asa5505 configuration with dzm

patrifick · ‎02-04-2010

Hi,

would anybody be able to help me to configure asa 5505 to achieve these requirements please?

- 3x interface outside, inside, dmz

- some traffic needs to go from outside to dmz web server and then be forwarded to inside ip address or group ip addresses ( citrix secure gateway to citrix )

- some traffic needs to go from inside to dmz ( citrix to secure gateway, backup software, rdp ) possibly to do No NAT or exclusion so it doesn't uses outside

- some traffic needs to go from outside to inside restricted by source ip address ( user from x.x.x.x can go to y.y.y.y )

- some traffic needs to go from outside to inside on specific port to specific device ( smtp to spam firewall )

- some traffic needs to go from can go to all inside ( http, https )

- some traffice needs to go from inside to outside ( webmail server to outside )

I hope that I made this clear and somebody will be able to help. I already have configuration file done but it still doesn't work despite various change.

If anybody wants to have a look I can send the config file

many thanks in advance

Patrick Babic

Kureli Sankar · ‎02-04-2010

Pls. provide the config and only specify what specific flow is breaking. One at a time pls.

Thanks,

KS

patrifick · ‎02-04-2010

I want to achieve outside to dmz to inside

----------------------------------------------------------------

object-group service DM_INLINE_TCP_3 tcp
port-object eq echo
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https

object-group service DM_INLINE_TCP_5 tcp
group-object backup-exec
group-object citrix-session-reliability-2598
group-object rdc-3389
group-object sql-1433
port-object eq citrix-ica

access-list outside_access_in extended permit tcp any host dmz object-group DM_INLINE_TCP_3

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0 object-group DM_INLINE_TCP_5

global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255

static (dmz,inside) tcp interface citrix-ica ctxdmz citrix-ica netmask 255.255.255.255
static (dmz,inside) tcp interface 2598 ctxdmz 2598 netmask 255.255.255.255
static (dmz,inside) tcp interface www ctxdmz www netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1

I hope that I have given you correct details as I am relatively new to the cisco

thank you

Patrick

Kureli Sankar · ‎02-04-2010

Let us focus on one thing at a time.

inside to outside:

You have nat and route but no permission. Need to fix that.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 62.253.196.177 1

access-group inside_access_in in interface inside

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0 object-group DM_INLINE_TCP_5

You are not allowing the inside to go to the internet.

You need the following as well.

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 80

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 443

and also for dns name resolution if you have to go out to the internet to get name resolution.

Once done pls. confirm that inside hosts are able to go out to the internet and then we shall look at inside to dmz traffic.

-KS

patrifick · ‎02-05-2010

hi,

thanks for the feedback, however I am not able to to test the functionality

as we have only one line and the line is in use. I have only very limited

window to do that maybe in two weeks.

I am trying to pre-configure the firewall so I can swap it with our current

watchguard firewall.

Despite this I can see the point you are trying to make. Last time I was

testing the config I have also notices that I also have an issue on access

list with getting traffic from outside to inside.

I am not sure whether I am doing it correctly as when I change acl from any

to any for all relevant services it works. However I want to narrow it down

to any to inside only so I am not sure whether is that possible. This

wouldn't be a huge problem if this is not advisable, but I am just trying to

be pedantic.

Bigger problem is the inside to dmz without using outside as this would

generate lots of traffic. We are deploying lots of citrix clients and

xendesktop clients all of them are querying dmz for various services.

my current running config with your changes:

