Since PBR isn't supported, best way to route to the DMZ from the inside?

enelson11
Level 1

I'm working on an ASA 5510 for a customer and they want to be able to access their SMTP server from the inside via RDP, and the SMTP server to be able to send SMTP traffic to the inside. They want everything done at the ASA level and do not want to have the router do any of the work. I've done similar things on Junipers and PBRs with them easily enough, but it turns out I will not be able to do it on the 5510. Trying to think of a way from within the ASA to figure this out.

I attached the topology of the network and the issue. Red is what is not working.

This is the output of some of the ASA config. I was thinking of doing a NAT policy, but am unsure of the best way to do it.

interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.16.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address 10.10.1.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host <omitted> eq smtp
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.51 object-group rdp
access-list DMZ_access_in extended permit ip any any
access-list WAN_access_in extended permit tcp any host <omitted> eq smtp
access-list WAN_access_in extended permit tcp any host <omitted> eq www
access-list WAN_access_in extended permit tcp any host <omitted> eq https
access-list WAN_access_in extended permit tcp any host <omitted> object-group rdp
access-list LAN_access_in extended permit tcp host 10.16.2.4 host 10.10.1.10 eq smtp
access-list LAN_access_in extended permit tcp host 10.16.2.51 host <omitted> object-group rdp
access-list LAN_access_in extended permit ip any any
!
global (Outside) 101 interface
nat (management) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) tcp <omitted> smtp 10.10.1.10 smtp netmask 255.255.255.255
static (Inside,Outside) tcp <omitted> www 10.16.2.15 www netmask 255.255.255.255
static (Inside,Outside) tcp <omitted> https 10.16.2.15 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 3389 10.163.2.51 3389 netmask 255.255.255.255
static (Inside,DMZ) tcp 10.10.1.10 smtp 10.16.2.4 smtp netmask 255.255.255.255
static (DMZ,Inside) tcp <omitted> 3389 10.10.1.10 3389 netmask 255.255.255.255
!
access-group LAN_access_in in interface Inside
access-group DMZ_access_in in interface DMZ
access-group WAN_access_in in interface Outside
!
route Outside 0.0.0.0 0.0.0.0 159.87.36.64 1


Jouni Forss
VIP Alumni

Hi,

I am not quite sure what part of this would require PBR (Policy Based Routing).

Both the DMZ accessing INSIDE and the INSIDE accessing DMZ are achieved with normal routing through the ASA.

If the actual problem is that you can't form connections between these interfaces' networks, then I would suggest trying the following NAT configuration:

static (Inside,DMZ) 10.16.2.0 10.16.2.0 netmask 255.255.255.0

This should enable both networks to communicate directly with each other.

Though looking at your current configuration I am not sure how you want to NAT between these interfaces.

  • One INSIDE host is NATed to a DMZ network address towards DMZ
  • One DMZ host is NATed to some unknown (public IP?) address towards INSIDE

- Jouni

The omitted portion is for the outside IPs. I'm in the process of cleaning things up on the ASA, but my FW experience is mostly in Junipers.

So just NAT'ing the 10.16.2.X network from inside to the DMZ that way should allow traffic between the two? What would need to happen if they only wanted SMTP to go into the INSIDE network and RDP to go into the DMZ network, all the while leaving current abilities intact (SMTP to the OUTSIDE)?

Hi,

If your aim is to limit the traffic between the 2 network segments to only a few allowed services and only between certain hosts, then you could use the following ACL format, which is almost the same as the current one.

I presume in the ACL below that you will actually allow the SMTP and RDP towards the local/real IP addresses in the other network segment. If you want to NAT them to some public IP address towards the other network segment then that's OK too, but it requires changes to the configuration.

access-list DMZ_access_in remark Allowed traffic DMZ to LAN
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.x eq smtp
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.51 object-group rdp
access-list DMZ_access_in remark Deny All the rest for DMZ to LAN
access-list DMZ_access_in extended deny ip 10.10.1.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list DMZ_access_in remark Permit All Outbound traffic
access-list DMZ_access_in extended permit ip 10.10.1.0 255.255.255.0 any

access-list LAN_access_in remark Allowed Traffic LAN to DMZ
access-list LAN_access_in extended permit tcp host 10.16.2.4 host 10.10.1.10 eq smtp
access-list LAN_access_in extended permit tcp host 10.16.2.51 host 10.10.1.x object-group rdp
access-list LAN_access_in remark Deny All the rest for LAN to DMZ
access-list LAN_access_in extended deny ip 10.16.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list LAN_access_in remark Permit All Outbound traffic
access-list LAN_access_in extended permit ip 10.16.2.0 255.255.255.0 any

As you can see, we first allow the specific hosts and specific services to the other network segment from both LAN and DMZ. We then block ALL traffic both LAN to DMZ and DMZ to LAN. Since we already allowed the traffic we need earlier in the ACL, this "deny" statement will only block traffic that doesn't match the rules above it.

Finally we allow all other traffic. Since we have blocked LAN to DMZ and DMZ to LAN earlier in the ACL, permitting traffic to "any" destination WON'T allow traffic between the network segments.

Hope this helps

- Jouni
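As an added illustration (not part of the thread), here is a small first-match evaluator in Python that loads the DMZ_access_in list from the question and the one proposed in the reply, and shows why the trailing permit-to-any in the proposed list no longer lets unrelated DMZ-to-LAN traffic through, whereas the original "permit ip any any" gives every DMZ host full access inward. Assumptions: object-group rdp contains only tcp/3389, and the "10.16.2.x" SMTP host is 10.16.2.4.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def net(s):
    return ipaddress.ip_network(s, strict=False)   # "10.10.1.10" becomes a /32

@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[frozenset] = None   # None = any destination port

def rule(action, proto, src, dst, ports=None):
    return Rule(action, proto, net(src), net(dst), frozenset(ports) if ports else None)

RDP = [3389]          # assumed content of the page's "object-group rdp"
ANY = "0.0.0.0/0"

# DMZ_access_in as posted in the question (the "<omitted>" outside-host rule left out)
ORIGINAL_DMZ_IN = [
    rule("permit", "tcp", "10.10.1.10", "10.16.2.51", RDP),
    rule("permit", "ip",  ANY, ANY),
]

# DMZ_access_in as proposed in the reply; the "10.16.2.x" SMTP host is assumed to be 10.16.2.4
PROPOSED_DMZ_IN = [
    rule("permit", "tcp", "10.10.1.10",   "10.16.2.4",    [25]),
    rule("permit", "tcp", "10.10.1.10",   "10.16.2.51",   RDP),
    rule("deny",   "ip",  "10.10.1.0/24", "10.16.2.0/24"),
    rule("permit", "ip",  "10.10.1.0/24", ANY),
]

def matches(r, proto, src, dst, dport):
    if r.proto != "ip" and r.proto != proto:
        return False
    if ipaddress.ip_address(src) not in r.src or ipaddress.ip_address(dst) not in r.dst:
        return False
    return r.dports is None or dport in r.dports

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; the ASA appends an implicit deny to every ACL."""
    for r in acl:
        if matches(r, proto, src, dst, dport):
            return r.action
    return "deny"
```

For example, an unrelated DMZ host reaching the inside web server (10.10.1.20 to 10.16.2.15 tcp/443) is permitted by the original list and denied by the proposed one, while the DMZ SMTP host still reaches RDP on 10.16.2.51 and any outside address.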