Cisco 501 ASA/PIX configuration

Famous_20 (Level 1)

I'm having trouble configuring an ASA into a network solution. We have a 501 with the outside interface on 10.24.10.1, the inside interface as 172.18.10.1, and a DMZ on 192.168.1.1. In the DMZ there is an HTTP/FTP/TFTP server connected to 192.168.1.2 on a virtual machine. When on a machine configured to 172.18.10.10 I can ping to the outside interface but not the DMZ. When I am in the DMZ the PIX does block traffic to the inside, but I can't reach the outside interface. When on the outside I am blocked from the inside, but also blocked from the DMZ. I will post the config file below. Any thoughts?

Group10(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname Group10
enable password 8zN2iKai1VxwjKWN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 description OUTSIDE
 nameif OUTSIDE
 security-level 0
 ip address 10.24.10.2 255.255.255.0
!
interface Ethernet1
 no nameif
 security-level 0
 no ip address
!
interface Ethernet1.1
 description DMZ
 vlan 100
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1.2
 description INSIDE
 vlan 200
 nameif INSIDE
 security-level 100
 ip address 172.18.10.1 255.255.255.0
!
interface Ethernet2
 no nameif
 security-level 50
 no ip address
!
ftp mode passive
object-group service webservices tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
access-list external extended permit tcp 10.0.0.0 255.0.0.0 any eq ftp
access-list external extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list internal extended permit ip any any
access-list internal extended permit udp host 172.18.10.1 any eq tftp
access-list dmz extended permit ip any any
no pager
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any DMZ
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
static (DMZ,OUTSIDE) 10.24.10.3 192.168.1.2 netmask 255.255.255.255
access-group external in interface OUTSIDE
access-group internal out interface OUTSIDE
access-group dmz in interface DMZ
access-group internal in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.24.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access INSIDE
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:774c3a24ef1b4127f4c630cc8fee1c1c
: end

22 Replies

If you add this nat, then all your DMZ should be able to access the internet:

nat (DMZ) 2 192.168.1.0 255.255.255.0

global (outside) 2 interface

And also please remove the access-group:

access-group internal out interface OUTSIDE

It doesn't make sense to me.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Varun,

I removed the line as you instructed, but still no connectivity.  As I explained below I gave the client an address of 192.168.1.10/24 with a gateway of 192.168.1.1. This should put me on the DMZ interface of the PIX, or should the gateway be 192.168.1.2, since that is where the SNAT is from the outside?

Harish,

I'm not sure what else to try as far as protocols.  HTTP is not getting to the DMZ, because when I did give the test machine a 192.168.1.10 address I cannot get to the internet.

Famous_20 (Level 1)

Just for a logical analysis: I configured a test machine at 172.18.10.10, with a default gateway of 172.18.10.1 (the inside of the ASA). Since I have internet connectivity on this machine, HTTP is going through the DMZ, since it is not coming directly from the outside interface; however, when I connect a device in the DMZ and give it an IP of 192.168.1.10 and a gateway of 192.168.1.1 I have no internet connectivity. Am I missing something?

Hello Eric,

I have just simulated your scenario; please find the following working configuration.

Please remove all other ACLs and NAT.

I am able to access:

1. Inside to DMZ

2. DMZ to Inside

3. Inside to internet (PC connected outside)

4. DMZ to internet (PC connected outside)

------------------------------------------------
fixup protocol icmp

interface Ethernet1.2
 description INSIDE
 vlan 200
 nameif INSIDE
 security-level 100
 ip address 172.18.10.1 255.255.255.0
!
interface Ethernet1.1
 description DMZ
 vlan 100
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0
 description OUTSIDE
 nameif OUTSIDE
 security-level 0
 ip address 10.24.10.2 255.255.255.0
!

global (outside) 1 interface
nat (inside) 1 172.18.10.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,dmz) 172.18.10.0 172.18.10.0 netmask 255.255.255.0

access-list dmz-in extended permit ip any any
access-group dmz-in in interface DMZ
--------------------------------------------------------------

regards

Harish.

Harish,

I applied this config to the ASA.  I have connectivity from the inside interface to the outside, but have temporarily lost internet connectivity. I cannot access the outside of the ASA from the DMZ.  I'm not sure what else to try at this point.

Hello Eric,

You meant to say you are not able to access the outside interface of the ASA, or the outside world? You will not be able to ping the outside interface of the ASA from DMZ/Inside, but you should be able to access the internet. Please do post your latest config so that I can check if we have missed out anything!

regards

Harish.

Harish,

This is the updated config:

: Saved
:
PIX Version 8.0(4)
!
hostname Group10
domain-name Group10.com
enable password 8zN2iKai1VxwjKWN encrypted
passwd 8zN2iKai1VxwjKWN encrypted
names
!
interface Ethernet0
 description OUTSIDE
 nameif OUTSIDE
 security-level 0
 ip address 10.24.10.2 255.255.255.0
!
interface Ethernet1
 no nameif
 security-level 0
 no ip address
!
interface Ethernet1.1
 description DMZ
 vlan 100
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1.2
 description INSIDE
 vlan 200
 nameif INSIDE
 security-level 100
 ip address 172.18.10.1 255.255.255.0
!
interface Ethernet2
 no nameif
 security-level 50
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Group10.com
object-group service webservices tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
access-list dmz-in extended permit ip any any
no pager
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any DMZ
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (DMZ) 1 192.168.1.0 255.255.255.0
nat (INSIDE) 1 172.18.10.0 255.255.255.0
static (INSIDE,DMZ) 172.18.10.0 172.18.10.0 netmask 255.255.255.0
access-group dmz-in in interface DMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.24.10.0 255.255.255.0 INSIDE
telnet timeout 5
ssh 10.24.10.0 255.255.255.0 INSIDE
ssh timeout 5
console timeout 0
management-access INSIDE
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:774c3a24ef1b4127f4c630cc8fee1c1c
: end

With this configuration I gave my laptop a 172.18.10.10 address and I can get out through the outside interface but cannot access DNS or the internet anymore. I also cannot ICMP to the DMZ. When giving the laptop a 192.168.1.10 address I cannot ICMP the server in the DMZ (192.168.1.2) or the outside interface 10.24.10.1. On the ASA I can ping each interface (INSIDE, OUTSIDE, DMZ). Again, there is a server on a VM in the DMZ and it cannot get out either. There is also another firewall located internally on the 172.18.10.0 network, but I want to address one piece at a time.
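As an added example (not code from the thread, from Cisco, or from either participant), here is a small Python lint that parses constructed excerpts of the two configs posted above and reports the default-route and NAT gaps a reviewer would check first; the excerpt strings, the hypothetical `lint` helper and its finding wording are my own construction.

```python
# Added example (not from the thread): a small lint over ASA 8.0-style config lines
# that flags the routing and NAT gaps in the two posted configs. The snippets are
# constructed excerpts of those configs, not full running-configs.
IFACES = """
 nameif OUTSIDE
 security-level 0
 ip address 10.24.10.2 255.255.255.0
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 nameif INSIDE
 security-level 100
 ip address 172.18.10.1 255.255.255.0
"""
# First posted config: one static for the DMZ server, default route pointing at the ASA itself.
CONFIG_FIRST = IFACES + """static (DMZ,OUTSIDE) 10.24.10.3 192.168.1.2 netmask 255.255.255.255
route OUTSIDE 0.0.0.0 0.0.0.0 10.24.10.2 1
"""
# Second posted config: dynamic PAT for both inner interfaces, but no route at all.
CONFIG_SECOND = IFACES + """global (OUTSIDE) 1 interface
nat (DMZ) 1 192.168.1.0 255.255.255.0
nat (INSIDE) 1 172.18.10.0 255.255.255.0
static (INSIDE,DMZ) 172.18.10.0 172.18.10.0 netmask 255.255.255.0
"""
def lint(config):
    # Returns a list of finding strings; an empty list means nothing was flagged.
    ifaces, cur, nats, routes = {}, None, set(), []
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] == "nameif":                        # start of a named interface
            cur = t[1].upper()
            ifaces[cur] = {}
        elif cur and t[:2] == ["ip", "address"]:
            ifaces[cur]["ip"] = t[2]
        elif cur and t[0] == "security-level":
            ifaces[cur]["level"] = int(t[1])
        elif t[0] == "nat" and len(t) > 2:          # nat (IFACE) id net mask
            nats.add((t[1].strip("()").upper(), t[2]))
        elif t[0] == "route" and t[2:4] == ["0.0.0.0", "0.0.0.0"]:
            routes.append((t[1].upper(), t[4]))     # (egress iface, next hop)
    own_ips, out = {i["ip"] for i in ifaces.values() if "ip" in i}, []
    if not routes:
        out.append("no default route: anything beyond the connected subnets is unreachable")
    for iface, hop in routes:
        if hop in own_ips:                          # next hop must be the upstream router
            out.append(f"default route next hop {hop} is the firewall's own {iface} address")
    lowest = min(ifaces, key=lambda n: ifaces[n].get("level", 0))   # lowest security = outside
    for name in ifaces:
        if name != lowest and name not in {i for i, _ in nats}:
            out.append(f"{name} has no nat entry: its hosts get no dynamic translation toward {lowest}")
    return out
```

Run `lint` over each excerpt: the first config is flagged for a default route whose next hop is the ASA's own outside address and for missing nat entries, the second only for having no default route at all.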
