Solved: Internet access and a question...

David Hunt · ‎12-07-2011

Hello Friends...

I am having issues with PC's in my DMZ to gain access to the internet...

I saw a post about a week ago with a simular issue, I added the rule that was recommended... and no change... so..

I have a PC with an IP address of 10.1.1.50/24 and a gateway address of 10.1.1.1.

From this DMZ... I can ping the gateway and also 10.11.144.3 which is my DNS \ AD server...

below is the config.... any ideas on what is stopping the PC in the DMZ to gain access to the internet?

Also...

I inherited this firewall from a previous admin who was dismissed... but something I noticed that does not make sense... and it has to do with a rule on the inside interface located right about my any - any implicit deny... and that is..

access-list inside_access_in extended permit ip any any

doesn't this negate the implicit deny? is this safe to allow any-any ip?

Thanks in advance....

Result of the command: "show run"

: Saved
:
ASA Version 8.2(4)
!
hostname XXXX
domain-name XXXX.org
enable password wZJefsykk8VmlkFg encrypted
passwd wZJefsykk8VmlkFg encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 66.x.x.70 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.11.144.253 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 10
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3

!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
!
time-range Always
!
boot system disk0:/disk0asa727-k8.bin
boot system disk0:/asa824-k8.bin
boot system disk0:/asa824-k8,bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name xxxx.org
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq 2534
port-object eq 2533
port-object range 2701 2750
port-object eq https
object-group network DM_INLINE_NETWORK_4
network-object host 66.x.x.77
network-object host 66.x.x.78
object-group network DM_INLINE_NETWORK_5
network-object host 60.x.x.77
network-object host 66.x.x.78
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list 120 extended permit ip 10.11.144.0 255.255.255.0 10.11.145.0 255.255.255.0
access-list 130 extended permit ip 10.11.144.0 255.255.255.0 10.11.146.0 255.255.255.0
access-list 140 extended permit ip 10.11.144.0 255.255.255.0 10.11.147.0 255.255.255.0
access-list 150 extended permit ip 10.11.144.0 255.255.255.0 10.11.148.0 255.255.255.0
access-list 160 extended permit ip 10.11.144.0 255.255.255.0 10.11.149.0 255.255.255.0
access-list 170 extended permit ip 10.11.144.0 255.255.255.0 10.11.150.0 255.255.255.0
access-list 180 extended permit ip 10.11.144.0 255.255.255.0 10.11.151.0 255.255.255.0
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.11.144.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip any 10.11.0.0 255.255.0.0
access-list nonat extended permit ip any 172.16.10.0 255.255.255.0
access-list outside_acl extended permit tcp any host 66.x.x.73 object-group DM_INLINE_TCP_0
access-list outside_acl extended permit icmp any any time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.77 eq www time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.78 object-group DM_INLINE_TCP_1 time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_5 eq smtp time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_4 eq pop3 time-range Always
access-list dmz_acl extended permit udp 10.1.1.0 255.255.255.0 host 10.11.144.3 eq domain time-range Always
access-list dmz_acl extended permit ip 10.1.1.0 255.255.255.0 host 10.11.144.3 time-range Always
access-list dmz_acl extended permit tcp any any
access-list XXXVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list XXXVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool XXXVPN_IP_POOL 172.16.10.1-172.16.10.10
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
asdm history enable
arp timeout 14400
global (outside) 1 66.x.x.71 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 10.11.144.0 255.255.255.0
nat (inside) 1 10.11.145.0 255.255.255.0
nat (inside) 1 10.11.146.0 255.255.255.0
nat (inside) 1 10.11.147.0 255.255.255.0
nat (inside) 1 10.11.148.0 255.255.255.0
nat (inside) 1 10.11.149.0 255.255.255.0
nat (inside) 1 10.11.150.0 255.255.255.0
nat (inside) 1 10.11.151.0 255.255.255.0
static (inside,outside) 66.x.x.72 10.11.144.8 netmask 255.255.255.255
static (inside,outside) 66.x.x.78 10.11.144.12 netmask 255.255.255.255
static (inside,outside) 66.x.x.77 10.11.144.2 netmask 255.255.255.255
static (inside,outside) 66.x.x.85 10.11.144.25 netmask 255.255.255.255
static (inside,outside) 66.x.x.73 10.11.144.7 netmask 255.255.255.255
access-group outside_acl in interface outside
access-group inside_access_in in interface inside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 66.x.x.67 1
route inside 10.11.145.0 255.255.255.0 10.11.144.254 1
