extended permit ip any host 192.168.1.50 log

If the dmz host listens on port 80 or 23, try a tcp connection, although icmp should work.

sh logg | i 192.168.1.50

and see what that says.

Does 192.168.1.50 have 192.168.1.1 as its gateway?

Does this layer 3 device 10.0.0.252 have a route to the firewall in order to get to 192.168.1.0/24?

francisco_1 Wed, 06/10/2009 - 03:50

remove

access-list dmz-in extended permit ip any host 192.168.1.50 log

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

add

access-list dmz-in extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

try it now.

check your routing

route inside 10.0.0.0 255.0.0.0 10.0.0.252 1

route inside 192.168.0.0 255.255.255.0 10.0.0.252 1

For interfaces directly connected to the ASA, you don't need routes for those networks. Make sure routing is set up properly. Post a network diagram if you have one so we can see the traffic path between inside and dmz.

kegodfrey Wed, 06/10/2009 - 04:00

Thanks for the feedback. Here is the log for the 192.168.1.50 host; it does have 192.168.1.1 as its default gateway and can ping its default gateway. The routing is in place: hosts on the 10.x subnet(s) have a route to the 192.168.1.0/24 subnet via the inside interface of the ASA.

ip route 192.168.1.0 255.255.255.0 10.0.0.224

As to how it connects, both the inside and dmz interfaces are connected to the same switch in different VLANs. There is a VLAN for the DMZ, where the only route into it is via the ASA. The inside interface connects into the main VLAN, where the default gateway for the hosts on this VLAN is 10.0.0.252. The host 192.168.1.50 can ping the 192.168.1.1 interface, and the hosts on the LAN can ping 10.0.0.224 (the inside ASA interface). Your assistance is greatly appreciated.

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/0 gaddr 10.0.0.92/512 laddr 10.0.0.92/512

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:02

%ASA-7-609001: Built local-host dmz:192.168.1.50

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:00

%ASA-7-609001: Built local-host dmz:192.168.1.50

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:00

%ASA-7-609001: Built local-host dmz:192.168.1.50

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:00

%ASA-7-609001: Built local-host dmz:192.168.1.50

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:00

%ASA-7-609001: Built local-host dmz:192.168.1.50

%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.50/0 gaddr 10.0.0.92/512 laddr 10.0.0.92/512
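The lines kegodfrey pasted are ASA connection syslogs: 302020/302021 are the build and teardown of an ICMP connection, 609001/609002 the creation and removal of a local-host entry. The script below is an added example, not something from the thread or a Cisco tool: it parses a constructed sample of those lines (copied from the post above with the terminal wrapping undone) and reports, per flow, which side initiated it and how often the firewall built and tore down a connection. The names SAMPLE_LOG, parse_asa_log, summarize_flows and local_host_events are the example's own.

```python
"""Parse Cisco ASA connection syslog, ICMP 302020/302021 (built/teardown) and
local-host 609001/609002, and summarise per flow who initiated it and how many
times the firewall built and tore down a connection for it.

Added example for this thread; not a tool from the original post or from Cisco."""
import re

# Constructed sample: lines copied from the posted 'show logging' output with the
# terminal wrapping undone; only a representative subset is included.
SAMPLE_LOG = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/0 gaddr 10.0.0.92/512 laddr 10.0.0.92/512
%ASA-7-609002: Teardown local-host dmz:192.168.1.50 duration 0:00:02
%ASA-7-609001: Built local-host dmz:192.168.1.50
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/768 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.50/0 gaddr 10.0.0.92/512 laddr 10.0.0.92/512
"""

# 302020 = Built {inbound|outbound} ICMP connection, 302021 = Teardown ICMP connection.
# faddr is the host on the lower-security (foreign) side, laddr the host on the
# higher-security (local) side, gaddr is laddr as seen after translation; for ICMP
# the "port" field carries the echo identifier.
CONN_RE = re.compile(
    r"%ASA-\d-3020(?:20|21): (?P<event>Built|Teardown)(?: (?P<dir>inbound|outbound))? "
    r"ICMP connection for faddr (?P<faddr>[\d.]+)/(?P<fid>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gid>\d+) laddr (?P<laddr>[\d.]+)/(?P<lid>\d+)"
)
# 609001 = Built local-host IF:IP, 609002 = Teardown local-host IF:IP duration h:mm:ss
HOST_RE = re.compile(
    r"%ASA-\d-6090(?:01|02): (?P<event>Built|Teardown) local-host "
    r"(?P<ifc>\w+):(?P<ip>[\d.]+)(?: duration (?P<duration>[\d:]+))?"
)


def parse_asa_log(text):
    """One dict per recognised line (regex group names as keys); other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = CONN_RE.search(line) or HOST_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize_flows(records):
    """Group ICMP connection events by (faddr, laddr).

    Teardown lines carry no direction, so direction and initiator come from the
    Built line of the same pair: 'inbound' means the foreign (lower-security) host
    started the flow, 'outbound' means the local host did.
    """
    flows = {}
    for r in records:
        if "faddr" not in r:
            continue  # local-host record, handled by local_host_events()
        f = flows.setdefault((r["faddr"], r["laddr"]),
                             {"direction": None, "initiator": None, "built": 0, "teardown": 0})
        if r["event"] == "Built":
            f["built"] += 1
            f["direction"] = r["dir"]
            f["initiator"] = r["faddr"] if r["dir"] == "inbound" else r["laddr"]
        else:
            f["teardown"] += 1
    return flows


def local_host_events(records):
    """(event, interface, ip, duration) for each 609001/609002 line, in log order."""
    return [(r["event"], r["ifc"], r["ip"], r["duration"]) for r in records if "ifc" in r]


if __name__ == "__main__":
    recs = parse_asa_log(SAMPLE_LOG)
    for (faddr, laddr), f in summarize_flows(recs).items():
        target = laddr if f["direction"] == "inbound" else faddr
        print(f"{f['initiator']} -> {target}: {f['direction']}, "
              f"built {f['built']}, teardown {f['teardown']}")
    for event, ifc, ip, duration in local_host_events(recs):
        print(event, f"{ifc}:{ip}", duration or "")
```

On the posted lines this separates two flows: 192.168.1.50 pinging its gateway 192.168.1.1 (inbound, because it arrives on the lower-security dmz interface) and 10.0.0.92 pinging 192.168.1.50 (outbound). A Built line means the packet already passed the interface ACL and NAT checks; the teardown about two seconds later matches the configured `timeout conn ... icmp 0:00:02`. Without `inspect icmp` the ASA does not track the echo reply as part of that connection, so these lines alone do not show whether a reply ever came back from 192.168.1.50; the host's own firewall and a capture on the dmz are the next places to look.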

francisco_1 Wed, 06/10/2009 - 04:10

looks like the connection is built and allowed.

Is your switch doing inter-VLAN routing? Your ASA is routing the packets between interfaces; your VLANs should be Layer 2 VLANs without an SVI on the switch, and just point your PCs' gateway to the ASA directly.

kegodfrey Wed, 06/10/2009 - 04:18

The switch is doing inter-VLAN routing, but not for the dmz VLAN 901. The only devices on the dmz VLAN 901 are the dmz interface of the ASA and the 192.168.1.50 host. The DMZ VLAN is configured only as an L2 VLAN and no routed interface exists for it on the switch.

The switch is the default gateway for the 10.x hosts. I don't want to have to change the client PCs' default gateway to the internal ASA interface; is this necessary?

francisco_1 Wed, 06/10/2009 - 04:26

not necessary. your setup is ok.

Try adding

access-list inside-in extended permit icmp any any

access-list dmz-in extended permit icmp any any

francisco_1 Wed, 06/10/2009 - 04:32

Your switch should have ip route 192.168.1.0 255.255.255.0 pointing to the ASA [inside interface].

You should only route on the ASA for prefixes it doesn't know about...

remove this on ASA

route inside 10.0.0.0 255.0.0.0 10.0.0.252 1

remove this..

route inside 192.168.0.0 255.255.255.0 10.0.0.252 1

You need to be more specific when routing to inside. Try adding routes again on the ASA for the subnets you want to route to inside..

and test.....

kegodfrey Wed, 06/10/2009 - 04:33

No, still no luck. icmp still not working... I've tried other ports, such as http and rdp that I know the host is listening on, but no connection.

kegodfrey Wed, 06/10/2009 - 04:50

Yes, I have removed the routes. The device I am trying to ping 192.168.1.50 from is on the same 10.x subnet as the inside interface as the ASA, so there are no routes other than the one outside. Still not working. Any more ideas?

francisco_1 Wed, 06/10/2009 - 05:05

pls post your config again. I want to go through it one last time...

kegodfrey Wed, 06/10/2009 - 05:12

Thanks for your help, really appreciate it.

Here is the config.

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240 standby x.x.x.x

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.224 255.255.255.0 standby 10.0.0.225

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.901

vlan 901

nameif dmz

security-level 50

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

!

interface Management0/0

description LAN Failover Interface

!

ftp mode passive

access-list dmz-in extended permit icmp any any

access-list dmz-in extended permit ip any host 192.168.1.50 log

access-list inside-in extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

access-list inside-in extended permit icmp any any

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

failover

failover lan unit primary

failover lan interface LANFAIL Management0/0

failover polltime unit msec 500 holdtime 5

failover polltime interface 3

failover key *****

failover interface ip LANFAIL 172.16.0.1 255.255.255.0 standby 172.16.0.2

icmp permit any inside

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

global (dmz) 1 interface

nat (dmz) 1 192.168.1.0 255.255.255.0

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

access-group inside-in in interface inside

access-group dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username administrator password 1V34C/gDgAuBFfnF encrypted privilege 15

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:e3c62475fae1d5ffaf08dc9b5f5a1483

: end

[OK]

francisco_1 Wed, 06/10/2009 - 05:27

You still have some lines I asked you to remove above.

Copy and paste

nat (inside) 1 0.0.0.0 0.0.0.0

no global (dmz) 1 interface

no access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

access-list dmz-in extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

you should have

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 192.168.1.0 255.255.255.0

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

access-list dmz-in extended permit icmp any any

access-list dmz-in extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list inside-in extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

access-list inside-in extended permit icmp any any

For testing we are permitting IP any any for now..
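Kureli Sankar's remark earlier in the thread that `nat 0` with an access-list takes precedence over a static identity, francisco_1's "you should have" rule set above, and the `nat-control` line in the posted config all come down to the pre-8.3 NAT order of operations (NAT exemption, then static, then dynamic nat/global). The script below is an added example, not from the thread or from Cisco: it parses a constructed excerpt of the posted config and evaluates the 10.0.0.92 -> 192.168.1.50 flow under the variants that were discussed. It is a deliberately simplified model (IP-level ACEs only, no object-groups, no policy NAT, statics matched only from their real interface), so its verdicts are a sanity check on a config, not the ASA's decision; SECLEVEL, SAMPLE_CONFIG, parse_config, nat_lookup, evaluate and scenarios are the example's own names.

```python
"""Toy model of how a pre-8.3 ASA (7.x/8.2, as here) admits a new flow: ingress ACL, or the
security-level rule when none is bound, then NAT lookup in the documented order: nat 0
access-list, static, dynamic nat/global; under nat-control, no translation means drop.
Added example for this thread, not from the post or Cisco. IP-level ACEs only, no
object-groups or policy NAT; statics are matched from their real interface only."""
import ipaddress

# Interface security levels from the posted config; the rest is a constructed excerpt of
# that config plus the static identity line suggested in the thread.
SECLEVEL = {"outside": 0, "inside": 100, "dmz": 50}
SAMPLE_CONFIG = """\
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit ip any host 192.168.1.50 log
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group dmz-in in interface dmz
"""

def _addr(tokens):  # one ACE address spec ('any' | 'host A' | 'A MASK') -> (network, rest)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text, seclevel=SECLEVEL):
    cfg = {"seclevel": seclevel, "acl": {}, "access_group": {}, "nat0": [], "static": [],
           "nat": [], "global": set(), "nat_control": False}
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] == "access-list" and t[2] == "extended":  # NAME extended ACTION PROTO SRC DST ...
            src, rest = _addr(t[5:])
            cfg["acl"].setdefault(t[1], []).append((t[3], t[4], src, _addr(rest)[0]))
        elif t[0] == "access-group":  # access-group NAME in interface IF
            cfg["access_group"][t[4]] = t[1]
        elif t[0] == "nat-control":
            cfg["nat_control"] = True
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":  # NAT exemption
            cfg["nat0"].append((t[1].strip("()"), t[4]))
        elif t[0] == "nat":  # nat (IF) ID NET MASK
            cfg["nat"].append((t[1].strip("()"), t[2], ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":  # global (IF) ID interface|POOL
            cfg["global"].add((t[1].strip("()"), t[2]))
        elif t[0] == "static":  # static (REAL_IF,MAPPED_IF) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["static"].append((real_if, mapped_if, ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False), t[2]))
    return cfg

def acl_permits(entries, proto, src, dst):  # first matching ACE wins, implicit deny at the end
    for action, p, s, d in entries:
        if p in ("ip", proto) and src in s and dst in d:
            return action == "permit"
    return False

def nat_lookup(cfg, src_if, dst_if, src, dst):
    """Describe the translation that applies to the flow, or None if there is none."""
    for ifc, acl in cfg["nat0"]:  # 1. exemption: the ACL's source side is the real network
        if ifc == src_if and any(a == "permit" and src in s and dst in d
                                 for a, _, s, d in cfg["acl"].get(acl, [])):
            return f"nat ({ifc}) 0 access-list {acl}"
    best = None
    for real_if, mapped_if, real, mapped in cfg["static"]:  # 2. static, longest real prefix wins
        if (real_if, mapped_if) == (src_if, dst_if) and src in real and (
                best is None or real.prefixlen > best[2].prefixlen):
            best = (real_if, mapped_if, real, mapped)
    if best:
        return f"static ({best[0]},{best[1]}) {best[3]} {best[2].network_address} netmask {best[2].netmask}"
    for ifc, nat_id, net in cfg["nat"]:  # 3. dynamic: needs a global with the same ID on the egress side
        if ifc == src_if and src in net and (dst_if, nat_id) in cfg["global"]:
            return f"nat ({ifc}) {nat_id} -> global ({dst_if}) {nat_id}"
    return None

def evaluate(cfg, src_if, dst_if, proto, src_ip, dst_ip):
    """('permit'|'deny', reason) for a new flow entering src_if and leaving via dst_if."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl = cfg["access_group"].get(src_if)
    if acl is None and cfg["seclevel"][src_if] <= cfg["seclevel"][dst_if]:
        return ("deny", f"no access-group on {src_if} and its security-level is not higher")
    if acl is not None and not acl_permits(cfg["acl"].get(acl, []), proto, src, dst):
        return ("deny", f"access-list {acl}: implicit deny")
    xlate = nat_lookup(cfg, src_if, dst_if, src, dst)
    if xlate is None and cfg["nat_control"]:
        return ("deny", "nat-control: no translation group found")
    return ("permit", xlate or "no translation required")

def scenarios():
    """inside 10.0.0.92 -> dmz 192.168.1.50 under the variants discussed in the thread."""
    flow = ("inside", "dmz", "icmp", "10.0.0.92", "192.168.1.50")
    no_nat0 = SAMPLE_CONFIG.replace("nat (inside) 0 access-list nonat\n", "")
    no_static = no_nat0.replace("static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0\n", "")
    return {"as posted": evaluate(parse_config(SAMPLE_CONFIG), *flow),    # exemption beats static
            "nat 0 removed": evaluate(parse_config(no_nat0), *flow),      # static identity applies
            "only nat/global": evaluate(parse_config(no_static), *flow),  # no global on dmz: dropped
            "dmz to inside tcp": evaluate(parse_config(SAMPLE_CONFIG), "dmz", "inside", "tcp",
                                          "192.168.1.50", "10.0.0.92")}
```

Calling `scenarios()` shows the three points the thread circles around. With the config as posted, the inside-to-dmz flow is allowed without any inside ACL (security-level 100 beats 50) and is covered by the `nat 0 access-list nonat` exemption, which is matched before the `static (inside,dmz)` identity rule, exactly as Kureli said; removing the exemption leaves the static to do the same job; removing both leaves only `nat (inside) 1`, which has a `global` on outside but none on dmz, so under `nat-control` the flow is dropped for lack of a translation. The fourth case shows why the ACE `permit ip any host 192.168.1.50` on dmz-in never matches anything useful: traffic entering the dmz interface has 192.168.1.50 as its source, not its destination.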

Kureli Sankar Wed, 06/10/2009 - 09:00

You are still only trying icmp? I see icmp built and teardown messages. So, the conns are getting built.

Are these Windows PCs? Do they have the firewall turned on? Especially the one that is supposed to reply to icmp.

If so, turn it off and try it pls.

Try some tcp connection like RDP or http or telnet.
