Routing and NAT ASA 5505

Serpent2010
Level 1

I am trying to make the inside network communicate with the DMZ server (bidirectional on two ports) but it did not work. I have a Security Plus license with version 9.0(3). Any help is appreciated.

OUTSIDE (ISP) ====== (ASA5505) ======= inside (SWITCH) ====== ROUTER (172.16.1.X/24)
                                       +
                                       +
                                       +
                                 (SWITCH)
                           (DMZ 172.16.0.71/24)
                          Application SERVER (ports 7071, 7072)
                          Should be accessed by the inside network only, bidirectionally

What you have to configure on the ASA:

  1. A route to the internal network behind the router.
  2. A permit statement for the traffic on the DMZ-ACL.
  3. A permit statement for the traffic on the inside-ACL if you have an ACL applied on inside.
  4. The security-level of DMZ should be lower than the security-level of inside.
  5. There shouldn't be a nat-statement for this communication.

Thanks. To ensure that I am following the directions correctly, I did:

ciscoasa(config)# show firewall
Firewall mode: Router

ciscoasa(config)# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/5
                                                Et0/6, Et0/7
     // Security level 100. Et0/1 is connected to the other router (dhcpd) which assigns the IP pool
2    ouside                           down      Et0/0
     // Security level 0. Currently I do not need to use it
5    dmz                              up        Et0/4
     // The application server is connected to this interface
ciscoasa(config)#

ciscoasa(config)# show ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 172.16.1.140  255.255.255.0   CONFIG
Vlan5                    dmz                    172.16.0.1      255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 172.16.1.140  255.255.255.0   CONFIG
Vlan5                    dmz                    172.16.0.1      255.255.255.0   manual

// Now I am testing a ping to the dmz

ciscoasa(config)# ping 172.16.0.71   // This is the real IP of the application server, connected directly to the dmz
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.71, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

// Testing a ping to the inside

ciscoasa(config)# ping 172.16.1.134  // ip of host in inside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.134, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

/*
Also, when a host (inside) pings the app server it does not work.
*/

// As may be noticed, I cannot ping inside or dmz from the ASA5505.

/*
However, my problem does not end at this point. Furthermore, I want hosts on the inside to access the APP server by "http://172.16.0.71:7071 or 7072"
and in both directions from/to dmz to inside. So I did the following:
*/

ciscoasa(config)# object network web-server-frominside
ciscoasa(config-network-object)# host 172.16.0.71
ciscoasa(config-network-object)# nat (dmz,inside) static interface service tcp www www
ciscoasa(config-network-object)# access-list dmztoinside extended permit tcp any host 172.16.0.71 eq 7071
ciscoasa(config-network-object)# access-list dmztoinside extended permit tcp any host 172.16.0.71 eq 7072
ciscoasa(config)# access-group dmztoinside in interface inside
ciscoasa(config)# route dmz 0 0 172.16.1.1 // 172.16.1.1 is the router 1900, the default gateway for inside

This is what I tried and it did not work at all, so any help is really appreciated.


Serpent2010
Level 1

Thanks for your reply.

The inside subnet is managed by the router 172.16.1.1 and not by the ASA5505, which has no dhcpd for the inside network but is still in routed mode.

Any client on the inside (security level 100), by default, should be able to ping the DMZ (security level 50), which does not work at all for me.

What I want to do is: type "http://172.16.0.71" on any client in the inside subnet in order to access the web application server in the DMZ (with a bidirectional connection).

I tried ACL, NAT, and route based on a similar topology; I used object network, but I was unable to let them talk to each other.

I used NAT for (inside,dmz) and ACL to allow tcp 7071 & 7072 only.

Maybe I made it more complex than it should be, so any help is really appreciated.

 

 

OK, this time http-access:

1) Do you have a route on the ASA to your internal network?

2) For this you don't need a DMZ-ACL, so we skip that point.

3) Is the internal ACL allowing the traffic?

4) security-levels are fine with 100/inside and 50/dmz.

5) The nat for (inside, outside) should be removed as it only adds unnecessary complexity.

Please show your config to help with that.

Cisco-Learner1
Level 1

All TCP and UDP traffic should be accessible through the firewall without any ACL entry unless an implicit or explicit rule is blocking the traffic.

1) Check that you have reachability to both networks from the firewall. The firewall should have proper routing in place. You can test by pinging the hosts on both the DMZ and the inside network.

2) Both subnets (inside and DMZ) should have a route, either static or default, to reach each other.

3) NAT should not be required in your case.

The best thing you can do is to run a packet tracer and see where it is being blocked. Based on the packet tracer output you can proceed further and take the required action.
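Putting the three replies together (the route/ACL/no-NAT list, the http-access follow-up, and the packet-tracer suggestion), here is an added configuration example that is not from the thread and not the poster's config. Interface names, security levels and addresses are the ones shown above; the object, object-group and ACL names, the IOS route on the 1900 router, and the assumption that the DMZ host initiates on the same two ports are mine.

```cisco
! Routing: inside (172.16.1.0/24) and dmz (172.16.0.0/24) are directly
! connected, so the ASA needs no static route for them. The posted default
! route points out the dmz interface at an inside next hop and can never work.
no route dmz 0.0.0.0 0.0.0.0 172.16.1.1

! Inside clients use the 1900 router (172.16.1.1) as their gateway, so the
! router must know the DMZ subnet lives behind the ASA (IOS syntax, assumed):
!   ip route 172.16.0.0 255.255.255.0 172.16.1.140

! No NAT between inside and dmz: drop the static port translation.
object network web-server-frominside
 no nat (dmz,inside) static interface service tcp www www

! inside -> dmz: only TCP 7071/7072 (plus ICMP for testing) to the app server.
! Note an inbound ACL on inside also blocks everything else from inside
! (outside is unused here, so that is acceptable).
object network app-server
 host 172.16.0.71
object-group service app-ports tcp
 port-object eq 7071
 port-object eq 7072
access-list inside_in extended permit tcp 172.16.1.0 255.255.255.0 object app-server object-group app-ports
access-list inside_in extended permit icmp 172.16.1.0 255.255.255.0 object app-server
access-group inside_in in interface inside

! "Bidirectional": connections started by the DMZ host go from level 50 to
! level 100, so they need their own explicit permit on the dmz interface.
access-list dmz_in extended permit tcp object app-server 172.16.1.0 255.255.255.0 object-group app-ports
access-group dmz_in in interface dmz

! Let ICMP echo replies return statefully so the inside -> dmz ping test
! is meaningful (the default policy-map and class names are used).
policy-map global_policy
 class inspection_default
  inspect icmp

! Verify the path on the ASA in both directions before testing from a host.
packet-tracer input inside tcp 172.16.1.134 40000 172.16.0.71 7071
packet-tracer input dmz tcp 172.16.0.71 40000 172.16.1.134 7071
```

If the ASA itself still cannot ping 172.16.0.71 or 172.16.1.134 after this, the problem is below the firewall policy (VLAN membership, cabling, or the hosts' own gateways), which packet-tracer will not show.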
