Need help with giving devices behind DMZ access to Lan Resources

Answered Question
Jul 6th, 2010

Heres a little background of my setup, I have 1 Isp which assigns me an Ip via dhcp , i have Patted my inside to outside to receive net access, I have also done the same with my Dmz interface which all devices on the Dmz can access the internet. Inside (vlan1) Outside (vlan2) Dmz (vlan3)

I have sucessfully setup rules to access from outside of my network a couple of security cameras to watch my dogs while i am work, my email server etc , plus i have vpn access. works very well. My only issue is i want dmz devices to be able to access and Use my Dns server that sits on the inside , but i have tried so many access list, rules etc and i continuously receive an error that states denied due to dns query. I also want DMZ devices to beable to access network printers (port 9100) that reside on the inside also but i have been unsucessful with this Of course the only way my dmz devices can access internal recourses is if i set the security level to 100 which i do not want to do . Vlan 3 labled dmz is my wireless segment . (as for now i have a second nic on my dns server that is on the 10.10.3.x network going to vlan 3 ) but that is just temp . I want Dmz computers to be able to access internal Dns and AD..etc..I also was wishing that the ASA could allow me to doa  sort of ip helper so my vlan 3 can pull ip addresses from my dhcp server on the dmz network, but for now i have dhcp running on a server for just the inside, and the dmz is pulling dhcp address for clients from the asa dhcp server..I just want the dmz devices to be able to access certain inside resources.

Thanks in advance for any assistance

Here is my config

!
ASA Version 8.3(1)
!
hostname xxxxxxxxx
domain-name xxxxxxxxxxxx.local
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
name 10.10.10.9 foxclone
name 10.10.10.198 netprinter-01
name 10.10.10.14 file-serv
name 10.10.3.190 petcam
name 10.10.10.25 mail-serv
name 10.10.3.191 petcam2
name 10.10.10.254 namesrv0-1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
banner exec Welcome To xxxxxxx
banner login Welcome To xxxxxxx
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server namesrv0-1
domain-name xxxxxxxxx.local
dns server-group vlan3_dns_server
name-server 10.10.3.254(temp)
domain-name dmz.liquidskynet.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
description inside network segment 
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.192
object network mail-serv-smtp
host 10.10.10.25
object network mail-serv-https
host 10.10.10.25
object network foxclone
host 10.10.10.9
object network Inside_Outside_Dynamic_Pat
subnet 10.10.10.0 255.255.255.0
object network Dmz_Outside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network petcam2-http
host 10.10.3.191
object network petcam-http
host 10.10.3.190
object network petcam2-winstream
host 10.10.3.191
object network namesrv0-1
host 10.10.10.254
object network file-serv
host 10.10.10.14
object network obj-10.10.3.0
subnet 10.10.3.0 255.255.255.0
description dmz network segment 
object network Dmz_Inside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network namesrv0-1(vlan3)
host 10.10.3.254
object network mail-serv
host 10.10.10.25
object network foxclone-rdp-dmz
host 10.10.10.9
object-group network obj_any
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.3.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.3.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list outside_access_in extended permit tcp any object petcam-http eq 8081
access-list outside_access_in extended permit tcp any object mail-serv-https eq https
access-list outside_access_in extended permit tcp any object mail-serv-smtp eq smtp
access-list outside_access_in extended permit tcp any object foxclone eq 7000 inactive
access-list outside_access_in extended permit tcp any object petcam2-http eq 8082
access-list outside_access_in extended permit tcp any object petcam2-winstream eq 81 inactive
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level alerts
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Vpn-1_Pool 192.168.10.10-192.168.10.34 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-631.bin
asdm location petcam 255.255.255.255 inside
asdm location file-serv 255.255.255.255 inside
asdm location petcam2 255.255.255.255 inside
asdm location 10.10.3.25 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-192.168.10.0 obj-192.168.10.0
nat (dmz,outside) source static obj-10.10.3.0 obj-10.10.3.0 destination static obj-192.168.10.0 obj-192.168.10.0
!
object network mail-serv-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network mail-serv-https
nat (inside,outside) static interface service tcp https https
object network foxclone
nat (inside,outside) static interface service tcp 7000 7000
object network Inside_Outside_Dynamic_Pat
nat (inside,outside) dynamic interface
object network Dmz_Outside_Dynamic_Pat
nat (dmz,outside) dynamic interface dns
object network petcam2-http
nat (dmz,outside) static interface service tcp 8082 8082
object network petcam-http
nat (dmz,outside) static interface service tcp 8081 8081
object network petcam2-winstream
nat (dmz,outside) static interface service tcp 81 81
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http server idle-timeout 60
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd dns namesrv0-1 68.87.73.246 interface inside
dhcpd domain liquidskynet.local interface inside
!
dhcpd address 10.10.3.10-10.10.3.30 dmz
dhcpd dns 10.10.3.254 68.87.73.246 interface dmz
dhcpd domain dmz.liquidskynet.local interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside foxclone C:\TFTP-Root
webvpn
group-policy Tunnel-1 internal
group-policy Tunnel-1 attributes
dns-server value 10.10.10.254 10.10.3.254
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnel-1_splitTunnelAcl
default-domain value liquidskynet.local
group-policy DfltGrpPolicy attributes
dns-server value 10.10.10.254
ip-comp enable
re-xauth enable
pfs enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value Vpn-1_Pool
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
username dhaman password xxxxxxxxxxxxxxxxxxxxx encrypted privilege 15
username dhaman attributes
vpn-group-policy Tunnel-1
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
group-lock none
tunnel-group DefaultRAGroup general-attributes
default-group-policy Tunnel-1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxxxxx
tunnel-group Tunnel-1 type remote-access
tunnel-group Tunnel-1 general-attributes
address-pool Vpn-1_Pool
default-group-policy Tunnel-1
tunnel-group Tunnel-1 ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect dns preset_dns_map
!
service-policy global_policy global
smtp-server 10.10.10.25
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

