ASA5510 DMZ issue

pvj
Level 1

Hi,

Having serious trouble getting my DMZ zone to work as planned.

The setup is typical: a WAN interface and an internal interface with a few VLANs on it. Besides that, I have now configured a new VLAN on a vacant interface eth0/3, which I am planning to use as a DMZ.

internal VLANs - security level 100

DMZ VLAN - security level 50

WAN interface - security level 0

I ticked the "Allow between interfaces with same security level" option, which made it easy to configure access between everything located internally, and also from internal to DMZ.

However, I have 1 public IP and I wish to port NAT to servers in the DMZ. Just to test, I tried to make a public server following Cisco's guide http://www.cisco.com/en/US/docs/security/asa/asa83/getting_started/5500/guide/dmz.html#wp1065777

When I am trying to NAT to the external IP I get the following error:

[ERROR] nat (DMZ_SKA,WAN) static XXX.XXX.XXX.XXX service tcp 3389 3389
Address XXX.XXX.XXX.XX overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Then I tried using the CLI with a command like:

nat (DMZ_SKA,WAN) static interface service tcp 3389 3389

Still no joy; even when allowing everything on WAN and DMZ, nothing is working. If I try to NAT port 80, it gets blocked by the firewall at the WAN interface even though I explicitly allowed it.

Anyone with bright ideas?

8 Replies

Loren Kolnes
Cisco Employee

Hi Poul,

Can you post the output of the following commands:

sh run nat

sh run object network

With regards to the port 80 translation, make sure that the access-list refers to the real IP address, in this case the server address as it exists on the DMZ network.

This link gives some examples of NATting in 8.3.

https://supportforums.cisco.com/docs/DOC-9129

Thanks,

Loren

Kureli Sankar
Cisco Employee

Seems like the NAT that you configured is OK. The ACL may be a problem.

On the outside ACL where you permit 3389 and 80 to this dmz server you need to use the real/private IP of the server in the DMZ.

Read this link. https://supportforums.cisco.com/docs/DOC-12690#ACL_Changes

-KS

Loren Kolnes
Cisco Employee

Hi Poul,

While the previous engineer is correct that the nat statement is correct, we still need to make sure the host defined in the network object is the real IP address of the server. Can you verify this, and also make sure that the access-list you have applied to the WAN interface is allowing traffic to the real IP address and real port of the server?

Thanks,

Loren

pvj
Level 1

Hi all,

Thanks for the suggestions; I tried deleting everything and starting over with the DMZ setup.

Here is sh run nat:

ciscoasa# sh run nat
nat (PROD_SKA,WAN) source dynamic any interface
nat (DEV_SKA,WAN) source dynamic any interface
!
object network DMZ_RDP_SRV
nat (DMZ_SKA,WAN) static interface service tcp www www
ciscoasa#

Here is sh run object network:

ciscoasa# sh run object network
object network LAN_WAN_NAT
subnet 10.10.101.0 255.255.255.0
description LAN NAT
object network A_
object network WAN
host 217.116.XXX.XXX
object network DMZ_RDP_SRV
host 192.168.100.100
ciscoasa#

Here is sh run access-list:

ciscoasa# sh run access-list
access-list DEV_SKA_access_in extended permit ip 10.10.102.0 255.255.255.0 10.10.103.0 255.255.255.0
access-list DEV_SKA_access_in extended permit object-group DM_INLINE_SERVICE_1 10.10.103.0 255.255.255.0 any
access-list PROD_SKA_access_in extended permit object-group DEV_SKA_ACCESS_GROUP 10.10.102.0 255.255.255.0 any
access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq www
access-list allow_ping_to_wan remark ping from lan to wan
access-list allow_ping_to_wan standard permit 10.10.101.0 255.255.255.0
ciscoasa#

Here is sh run access-group:

ciscoasa# sh run access-group
access-group OUTSIDE_IN_DMZ in interface WAN
access-group PROD_SKA_access_in in interface PROD_SKA
access-group DEV_SKA_access_in in interface DEV_SKA
ciscoasa#

Still no joy...

Checked the ACLs, which to me seem to be good (that might not really be the case). WAN is still blocking port 80.

Do you guys need more config info? I am stuck.

This ACL

access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 217.116.XXX.XXX eq www

should actually be

access-list OUTSIDE_IN_DMZ extended permit tcp any host 192.168.100.100 eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 192.168.100.100 eq www

Refer to this link: https://supportforums.cisco.com/docs/DOC-12690#ACL_Changes

-KS
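The point KS makes above (on ASA 8.3+ the interface ACL must reference the real, pre-NAT address of the DMZ host, not the mapped public address) can be checked mechanically. The following Python script is an added example, not code from the thread or from Cisco: it parses constructed excerpts of `sh run object network` and `sh run access-list` output, finds ACEs whose `host` is a mapped address of a static auto-NAT object, and emits the real-IP form of each ACE. The masked public IP from the thread is replaced by the documentation address 203.0.113.10, and the WAN interface address is assumed to be that same value.

```python
import re

# Constructed sample excerpts modelled on the thread's "sh run object network" and
# "sh run access-list" output; the masked public address is replaced by the
# documentation address 203.0.113.10 (an assumption, not the poster's real IP).
OBJECTS = """\
object network WAN
host 203.0.113.10
object network DMZ_RDP_SRV
host 192.168.100.100
nat (DMZ_SKA,WAN) static interface service tcp 3389 3389
"""
WAN_IP = "203.0.113.10"  # assumed address configured on interface WAN
ACL = """\
access-list OUTSIDE_IN_DMZ extended permit tcp any host 203.0.113.10 eq 3389
access-list OUTSIDE_IN_DMZ extended permit tcp any host 192.168.100.100 eq www
"""

def parse_static_nat_objects(text):
    """Map real host IP -> (object name, mapped address) for objects with a static auto-NAT."""
    out, name, host = {}, None, None
    for line in text.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            name, host = m.group(1), None   # new object: forget the previous host
            continue
        m = re.match(r"\s*host (\S+)", line)
        if m:
            host = m.group(1)
            continue
        m = re.match(r"\s*nat \((\S+),(\S+)\) static (\S+)", line)
        if m and host:
            out[host] = (name, m.group(3))  # group(3) is 'interface' or a mapped IP
    return out

def suggest_real_ip_fixes(acl_text, nat_objects, interface_ip):
    """Return (offending ACE, corrected ACE) pairs for ACEs whose 'host' is a mapped
    (post-NAT) address; ASA 8.3+ evaluates interface ACLs against real addresses."""
    mapped_to_real = {}
    for real, (_name, mapped) in nat_objects.items():
        mapped_to_real[interface_ip if mapped == "interface" else mapped] = real
    fixes = []
    for line in acl_text.splitlines():
        m = re.search(r"host (\S+)", line)
        if m and m.group(1) in mapped_to_real:
            real = mapped_to_real[m.group(1)]
            fixes.append((line, line.replace(f"host {m.group(1)}", f"host {real}")))
    return fixes
```

Running `suggest_real_ip_fixes(ACL, parse_static_nat_objects(OBJECTS), WAN_IP)` flags only the 3389 ACE, since the www ACE already uses the real DMZ host.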

Loren Kolnes
Cisco Employee

Hi Poul,

The following nat statements need to be changed:

nat (PROD_SKA,WAN) source dynamic any interface
nat (DEV_SKA,WAN) source dynamic any interface

You will need to configure them using network objects, i.e. auto-nat.

Assuming the source for the dynamic PAT is 192.168.100.0/24 for the PROD_SKA network and 172.16.1.0/24 for the DEV_SKA network, the following nat configuration would be necessary.

object network obj-prod_ska
  subnet 192.168.100.0 255.255.255.0
  nat (PROD_SKA,WAN) dynamic interface

object network obj-dev_ska
  subnet 172.16.1.0 255.255.255.0
  nat (DEV_SKA,WAN) dynamic interface

Additional networks off of the PROD_SKA and DEV_SKA interfaces would need to be configured in a similar fashion.

Let me know if you have any questions.

Thanks

Loren

Hi,

Got it working - thank you so much.

It was indeed a mix of both the ACL and the fact that ASDM chose to use a network object rather than the physical WAN interface.

Running your suggested commands in the CLI did the trick.

So you both answered correctly - being new here, I would like to click "Correct answer" for you both, but is that possible?

Best regards

Hi Poul,

Glad to hear this is working. As far as who gets credit, I don't think there is a way to give credit to more than one person, so this is your call. You can, however, provide a rating based on how helpful you found the answers to your questions.

Best regards,

Loren
