08-07-2013 01:13 PM - edited 03-10-2019 12:05 AM
I'm working on an ASA 5510 for a customer and they want to be able to access their SMTP server from the inside via RDP, and the SMTP server to be able to send SMTP traffic to the inside. They want everything done at the ASA level and do not want to have the router do any of the work. I've done similar things on Junipers and PBRs with them easily enough, but it turns out I will not be able to do it on the 5510. Trying to think of a way from within the ASA to figure this out.
I attached the topology of the network and the issue. Red is what is not working.
This is some of the output from the ASA. I was thinking of doing a NAT policy, but am unsure of the best way to do it.
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.16.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif DMZ
security-level 50
ip address 10.10.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host <omitted> eq smtp
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.51 object-group rdp
access-list DMZ_access_in extended permit ip any any
access-list WAN_access_in extended permit tcp any host <omitted> eq smtp
access-list WAN_access_in extended permit tcp any host <omitted> eq www
access-list WAN_access_in extended permit tcp any host <omitted> eq https
access-list WAN_access_in extended permit tcp any host <omitted> object-group rdp
access-list LAN_access_in extended permit tcp host 10.16.2.4 host 10.10.1.10 eq smtp
access-list LAN_access_in extended permit tcp host 10.16.2.51 host <omitted> object-group rdp
access-list LAN_access_in extended permit ip any any
global (Outside) 101 interface
nat (management) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) tcp <omitted> smtp 10.10.1.10 smtp netmask 255.255.255.255
static (Inside,Outside) tcp <omitted> www 10.16.2.15 www netmask 255.255.255.255
static (Inside,Outside) tcp <omitted> https 10.16.2.15 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 3389 10.163.2.51 3389 netmask 255.255.255.255
static (Inside,DMZ) tcp 10.10.1.10 smtp 10.16.2.4 smtp netmask 255.255.255.255
static (DMZ,Inside) tcp <omitted> 3389 10.10.1.10 3389 netmask 255.255.255.255
access-group LAN_access_in in interface Inside
access-group DMZ_access_in in interface DMZ
access-group WAN_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 159.87.36.64 1
08-07-2013 01:23 PM
Hi,
I am not quite sure what part of this would require PBR (Policy Based Routing).
Both the DMZ accessing INSIDE and the INSIDE accessing DMZ are achieved with normal routing through the ASA.
If the actual problem is that you can't form connections between these interfaces' networks, then I would suggest trying the following NAT configuration:
static (Inside,DMZ) 10.16.2.0 10.16.2.0 netmask 255.255.255.0
This should enable both networks to communicate directly with each other.
Though looking at your current configuration I am not sure how you want to NAT between these interfaces.
- Jouni
08-07-2013 01:41 PM
the omitted portion is for the outside IPs. I'm in the process of cleaning things up on the ASA, but my FW experience is mostly in Junipers.
So just NAT'ing the 10.16.2.X network from inside to the DMZ that way should allow traffic between the two? What would need to happen if they only wanted SMTP to go into the INSIDE network and RDP to go into the DMZ network? All the while leaving the current abilities intact (SMTP to the OUTSIDE).
08-07-2013 01:56 PM
Hi,
If your aim is to limit the traffic between the 2 network segments to only a few allowed services and only between certain hosts, then you could use the following ACL format, which is almost the same as the current one.
I presume in the below ACL that you will actually allow the SMTP and RDP towards the local/real IP addresses in the other network segment. If you want to NAT them to some public IP address towards the other network segment then that's OK too, but it requires changes to the configuration.
access-list DMZ_access_in remark Allowed traffic DMZ to LAN
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.x eq smtp
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.51 object-group rdp
access-list DMZ_access_in remark Deny All the rest for DMZ to LAN
access-list DMZ_access_in extended deny ip 10.10.1.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list DMZ_access_in remark Permit All Outbound traffic
access-list DMZ_access_in extended permit ip 10.10.1.0 255.255.255.0 any
access-list LAN_access_in remark Allowed Traffic LAN to DMZ
access-list LAN_access_in extended permit tcp host 10.16.2.4 host 10.10.1.10 eq smtp
access-list LAN_access_in extended permit tcp host 10.16.2.51 host 10.10.1.x object-group rdp
access-list LAN_access_in remark Deny All the rest for LAN to DMZ
access-list LAN_access_in extended deny ip 10.16.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list LAN_access_in remark Permit All Outbound traffic
access-list LAN_access_in extended permit ip 10.16.2.0 255.255.255.0 any
As you can see, we first allow the specific hosts and specific services to the other network segment from both LAN and DMZ. We then block ALL traffic both LAN to DMZ and DMZ to LAN. Since we have already allowed the traffic we need earlier in the ACL, this "deny" statement will only block the traffic that doesn't match the rules above it.
Finally we allow all other traffic. Since we have blocked LAN to DMZ and DMZ to LAN earlier in the ACL, permitting traffic to "any" destination WON'T allow traffic between the network segments.
Hope this helps
- Jouni
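Added example, not from the thread or from Cisco: a small Python model of the ASA's first-match ACL evaluation, run over the DMZ_access_in proposed above and over the tail of the original poster's DMZ_access_in, so the ordering argument (specific permits, then the segment deny, then the broad outbound permit) can be checked before it is pushed to the firewall. It assumes object-group rdp is tcp/3389 and fills the 10.16.2.x placeholder with 10.16.2.4; both are assumptions.

```python
import ipaddress
# Constructed input: Jouni's proposed ACL above; the 10.16.2.x placeholder is assumed to be 10.16.2.4.
PROPOSED_DMZ_ACL = """
access-list DMZ_access_in remark Allowed traffic DMZ to LAN
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.4 eq smtp
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.51 object-group rdp
access-list DMZ_access_in remark Deny All the rest for DMZ to LAN
access-list DMZ_access_in extended deny ip 10.10.1.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list DMZ_access_in remark Permit All Outbound traffic
access-list DMZ_access_in extended permit ip 10.10.1.0 255.255.255.0 any
"""
# Tail of the original poster's DMZ_access_in (the <omitted> SMTP line left out).
ORIGINAL_DMZ_ACL = """
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.51 object-group rdp
access-list DMZ_access_in extended permit ip any any
"""
OBJECT_GROUPS = {"rdp": {3389}}  # object-group rdp is not shown in the thread; assumed to be tcp/3389
SERVICES = {"smtp": 25, "www": 80, "https": 443}

def _addr(tokens):  # one address spec: 'any', 'host A' or 'NET MASK' -> (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def _ports(tokens):  # optional destination port spec: 'eq NAME|NUM' or 'object-group G'; None = any port
    if not tokens:
        return None
    return {SERVICES.get(tokens[1]) or int(tokens[1])} if tokens[0] == "eq" else OBJECT_GROUPS[tokens[1]]

def parse_acl(text):  # access-list lines -> ordered list of (action, proto, src, dst, ports) ACEs
    rules = []
    for line in text.strip().splitlines():
        t = line.split()[2:]                        # drop 'access-list NAME'
        if t[0] == "remark":
            continue
        action, proto, rest = t[1], t[2], t[3:]     # t[0] is the 'extended' keyword
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        rules.append((action, proto, src, dst, _ports(rest)))
    return rules

def evaluate(rules, proto, src, dst, dport):  # first matching ACE wins; no match hits the implicit deny
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, ports in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and (ports is None or dport in ports):
            return action
    return "deny"
```

With the proposed ACL, RDP from 10.10.1.10 to 10.16.2.51 and SMTP to 10.16.2.4 are permitted while any other DMZ-to-LAN flow falls into the deny line; with the original ACL, the trailing permit ip any any lets every DMZ-to-LAN flow through.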