I have this problem too.
0 votes
Correct Answer by Nagaraja Thanthry about 6 years 6 months ago

When you configured the NAT rule, you basically met one of the criterion required to enable communication between the inside and the DMZ. The requirement is that when you want to communicate between the higher security interface (inside) to lower security interface (DMZ), you need to have a NAT rule specified for the higher security hosts. In your case, since you want to open connection from the DMZ side, you need to have a static rule configured that will allow DMZ host to establish a connection that will be translated correctly to the inside address. If you want to make it more granular, please try the following:

access-list dmz_access_in line 1 permit udp any host 10.10.10.254 eq 53

no access-list dmz_access_in permit ip any host 10.10.10.254

This will ensure that only UDP port 53 traffic is allowed from DMZ to inside and all other traffic initiated by the DMZ towards inside will be blocked.

Hope this answers your questions.

Regards,

NT

Note: Do not forget to rate useful posts.

Correct Answer by Nagaraja Thanthry about 6 years 6 months ago

Nice to know that things are working now. Glad that we could help.

Regards,

NT

Note: Do not forget to rate the useful posts.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (8 ratings)
Loading.
Nagaraja Thanthry Tue, 07/06/2010 - 16:11

Seems like you are missing access-list on the DMZ interface. Since DMZ interface is on lower security than the inside, you need exclusive rules to allow DMZ to inside communication.Please try adding an access-list rule allowing traffic from DMZ network to inside and see if that helps. Also, I do not see any NAT rules from inside to DMZ. You might need to add identity NAT to allow DMZ devices to access the inside servers. Hope this helps.

Regards,

NT

david.haman Tue, 07/06/2010 - 17:46

Could you give an example, at first i did have a an access list for this but it did not seem to help.

I upgraded from an older version of asa to this 8.3 version and in the asdm it is a lot more granular than before.

i have tried such access list as

access-list dmz_access_in extended permit tcp any object namesrv0-1 eq domain

but still doesnt work

Nagaraja Thanthry Tue, 07/06/2010 - 19:34

You could use something like:

access-list dmz_access_in permit ip any host

The access list you have seems incorrect as most commonly DNS uses UDP but your access-list is for TCP. Hope this helps.

