cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1310
Views
34
Helpful
17
Replies

ASA Need expert review..Nat Problems with DMZ, inside, outside.

risenshine4th
Level 1
Level 1

I am trying to fix a similar situation.

I need the "Masters" to review my configs so I can share the knowledge.

I can get to the Internet from the DMZ and the inside interfaces.

I'm trying to allow the inside interface to be able to access anything in the DMZ.

I would like to be able to browse the webpages.

Also I am trying to allow remote desktop into the DMZ...I want to keep the DMZ limited to the access rules and ports defines.

I've got several public IPs that go to go to the DMZ and Inside depending on the port and service.

I've attached a clean detailed config.

1 Accepted Solution

Accepted Solutions

My first thought is to cut back on your ACLs

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group DMZ_access_in in interface DMZ

access-group DMZ_access_out out interface DMZ

I would take all of the ones that are outbound off, leaving only the inbound access lists.

When you did your statics, did you clear your xlate table? (clear xlate ) Generally the port translation error comes from the translation not being recognized, and you have to clear the table, or reboot the device, before they'll be seen.

--John

HTH, John *** Please rate all useful posts ***

View solution in original post

17 Replies 17

Collin Clark
VIP Alumni
VIP Alumni

Add global (DMZ) 1 interface

You should be able to remove these statements-

global (inside) 10 interface

global (DMZ) 5 interface

Hope that helps.

I added the "global (DMZ) 1 interface"

and removed

global (inside) 10 interface

global (DMZ) 5 interface

cl xlate after saving the config.

There doesn't seem to bee any change.

I do see how the global (inside) 10 interface

global (DMZ) 5 interface were not needed.

Any other ideas?

Is there anything in the log?

I appreciate the help.

I'm attaching the Logs.

This morning I was able to ping from (192.168.0.10)within the DMZ and even remote into \\192.168.0.100\c$ without any configuration changes...this lasted 20 minutes. Then back to normal without any changes.

I find it strange that when I try and ping from the inside it shows the source as the destination I am trying to ping.

Basically, I've got a PC on the DMZ and a PC on the Inside Interfaces.

Let's be clear on what needs to be working-

+Inside to DMZ, whatever ports and protocols you deem necessary.

Do you need DMZ to Inside to work? All IP's or just some?

What needs to work:

Need Inside network to be able to able to reach anything and use any service in the DMZ. Want to be able to service the webservers and use admin tools. no limits. RDP

I would like to limit the services and traffic from the DMZ into the inside.

For example...

would ike to allow 192.168.154.2 to be able to pop3 192.168.0.4.

I would like to allow any DMZ server to be able to send SMTP to 192.168.04

access-list DMZ_access_out extended permit tcp host 192.168.154.2 eq pop3 host 192.168.0.4 eq pop3

access-list DMZ_access_out extended permit tcp any host 192.168.0.4 eq smtp

Thanks

It looks like everything is in place. Can you try, from a DMZ server, telnet to 192.168.0.4 on port 25. Then can you capture the log for it (show logg | i dmz_server_ip)? Thanks.

6 Nov 07 2008 12:20:07 302014 192.168.154.10 1181 Exchange-192.168.0.4 25 Teardown TCP connection 65 for DMZ:192.168.154.10/1181 to inside:Exchange-192.168.0.4/25 duration 0:00:30 bytes 0 SYN Timeout

6 Nov 07 2008 12:19:37 302013 192.168.154.10 1181 Exchange-192.168.0.4 25 Built inbound TCP connection 65 for DMZ:192.168.154.10/1181 (192.168.154.10/1181) to inside:Exchange-192.168.0.4/25 (Exchange-192.168.0.4/25)

This repeats

Are you still seeing the NAT translations too? I see there are 0 bytes across 30 seconds. This usually means it's not getting to the destination or there is a restriction on the application. On the Exchange server are there any restrictions (ie relaying)? Do you see anything in the Exchange server event viewer for the connection?

Hello John,

According to your ACLs and explaination one post above, I think you are confused about the directions of applying ACLs, in or out.

When you apply and ACL as out, that ACL will filter the traffic departs from firewall destined to the HOST in applied interface. Let me explain with an example

"Need Inside network to be able to able to reach anything and use any service in the DMZ"

So you want any inside host to use any service in DMZ.