ftp mode passive

dns server-group DefaultDNS

domain-name chathamhouse.org.uk

object-group network sirsi-support

network-object host sirsi-1

network-object host sirsi-2

object-group service backup-exec tcp

port-object eq 10000

port-object eq 3106

port-object eq 3527

port-object eq 6101

port-object eq 6103

port-object eq 6106

object-group service barracuda-8000 tcp

port-object eq 8000

object-group service blackberry-3101 tcp

port-object eq 3101

object-group service citrix-session-reliability-2598 tcp

port-object eq 2598

object-group service rdc-3389 tcp

port-object eq 3389

object-group service sql-1433 tcp

port-object eq 1433

object-group service streaming-1935 tcp

port-object eq 1935

object-group service video-streaming-tcp-udp tcp

port-object eq 3230

port-object eq 3231

port-object eq 3232

port-object eq 3233

port-object eq 3234

port-object eq 3235

object-group service DM_INLINE_TCP_1 tcp

port-object eq domain

port-object eq echo

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

group-object streaming-1935

group-object video-streaming-tcp-udp

port-object eq h323

object-group service DM_INLINE_TCP_2 tcp

group-object backup-exec

group-object citrix-session-reliability-2598

group-object rdc-3389

port-object eq citrix-ica

object-group service DM_INLINE_TCP_3 tcp

port-object eq echo

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_4 tcp

group-object barracuda-8000

port-object eq smtp

port-object eq ssh

object-group service DM_INLINE_TCP_5 tcp

group-object backup-exec

group-object citrix-session-reliability-2598

group-object rdc-3389

group-object sql-1433

port-object eq citrix-ica

access-list outside_access_in extended permit tcp any host

connect-outside-181 object-group rdc-3389

access-list outside_access_in extended permit tcp object-group sirsi-support

host sirsi-outside-184 object-group rdc-3389

access-list outside_access_in extended permit tcp any host outside

object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any host dmz object-group

DM_INLINE_TCP_3

access-list outside_access_in extended permit tcp any host outside

object-group DM_INLINE_TCP_4

access-list outside_access_in extended permit tcp any host outside

object-group blackberry-3101

access-list dmz_access_in extended permit tcp 10.1.0.0 255.255.0.0

192.168.1.0 255.255.255.0 object-group DM_INLINE_TCP_2

access-list inside_access_in extended permit tcp host unicornsvr any eq www

access-list inside_access_in extended permit tcp host exchsvr any eq https

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0

10.1.0.0 255.255.0.0 object-group DM_INLINE_TCP_5

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0

any eq www

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0

any eq https

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu dmz 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any dmz

no asdm history enable

arp timeout 14400

global (dmz) 1 interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask

255.255.255.255

static (inside,outside) tcp interface smtp barracuda smtp netmask

255.255.255.255

static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask

255.255.255.255

static (inside,outside) tcp interface ssh barracuda ssh netmask

255.255.255.255

static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask

255.255.255.255

static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask

255.255.255.255

static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask

255.255.255.255

static (inside,outside) tcp interface 1935 streaming-unit 1935 netmask

255.255.255.255

static (dmz,inside) tcp interface citrix-ica ctxdmz citrix-ica netmask

255.255.255.255

static (dmz,inside) tcp interface 2598 ctxdmz 2598 netmask 255.255.255.255

static (dmz,inside) tcp interface www ctxdmz www netmask 255.255.255.255

static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 62.253.196.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat

0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect

0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

Hopefully I made my self clear, if not I apologize in advance

Patrick

Kureli Sankar · ‎02-05-2010

I already wrote what you need for inside to outside access.

Here is what you need for inside to dmz access.

conf t

no static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

The above should do it.

For dmz to inside:

I don't understand the reasing behind this.

static (dmz,inside) tcp interface citrix-ica ctxdmz citrix-ica netmask 255.255.255.255

static (dmz,inside) tcp interface 2598 ctxdmz 2598 netmask 255.255.255.255

static (dmz,inside) tcp interface www ctxdmz www netmask 255.255.255.255

static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255

but you need these:

access-list dmz_access_in extended deny ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list dmz_access_in extended per ip any any ---If you like for the dmz to go out to the internet.

For outside to inside:

You have everything in place from what I can tell.

For outside to dmz:

I do not see that you are permitting traffic from the internet to the dmz server remote-outside-179 pls. make sure to allow that.

If you have a smartnet I would open a TAC case. Pls. understand that you are combining multiple TAC cases with this one question that you have posted in our forum. With object-groups and names that you are using it is hard to look through the entire config and validate all what you need for communication through this box.

Also, if you are replacing an existing firewall that uses the same IP address as this make sure to clear arp on the upstream routers so, the new MAC address can be learned.

-KS

patrifick · ‎02-05-2010

Hi,

thanks for the advise and correction I will be testing the firewall within

next couple weeks

Patrick