Regards,

NT

david.haman Tue, 07/06/2010 - 21:00

Thank you for your assistance

i ran the following command

access-list dmz_access_in permit ip any host 10.10.10.254

I still have been receiving the following error when ever i try to have a dmz host use the Dns server in the inside ..im at a loss here

This is the error i receive

Deny inbound UDP from 10.10.3.11/62073 to 10.10.10.254/53 due to DNS Query

Nagaraja Thanthry Tue, 07/06/2010 - 21:32

Have you already added the NAT rule from inside to DMZ? Can you try using the packet-tracer and see at what point the firewall is blocking the access?

packet-tracer input dmz udp 1024 53 detailed

This should tell us the exact place where the packets are getting blocked. Hope this helps.

Regards,

NT

david.haman Wed, 07/07/2010 - 04:44

I have a ststic nat rule from source inside (inside network 10.10.10.0/24) to destination dmz

(dmz network 10.10.3.0/24) im not undestanding why i would need this though since my indside can already see

everything behind the dmz , its that the dmz cant see speccific services like dns behind the inside. o

r maybe i have it backwards?

i have added  the staic nat as you suggested inside to dmz, and created an access rule to allow inbound to my dns server but udp/53 is still being dropped

Nagaraja Thanthry Wed, 07/07/2010 - 05:57

Can you post the output of the packet tracer here?

packet-tracer input dmz udp 1024 53 detailed

Regards,

NT

david.haman Wed, 07/07/2010 - 06:43

Here are the results of

packet-tracer input dmz udp 10.10.3.191 1024 10.10.10.254 53 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac10428, priority=1, domain=permit, deny=false
        hits=8287, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=dmz, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0      255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST

Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac10c48, priority=0, domain=permit, deny=true
        hits=236, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Nagaraja Thanthry Wed, 07/07/2010 - 08:33

Seems like the access-list is not applied to the interface. The traffic is getting dropped due to implicit rule. Can you please apply the ACL to the interface?

access-group in interface DMZ

Hope this helps to fix the issue.

Regards,

NT

david.haman Wed, 07/07/2010 - 08:44

After running these commands


access-list dmz_access_in permit ip any host 10.10.10.254
access-group dmz_access_in in interface DMZ

i receive the following error

petcam2    1132    72.14.204.103    80    Deny tcp src dmz:petcam2/1132 dst outside:72.14.204.103/80 by access-group "dmz_access_in" [0x0, 0x0]

david.haman Wed, 07/07/2010 - 08:52

Hello

I have attached a screenshot of my asdm setups , acl, access rules and Nat, maybe this could help clear up my issue

Thank you very much

Attachment: 
Nagaraja Thanthry Wed, 07/07/2010 - 10:40

Can you add the following lines to the access-list? Also, when you had that access-list, I am assuming you were able to get to the DNS server.

access-list dmz_access_in permit ip any host 10.10.10.254

access-list dmz_access_in deny ip any 10.10.10.0 255.255.255.0

access-list dmz_access_in permit ip any any

Hope this helps.

Regards,

NT

david.haman Wed, 07/07/2010 - 10:46

Hello,

I added the access list that you suggested but i still receive this error

DNSDeny inbound UDP from petcam2/64204 to 10.10.10.254/53 due to DNS Query

Nagaraja Thanthry Wed, 07/07/2010 - 12:22

Hello David,

At this point, I think the issue could be due to a bug in Cisco code. But before we go there, can you post the latest "show run" output (with the DMZ access-lists) and also the packet-tracer output

