07-19-2013 08:19 AM - edited 03-11-2019 07:14 PM
Hello All
Need some help with our DMZ servers.
We need our web and VPN servers to have Internet access; we configured the ACL to allow this, and the logs show this failing.
Do we need NAT plus the ACL to allow this?
Please give commands for ASDM - step-by-step on what we need to make this
Thank you
07-19-2013 08:32 AM
Hi,
I can help with the needed configurations on the CLI but not really with ASDM, as I don't use or want to use ASDM for configuration purposes.
I would say that usually you need a NAT configuration for a network at least. If the interface doesn't have any ACL then they are usually at least allowed to access the Internet on the basis of the interface's "security-level".
Could you share the logs you are seeing?
Or could you share the CLI format configuration?
You can do this also through ASDM by going to
- Jouni
07-19-2013 08:48 AM
removed
07-19-2013 09:49 AM
Hi,
You seem to have Dynamic PAT configurations for all DMZ hosts.
You also seem to have a couple of Static NAT configurations.
Since the IP addresses are masked I am not 100% sure if the public IP addresses are part of the same network that is configured on your "outside" interface. If not, then your problems might be due to missing this command: "arp permit-nonconnected".
With regards to the ACL rules you only seem to have allowed traffic from a single host IP address on the DMZ. All other hosts' traffic will therefore be blocked. So if you have hosts other than the one that has an ACL rule then you will have to configure additional ACL rules to allow traffic for the rest of the hosts behind the DMZ interface.
- Jouni
07-19-2013 09:58 AM
All public addresses used on the ASA are from the same subnet, 98.101.x.x/24.
All we need is the "arp permit-nonconnected", then create an ACL to allow DMZ server access to the outside interface; do we need a return-path ACL for this traffic?
Thank you Jouni
07-19-2013 10:01 AM
Hi,
If you want your DMZ hosts to be able to connect to the Internet then you will have to add ACL rules to your current DMZ interface's ACL to allow the outbound connections.
You won't have to allow the return traffic, as the ASA is a stateful firewall which keeps track of the connections through it. So when a connection has already been allowed through the firewall (according to the ACL rule), the return traffic for that particular connection/flow will be allowed back through the firewall.
- Jouni
07-19-2013 10:06 AM
I really appreciate you helping me with this; I hate to make changes to something that works unless we know the results. I really appreciate your experience with the ASA.
P.S. Have a nice quiet vacation.
Thank you Jouni
07-19-2013 11:15 AM
Hi,
I put this ACL in place and am still not allowed to use the Internet from the DMZ servers; the log is showing the drops:
access-list PCSFTP_access_in line 3 remark ACL_DMZ_Internet_Access_7_19_13
access-list PCSFTP_access_in line 4 extended permit ip any interface outside
Please help
07-19-2013 11:46 AM
Hi,
That ACL rule won't allow traffic to everywhere on the "outside".
What it actually does is allow traffic from "any" source address to the IP address of the "outside" interface. And since you can't connect to an ASA interface from behind another interface, it really won't have any effect.
If you wanted to allow all access from the DMZ you would have to simply use:
access-list PCSFTP_access_in permit ip any any
Or alternatively use the actual DMZ network as the source address instead of "any".
Naturally this will allow traffic to other networks behind the ASA unless you block that traffic before this "permit ip any any" rule.
- Jouni
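The points Jouni makes in this thread (dynamic PAT, "arp permit-nonconnected" when public IPs are off the outside subnet, replacing the ineffective "interface outside" rule, denying DMZ-to-inside before the broad permit, and not needing a return-traffic rule) put together as one ASA configuration fragment. This is an added example, not the poster's configuration or Cisco's documentation; the interface name "dmz", the DMZ subnet 10.10.10.0/24, the inside subnet 192.168.1.0/24 and ASA 8.3+ object NAT syntax are assumptions.

```cisco
! Added example, not the poster's configuration. Assumed names: interface "dmz",
! DMZ subnet 10.10.10.0/24, inside subnet 192.168.1.0/24; ASA 8.3+ NAT syntax.
!
! 1. Dynamic PAT so DMZ hosts leave via the outside interface address.
object network DMZ-NET
 subnet 10.10.10.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! 2. Only needed when public IPs used for NAT are NOT in the outside
!    interface's own subnet (the case Jouni raised above).
arp permit-nonconnected
!
! 3. Remove the ineffective rule: "interface outside" matches only the ASA's
!    own outside IP, which a DMZ host cannot reach, so it permits nothing useful.
no access-list PCSFTP_access_in extended permit ip any interface outside
!
! 4. Deny DMZ -> inside first, then permit the DMZ network (not "any") outbound.
!    The ACL is evaluated top-down, first match wins, so order matters.
!    Tightening "ip" to the protocols/ports the servers actually need is a
!    further reduction once the basic flow is confirmed.
object-group network INSIDE-NETS
 network-object 192.168.1.0 255.255.255.0
access-list PCSFTP_access_in extended deny ip 10.10.10.0 255.255.255.0 object-group INSIDE-NETS
access-list PCSFTP_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group PCSFTP_access_in in interface dmz
!
! 5. No return-path rule: the ASA is stateful and passes replies for
!    connections the ACL already permitted.
!
! Verify: simulate a DMZ host opening HTTPS to an Internet address (203.0.113.10
! is a documentation address) and check that the ACCESS-LIST and NAT phases
! show ALLOW, then confirm the hit count on the new ACE is increasing.
packet-tracer input dmz tcp 10.10.10.5 40000 203.0.113.10 443
show access-list PCSFTP_access_in
```

Run the packet-tracer once more with an inside destination (for example 192.168.1.10) to confirm the deny line, not the permit, is the first match.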
07-19-2013 11:54 AM
That worked Jouni
Thank you my friend
Have a great vacation