route inside 10.11.146.0 255.255.255.0 10.11.144.254 1
route inside 10.11.147.0 255.255.255.0 10.11.144.254 1
route inside 10.11.148.0 255.255.255.0 10.11.144.254 1
route inside 10.11.149.0 255.255.255.0 10.11.144.254 1
route inside 10.11.150.0 255.255.255.0 10.11.144.254 1
route inside 10.11.151.0 255.255.255.0 10.11.144.254 1
route inside 192.168.100.0 255.255.255.0 10.11.144.254 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server DOMAIN protocol nt
aaa-server DOMAIN (inside) host 10.11.144.3
nt-auth-domain-controller XXXdc1
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
url-server (inside) vendor websense host 10.11.144.9 timeout 30 protocol TCP version 1 connections 50
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication secure-http-client
filter url except 10.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url except 0.0.0.0 0.0.0.0 10.1.1.3 255.255.255.255
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.144.0 255.255.255.0 inside
http 10.11.0.0 255.255.0.0 inside
http 0.0.0.0 255.255.255.255 outside
snmp-server location Weber
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 20 esp-des esp-md5-hmac
crypto ipsec transform-set 30 esp-des esp-md5-hmac
crypto ipsec transform-set 50 esp-des esp-md5-hmac
crypto ipsec transform-set 60 esp-des esp-md5-hmac
crypto ipsec transform-set 70 esp-des esp-md5-hmac
crypto ipsec transform-set ENCRYPT esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OUTSIDEMAP 10 set transform-set ENCRYPT
crypto dynamic-map OUTSIDEMAP 30 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map VPN 20 match address 120
crypto map VPN 20 set peer 206.166.36.122
crypto map VPN 20 set transform-set 20
crypto map VPN 30 set peer 206.166.36.154
crypto map VPN 30 set transform-set 30
crypto map VPN 50 set peer 206.166.36.146
crypto map VPN 50 set transform-set 50
crypto map VPN 60 set peer 206.166.36.150
crypto map VPN 60 set transform-set 60
crypto map VPN 70 set peer 206.166.36.126
crypto map VPN 70 set transform-set 70
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpnspd.XXX.org
subject-name CN=sslvpnspd
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 50d23f4d
    308201e9 30820152 a0030201 02020450 d23f4d30 0d06092a 864886f7 0d010105
    05003039 31123010 06035504 03130973 736c7670 6e737064 31233021 06092a86
    4886f70d 01090216 1473736c 76706e73 70642e73 6b6f6b69 652e6f72 67301e17
    0d313130 31323631 37323930 355a170d 32313031 32333137 32393035 5a303931
    12301006 03550403 13097373 6c76706e 73706431 23302106 092a8648 86f70d01
    09021614 73736c76 706e7370 642e736b 6f6b6965 2e6f7267 30819f30 0d06092a
    864886f7 0d010101 05000381 8d003081 89028181 00b7ec4e 59cbac48 0887a91f
    6a093ce6 96b98eff 5276cb30 5d7831a3 d1fec4ae a6ecdd56 d64e3140 b3acb7b0
    a6c77aa5 732e5e28 6dae291f f0af8af9 d0b8d245 8351879b e2d7d36a 8890ee3a
    6c873537 98a30ca1 9ec5efae 5866656b 278573f0 be1990d7 0f9dfc67 dbc8d63d
    33bce9af b786a396 d695be7a 12dcecdc 61b54119 31020301 0001300d 06092a86
    4886f70d 01010505 00038181 001de265 7c0d1343 b15718e6 9e7fd220 12f17499
    d72a723b bd5841a8 d4d30ef3 dab4e858 f078089b 0602b3da 76dad4b7 9eb47466
    44914b5a f30f11f9 7ad3f2f5 9cdc027b db32f06a 9f548a68 6a0ca0a6 623833ee
    d4b2f7f2 75602be6 927d3b3e 1def6021 1bd71e18 c9e2a4fe cc7bc65d 6c7b608a
    cfdbd3d7 421a40c6 b7472323 d8
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
telnet 10.11.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.11.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
url-block url-mempool 1500
url-block url-size 4
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2001-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 10.11.144.3 10.11.144.8
dns-server value 10.11.144.3 10.11.144.8
vpn-tunnel-protocol IPSec
backup-servers clear-client-config
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
group-policy SPDVPN internal
group-policy SPDVPN attributes
wins-server value 10.11.144.3 10.11.144.8
dns-server value 10.11.144.3 10.11.144.8
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPDVPN_splitTunnelAcl
default-domain value xxx.org
username xxx password sE2H9HubIXI75SNz encrypted privilege 15
username xxx attributes
vpn-group-policy SPDVPN
username admin password 6YI.p7lD7uzHZBBs encrypted privilege 15
tunnel-group SPDVPN type remote-access
tunnel-group SPDVPN general-attributes
authentication-server-group DOMAIN
default-group-policy SPDVPN
dhcp-server 10.11.144.3
tunnel-group SPDVPN webvpn-attributes
group-alias SPD enable
tunnel-group SPDVPN ipsec-attributes
pre-shared-key *****
tunnel-group 206.x.x.126 type ipsec-l2l
tunnel-group 206.x.x.126 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect mgcp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:de6cc013b7f352d3ae23801e154d8a3b
: end

