02-04-2010 08:12 AM - edited 03-11-2019 10:05 AM
Hi,
would anybody be able to help me to configure asa 5505 to achieve these requirements please?
- 3x interface outside, inside, dmz
- some traffic needs to go from outside to dmz web server and then be forwarded to inside ip address or group ip addresses ( citrix secure gateway to citrix )
- some traffic needs to go from inside to dmz ( citrix to secure gateway, backup software, rdp ) possibly to do No NAT or exclusion so it doesn't uses outside
- some traffic needs to go from outside to inside restricted by source ip address ( user from x.x.x.x can go to y.y.y.y )
- some traffic needs to go from outside to inside on specific port to specific device ( smtp to spam firewall )
- some traffic needs to go from outside to all inside ( http, https )
- some traffic needs to go from inside to outside ( webmail server to outside )
I hope that I made this clear and somebody will be able to help. I already have a configuration file done but it still doesn't work despite various changes.
If anybody wants to have a look I can send the config file
many thanks in advance
Patrick Babic
02-04-2010 09:15 AM
Pls. provide the config and only specify what specific flow is breaking. One at a time pls.
Thanks,
KS
02-04-2010 09:32 AM
I want to achieve outside to dmz to inside
----------------------------------------------------------------
object-group service DM_INLINE_TCP_3 tcp
port-object eq echo
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_5 tcp
group-object backup-exec
group-object citrix-session-reliability-2598
group-object rdc-3389
group-object sql-1433
port-object eq citrix-ica
access-list outside_access_in extended permit tcp any host dmz object-group DM_INLINE_TCP_3
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0 object-group DM_INLINE_TCP_5
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255
static (dmz,inside) tcp interface citrix-ica ctxdmz citrix-ica netmask 255.255.255.255
static (dmz,inside) tcp interface 2598 ctxdmz 2598 netmask 255.255.255.255
static (dmz,inside) tcp interface www ctxdmz www netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
I hope that I have given you the correct details as I am relatively new to Cisco
thank you
Patrick
02-04-2010 09:38 AM
Let us focus on one thing at a time.
inside to outside:
You have nat and route but no permission. Need to fix that.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0 object-group DM_INLINE_TCP_5
You are not allowing the inside to go to the internet.
You need the following as well.
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
and also for dns name resolution if you have to go out to the internet to get name resolution.
Once done pls. confirm that inside hosts are able to go out to the internet and then we shall look at inside to dmz traffic.
-KS
02-05-2010 07:54 AM
hi,
thanks for the feedback, however I am not able to test the functionality as we have only one line and the line is in use. I have only a very limited window to do that, maybe in two weeks.
I am trying to pre-configure the firewall so I can swap it with our current watchguard firewall.
Despite this I can see the point you are trying to make. Last time I was testing the config I also noticed that I have an issue on the access list with getting traffic from outside to inside.
I am not sure whether I am doing it correctly as when I change the acl from any to any for all relevant services it works. However I want to narrow it down to any to inside only, so I am not sure whether that is possible. This wouldn't be a huge problem if this is not advisable, but I am just trying to be pedantic.
The bigger problem is the inside to dmz without using outside as this would generate lots of traffic. We are deploying lots of citrix clients and xendesktop clients and all of them are querying dmz for various services.
my current running config with your changes:
ftp mode passive
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service DM_INLINE_TCP_1 tcp
port-object eq domain
port-object eq echo
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
group-object streaming-1935
group-object video-streaming-tcp-udp
port-object eq h323
object-group service DM_INLINE_TCP_2 tcp
group-object backup-exec
group-object citrix-session-reliability-2598
group-object rdc-3389
port-object eq citrix-ica
object-group service DM_INLINE_TCP_3 tcp
port-object eq echo
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
group-object barracuda-8000
port-object eq smtp
port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
group-object backup-exec
group-object citrix-session-reliability-2598
group-object rdc-3389
group-object sql-1433
port-object eq citrix-ica
access-list outside_access_in extended permit tcp any host connect-outside-181 object-group rdc-3389
access-list outside_access_in extended permit tcp object-group sirsi-support host sirsi-outside-184 object-group rdc-3389
access-list outside_access_in extended permit tcp any host outside object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host dmz object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host outside object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit tcp any host outside object-group blackberry-3101
access-list dmz_access_in extended permit tcp 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit tcp host unicornsvr any eq www
access-list inside_access_in extended permit tcp host exchsvr any eq https
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0 object-group DM_INLINE_TCP_5
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255
static (inside,outside) tcp interface 1935 streaming-unit 1935 netmask 255.255.255.255
static (dmz,inside) tcp interface citrix-ica ctxdmz citrix-ica netmask 255.255.255.255
static (dmz,inside) tcp interface 2598 ctxdmz 2598 netmask 255.255.255.255
static (dmz,inside) tcp interface www ctxdmz www netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
Hopefully I made myself clear, if not I apologize in advance
Patrick
02-05-2010 08:50 AM
I already wrote what you need for inside to outside access.
Here is what you need for inside to dmz access.
conf t
no static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
The above should do it.
For dmz to inside:
I don't understand the reasoning behind this.
static (dmz,inside) tcp interface citrix-ica ctxdmz citrix-ica netmask 255.255.255.255
static (dmz,inside) tcp interface 2598 ctxdmz 2598 netmask 255.255.255.255
static (dmz,inside) tcp interface www ctxdmz www netmask 255.255.255.255
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
but you need these:
access-list dmz_access_in extended deny ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended per ip any any ---If you like for the dmz to go out to the internet.
For outside to inside:
You have everything in place from what I can tell.
For outside to dmz:
I do not see that you are permitting traffic from the internet to the dmz server remote-outside-179 pls. make sure to allow that.
If you have a smartnet I would open a TAC case. Pls. understand that you are combining multiple TAC cases with this one question that you have posted in our forum. With object-groups and names that you are using it is hard to look through the entire config and validate all what you need for communication through this box.
Also, if you are replacing an existing firewall that uses the same IP address as this make sure to clear arp on the upstream routers so, the new MAC address can be learned.
-KS
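A way to check the two points KS raised (the missing permit in inside_access_in for inside hosts going to the internet, and the static (inside,dmz) that covers 10.1.0.0/16 rather than the inside 192.168.1.0/24 subnet) offline, as an added example and not code from the thread: a small Python evaluator for the ASA access-list, object-group and static identity-NAT syntax used above. The config excerpt is constructed from the thread with hostnames replaced by IPs, and only the subset of ASA syntax shown here is parsed.

```python
import ipaddress
NAMED = {"www": 80, "https": 443, "smtp": 25, "citrix-ica": 1494}  # ASA port keywords used here

def port_num(tok):
    return int(tok) if tok.isdigit() else NAMED[tok]

def addr(t, i):  # "any" | "host A" | "A MASK" -> (network, index of next token)
    if t[i] == "any":  return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host": return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_ace(t, groups):  # t = tokens after "extended": action proto src dst [eq P | object-group G]
    src, i = addr(t, 2)
    dst, i = addr(t, i)
    ports = None if i >= len(t) else {port_num(t[i + 1])} if t[i] == "eq" else groups[t[i + 1]]
    return t[0], src, dst, ports  # ports None means any port (e.g. "permit ip")

def parse(config):
    groups, acls, statics, cur = {}, {}, [], None
    for line in config.splitlines():
        t = line.split()
        if not t: continue
        if t[0] == "object-group": cur = groups.setdefault(t[2], set())
        elif t[0] == "port-object": cur.add(port_num(t[2]))
        elif t[0] == "group-object": cur |= groups[t[1]]  # nested group defined earlier
        elif t[0] == "access-list": acls.setdefault(t[1], []).append(parse_ace(t[3:], groups))
        elif t[0] == "static" and "tcp" not in t:  # static (a,b) REAL MAPPED netmask M
            statics.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[5]}")))
    return acls, statics

def acl_allows(acl, src_ip, dst_ip, port):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst, ports in acl:  # first matching ACE wins, as on the ASA
        if s in src and d in dst and (ports is None or port in ports):
            return action == "permit"
    return False  # implicit deny at the end of every ASA access-list

def identity_nat_covers(statics, pair, src_ip):
    return any(p == pair and ipaddress.ip_address(src_ip) in net for p, net in statics)

# Constructed excerpt of Patrick's config plus KS's "any eq 443" line; names replaced by IPs.
CONFIG = """
object-group service rdc-3389 tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_5 tcp
 group-object rdc-3389
 port-object eq citrix-ica
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0 object-group DM_INLINE_TCP_5
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
"""
```

Running acl_allows for an inside host to an internet address on port 80 returns False until KS's "any eq www" line is added, and identity_nat_covers for "(inside,dmz)" only returns True once the corrected 192.168.1.0 static replaces the 10.1.0.0 one.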
02-05-2010 09:06 AM
Hi,
thanks for the advice and correction, I will be testing the firewall within the next couple of weeks
Patrick