7029 Views, 14 Helpful, 47 Replies

Configure Dmz on ASA5505

Thomas_Madsen
Level 1

I've been doing a quick search without finding the correct answer to my problem; it might be that I should have done some more searching, but here it goes.

I have an ASA 5505 Sec Plus with 3 VLANs: inside, outside and DMZ.

On the outside I have 5 IPs for my use, and in the DMZ I have a web server that needs to communicate with one SQL server on the inside.

The "SQL" also needs to be accessible from outside and thus has a static NAT with a dynamic NAT, so it replies from the same IP as in the NAT, i.e. 72.72.72.5.

The web server is NATted to 72.72.72.6.

SQL inside IP is 192.168.1.2, gw 192.168.1.1

Web server IP is 192.168.2.100, gw 192.168.2.1

Security level on inside is 100 and on DMZ 50.

With a dynamic policy running inside-net/24 to dmz-network/24 translated to DMZ 192.168.2.2, I can get it to ping one way from inside to DMZ, but not the other way around...

All I need is to open 1 port, i.e. 6677, both ways for this communication to work.

I'm not very familiar with the CLI and do most stuff in the GUI (I know I should learn the CLI, but time doesn't let me)...

Any tips on what I need to do???

On access rules I have just added everything from any to any using ip, icmp, tcp and udp, just to be sure... :-)

Happy for any pointers...

47 Replies

Julio Carvajal
VIP Alumni

Hello Thomas,

You want to maintain communication between the DMZ and inside, right?

You will need an ACL on the DMZ permitting the traffic to the inside.

Also you will need a static (inside,dmz).

Can you post your configuration, and also the IP address of the host on the DMZ that needs to talk with a host on the inside (host IP)?

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Result of the command: "show conf"

: Saved
: Written by hm-k at 12:21:10.213 UTC Mon Dec 19 2011
!
ASA Version 8.2(1)
!
hostname cisco
domain-name friends.local
enable password ********* encrypted
passwd ********** encrypted
names
name 10.40.96.250 SQL-Server_Innside
name 217.111.111.108 Utside-Ekte_IP_108
name 217.111.111.242 Utside-Ekte-IP-242
name 217.111.111.243 Utside-Ekte-IP-243
name 217.111.111.244 Utside-Ekte-IP-244
name 217.111.111.245 Utside-Ekte-IP-245
name 217.111.111.246 Utside-Ekte-IP-246
name 10.40.97.254 Inside-Webserver
!
interface Vlan1
nameif inside
security-level 100
ip address 10.40.96.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Utside-Ekte-IP-242 255.255.255.248
!
interface Vlan12
nameif DMZ
security-level 50
ip address 10.40.97.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name friends.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Giant-Leap tcp
port-object eq 2077
port-object eq 2020
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq https
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq 2040
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-244 eq www
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 object-group Giant-Leap
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq www
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-244 eq https
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-246 eq www
access-list inside_nat0_outbound extended permit ip any 10.40.96.128 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool IP-VPN-Pool 10.40.96.150-10.40.96.175 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 Utside-Ekte-IP-246 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp Utside-Ekte-IP-246 www Inside-Webserver www netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 2040 10.40.96.27 2040 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 https 10.40.96.252 https netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 2077 SQL-Server_Innside 2077 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 2020 SQL-Server_Innside 2020 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 www SQL-Server_Innside www netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 217.111.111.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN-Friends protocol radius
aaa-server VPN-Friends (inside) host 10.40.96.254
timeout 5
key xxxxxxxxx
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_Friends internal
group-policy VPN_Friends attributes
dns-server value 10.40.96.254
default-domain value friends.local
address-pools value IP-VPN-Pool
username hm-k password xxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group VPN_Friends type remote-access
tunnel-group VPN_Friends general-attributes
address-pool (outside) IP-VPN-Pool
authentication-server-group VPN-Friends LOCAL
authentication-server-group (outside) VPN-Friends LOCAL
default-group-policy VPN_Friends
tunnel-group VPN_Friends ipsec-attributes
pre-shared-key *
tunnel-group VPN_Friends ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I've changed the outside IPs just in case, and removed, I think, all passwords and stuff :-)

Hello Thomas,

OK, let's say the IP address of the host on the inside (SQL server) is 10.40.97.2 and the web server on the DMZ is 10.40.96.2.

You need to have communication between those two servers on port 6677.

So here are the commands you need:

static (dmz,inside) 10.40.96.2 10.40.96.2

static (inside,dmz) tcp 72.72.72.6 6677 10.40.97.2 6677

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

Please rate helpful posts,

Give it a try and let me know the result!!

Julio


If SQL uses 10.40.96.100 and the web server uses 10.40.97.200,

should I then use

static (dmz,inside) 10.40.97.200 10.40.96.100

static (inside,dmz) tcp 10.40.96.100 6677 10.40.97.200 6677

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

Hello Thomas,

No, they have to be NATted to different IP addresses (available IP addresses, not the ones of the servers on each interface).

You have to know this first:

When the web server wants to go to the SQL server, what IP address do you want as the destination (SQL server)?

When the SQL server wants to go to the inside web server, what IP address do you want as the destination (web server)?

Then create the static translation based on that.

Do you understand my point here?

Regards,

Julio


Yeah, that was what I was thinking but not fully understanding :-) So what I need then is this??

If the web server runs on 10.40.97.200 and the SQL server runs on 10.40.96.250:

static (dmz,inside) 10.40.97.200 10.40.96.2

static (inside,dmz) tcp 10.40.96.250 6677 10.40.97.2 6677

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

Would this solve it?

Should static (dmz,inside) 10.40.97.200 10.40.96.2

be static (dmz,inside) tcp 10.40.97.200 6677 10.40.96.2 6677?

Hello Thomas,

Yes, that should do it.

Now regarding the second question: should static (dmz,inside) 10.40.97.200 10.40.96.2

be static (dmz,inside) tcp 10.40.97.200 6677 10.40.96.2 6677?

R/ You can use either of them; I think you will go for the port forwarding, because that is what you are looking for.

So static (dmz,inside) tcp 10.40.97.200 6677 10.40.96.2 6677 will work as well.

Please rate helpful posts.

Julio


If I need them to reach each other on the actual IP addresses of the servers, can I do this by setting the same security level?

Hello Thomas,

No, that cannot be done with the same-security command.

You can have connectivity between them using the same IP address just by configuring identity NAT:

static (dmz,inside) tcp 10.40.96.2 6677 10.40.96.2 6677

Regards,

Please do rate helpful posts.

Julio


So if I want the web server to use the SQL server's internal IP address, and the same with the web server being reached from the SQL server using the web server's DMZ IP, I have to do this??

static (dmz,inside) tcp 10.40.97.200 6677 10.40.97.200 6677

static (inside,dmz) tcp 10.40.96.250 6677 10.40.97.250 6677

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

Is this command correct if the web server IP in the DMZ is 10.40.97.200 and the SQL server on the inside is 10.40.96.250?

Will the ASA do the subnet, or does the subnet have to be changed from /29 to /28?

Will this affect any other NAT settings??

Can I still have inside on level 100 and DMZ on level 50, or do I have to have them both on level 100??

Hello Thomas,

That is the exact NAT statement you need to accomplish an identity NAT, which seems like what you are looking for. It will not affect anything else; just that if a host on the other interface wants to access one of those servers, it will need to go to the real IP address instead of a NATted one as usual.

Do not worry about the security level; you configured the ACLs to allow the communication with them.

Please do rate helpful posts.

Regards,

Julio

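The rules Julio relies on here and in his earlier replies (a static is bidirectional, the first interface in `static (a,b)` is where the real address lives, and a lower-security interface needs an access-group whose entries are matched before un-NAT) are easy to get backwards. The following is an added example, not code from the thread or from Cisco: a small Python model of ASA 8.2 static NAT and ingress-ACL evaluation that parses the thread's own `static` and `access-list` lines and reports, for one new connection, whether policy allows it and what addresses appear on the egress interface. It assumes nat-control is disabled, ignores dynamic `nat`/`global`, uses the thread's addresses (SQL 10.40.96.250 on inside, web server 10.40.97.254 on DMZ), and the port-restricted DMZ ACE is a suggestion of mine, not something posted.

```python
"""ASA 8.2 (pre-8.3) static NAT + ingress ACL model. Added example, not from the
thread. Assumes nat-control is disabled and ignores dynamic nat/global."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443}  # minimal port-name table (assumption)

def port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)

@dataclass(frozen=True)
class Static:
    real_ifc: str; mapped_ifc: str; mapped_ip: str; real_ip: str
    proto: Optional[str] = None          # "tcp"/"udp" for a port static, None = all IP
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

def parse_static(line: str) -> Static:
    """'static (real_ifc,mapped_ifc) [tcp|udp] mapped [mport] real [rport] [netmask m]':
    the first interface is where the real address lives, the second where it is seen."""
    t = line.replace("(", " ").replace(")", " ").replace(",", " ").split()
    real_ifc, mapped_ifc, rest = t[1].lower(), t[2].lower(), t[3:]
    if "netmask" in rest:
        rest = rest[:rest.index("netmask")]
    if rest[0] in ("tcp", "udp"):
        return Static(real_ifc, mapped_ifc, rest[1], rest[3], rest[0], port(rest[2]), port(rest[4]))
    return Static(real_ifc, mapped_ifc, rest[0], rest[1])

@dataclass(frozen=True)
class Ace:
    action: str; proto: str; src: str; dst: str  # proto ip/tcp/udp; addr "any" or CIDR
    dport: Optional[int] = None

def _addr(t, i):
    """Consume one ACL address spec ('any', 'host A', 'NET MASK') starting at t[i]."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    return t[i] + "/" + t[i + 1], i + 2

def parse_ace(line: str) -> Ace:
    t = line.split()  # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
    src, i = _addr(t, 5)
    dst, i = _addr(t, i)
    dport = port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[3], t[4], src, dst, dport)

@dataclass(frozen=True)
class Packet:
    in_ifc: str; out_ifc: str; proto: str; src: str; dst: str; dport: int

def apply_static(statics, pkt):
    """(src, dst, dport) as seen on egress. A static is bidirectional: entering on its
    mapped side the destination is un-mapped; leaving from its real side the source is
    mapped (port statics are applied to the destination only in this model)."""
    for s in statics:
        if s.proto not in (None, pkt.proto):
            continue
        if (s.mapped_ifc, s.real_ifc) == (pkt.in_ifc, pkt.out_ifc) and s.mapped_ip == pkt.dst \
                and s.mapped_port in (None, pkt.dport):
            return pkt.src, s.real_ip, (pkt.dport if s.real_port is None else s.real_port)
        if (s.real_ifc, s.mapped_ifc) == (pkt.in_ifc, pkt.out_ifc) and s.proto is None \
                and s.real_ip == pkt.src:
            return s.mapped_ip, pkt.dst, pkt.dport
    return pkt.src, pkt.dst, pkt.dport

def _in(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def permitted(levels, acls, pkt):
    """No access-group on the ingress interface: only high-to-low security passes. With
    one applied it is the whole policy (implicit deny) and, in 8.2, it is matched on the
    addresses as the packet arrives, i.e. before un-NAT."""
    acl = acls.get(pkt.in_ifc)
    if acl is None:
        return levels[pkt.in_ifc] > levels[pkt.out_ifc]
    for a in acl:
        if a.proto in ("ip", pkt.proto) and _in(pkt.src, a.src) and _in(pkt.dst, a.dst) \
                and a.dport in (None, pkt.dport):
            return a.action == "permit"
    return False

LEVELS = {"inside": 100, "dmz": 50, "outside": 0}
STATICS = [parse_static(l) for l in (  # the identity statics posted in the thread
    "static (inside,DMZ) tcp 10.40.96.250 6677 10.40.96.250 6677 netmask 255.255.255.255",
    "static (DMZ,inside) 10.40.97.254 10.40.97.254 netmask 255.255.255.255",
)]
OPEN_DMZ = {"dmz": [parse_ace("access-list dmz_to_in extended permit ip any any")]}
TIGHT_DMZ = {"dmz": [parse_ace(  # suggested port-restricted ACE, not from the thread
    "access-list dmz_to_in extended permit tcp host 10.40.97.254 host 10.40.96.250 eq 6677")]}

def evaluate(acls, pkt):
    """(allowed?, (src, dst, dport) on egress) for one new connection."""
    return permitted(LEVELS, acls, pkt), apply_static(STATICS, pkt)

def demo():
    web_to_sql = Packet("dmz", "inside", "tcp", "10.40.97.254", "10.40.96.250", 6677)
    web_to_fs = Packet("dmz", "inside", "tcp", "10.40.97.254", "10.40.96.254", 445)
    sql_to_web = Packet("inside", "dmz", "tcp", "10.40.96.250", "10.40.97.254", 80)
    return {
        "web->sql:6677 tight": evaluate(TIGHT_DMZ, web_to_sql),
        "web->fileserver:445 tight": evaluate(TIGHT_DMZ, web_to_fs),
        "web->fileserver:445 open": evaluate(OPEN_DMZ, web_to_fs),
        "sql->web:80 no inside acl": evaluate({}, sql_to_web),
    }
```

Running `demo()` shows the two points the thread circles around: with identity statics the DMZ host reaches the SQL server on its real address 10.40.96.250 and the SQL server reaches the web server on 10.40.97.254, and the thread's `permit ip any any` on the DMZ lets the web server open tcp/445 to any inside host, which is what a DMZ exists to prevent; the port-restricted ACE allows only tcp/6677 to the SQL server. Note that once an access-group is applied to the DMZ interface its implicit deny covers everything entering it, so DMZ-to-outside connections the web server itself initiates (DNS, updates) need their own permit entries.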

Might be me being stupid here, but I did the following:

static (inside,dmz) 10.40.96.250 10.40.97.250

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

I skipped the protocol and port to be sure to get it up and running; then I can add the ports later :-)

I can ping from both sides now, but the program I'm trying to use doesn't work, so I have to go to the customer tomorrow and set the servers on the same network to be sure it's not the firewall messing with my head...

But if I got it right, those settings should do what I need them to do.

All other machines are on the inside VLAN and can access the server as usual, and the web server is only to be reached from outside or from the SQL server. The web server on the DMZ VLAN is also only to be able to reach the SQL server on the inside VLAN on the given ports, once I've got the communication up and running :-)

Thanks for all the help....

Hello Thomas,

My pleasure, glad to hear that you can ping from both sides now.

If you have any other problem just let me know.

Regards,

Julio


Are there any other things that can stop the communication between the DMZ and inside?

I've done the following:

static (inside,dmz) 10.40.96.250 10.40.96.250

static (dmz,inside) 10.40.97.254 10.40.97.254

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

If I try UNC it works: I can type \\ip and get shares, I can ping, I can access the web service on both sides, but the program I need working does not communicate.

I changed the IP of the "webserver" and tried the web service once more, and then it connects to 10.40.96.250 without problem. Move the web server back to the DMZ and nothing.....

Any idea?????

Would the identity NAT work just as well if I just did

static (inside,dmz) 10.40.96.250 10.40.96.250

If I got this right, I can then access the 96.250 IP from all IPs on the DMZ, but only 96.250 can access IPs on the DMZ??

And if I just did

static (dmz,inside) 10.40.97.254 10.40.97.254

then all IPs on the inside LAN can access 97.254, but only 97.254 can access IPs in the inside VLAN?
