Configure ASA 5505 (Base Licence) - Permit from Inside to DMZ hosts

Unanswered Question
Nov 22nd, 2013
Please can someone assist me with this quite basic configuration? (forgive the simple question but I am not too familiar with ASAs)


I need to configure an ASA 5505 to allow access from the inside interface to hosts on the DMZ interface (for SSH)


My partial configuration is as follows:


access-list inside_in extended permit tcp host 10.10.1.100 object-group INSIDE-LAN eq ssh

access-list inside_in extended permit tcp object-group INSIDE-LAN host 10.10.1.100 eq ssh

access-group inside_in interface inside


I am not sure whether I need an ACL on the DMZ interface.


I am running ASA version 8.0(3)6


Any help is gratefully received!

Karsten Iwen Fri, 11/22/2013 - 05:56

It's not only the access-list that has to be configured, but also a NAT rule.


The ACL: You only need to specify the initial traffic. As a stateful firewall, the ASA will take care of the return-packets.

If 10.10.1.100 is your DMZ-host, then you don't need your first ACL-line.


NAT: You should exempt the traffic from NAT. That can be done in different ways and depends on your actual config.


Please post the output of "show run nat", "show run global" and "show run static".


A NAT-config that will work in many scenarios (but without knowing the rest of your config, this is probably not the optimum) is the following:


static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0


In this example 10.1.1.0/24 is your internal network, inside and dmz are the names of the interfaces.


You find more on NAT in the config-guide:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043190



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Daren Matthews Mon, 11/25/2013 - 02:07
Thank you very much Karsten - I have asked my counterpart in the country where the firewall is to provide this command output.  I have also asked him to configure the NAT statement. What you have said makes sense and I have relayed the information.  I am also trying to gain access to it myself.  Many thanks for your help.

Daren Matthews Tue, 11/26/2013 - 01:53

Hi Karsten,


I now have access to the ASA so can respond more easily.  Meanwhile, here is the result of the show commands that you requested:


ASA# show run nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list outside_nat0_outbound outside


ASA# show run global

global (inside) 1 82.64.92.12-196.38.92.13 netmask 255.255.255.0

global (outside) 1 interface


ASA# show run static

static (inside,outside) 84.12.54.131 ISI_SRV netmask 255.255.255.255

static (inside,outside) 84.12.54.132 DWA_SRV netmask 255.255.255.255


Thank you very much for the help.  I'll try to repay the community in the future!

Daren Matthews Mon, 12/02/2013 - 12:59

Hi Karsten,


See my last post and the fact that I have access to the ASA.  I'll try your NAT rule first I think.

Marius Gunnerud Fri, 11/22/2013 - 06:29

To bypass the NAT you could enter the no nat-control command from global configuration mode.


If you require further assistance please post your full sanitized configuration.


--

Please rate all helpful posts.

Karsten Iwen Fri, 11/22/2013 - 06:38

To bypass the NAT you could enter the no nat-control command from global configuration mode.


That won't help, as it is very likely that there is a NAT statement for internet access on the internal interface.




jumora Thu, 11/28/2013 - 05:38
just add:


enable

config t

global (dmz) 1 interface



Value our effort and rate the assistance!

jumora Thu, 11/28/2013 - 05:40

You cannot bypass NAT if you already have nat (inside) 1 0 0; it will force you to add the global that I mentioned, or to configure NAT exemption or a static identity NAT.
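Putting Karsten's advice (ACL for the initiating direction only, NAT exemption) and jumora's (a global on dmz, or NAT exemption, or static identity NAT, because nat (inside) 1 0 0 is present) together, here is a complete pre-8.3 configuration for the inside-to-DMZ SSH case. This is an added example, not configuration from the thread or from Cisco's documentation. It assumes the interface names inside and dmz, Karsten's example inside subnet 10.1.1.0/24 for the object-group INSIDE-LAN named in the question, the DMZ host 10.10.1.100 from the question, the existing exemption ACL inside_nat0_outbound from Daren's "show run nat" output, and a placeholder inside client 10.1.1.50 for the trace. Lines starting with ! are comments, not commands; only one of the three NAT options is needed.

```cisco
! --- 1. Access control: permit only the initiating direction (inside -> dmz) ---
! INSIDE-LAN is assumed to be the inside subnet; 10.10.1.100 is the DMZ host.
object-group network INSIDE-LAN
 network-object 10.1.1.0 255.255.255.0
!
access-list inside_access_in extended permit tcp object-group INSIDE-LAN host 10.10.1.100 eq ssh
! Binding an ACL to "inside" removes the default permit for traffic to
! lower-security interfaces, so everything else inside users still need
! (here: all other outbound traffic) must be permitted explicitly too.
access-list inside_access_in extended permit ip object-group INSIDE-LAN any
access-group inside_access_in in interface inside
! No ACL is needed on dmz for the SSH replies: the ASA is stateful and
! allows the return half of a permitted connection.

! --- 2. NAT: choose ONE option. nat (inside) 1 0.0.0.0 0.0.0.0 is already
! configured, so every inside -> dmz flow needs either a matching global on
! dmz or an exemption/identity translation; with neither, the flow fails. ---

! Option A: NAT exemption (keeps the real client source address; preferred).
! inside_nat0_outbound already exists in the posted "show run nat"; this
! adds the inside -> DMZ-host traffic to it.
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 10.10.1.100
nat (inside) 0 access-list inside_nat0_outbound

! Option B: static identity NAT for the whole inside subnet towards dmz
! (Karsten's suggestion). Also keeps the real source address.
! static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Option C: dynamic PAT to the dmz interface address (jumora's suggestion).
! It works, but the DMZ host then sees every inside client as the ASA's dmz
! address, so sshd logs and host-based allow-lists lose the real client IP.
! global (dmz) 1 interface

! --- 3. Verify from the inside side with a source on the inside subnet ---
packet-tracer input inside tcp 10.1.1.50 40000 10.10.1.100 22
```

With option A or B the trace should show the ACCESS-LIST phase allowing the flow via inside_access_in and a NAT-exempt or static phase rather than a dynamic translation; with option C the NAT phase shows the dmz interface address as the translated source. If the last phase still drops, the flow never reached the DMZ host and the ACL or NAT side needs another look before anything on the host itself.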

jumora Sun, 12/01/2013 - 20:14

Do you need anything else? Do you have any comments?

Daren Matthews Mon, 12/02/2013 - 12:55

Hi Jumora,


Your advice seems sound and I apologise for the delay in replying - it's because since Thursday I have been in London dealing with a problem with, ironically, another Cisco ASA.


I have access to the ASA that is the subject of this problem and tomorrow will be trying out this:


global (dmz) 1 interface


I will report back to this discussion AND can assure everyone that once the problem is overcome I'll update and give closure for anyone else reading this.  There is nothing worse than a discussion that does not get closed.


Thanks again,

Daren

jumora Mon, 12/02/2013 - 17:05

It's ok, I will wait for your update.

Daren Matthews Fri, 12/13/2013 - 06:53

First of all I am very sorry for the delay.


In addition to:

global (dmz) 1 interface


This is what I configured:

static (dmz,inside) tcp 10.10.1.100 ssh 10.10.1.100 ssh netmask 255.255.255.255

access-list inside_access_in extended permit ip any host 10.10.1.100 log

access-group inside_access_in in interface inside


Testing seems to show that an implicit deny is dropping it somehow, if I interpret this correctly:

TESTING

-------------


ASA_Firewall# packet-tracer input inside tcp 172.23.80.37 1026 10.10.1.100 ssh


Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow


Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (dmz,inside) tcp 10.10.1.100 ssh 10.10.1.100 ssh netmask 255.255.255.255

  match tcp dmz host 10.10.1.100 eq 22 inside any

    static translation to 10.10.1.100/22

    translate_hits = 0, untranslate_hits = 2

Additional Information:

NAT divert to egress interface dmz

Untranslate 10.10.1.100/22 to 10.10.1.100/22 using netmask 255.255.255.255


Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:


Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule     <=================  This is where it fails
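The checks a practitioner would run next when packet-tracer ends in "acl-drop" on the implicit rule, as an added example rather than anything posted in the thread. It assumes the ACL name inside_access_in and the DMZ host 10.10.1.100 from the post above, and uses 10.1.1.50 as a placeholder address on the inside subnet; the ! lines are comments, not commands.

```cisco
! 1. Confirm which ACL is really bound to "inside" and in which direction;
!    a typo in the name or a leftover older access-group is a common cause.
show running-config access-group

! 2. Confirm the permit line exists and watch its hit count while testing.
!    If the count never moves, the traffic is not matching this entry.
show access-list inside_access_in

! 3. Re-run the trace with a source that belongs to the inside subnet, so the
!    result reflects a real client rather than an address the ASA would not
!    normally see arriving on that interface.
packet-tracer input inside tcp 10.1.1.50 40000 10.10.1.100 22

! 4. Check what the ASA logged for the real SSH attempt: the "log" keyword on
!    the rule produces 106100 messages when it matches, and drops by the
!    implicit deny produce 106023 messages.
show logging | include 10.10.1.100

! 5. Confirm a translation or exemption exists for the flow; with
!    nat (inside) 1 0 0 in place, a missing global or exemption fails the
!    flow even when the ACL is correct.
show xlate | include 10.10.1.100
```

Run steps 1 and 2 before changing anything: together they tell you whether the rule you think is applied is the one the ASA is evaluating, which is the first thing to rule out when a broad "permit ip any host" still produces an implicit-rule drop.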
