
ASA 5505 (8.2) DMZ to Inside - Howto

Hello,

I'm a Cisco ASA beginner who has a Cisco ASA 5505 at home. I just bought it because I want to learn more about the Cisco CLI and I'm a Cisco fan.

My problem is strange; maybe it is a lack of knowledge, but this is my experience with Cisco for the moment.

So here is my setup:

hellhound(config)# show running-config interface vlan 1
!
interface Vlan1
 description -- ISP Network ---
 nameif Outside
 security-level 0
 ip address dhcp setroute
hellhound(config)# show running-config interface vlan 2
!
interface Vlan2
 description -- Internal Network ---
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
hellhound(config)# show running-config interface vlan 3
!
interface Vlan3
 description --- DMZ Network ---
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
hellhound(config)# show running-config interface vlan 4
!
interface Vlan4
 description -- AP Guest Network --
 nameif Guest
 security-level 50
 ip address 20.20.20.1 255.255.255.0
hellhound(config)#

These are my interfaces; I will also show my access-lists, access-groups and NATs.

hellhound(config)# show running-config access-list
access-list NAT_Exemption_Inside extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.224
access-list NAT_Exemption_Inside extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NAT_Exemption_Inside extended permit ip 192.168.0.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list NAT_Exemption_DMZ extended permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.224
access-list NAT_Exemption_DMZ extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NAT_Exemption_DMZ extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list Split_Tunnel extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.224
access-list Split_Tunnel extended permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.224
access-list Split_Tunnel extended permit ip 20.20.20.0 255.255.255.0 172.16.0.0 255.255.255.224
access-list Inside_to_Outside extended permit ip 192.168.0.0 255.255.255.0 any
access-list DMZ_to_Outside extended permit ip 10.10.10.0 255.255.255.0 any
access-list Guest_to_Outside extended permit ip 20.20.20.0 255.255.255.0 any
access-list NAT_Exemption_Guest extended permit ip 20.20.20.0 255.255.255.0 172.16.0.0 255.255.255.224
access-list NAT_Exemption_Guest extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NAT_Exemption_Guest extended permit ip 20.20.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Static_Inside_Traffic extended permit tcp any interface Outside eq smtp inactive
access-list Static_Inside_Traffic extended permit tcp any interface Outside eq 7000 inactive
hellhound(config)#

hellhound(config)# show running-config access-group
access-group Static_Inside_Traffic in interface Outside
hellhound(config)#

hellhound(config)# show running-config nat
nat (Inside) 0 access-list NAT_Exemption_Inside
nat (Inside) 1 access-list Inside_to_Outside
nat (DMZ) 0 access-list NAT_Exemption_DMZ
nat (DMZ) 1 access-list DMZ_to_Outside
nat (Guest) 0 access-list NAT_Exemption_Guest
nat (Guest) 1 access-list Guest_to_Outside
hellhound(config)#

So the problem is that I need to open a specific IP from my DMZ network to be able to access the DNS server which is in the Inside zone.

I think I have to do that with this:

hellhound(config)# access-list FireBat_DNS_Exemption extended permit tcp host 10.10.10.2 host 192.168.0.7 eq domain
hellhound(config)# access-list FireBat_DNS_Exemption extended permit udp host 10.10.10.2 host 192.168.0.7 eq domain

hellhound(config)# access-group FireBat_DNS_Exemption in interface DMZ

Before I put in the access-group line, my server in the DMZ zone has an internet connection:

login as: root
root@firebat.home.lan's password:
Last login: Wed Nov  5 16:02:30 2014 from 172.16.0.1
[root@firebat.home.lan ~]# ping abv.bg
PING abv.bg (194.153.145.104) 56(84) bytes of data.
64 bytes from abv.bg (194.153.145.104): icmp_seq=1 ttl=60 time=1.81 ms
64 bytes from abv.bg (194.153.145.104): icmp_seq=2 ttl=60 time=1.47 ms
^C
--- abv.bg ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.473/1.645/1.818/0.177 ms
[root@firebat.home.lan ~]#

After applying the access-group I can access the DNS server in the Inside zone, but my internet connection disappears.

[root@firebat.home.lan ~]# ping abv.bg
^C
[root@firebat.home.lan ~]# host home.lan 192.168.0.7
Using domain server:
Name: 192.168.0.7
Address: 192.168.0.7#53
Aliases:

home.lan has address 192.168.0.7
home.lan mail is handled by 10 firebat.home.lan.
[root@firebat.home.lan ~]#

Can somebody help me with this?

I'm very confused...

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Hi,

The problem with your configurations related to the DMZ is that you create an ACL that only allows DNS traffic to the LAN from the DMZ and it blocks all other traffic. Each ACL contains an implicit deny at the end of the ACL even though it does not show in the ACL configuration. This essentially means that if you have not allowed some required connections on the ACL then they will be blocked by the ACL.

 

If your aim would be to allow the DNS traffic from DMZ to LAN and block all other traffic from DMZ to LAN but allow all connectivity to the Internet from the DMZ, then you could use this ACL (I used a different ACL name as I think it's better that the interface ACL refers to the interface name rather than a single host behind that interface):

 

access-list DMZ-IN remark Allow DNS querys from DMZ to LAN
access-list DMZ-IN permit tcp host 10.10.10.2 host 192.168.0.7 eq domain
access-list DMZ-IN permit udp host 10.10.10.2 host 192.168.0.7 eq domain
access-list DMZ-IN remark Deny all other traffic from DMZ to LAN
access-list DMZ-IN deny ip any 192.168.0.0 255.255.255.0
access-list DMZ-IN remark Allow other traffic from DMZ
access-list DMZ-IN permit ip 10.10.10.0 255.255.255.0 any

 

access-group DMZ-IN in interface DMZ

 

Hope this helps :)

 

- Jouni
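To make the implicit-deny point concrete, here is an added simulation (not Cisco code and not part of Jouni's answer) that parses both ACLs from this thread and evaluates a few constructed flows against them with first-match semantics. The parser is an assumption-laden toy: it handles only the `access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]` shapes that appear in the thread, not the `interface Outside` form in the OP's Outside ACL, and the `evaluate` and `compare` helpers are names chosen here, not ASA commands.

```python
"""Simulate ASA interface-ACL first-match evaluation, including the implicit deny.

Added example for the thread above; the parser and the test flows are constructed
and cover only the ACL line shapes used in this discussion.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords the ASA accepts in place of numbers (only the ones this thread uses).
PORT_NAMES = {"domain": 53, "smtp": 25}


@dataclass
class Ace:
    """One access-control entry, resolved to networks and a numeric port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None when the entry has no "eq" clause


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read 'any', 'host A.B.C.D' or 'NET MASK' starting at tokens[i]; return it and the next index."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash, as the ASA config writes it
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Turn ACL config lines into Ace objects; remark lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        i = 3 if t[2] == "extended" else 2
        if t[i] not in ("permit", "deny"):
            continue                 # 'remark' and anything else this toy does not model
        action, proto = t[i], t[i + 1]
        src, i = _parse_addr(t, i + 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First-match evaluation. Returns (action, index); index None means the packet
    matched no entry and hit the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# The OP's ACL from the question and the replacement ACL from the accepted answer.
FIREBAT_ACL = """
access-list FireBat_DNS_Exemption extended permit tcp host 10.10.10.2 host 192.168.0.7 eq domain
access-list FireBat_DNS_Exemption extended permit udp host 10.10.10.2 host 192.168.0.7 eq domain
"""

DMZ_IN_ACL = """
access-list DMZ-IN remark Allow DNS querys from DMZ to LAN
access-list DMZ-IN permit tcp host 10.10.10.2 host 192.168.0.7 eq domain
access-list DMZ-IN permit udp host 10.10.10.2 host 192.168.0.7 eq domain
access-list DMZ-IN remark Deny all other traffic from DMZ to LAN
access-list DMZ-IN deny ip any 192.168.0.0 255.255.255.0
access-list DMZ-IN remark Allow other traffic from DMZ
access-list DMZ-IN permit ip 10.10.10.0 255.255.255.0 any
"""

# Constructed flows: the DNS query that should work, the ping to abv.bg that broke,
# and a non-DNS connection from the DMZ into the LAN that should stay blocked.
FLOWS = {
    "dns_to_lan":    ("udp", "10.10.10.2", "192.168.0.7", 53),
    "ping_internet": ("icmp", "10.10.10.2", "194.153.145.104", None),
    "http_to_lan":   ("tcp", "10.10.10.2", "192.168.0.7", 80),
}


def compare():
    """Map each flow name to (verdict under FireBat_DNS_Exemption, verdict under DMZ-IN)."""
    old, new = parse_acl(FIREBAT_ACL), parse_acl(DMZ_IN_ACL)
    return {name: (evaluate(old, *flow)[0], evaluate(new, *flow)[0]) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:14s} FireBat_DNS_Exemption={old:6s} DMZ-IN={new}")
```

Running it shows the ping to the Internet falling off the end of the OP's two-line ACL (implicit deny) while DMZ-IN permits it via the final `permit ip 10.10.10.0 255.255.255.0 any`, and it shows that a non-DNS connection from the DMZ into the LAN is still denied under DMZ-IN by the explicit `deny ip any 192.168.0.0 255.255.255.0` entry that sits before that catch-all permit.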

2 REPLIES
Jouni Forss, thank you so much.
