ASA 5510 intervlan routing

Nay Myo Tun
Level 1

Hi,

Could you please help to advise? I have an issue on my project. I have already set up the ASA 5510 and configured eth0 for outside (security-level 0), eth1 for DMZ (security-level 50) and eth3 for the internal network (security-level 100). I want to route and be able to ping / ftp from each VLAN to another.

I have configured the necessary ACL to allow the traffic between the (DMZ <=> Outside) interfaces.

Using packet tracer from Outside to DMZ, the packet is allowed. But I can't ping / ftp from one interface to another. Pls. see the attached screen shot.

But according to what I've read from this forum, "If you are trying inter-vlan routing, then make sure that both sub-interfaces have a nameif and security level set to same value."

Does it apply to DMZ, internal and external interfaces with different security levels? Really appreciate your advice since I am now confused.


17 Replies

Jennifer Halim
Cisco Employee

For traffic to and from inside and DMZ, you would need to configure static 1:1 NAT in addition to the access-list to permit the traffic through.

Assuming that your inside subnet is 172.25.152.0/24, then you would need to configure the following:

static (inside,dmz) 172.25.152.0 172.25.152.0 netmask 255.255.255.0

Then "clear xlate" after the above. You should be able to access to and from between inside and dmz, provided that you have already configured the access-list to permit the traffic.

Sorry, late response, Jennifer. I still cannot resolve it.

My requirements are

( 1 ) I'd like to ssh / ftp from the internal server to the DMZ server

( 2 ) I would like ssh / telnet access to the Router from the internal network. (Currently there is no way to control / configure the RTR from the internal segment unless using console access.)

( 3 ) outside <---> DMZ ftp traffic. But the current config still doesn't fulfill my requirement. Kindly take note my FW is ASA Version 8.3(1) with 5510 HW. My config is as per the attachment. What could be the blocking issue?

Accepted Solution

Hi,

In firewall terminology, from a higher security level to access a lower security level only NAT is required; from a lower security level to a higher security level an access-list or conduit must be used to permit the traffic.

Your configuration looks OK except that you don't have dynamic NAT for the inside network to DMZ and Outside.

For ASA version 8.3, the configuration is slightly different; please add the following commands and check your access:

object network obj-192.25.130.0
 subnet 192.25.130.0 255.255.255.0
 nat (inside,outside) dynamic 192.25.152.250
object network obj-192.25.130.0-01
 subnet 192.25.130.0 255.255.255.0
 nat (inside,dmz1) dynamic 192.25.156.250
object network obj-192.25.130.0-02
 subnet 192.25.130.0 255.255.255.0
 nat (inside,dmz2) dynamic 192.25.154.250

HTH

Mohamed

Hi Sobair,

Thanks and really appreciate your expertise. I am now able to access the DMZ server / External Router from the internal network. But I am still trying the opposite direction, from the lower security level to the higher security level (External to DMZ server, and DMZ server to Internal Network). So should I configure just an ACL only in order to permit the traffic from lower security to higher security?

My Current Config is

object-group service PORT_GROUP tcp
 port-object eq echo
 port-object eq ftp
 port-object eq ssh
! Allow access from Internet to DMZ SVR
access-list OUT_IN extended permit tcp any host 192.25.154.107 object-group PORT_GROUP

Pls. see the attached for more detail.


Hi,

If you want access from out to dmz then you need an ACL permitting the traffic from lower to higher security, but you also have to do static NAT from the dmz server to outside.

For dmz to in you need an ACL, but you don't need static NAT, just dynamic NAT from dmz to in.

Regards.

Don't forget to rate helpful posts.

Hi,

No, not only an ACL; you need static NAT from inside to DMZ that allows access from the DMZ network to the inside network, along with an ACL applied on the DMZ interface.

HTH

Mohamed

Hi Mohamed,

I didn't say only an ACL but also dynamic NAT from dmz to in, but you're surely right about static. I can't test it as I haven't got any ASA in my lab and it's been a long time since I've configured one.

Regards.

Don't forget to rate helpful posts.

Hi Mohamed,

I have tried adding the static NAT. But I still get the error message and it didn't go through from DMZ to IN and OUT to DMZ. Kindly advise. Attached is the network diagram.

(For External to DMZ2)

object network DMZ2_static
 host 192.25.154.107
 nat (DMZ2,OUT) static 192.25.152.246

(For DMZ to internal)

object network DMZ2_IN_static
 host 172.25.154.107
 nat (DMZ2,IN) static 172.25.130.250

Existing ACL

access-list OUT_IN extended permit tcp any host 192.25.154.107 object-group PORT_GROUP
access-list IN_IN extended permit ip 192.25.130.0 255.255.255.0 any

Existing Group

access-group OUTSIDE_IN in interface OUT
access-group INSIDE_IN in interface IN

(error messages:)

Source IP        Src port  Destination IP   Dst port  Description
192.25.154.107   37457     192.25.130.22    22        Inbound TCP connection denied from 192.25.154.107/37457 to 192.25.130.102/22 flags SYN on interface DMZ2
192.25.154.107   43166     192.25.130.22    21        Inbound TCP connection denied from 192.25.154.107/43166 to 192.25.130.102/21 flags SYN on interface DMZ2
192.25.158.60    3096      192.25.158.248   443       Teardown TCP connection 3215 for management:192.25.158.60/3096 to identity:192.25.158.248/443 duration 0:03:01 bytes 989 TCP Reset-O
192.25.158.60    4026      192.25.158.248   80        TCP access denied by ACL from 192.25.158.60/4026 to management:192.25.158.248/80

(Note: 192.25.158.60 is the management station on the 158 network.)

Hi,

From DMZ to Internal, try the config below:

hostname(config)# object network host-obj
hostname(config-network-object)# host 172.25.154.107
hostname(config-network-object)# nat (inside,dmz) static 172.25.130.250

access-list DMZ permit ip any host 172.25.130.250
access-group DMZ in interface DMZ2

And from Outside to DMZ, try the following:

object network DMZ2_static
 host 192.25.154.107
 nat (DMZ2,OUT) static 192.25.152.246

access-list OUTSIDE_IN extended permit tcp any host 172.25.130.250 object-group PORT_GROUP
access-group OUTSIDE_IN in interface OUT

HTH

Mohamed

Hi Mohamed,

Thanks for your kind support. I still have issues accessing from OUT to DMZ and from DMZ to the internal network.

ASA01# sh nat translated interface OUT

Auto NAT Policies (Section 2)
1 (DMZ2) to (OUT) source static OUT_TO_DMZ2 172.25.152.246
    translate_hits = 0, untranslate_hits = 0
2 (DMZ2) to (OUT) source dynamic OUT 172.25.152.250
    translate_hits = 77, untranslate_hits = 0

ASA01# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUT_IN; 6 elements; name hash: 0xc608a2be
access-list OUT_IN line 1 extended permit tcp any host 172.25.154.107 object-group PORT_GROUP 0x93ff2600
access-list OUT_IN line 1 extended permit tcp any host 172.25.154.107 eq echo (hitcnt=2) 0x9124577b
access-list OUT_IN line 1 extended permit tcp any host 172.25.154.107 eq ftp (hitcnt=28) 0x4450eadc
access-list OUT_IN line 1 extended permit tcp any host 172.25.154.107 eq ssh (hitcnt=25) 0x8bf2d476
access-list OUT_IN line 2 extended permit tcp any host 172.25.154.250 object-group PORT_GROUP 0xc2fa2030
access-list OUT_IN line 2 extended permit tcp any host 172.25.154.250 eq echo (hitcnt=2) 0xe7ad53a7
access-list OUT_IN line 2 extended permit tcp any host 172.25.154.250 eq ftp (hitcnt=2) 0x01d86629
access-list OUT_IN line 2 extended permit tcp any host 172.25.154.250 eq ssh (hitcnt=0) 0x8814dc01
access-list INSIDE_IN; 1 elements; name hash: 0xcf1073ab
access-list INSIDE_IN line 1 extended permit ip 172.25.130.0 255.255.255.0 any (hitcnt=0) 0xf2f5e4a1
access-list DMZ2; 5 elements; name hash: 0x85355895
access-list DMZ2 line 1 extended permit ip any host 172.25.130.250 (hitcnt=0) 0x7d17c44b
access-list DMZ2 line 2 extended permit icmp 172.25.154.0 255.255.255.0 host 172.25.130.250 (hitcnt=0) 0xc172bb61
access-list DMZ2 line 3 extended permit tcp 172.25.154.0 255.255.255.0 host 172.25.130.250 object-group PORT_GROUP 0x84222e17
access-list DMZ2 line 3 extended permit tcp 172.25.154.0 255.255.255.0 host 172.25.130.250 eq echo (hitcnt=0) 0x950b8d32
access-list DMZ2 line 3 extended permit tcp 172.25.154.0 255.255.255.0 host 172.25.130.250 eq ftp (hitcnt=0) 0x704a9bc5
access-list DMZ2 line 3 extended permit tcp 172.25.154.0 255.255.255.0 host 172.25.130.250 eq ssh (hitcnt=0) 0xc6b3d207
ASA01#

object network DMZ1
    subnet 172.25.156.0 255.255.255.0
object network DMZ2
    subnet 172.25.130.0 255.255.255.0
object network OUT
    subnet 172.25.130.0 255.255.255.0
object network DMZ2
    host 172.25.154.107
object network DMZ1
     subnet 172.25.130.0 255.255.255.0
object network DMZ2_TO_INSIDE
    host 172.25.154.107
object network OUT_TO_DMZ2
    host 172.25.154.107

object network DMZ2
   nat (INSIDE,DMZ2) dynamic 172.25.154.250
object network OUT
   nat (DMZ2,OUT) dynamic 172.25.152.250
object network DMZ1
   nat (DMZ2,DMZ1) dynamic 172.25.156.250
object network DMZ2_TO_INSIDE
   nat (INSIDE,DMZ2) static 172.25.130.250
object network OUT_TO_DMZ2
   nat (DMZ2,OUT) static 172.25.152.246
access-group OUT_IN in interface OUT
access-group DMZ2 in interface DMZ2
route OUT 0.0.0.0 0.0.0.0 172.25.152.246 1
route OUT 172.25.240.0 255.255.255.0 172.25.152.246 1

Here is the syslog

Sev  Date         Time      ID      Src IP          Src port  Dst IP           Dst port  Description
5    Dec 01 2010  16:16:52  305013                            172.25.154.107   22        Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src OUT:172.25.240.111/48863 dst DMZ2:172.25.154.107/22 denied due to NAT reverse path failure
3    Dec 01 2010  16:17:55  710003  172.25.158.60   2472      172.25.158.248   80        TCP access denied by ACL from 172.25.158.60/2472 to management:172.25.158.248/80
5    Dec 01 2010  16:20:07  305013                            172.25.154.107   22        Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src OUT:172.25.240.111/49079 dst DMZ2:172.25.154.107/22 denied due to NAT reverse path failure
4    Dec 01 2010  16:28:25  106023  172.25.240.111            172.25.154.107             Deny icmp src OUT:172.25.240.111 dst DMZ2:172.25.154.107 (type 8, code 0) by access-group "OUT_IN" [0x0, 0x0]

Note: 172.25.240.111 is the IP address of the server which is connected to the external gi0/0 of RTR 3825, 172.25.240.110/24.

RTR 3825 gi0/1 172.25.152.246 is connected to FW OUT 172.25.152.248.

Hi,

Do you have NAT exemption configured? Could you post the output of (show run nat)?

Mohamed

Thanks, Mohamed. I don't have NAT exemption configured.

AODWASA01# sh run  nat
!
object network DWH-MAIN
nat (DWH-MAIN,GDG_MAIN) dynamic 172.25.154.250
object network FW_EXT
nat (DWH-MAIN,FW_EXT) dynamic 172.25.152.250
object network GDG-MGT
nat (DWH-MAIN,GDG_MGT) dynamic 172.25.156.250
object network GDG_MAIN_TO_DWH-MAIN
nat (DWH-MAIN,GDG_MAIN) static 172.25.130.250
object network FW_EXT_TO_GDG_MAIN
nat (GDG_MAIN,FW_EXT) static 172.25.152.246

Thanks.

Hi Mohamed,

Kindly check the packet tracer result.

ASA01#  packet-tracer input DMZ2 tcp 172.25.154.107 ftp 172.25.130.250 ftp


Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network DMZ2_TO_INSIDE
nat (INSIDE,DMZ2) static 172.25.130.250
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 172.25.130.250/21 to 172.25.154.107/21

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: DMZ2
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA01#

ASA01# packet-tracer input OUT tcp 172.25.152.250 ftp 172.25.154.107 ftp

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.25.154.0    255.255.255.0   DMZ2

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface OUT
access-list OUT_IN extended permit tcp any host 172.25.154.107 object-group DW_GROUP
object-group service DW_GROUP tcp
port-object eq echo
port-object eq ftp
port-object eq ssh
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network OUT_TO_DMZ2
nat (DMZ2,OUT) static 172.25.152.246
Additional Information:

Result:
input-interface: OUT
input-status: up
input-line-status: up
output-interface: DMZ2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA01#
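Added example (my own Python, not code from the thread or from Cisco): a simplified model of the two lookups the packet-tracer output above labels UN-NAT and rpf-check, built from the OUT_TO_DMZ2 and DMZ2_TO_INSIDE rules in the posted config. It reproduces both drops shown (the 305013 "Asymmetric NAT" reverse-path failure, and the DMZ2 ACL that never matches because ASA 8.3+ evaluates interface ACLs against real, un-NATted addresses) and shows which destination would pass; the function names and the matching logic are assumptions that simplify the real ASA NAT table.

```python
# Added example: simplified model of ASA 8.3+ auto (object) NAT lookups.
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticNat:
    """One 'object network ... nat (real_if,mapped_if) static mapped_ip' rule."""
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str

# Rules copied from the thread's configuration (object names as posted).
OUT_TO_DMZ2 = StaticNat("DMZ2", "OUT", "172.25.154.107", "172.25.152.246")
DMZ2_TO_INSIDE = StaticNat("INSIDE", "DMZ2", "172.25.154.107", "172.25.130.250")

def untranslate(in_if, dst_ip, rules):
    """Forward lookup (packet-tracer 'UN-NAT'): a packet arriving on a rule's
    mapped interface addressed to its mapped IP is un-NATted. Returns
    (egress_if, real_ip); with no matching rule the address is used as-is."""
    for r in rules:
        if in_if == r.mapped_if and dst_ip == r.mapped_ip:
            return r.real_if, r.real_ip
    return None, dst_ip

def translate(out_if, src_ip, rules):
    """Reverse lookup: the source address the real host's replies would carry
    when leaving towards out_if (unchanged if no rule applies)."""
    for r in rules:
        if out_if == r.mapped_if and src_ip == r.real_ip:
            return r.mapped_ip
    return src_ip

def rpf_check(in_if, dst_ip, rules):
    """Packet-tracer 'rpf-check': the reverse flow's translated source must
    equal the destination the forward packet was sent to, otherwise the ASA
    logs %ASA-5-305013 'Asymmetric NAT rules matched' and drops the flow."""
    _, real_ip = untranslate(in_if, dst_ip, rules)
    reverse_src = translate(in_if, real_ip, rules)
    if reverse_src != dst_ip:
        return False, f"reverse flow uses {reverse_src}, packet was sent to {dst_ip}"
    return True, f"{dst_ip} un-NATs to {real_ip}; reverse NAT restores {dst_ip}"

def acl_permits(permitted_hosts, in_if, dst_ip, rules):
    """ASA 8.3+ applies the interface ACL after UN-NAT, i.e. to the real
    destination, so an ACL written with the mapped address never matches."""
    _, real_ip = untranslate(in_if, dst_ip, rules)
    return real_ip in permitted_hosts

if __name__ == "__main__":
    print(rpf_check("OUT", "172.25.154.107", [OUT_TO_DMZ2]))  # dropped, as in the thread
    print(rpf_check("OUT", "172.25.152.246", [OUT_TO_DMZ2]))  # mapped address: allowed
    print(acl_permits({"172.25.130.250"}, "DMZ2", "172.25.130.250", [DMZ2_TO_INSIDE]))
```

Before testing against the mapped address, note that 172.25.152.246 is also the address the thread gives for the router's gi0/1 and for the OUT default-route next hop, so that overlap is worth checking first.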

Hi Mohamed, Here is the output.

AODWASA01# sh run  nat
!
object network IN
      nat (IN,DMZ2) dynamic 172.25.154.250
object network OUT
      nat (IN,OUT) dynamic 172.25.152.250
object network DMZ1
      nat (IN,DMZ1) dynamic 172.25.156.250
object network DMZ2_TO_IN
      nat (IN,DMZ2) static 172.25.130.250
object network OUT_TO_DMZ2
      nat (DMZ2,OUT) static 172.25.152.246

Thanks.
