ASA5510 DMZ issue


Hi,



Having serious trouble getting my DMZ zone to work as planned.

The setup is typical: a WAN interface and an internal interface with a few VLANs on it. Besides that I have now configured a new VLAN on a vacant interface, eth0/3, which I am planning to use as the DMZ.

internal VLANs - security level 100

DMZ VLAN - security level 50

WAN interface - security level 0


I ticked "Allow traffic between interfaces with the same security level", which made it easy to configure access between everything located internally, and also from internal to the DMZ.


However, I have 1 public IP and I wish to port-NAT to servers in the DMZ. Just to test, I tried to make a public server following Cisco's guide http://www.cisco.com/en/US/docs/security/asa/asa83/getting_started/5500/guide/dmz.html#wp1065777


When I am trying to NAT to the external IP I get the following error:

[ERROR] nat (DMZ_SKA,WAN) static XXX.XXX.XXX.XXX service tcp 3389 3389
Address XXX.XXX.XXX.XX overlaps with outside interface address.
ERROR: NAT Policy is not downloaded


Then I tried using the CLI with a command like:


nat (DMZ_SKA,WAN) static interface service tcp 3389 3389


Still no joy; even when allowing everything on WAN and DMZ, nothing is working. If I try to NAT port 80 it gets blocked by the firewall at the WAN interface even though I explicitly allowed it.


Anyone with bright ideas?

Loren Kolnes (Cisco Employee) Wed, 08/25/2010 - 07:46

Hi Poul,


Can you post the output of the following commands:


sh run nat

sh run object network


With regard to the port 80 translation, make sure that the access-list refers to the real IP address, in this case the server address as it exists on the DMZ network.


This link gives some examples of NAT in 8.3.

https://supportforums.cisco.com/docs/DOC-9129



Thanks,


Loren

Loren Kolnes (Cisco Employee) Wed, 08/25/2010 - 10:21

Hi Poul,


While the previous engineer is correct and the NAT statement is correct, we still need to make sure the host defined in the network object is the real IP address of the server. Can you verify this, and also make sure that the access-list you have applied to the WAN interface is allowing traffic to the real IP address and real port of the server.


Thanks,


Loren

Hi all,


Thanks for the suggestion. I tried to delete everything and start over with the DMZ thing.


Here is sh run nat:

ciscoasa# sh run nat
nat (PROD_SKA,WAN) source dynamic any interface
nat (DEV_SKA,WAN) source dynamic any interface
!
object network DMZ_RDP_SRV
nat (DMZ_SKA,WAN) static interface service tcp www www
ciscoasa#


Here is sh run object network:

ciscoasa# sh run object network
object network LAN_WAN_NAT
subnet 10.10.101.0 255.255.255.0
description LAN NAT
object network A_
object network WAN
host 217.116.XXX.XXX
object network DMZ_RDP_SRV
host 192.168.100.100
ciscoasa#


Here is sh run access-list:

ciscoasa# sh run access-list
access-list DEV_SKA_access_in extended permit ip 10.10.102.0 255.255.255.0 10.10.103.0 255.255.255.0
access-list DEV_SKA_access_in extended permit object-group DM_INLINE_SERVICE_1 10.10.103.0 255.255.255.0 any
access-list PROD_SKA_access_in extended permit object-group DEV_SKA_ACCESS_GROUP 10.10.102.0 255.255.255.0 any
access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq www
access-list allow_ping_to_wan remark ping from lan to wan
access-list allow_ping_to_wan standard permit 10.10.101.0 255.255.255.0
ciscoasa#


Here is sh run access-group:

ciscoasa# sh run access-group
access-group OUTSIDE_IN_DMZ in interface WAN
access-group PROD_SKA_access_in in interface PROD_SKA
access-group DEV_SKA_access_in in interface DEV_SKA
ciscoasa#


Still no joy...

I checked the ACLs, which to me seem to be good (that might not really be the case)... WAN is still blocking port 80.

Do you guys need more config info? I am stuck.

Kureli Sankar (Cisco Employee) Thu, 08/26/2010 - 04:50

This ACL


access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq www


should actually be


access-list OUTSIDE_IN_DMZ extended permit tcp any host 192.168.100.100 eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 192.168.100.100 eq www


Refer to this link: https://supportforums.cisco.com/docs/DOC-12690#ACL_Changes


-KS
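The two mistakes in this thread (the static NAT that collides with the outside interface address, and the inbound ACL written against the public address rather than the server's real address) are easy to catch mechanically. The script below is an added example, not code from the thread or from Cisco: it parses "show run object network", "show run nat", "show run access-list" and "show run access-group" output in the format posted above and reports both problems, suggesting the corrected ACE. The sample configuration is constructed; 192.0.2.10 (a documentation address) stands in for the redacted 217.116.XXX.XXX, and the WAN interface address is assumed to be that same 192.0.2.10.

```python
"""Audit ASA 8.3+ object NAT against the ACL applied inbound on the outside interface.

Added example (not from the thread). Reports:
  1. a static object NAT whose mapped address is the outside interface address
     itself (ASA rejects it: "overlaps with outside interface address"; the fix
     is the 'interface' keyword), and
  2. ACEs on the inbound WAN ACL that match a mapped (public) address; from 8.3
     the ACL is evaluated after untranslation, so it must match the real address.
"""
import re
from dataclasses import dataclass
from typing import Optional

WAN_IF = "WAN"
WAN_IP = "192.0.2.10"  # assumed address of the WAN interface (constructed)

# Constructed sample, mirroring the outputs posted in the thread.
SHOW_RUN_OBJECT = """\
object network WAN
 host 192.0.2.10
object network DMZ_RDP_SRV
 host 192.168.100.100
"""
SHOW_RUN_NAT = """\
nat (PROD_SKA,WAN) source dynamic any interface
!
object network DMZ_RDP_SRV
 nat (DMZ_SKA,WAN) static WAN service tcp 3389 3389
"""
SHOW_RUN_ACL = """\
access-list OUTSIDE_IN_DMZ extended permit tcp any host 192.0.2.10 eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 192.0.2.10 eq www
"""
SHOW_RUN_ACG = "access-group OUTSIDE_IN_DMZ in interface WAN\n"


@dataclass
class NetObject:
    name: str
    host: Optional[str] = None
    nat: Optional[str] = None  # the 'nat (...)' line under the object, if any


def parse_objects(text, objs=None):
    """Collect 'object network' blocks; call once per show-run fragment so the
    host from 'show run object network' and the nat line from 'show run nat'
    end up on the same object. A '!' line ends the current block."""
    objs = {} if objs is None else objs
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            cur = objs.setdefault(m.group(1), NetObject(m.group(1)))
        elif line == "!":
            cur = None
        elif cur is not None and line.startswith("host "):
            cur.host = line.split()[1]
        elif cur is not None and line.startswith("nat ("):
            cur.nat = line
    return objs


def static_nat_findings(objs, wan_ip=WAN_IP):
    """Return ({mapped_ip: [real_host, ...]}, [finding, ...]) for static object NATs."""
    mapped, findings = {}, []
    for o in objs.values():
        m = re.match(r"nat \((\S+),(\S+)\) static (\S+)", o.nat or "")
        if not m:
            continue  # no NAT, or dynamic PAT: not relevant here
        real_if, mapped_if, target = m.groups()
        if target == "interface":
            mapped_ip = wan_ip
        elif target in objs and objs[target].host:
            mapped_ip = objs[target].host
        else:
            mapped_ip = target
        if target != "interface" and mapped_ip == wan_ip:
            findings.append(
                f"{o.name}: '{o.nat}' maps to the {mapped_if} interface address "
                f"{wan_ip}; use 'nat ({real_if},{mapped_if}) static interface ...'")
        mapped.setdefault(mapped_ip, []).append(o.host)
    return mapped, findings


ACE_RE = re.compile(
    r"access-list (\S+) extended (permit|deny) (\S+) "
    r"(any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\S+))?$")


def acl_findings(acl_text, acg_text, mapped, wan_if=WAN_IF):
    """Return [(bad_ace, suggested_ace)] for ACEs on the inbound WAN ACL whose
    destination is a mapped address instead of the server's real address."""
    m = re.search(rf"access-group (\S+) in interface {re.escape(wan_if)}\b", acg_text)
    if not m:
        return []
    acl_name, findings = m.group(1), []
    for raw in acl_text.splitlines():
        ace = ACE_RE.match(raw.strip())
        if not ace or ace.group(1) != acl_name or not ace.group(5).startswith("host "):
            continue
        dst_ip = ace.group(5).split()[1]
        if dst_ip in mapped:
            real = " or ".join(mapped[dst_ip])  # more than one if several servers share the IP
            findings.append((raw.strip(), raw.strip().replace(f"host {dst_ip}", f"host {real}")))
    return findings


def audit(obj_text, nat_text, acl_text, acg_text, wan_ip=WAN_IP, wan_if=WAN_IF):
    objs = parse_objects(nat_text, parse_objects(obj_text))
    mapped, nat_f = static_nat_findings(objs, wan_ip)
    return nat_f, acl_findings(acl_text, acg_text, mapped, wan_if)


if __name__ == "__main__":
    nat_f, acl_f = audit(SHOW_RUN_OBJECT, SHOW_RUN_NAT, SHOW_RUN_ACL, SHOW_RUN_ACG)
    for f in nat_f:
        print("NAT:", f)
    for bad, fixed in acl_f:
        print("ACL:", bad, "\n  ->", fixed)
```

Run against the sample it prints one NAT finding (use "static interface") and two ACL findings, each with the ACE rewritten to host 192.168.100.100; re-running it on the corrected NAT line and the rewritten ACEs produces no findings. The parser only understands the simple ACE forms seen in this thread (any, host, or network/mask with an optional "eq" port); object-group ACEs are skipped rather than misread.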

Loren Kolnes (Cisco Employee) Thu, 08/26/2010 - 11:07

Hi Poul,


The following nat statements need to be changed:


nat (PROD_SKA,WAN) source dynamic any interface
nat (DEV_SKA,WAN) source dynamic any interface


You will need to configure them using network objects, i.e. auto NAT.

Assuming the source for the dynamic PAT is 192.168.100.0/24 for the PROD_SKA network and 172.16.1.0/24 for the DEV_SKA network, the following NAT configuration would be necessary.


object network obj-prod_ska
  subnet 192.168.100.0 255.255.255.0
  nat (PROD_SKA,WAN) dynamic interface

object network obj-dev_ska
  subnet 172.16.1.0 255.255.255.0
  nat (DEV_SKA,WAN) dynamic interface


Additional networks off of the PROD_SKA and DEV_SKA interfaces would need to be configured in a similar fashion.


Let me know if you have any questions.


Thanks


Loren

Hi,


Got it working. Thank you so much.

It was indeed a mix of both the ACL and the fact that ASDM chose to use a network object rather than the physical WAN interface.


Running your suggested commands in the CLI did the trick.



So you both answered correctly. Being new here, I would like to click "Correct answer" for you both, but is that possible?


Best regards

Loren Kolnes (Cisco Employee) Sun, 08/29/2010 - 20:00

Hi Poul,


Glad to hear this is working. As far as who gets credit, I don't think there is a way to give credit to more than one person, so this is your call. You can, however, provide a rating based on how helpful you found the answers to your questions.


Best regards,


Loren