packet-tracer input dmz udp 10.10.3.191 1024 10.10.10.254 53 detailed

Regards,

NT

david.haman Wed, 07/07/2010 - 13:02

: Saved
: Written by dhaman at 15:57:32.736 EDT Wed Jul 7 2010
!
ASA Version 8.3(1)
!
hostname brickzone
domain-name liquidskynet.local
enable password XXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
names
name 10.10.10.9 foxclone
name 10.10.10.198 netprinter-01
name 10.10.10.14 file-serv
name 10.10.3.190 petcam
name 10.10.10.25 mail-serv
name 10.10.3.191 petcam2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name liquidskynet.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.192
object network mail-serv-smtp
host 10.10.10.25
object network mail-serv-https
host 10.10.10.25
object network foxclone
host 10.10.10.9
object network Inside_Outside_Dynamic_Pat
subnet 10.10.10.0 255.255.255.0
object network Dmz_Outside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network petcam2-http
host 10.10.3.191
object network petcam-http
host 10.10.3.190
object network petcam2-winstream
host 10.10.3.191
object network backup-serv
host 10.10.3.11
object network obj-10.10.3.0
subnet 10.10.3.0 255.255.255.0
object network namesrv0-1
host 10.10.10.254
description AD,DNS,DHCP(Inside)
object network petcam-todns-to-inside
host 10.10.3.191
object network petcam2-inside-dns
host 10.10.3.191
object-group network obj_any
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list dmz_access_in extended permit ip any host 10.10.10.254
access-list dmz_access_in extended deny ip any 10.10.10.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.3.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.3.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list outside_access_in extended permit tcp any object petcam-http eq 8081
access-list outside_access_in extended permit tcp any object mail-serv-smtp eq https
access-list outside_access_in extended permit tcp any object mail-serv-smtp eq smtp
access-list outside_access_in extended permit tcp any object foxclone eq 7000 inactive
access-list outside_access_in extended permit tcp any object petcam2-http eq 8082
access-list outside_access_in extended permit tcp any object petcam2-winstream eq 81 inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Vpn-1_Pool 192.168.10.10-192.168.10.34 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-631.bin
asdm location petcam 255.255.255.255 inside
asdm location file-serv 255.255.255.255 inside
asdm location mail-serv 255.255.255.255 inside
asdm location petcam2 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-192.168.10.0 obj-192.168.10.0
nat (dmz,outside) source static obj-10.10.3.0 obj-10.10.3.0 destination static obj-192.168.10.0 obj-192.168.10.0
!
object network mail-serv-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network mail-serv-https
nat (inside,outside) static interface service tcp https https
object network foxclone
nat (inside,outside) static interface service tcp 7000 7000
object network Inside_Outside_Dynamic_Pat
nat (inside,outside) dynamic interface
object network Dmz_Outside_Dynamic_Pat
nat (dmz,outside) dynamic interface
object network petcam2-http
nat (dmz,outside) static interface service tcp 8082 8082
object network petcam-http
nat (dmz,outside) static interface service tcp 8081 8081
object network petcam2-winstream
nat (dmz,outside) static interface service tcp 81 81
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http server idle-timeout 60
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd dns 10.10.10.254 interface inside
dhcpd domain liquidskynet.local interface inside
!
dhcpd address 10.10.3.10-10.10.3.30 dmz
dhcpd dns 68.87.71.230 68.87.73.246 interface dmz
dhcpd domain dmz.liquidskynet.local interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Tunnel-1 internal
group-policy Tunnel-1 attributes
dns-server value 10.10.10.254
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnel-1_splitTunnelAcl
default-domain value liquidskynet.local
group-policy DfltGrpPolicy attributes
dns-server value 10.10.10.254
ip-comp enable
re-xauth enable
pfs enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value Vpn-1_Pool
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
username dhaman password XXXXXXXXXXXXXXXXXXXXXXXX encrypted privilege 15
username dhaman attributes
vpn-group-policy Tunnel-1
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
group-lock none
tunnel-group DefaultRAGroup general-attributes
default-group-policy Tunnel-1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key XXXXXXXXXXXXX
tunnel-group Tunnel-1 type remote-access
tunnel-group Tunnel-1 general-attributes
address-pool Vpn-1_Pool
default-group-policy Tunnel-1
tunnel-group Tunnel-1 ipsec-attributes
pre-shared-keyXXXXXXXXXXXXX
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum XXXXXXXXXXX
: end

Here is the Trace

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac10428, priority=1, domain=permit, deny=false
        hits=16767, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=dmz, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0      255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac10c48, priority=0, domain=permit, deny=true
        hits=464, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Nagaraja Thanthry Wed, 07/07/2010 - 13:19

Hello David,

I do not see the DMZ access-list applied to the interface.

access-group dmz_access_in in interface DMZ

Also, the identity NAT between inside and DMZ is missing:

object network namesrv0-1
host 10.10.10.254
description AD,DNS,DHCP(Inside)

nat (inside,dmz) static 10.10.10.254

Please enter these commands and then run the packet tracer again.

packet-tracer input dmz udp 10.10.3.191 1024 10.10.10.254 53 detailed

Hopefully that should tell us where it is getting blocked. Current output indicates that there is not access-list on the DMZ interface.