Julio Carvajal · ‎12-07-2011

Hello David,

All you are missing is the Nat statement for the DMZ to be able to get to th outside.

Please add the following:

Nat (dmz 1 0 0

Now regarding your ACL question, of course if you add a permit ip any any, the implicit deny is going to do nothing, but remember you will be allowing all trafffic from the DMZ to any other interface, so it will be just outbound traffic not inbound traffic to that interface.

Regards,

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎12-07-2011

Hello David,

Yes, I saw it, actually I answered to that one on the previous response as well.

Here is the answer just in case,

Now regarding your ACL question, of course if you add a permit ip any any, the implicit deny is going to do nothing, but remember you will be allowing all trafffic from the inside to any other interface, so it will be just outbound traffic not inbound traffic to that interface.

Regards,

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎12-07-2011

Hello David,

All you are missing is the Nat statement for the DMZ to be able to get to th outside.

Please add the following:

Nat (dmz 1 0 0

Now regarding your ACL question, of course if you add a permit ip any any, the implicit deny is going to do nothing, but remember you will be allowing all trafffic from the DMZ to any other interface, so it will be just outbound traffic not inbound traffic to that interface.

Regards,

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

David Hunt · ‎12-07-2011

wow... that was quick and it works!!!! thank you Julio...

did you see the other question?

I inherited this firewall from a previous admin who was dismissed... but something I noticed that does not make sense... and it has to do with a rule on the inside interface located right above my any - any implicit deny... and that is..

access-list inside_access_in extended permit ip any any

doesn't this negate the implicit deny? is this safe to allow any-any ip?

Julio Carvajal · ‎12-07-2011

Hello David,

Yes, I saw it, actually I answered to that one on the previous response as well.

Here is the answer just in case,

Now regarding your ACL question, of course if you add a permit ip any any, the implicit deny is going to do nothing, but remember you will be allowing all trafffic from the inside to any other interface, so it will be just outbound traffic not inbound traffic to that interface.

Regards,

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC