ASA 5510 DMZ NAT question

gtorresjr77 (Level 1)

Hi All,

First time posting.

So my goal is to have an FTP server on the DMZ and be able to access it using the outside interface (which is currently just configured as 10.2.2.2). I tried adding the NAT rule using ASDM and the CLI but it won't take. What am I missing that I can't NAT?

static (dmz, outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0

Here is the current config.

Thanks

ASA Version 8.2(1)
!
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no ip address
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif inside1
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface Ethernet0/1.3
 vlan 3
 nameif inside3
 security-level 100
 ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group network inside-subnet
 network-object 10.20.10.0 255.255.255.0
 network-object 10.40.10.0 255.255.255.0
object-group network FTPServer
 network-object 172.20.10.5 255.255.255.255
object-group network FTPServer-External
 network-object 10.2.2.2 255.255.255.255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
mtu inside1 1500
mtu inside3 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.2.2.2
nat (dmz) 1 172.20.10.0 255.255.255.0
nat (inside1) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00


Jouni Forss (VIP Alumni)

Hi,

The Static PAT (Port Forward) configuration seems valid.

Though you don't have any IP address in the visible configuration for the "outside" interface:

interface Ethernet0/0
 nameif outside
 security-level 0
 no ip address

You should add:

interface Ethernet0/0
 ip address

- Jouni

Also,

It seems that one of your interfaces is configured as a trunk:

interface Ethernet0/1
 nameif inside
 security-level 100
 no ip address

The configuration on the physical interface itself seems unneeded if you are not planning to add an IP address to it. If you are not going to add one, you could configure:

interface Ethernet0/1
 no nameif
 no security-level

Just to avoid any future misunderstanding with the interface in question.

- Jouni

Thanks for that quick response. The interface not having an IP was an oversight, from not having the correct IPs from the ISP yet.

I'll add the temp IP and test again. Also, I will remove those configs from eth0/1.

I'll let you know if all is good.

Hi,

I can't see any other reason for it not accepting the command, at least if you did it through ASDM.

The "static" command itself refers to the "outside" interface with the parameter "interface", and if the interface has no IP address configured I would imagine it won't accept the NAT configuration, as there is no IP address to use for the NAT configuration you are trying to insert.

static (dmz, outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0

- Jouni

OK, so I removed the security-level and nameif on eth0/1, and now I cannot ping 10.20.10.1 from a server with IP 10.20.10.5 connected to the same switch.

From the ASA I can ping 10.40.20.2 (int vlan 3 IP on the switch) but I can't ping 10.20.10.254 (int vlan 1 on the switch).

I have the switch connected to eth0/1 on port 48 of the switch. Here's a truncated version of my switch config.

ip routing
ip dhcp excluded-address 10.40.20.1 10.40.20.10
!
ip dhcp pool guestwifi
 network 10.40.20.0 255.255.255.0
 dns-server 8.8.8.8 4.2.2.2
 default-router 10.40.20.1
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3
 switchport mode trunk
!
interface GigabitEthernet0/42
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3
 switchport mode trunk
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
 description uplink to Firewall
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3
 switchport mode trunk
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
 ip address 10.20.10.254 255.255.255.0
!
interface Vlan2
 description Voice Vlan
 no ip address
!
interface Vlan3
 description Guest Vlan
 ip address 10.40.20.2 255.255.255.0

Hi,

If removing those commands created some problems, you could always revert back to the original configuration.

Though I didn't see that there was any IP address configured for the physical interface, so I am not sure how it would affect the setup.

If it did, it must be related to you using Vlan1 in the configurations.

I am wondering whether you would need to change the native VLAN to something other than the default VLAN for the suggested configurations not to cause any problems.

But it is probably better to revert to the original configuration, though it still leaves the ASA configuration looking pretty strange.

- Jouni

So after removing it, it still didn't work. What I did was configure the eth0/1 interface with the vlan 1 IP and just keep the eth0/1.3 vlan 3 sub-interface. Communication is OK now. My next issue/question is: I am trying to get the vlan 1 network 10.20.10.0/24 to see the FTP server on the DMZ (172.20.10.5). Here's the ASA config so far. What am I missing in the access list to be able to hit/ping the FTP server from a vlan 1 server? The switch is configured for DMZ vlan 4. I have the eth0/2 interface and the FTP server connected to ports 43/44, trunked with vlan 1, 4.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface Ethernet0/1.3
 vlan 3
 nameif inside3
 security-level 100
 ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.30.10.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group network inside-subnet
 network-object 10.20.10.0 255.255.255.0
 network-object 10.40.10.0 255.255.255.0
object-group network FTPServer
 network-object 172.20.10.5 255.255.255.255
access-list dmz_access_in extended permit ip 10.20.10.0 255.255.255.0 host 172.20.10.5
access-list dmz_access_in extended permit icmp 10.20.10.0 255.255.255.0 host 172.20.10.5
access-list outside_access_in extended permit tcp any object-group FTPServer eq ftp
access-list inside_access_in extended permit icmp host 172.20.10.5 10.20.10.0 255.255.255.0 timestamp-reply
access-list inside_access_in extended permit tcp host 172.20.10.5 10.20.10.0 255.255.255.0 inactive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside3 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.2.2.2
nat (inside) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
nat (dmz) 1 172.20.10.0 255.255.255.0
static (dmz,outside) tcp interface ftp 172.20.10.5 ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
: end
hofasa#

Hello,

The problem you had before was that you were using the native VLAN interface incorrectly.

You changed the setup, so we will start from here now:

First of all, remove this:

no access-group inside_access_in in interface inside

Add the following:

policy-map global_policy
 class class-default
  inspect ftp

Just in case you do not have it:

static (dmz,inside) 172.20.10.5 172.20.10.5
static (inside,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0

Let me know how it goes.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
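The "inspect ftp" line Julio asks for matters because FTP carries addresses inside the control channel: a passive-mode reply (227) tells the client which IP and port to open the data connection to, and without inspection that IP is the server's real DMZ address, which no client beyond the NAT can reach. The Python script below is an added example written for this page, not part of the thread and not Cisco code. It models the fix-up the FTP inspection engine applies to a 227 reply from the DMZ server 172.20.10.5 when the control connection is translated by the static PAT, using the outside interface address 10.2.2.1 from the later config as the mapped address. The sample reply is constructed, and the assumption that the data port is kept unchanged on the mapped address is a simplification of the real engine, which also opens the data-port pinhole and handles PORT/EPSV.

```python
"""Why 'inspect ftp' matters next to a static NAT: a passive-mode (PASV) reply carries the
server's own address and data port in the payload, so a client on the far side of the NAT
must see the mapped address instead. Simplified model written for this page; the real ASA
engine also opens the data-port pinhole and handles PORT/EPSV, which is not shown."""
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no address tuple in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def rewrite_pasv(reply, real_ip, mapped_ip):
    """Model the inspection engine's fix-up: if the embedded address is the translated server,
    replace it with the mapped address and return the (mapped_ip, port) pinhole to open.
    Assumes the data port is kept as-is on the mapped address (a simplification)."""
    ip, port = parse_pasv(reply)
    if ip != real_ip:
        return reply, None                      # some other host: leave the payload untouched
    octets = mapped_ip.split(".") + [str(port // 256), str(port % 256)]
    return PASV_RE.sub("(" + ",".join(octets) + ")", reply, count=1), (mapped_ip, port)


def data_target(reply, real_ip, mapped_ip, inspected):
    """Where a client on the far side of the NAT will try to open the data connection."""
    fixed, _ = rewrite_pasv(reply, real_ip, mapped_ip) if inspected else (reply, None)
    return parse_pasv(fixed)


# Constructed sample: the DMZ server 172.20.10.5 answers PASV; the static PAT on the outside
# interface (10.2.2.1 in the thread's later config) is the only address an outside client can reach.
SERVER_REPLY = "227 Entering Passive Mode (172,20,10,5,195,80)."

if __name__ == "__main__":
    print("server says:", parse_pasv(SERVER_REPLY))
    for inspected in (False, True):
        print("inspect ftp" if inspected else "no inspection", "-> client connects to",
              data_target(SERVER_REPLY, "172.20.10.5", "10.2.2.1", inspected))
```

Without inspection the outside client is told to connect to 172.20.10.5:50000, a DMZ address it cannot route to; with inspection it is told 10.2.2.1:50000, which the ASA translates back to the server. The same logic is why the identity statics between inside and dmz are harmless for FTP: when the embedded address equals the address the client already uses, the engine has nothing to rewrite.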

So I removed and added the statements you stated. From the switch I can ping the DMZ interface on the ASA, 172.20.10.1, but not the FTP server 172.20.10.5. From the ASA I can ping the vlan 4 interface on the switch, 172.20.10.2, but cannot ping the FTP server 172.20.10.5.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface Ethernet0/1.3
 vlan 3
 nameif inside3
 security-level 50
 ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 100
 ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.30.10.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group network inside-subnet
 network-object 10.20.10.0 255.255.255.0
 network-object 10.40.10.0 255.255.255.0
object-group network FTPServer
 network-object 172.20.10.5 255.255.255.255
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp timestamp-reply
access-list dmz_access_in extended permit ip 10.20.10.0 255.255.255.0 172.20.10.0 255.255.255.0
access-list dmz_access_in extended permit icmp 10.20.10.0 255.255.255.0 172.20.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any object-group FTPServer eq ftp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside3 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.2.2.2
nat (inside) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
nat (dmz) 1 172.20.10.0 255.255.255.0
static (dmz,outside) tcp interface ftp 172.20.10.5 ftp netmask 255.255.255.255
static (dmz,inside) 172.20.10.5 172.20.10.5 netmask 255.255.255.255
static (inside,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.20.10.0 255.255.255.0 management
http 10.20.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.20.10.0 255.255.255.0 inside
telnet 192.168.1.1 255.255.255.255 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class class-default
  inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6bcfb01a635982dcd4020570173ae95f
: end

Switch config

interface GigabitEthernet0/43
 description FTP Server
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/44
 description Uplink to ASA DMZ Eth0/2
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
interface GigabitEthernet0/48
 description UPLink to ASA Eth0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3,4
 switchport mode trunk
interface Vlan2
 description Voice Vlan
 no ip address
 no ip route-cache
!
interface Vlan3
 description Guest Vlan
 ip address 10.40.20.2 255.255.255.0
 no ip route-cache
!
interface Vlan4
 description DMZ Vlan
 ip address 172.20.10.2 255.255.255.0
 no ip route-cache

OK, I'm narrowing this down slowly. I rebooted the switch and I'm able to ping 172.20.10.5 (FTPServer) from the switch (when I source the ping from vlan 4) and from the ASA. How do I get the 10.20.10.0 network able to access the DMZ (just the FTPServer)?

Could it be because Eth0/2 on the ASA is on the native vlan and not vlan 4? I don't see an option to change it.

This is the correct configuration:

How do I get the 10.20.10.0 network able to access just the FTP server via its translated IP?

Step 1:

Lower the security level of the interface where the FTP server resides:

enable
config t
interface Ethernet0/2
 security-level 90

Why would you do this? Because you are playing with the same-security-traffic feature, which, if you really don't know what it is used for, you just shouldn't use, as it is not necessary in your setup.

enable
config t
static (dmz,inside) tcp 10.2.2.1 21 172.20.10.5 211 netmask 255.255.255.255

Then add the next line:

enable
config t
global (dmz) 1 interface

You might ask yourself, why am I adding this last line? Because you have the following configuration line, which obligates it to PAT when going to the DMZ:

nat (inside) 1 10.20.10.0 255.255.255.0

Now, my question to you: when you access your FTP server from the outside interface, do you do it by domain name or IP? See, it is one thing to be out in the external world with some other device doing the NAT for you, and a completely different thing to try to connect from the internal network to the DMZ FTP server while mapping it to what would appear to be the correct IP, which would be 10.2.2.1.

Plus your code should be updated; it is a really old version. Maybe 8.2.5 code would be OK.

Value our effort and rate the assistance!
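Two of the points made in this thread can be checked mechanically against a config dump: Jouni's, that a static (or global) that says "interface" needs an IP address on that interface before the ASA can use it, and Julio's, that a host on one interface only reaches a server on another if the two security levels differ (or same-security-traffic is permitted), the dynamic nat id it matches has a global on the egress interface or a static covers the pair, and the FTP inspection is in place. The Python linter below is an added example written for this page, not a Cisco tool and not code from any poster. It parses the ASA 8.2 syntax used in the thread (interface blocks, nat/global/static, inspect lines) and runs those checks against a reduced copy of the first posted config, against a variant with equal security levels like the one posted later, and against the same config with the thread's fixes applied. The function names, the reduced sample and the fixed variant are the example's own.

```python
"""Lint an ASA 8.2-style config for the two pitfalls raised in this thread: a NAT rule that
says 'interface' on an interface with no IP address, and what a host on one interface needs
to reach a server on another. Hypothetical tool written for this page, not Cisco software."""
import ipaddress
import re

# Constructed sample, reduced from the poster's first config: 'outside' has no address and
# inside1 shares NAT id 1 with dmz but there is no global (dmz) 1 and no static (inside1,dmz).
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 no ip address
interface Ethernet0/1.1
 nameif inside1
 security-level 100
 ip address 10.20.10.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.20.10.1 255.255.255.0
global (outside) 1 10.2.2.2
nat (dmz) 1 172.20.10.0 255.255.255.0
nat (inside1) 1 10.20.10.0 255.255.255.0
static (dmz, outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0
policy-map global_policy
  inspect ftp
"""

STATIC_RE = re.compile(r"^static \((\S+?),\s*(\S+)\)\s+(.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")


def parse(text):
    """Pull interfaces, nat/global/static lines and inspections out of a config dump."""
    cfg = {"ifc": {}, "static": [], "global": [], "nat": [], "inspect": set(), "same_sec": False}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            cur = {"ip": None, "sec": None}
        elif line.startswith("nameif ") and cur is not None:
            cfg["ifc"][line.split()[1]] = cur           # same dict: later ip/sec lines fill it in
        elif line.startswith("security-level ") and cur is not None:
            cur["sec"] = int(line.split()[1])
        elif line.startswith("ip address ") and cur is not None:
            cur["ip"] = line.split()[2]
        elif m := STATIC_RE.match(line):
            t = m[3].split()
            pat = t[0] in ("tcp", "udp")                # static PAT form: proto mapped mport real rport
            real = t[3] if pat else t[1]
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            cfg["static"].append({"real_ifc": m[1], "mapped_ifc": m[2], "mapped": t[1] if pat else t[0],
                                  "real_net": ipaddress.ip_network(f"{real}/{mask}", strict=False)})
        elif m := GLOBAL_RE.match(line):
            cfg["global"].append({"ifc": m[1], "id": int(m[2]), "addr": m[3]})
        elif m := NAT_RE.match(line):
            cfg["nat"].append({"ifc": m[1], "id": int(m[2]),
                               "net": ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)})
        elif line.startswith("inspect "):
            cfg["inspect"].add(line.split()[1].lower())
        elif line == "same-security-traffic permit inter-interface":
            cfg["same_sec"] = True
    return cfg


def lint(cfg, src_ifc, dst_ifc, src_host, ftp=True):
    """Findings for the config as a whole, then for a src_host -> dst_ifc flow."""
    findings, ifc = [], cfg["ifc"]
    for s in cfg["static"]:                             # 'interface' needs an address to borrow
        if s["mapped"] == "interface" and ifc.get(s["mapped_ifc"], {}).get("ip") is None:
            findings.append(f"static ({s['real_ifc']},{s['mapped_ifc']}) uses 'interface' "
                            f"but {s['mapped_ifc']} has no ip address")
    src, dst = ifc[src_ifc], ifc[dst_ifc]
    if src["sec"] == dst["sec"] and not cfg["same_sec"]:
        findings.append(f"{src_ifc} and {dst_ifc} both have security-level {src['sec']}; traffic between "
                        "them is dropped without 'same-security-traffic permit inter-interface'")
    host = ipaddress.ip_address(src_host)
    has_static = any(s["real_ifc"] == src_ifc and s["mapped_ifc"] == dst_ifc and host in s["real_net"]
                     for s in cfg["static"])
    dyn = {n["id"] for n in cfg["nat"] if n["ifc"] == src_ifc and host in n["net"]}
    if dyn and not has_static and not any(g["ifc"] == dst_ifc and g["id"] in dyn for g in cfg["global"]):
        findings.append(f"nat ({src_ifc}) {min(dyn)} matches {src_host} but there is no global ({dst_ifc}) "
                        f"{min(dyn)} and no static ({src_ifc},{dst_ifc}): 'No translation group found'")
    if ftp and "ftp" not in cfg["inspect"]:
        findings.append("no 'inspect ftp' in the service policy; PASV/PORT addresses are not rewritten")
    return findings


# The thread's remedies applied to the sample (constructed): give outside an address, add identity static.
FIXED_CONFIG = (SAMPLE_CONFIG.replace("no ip address", "ip address 10.2.2.1 255.255.255.0")
                + "static (inside1,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0\n")

if __name__ == "__main__":
    for name, text in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint(parse(text), "inside1", "dmz", "10.20.10.5") or ["no findings"])
```

Run against the reduced original it reports the missing outside address and the missing translation for inside1 to dmz; against the fixed variant it reports nothing. The no-translation check models the 8.2 behaviour that a dynamic nat entry matching the source with no matching global on the egress interface, and no static covering the pair, makes the ASA drop the flow rather than pass it untranslated, which is exactly what the "global (dmz) 1 interface" or the identity static in the thread resolves.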

Please update the ticket as resolved or answered so we can close out the follow-up.

Value our effort and rate the assistance!

I don't know how to mark it as resolved without hitting "correct answer"?

Yeah, "correct answer" is the right way. If you believe that the solution was not given, you just rate it, but the idea is that if you post a question we continue the conversation until we resolve it.

Question: did you get the information that you needed, or do you still have doubts?

Value our effort and rate the assistance!