Regards,

NT

david.haman Wed, 07/07/2010 - 13:43

after i added

access-list dmz_access_in permit ip any host 10.10.10.254

access-list dmz_access_in deny ip any 10.10.10.0 255.255.255.0

access-list dmz_access_in permit ip any any

I was forgetting

nat (inside,dmz) source static namesrv0-1 namesrv0-1 destination static namesrv0-1 namesrv0-1

access-group dmz_access_in in interface DMZ

My dmz devices can now use my dns server that sits on the inside interface

Thank you so very  much for your assistance with helping me I really appreciate it, now i have a much better understanding of this

Correct Answer
Nagaraja Thanthry Wed, 07/07/2010 - 14:01

Nice to know that things are working now. Glad that we could help.

Regards,

NT

Note: Do not forget to rate the useful posts.

david.haman Wed, 07/07/2010 - 15:07

One last question  could you explain how these  are allowing dmz devices the ability to use the dns server on the inside, is there anyway that i could get more granular with a rule that allows the dmz network (10.10.3.0/24) to use udp 53 located on 10.10.10.254 (dns server)

access-list dmz_access_in permit ip any host 10.10.10.254

access-list  dmz_access_in deny ip any 10.10.10.0 255.255.255.0

access-list  dmz_access_in permit ip any any     (this seems like it would not be safe ) but if i disable then the dmz devices can not use 10.10.10.254 to resolve

nat (inside,dmz) source static  namesrv0-1 namesrv0-1 destination static namesrv0-1 namesrv0-1

access-group  dmz_access_in in interface DMZ

Thanks again

Correct Answer
Nagaraja Thanthry Wed, 07/07/2010 - 15:19

When you configured the NAT rule, you basically met one of the criterion required to enable communication between the inside and the DMZ. The requirement is that when you want to communicate between the higher security interface (inside) to lower security interface (DMZ), you need to have a NAT rule specified for the higher security hosts. In your case, since you want to open connection from the DMZ side, you need to have a static rule configured that will allow DMZ host to establish a connection that will be translated correctly to the inside address. If you want to make it more granular, please try the following:

access-list dmz_access_in line 1 permit udp any host 10.10.10.254 eq 53

no access-list dmz_access_in permit ip any host 10.10.10.254

This will ensure that only UDP port 53 traffic is allowed from DMZ to inside and all other traffic initiated by the DMZ towards inside will be blocked.

Hope this answers your questions.

Regards,

NT

Note: Do not forget to rate useful posts.

david.haman Wed, 07/07/2010 - 15:53

now im just figuring out how to have dmz computers access some fileshares (windows port

445 and 139) i believe that sit behind the inside network.

Thank you again for your help

Nagaraja Thanthry Wed, 07/07/2010 - 16:31

Hello David,

You need to follow all the configuration steps similar to one you did for the DNS server.

object network
host

nat (inside,dmz) static

access-list dmz_access_in line 2 permit tcp any host eq

Repeate the above set for every server and the port.

Hope this helps.

Regards,

NT

david.haman Wed, 07/07/2010 - 17:35

Hi Nagaraja,

I wanted to thank you once again, you have helped so much

Thanks

David

Nagaraja Thanthry Thu, 07/08/2010 - 20:22

Hello,

You can control the access using the access-list on the DMZ interface. The last set of access-list I posted will help you in tying down the access to any specific application.

access-list dmz_access_in permit udp any host eq 53  -- This line will ensure that anybody can access the DNS server

access-list dmz_access_in deny ip any -- This line will ensure that all other traffic is blocked to inside subnet

access-list dmz_access_in permit ip any any -- This line will ensure that the DMZ server can go to internet

If you want to allow access to any other server on the inside apart from the DNS server (or any other port on the same device), then you need to insert the access-list entry befor the deny statement.

access-list dmz_access_in permit udp any host eq 53

access-list dmz_access_in permit any host eq   -- Duplicate this line for every server (port) on the inside

access-list dmz_access_in deny ip any

access-list dmz_access_in permit ip any any

If you are trying to access the new servers, please make sure that appropriate NAT rules are entered (like the DNS server).

Hope this helps.

Regards,

NT

Actions

This Discussion