Inside host say A with IP address of 192.168.0.200 want to connect a web page on host B 192.168.154.220. This connection attempt will be filtered in 2 points. 1) When entering the inside interface "inside_access_in in interface inside" 2) Departing from forwarded interface (Which is DMZ interface in this case), "dmz_access_out out interface dmz"

So you are actually filtering the inside->dmz access which you initially permitted with inside_access_in ACL, by applying an outbound ACL to DMZ interface. This also affects connections from outside interface. So if these ACLs were formed when the former was unsure about directions, I recommend removing them and start with a fresh understanding.

Besides,

*The ACEs that DMZ hosts are stated as source and x destination permitted in dmz_access_out are logically incorrect

*The ACEs that other interface's subnet is stated as source and permitted in any inbound applied ACLs makes firewall vulnerable to spoofing attacks.

*A normal TCP session NEVER establishes a connection with same source port as destination port "access-list DMZ_access_out extended permit tcp host 192.168.154.2 eq pop3 host 192.168.0.4 eq pop3 ", source port always is a dynamically assigned port between 1024-65535

But somehow logs do not contain denies, just SYN time outs. I suggest you to use a service 1)Which you certainly know that it is up

2)Not requires special inspections by firewalls,

while testing capabilities. So use RDP instead port 25, and make sure RDP is enabled at destination client.

Last, make sure that there are no software firewall like windows firewall enabled in clients/servers. If enabled, configure required exceptions.

I agree that I am confused. Good points about the RDP and Firewall settings etc...I've checked these in my testing. I've been testing this build rules to match others on a Juniper device. I know this is part of the trouble.

I've been adding acl's ans statics based on cisco references that either leave something out or don't show even a reference to a working running-config to support the document. I've used both CLI and ASDM examples. They tend to be a little vague.

I am configuring using the ASDM and the CLI to understand what both sides look like.

The from higher to lower security defaults don't appear to work so I've added statics and rules.

I will rebuild again and test. Even the basic tests make me think I'm missing something.

Does anyone have a basic working example of a DMZ?

int e1

nameif inside

sec 100

dup au

no shu

ip add 192.168.10.1 255.255.255.0

int e2

nameif dmz

sec 50

dup au

no shu

ip add 172.16.5.1 255.255.255.0

int e0

nameif outside

sec 0

dup au

no shu

ip add 88.247.156.65 255.255.255.248

nat (inside) 1 0 0 (For inside hosts to connect internet)

nat (dmz) 1 0 0 (For dmz hosts to connect internet)

global (outside) 1 interface

name 172.16.5.10 WEBSERVER

static (dmz,outside) 88.247.156.66 WEBSERVER

static (dmz,inside) 172.16.5.0 172.16.5.0 netmask 255.255.255.0

access-list outside_access_in permit tcp any host 88.247.156.66 eq 80

access-group outside_access_in in interface outside

In above config, any host in DMZ can connect to hosts at outside interface including internet, but cant access inside. Inside can access both DMZ and outside hosts including internet. And outside hosts can only access to 88.247.156.66 IP address on tcp port 80 of your firewall, which is statically natted to your webserver.

Thanks for the sample working config.

When I use the config above...I get the following errors.

Tried to remote desktop to dmz

3|Nov 12 2008|18:20:23|305006|172.16.5.10|80|||portmap translation creation failed for tcp src inside:192.168.10.100/2671 dst dmz:172.16.5.10/80

3|Nov 12 2008|18:20:02|305006|172.16.5.10|445|||portmap translation creation failed for tcp src inside:192.168.10.100/2671 dst dmz:172.16.5.10/445

3|Nov 12 2008|18:20:02|305006|172.16.5.10|139|||portmap translation creation failed for tcp src inside:192.168.10.100/2672 dst dmz:172.16.5.10/139

3|Nov 12 2008|18:19:56|305006|172.16.5.10|445|||portmap translation creation failed for tcp src inside:192.168.10.100/2671 dst dmz:172.16.5.10/445

3|Nov 12 2008|18:19:56|305006|172.16.5.10|139|||portmap translation creation failed for tcp src inside:192.168.10.100/2672 dst dmz:172.16.5.10/139

Ping from inside to dmz

3|Nov 12 2008|18:18:35|305006|172.16.5.10||||portmap translation creation failed for icmp src inside:192.168.10.100 dst dmz:172.16.5.10 (type 8, code 0)

3|Nov 12 2008|18:18:30|305006|172.16.5.10||||portmap translation creation failed for icmp src inside:192.168.10.100 dst dmz:172.16.5.10 (type 8, code 0)

I'll keep trying to figure out what is missing. I'd welcome any other ideas.

my typo,

no static (dmz,inside) 172.16.5.0 172.16.5.0 netmask 255.255.255.0 (this cant be used while a nat statement exists)

static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: