Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Since PBR isn't supported, best way to route to the DMZ from the inside?

I'm working on an ASA 5510 for a customer and they want to be able to access their SMTP server from the inside via RDP and the SMTP to be able to send SMTP traffic to the inside. They want everything done at the ASA level and do not want to have the router to do any of the work. I've done similar things on Junipers and PBRs with them easily enough, but turns out I will not be able to do it on the 5510. Trying to think of a way from within the ASA to figure this out.

I attacted the topology of the network and the issue. Red is what is not working.

this is the output of some of the ASA. I was thinking doing a NAT policy, but am unsure the best way to do it.

interface Ethernet0/1

nameif Inside

security-level 100

ip address 10.16.2.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

nameif DMZ

security-level 50

ip address 10.10.1.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

access-list DMZ_access_in extended permit tcp host 10.10.1.10 host <omitted> eq smtp

access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.51 object-group rdp

access-list DMZ_access_in extended permit ip any any

access-list WAN_access_in extended permit tcp any host <omitted> eq smtp

access-list WAN_access_in extended permit tcp any host <omitted> eq www

access-list WAN_access_in extended permit tcp any host <omitted> eq https

access-list WAN_access_in extended permit tcp any host <omitted> object-group rdp

access-list LAN_access_in extended permit tcp host 10.16.2.4 host 10.10.1.10 eq smtp

access-list LAN_access_in extended permit tcp host 10.16.2.51 host <omitted> object-group rdp

access-list LAN_access_in extended permit ip any any

global (Outside) 101 interface

nat (management) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

static (DMZ,Outside) tcp <omitted> smtp 10.10.1.10 smtp netmask 255.255.255.255

static (Inside,Outside) tcp <omitted> www 10.16.2.15 www netmask 255.255.255.255

static (Inside,Outside) tcp <omitted> https 10.16.2.15 https netmask 255.255.255.255

static (Inside,Outside) tcp interface 3389 10.163.2.51 3389 netmask 255.255.255.255

static (Inside,DMZ) tcp 10.10.1.10 smtp 10.16.2.4 smtp netmask 255.255.255.255

static (DMZ,Inside) tcp <omitted> 3389 10.10.1.10 3389 netmask 255.255.255.255

access-group LAN_access_in in interface Inside

access-group DMZ_access_in in interface DMZ

access-group WAN_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 159.87.36.64 1

Everyone's tags (4)
3 REPLIES
Super Bronze

Since PBR isn't supported, best way to route to the DMZ from the

Hi,

I am not quite sure what part of this would require PBR (Policy Based Routing)

Both the DMZ accessing INSIDE or the INSIDE accessing DMZ is just achieved with normal routing through the ASA.

If the actual problem is that you can't form connections between these interfaces networks then I would suggest trying the following NAT configuration

static (Inside,DMZ) 10.16.2.0 10.16.2.0 netmask 255.255.255.0

This should enable both networks to communicate directly between eachother

Though looking at your current configuration I am not sure how you want to NAT between these interfaces.

  • One INSIDE host is NATed to a DMZ network address towards DMZ
  • One DMZ host is NATed to a some unknown (public IP?) address towards INSIDE

- Jouni

Community Member

Since PBR isn't supported, best way to route to the DMZ from the

the omitted portion is for the outside IPs. I'm in the process of cleaning things up on the ASA, but my FW experience is mostly in Junipers.

So just NAT'ing the 10.16.2.X network from inside to the DMZ that way should allow traffic between the two? What would need to happen if they only wanted SMTP to go into the INSIDE network and RDP to go into the DMZ network? All the while leaving current abilities inact (SMTP to the OUTSIDE).

Super Bronze

Since PBR isn't supported, best way to route to the DMZ from the

Hi,

If you aim is to limit the traffic between the 2 network segments to only a few allowed services and only between certain hosts then you could use the following ACL format which is almost the same as the current.

I presume in the below ACL that you will actually allow the SMTP and RDP towards the local/real IP addresses in the other network segment. If you want to NAT them to some public IP address towards the other network segment then thats OK too but requires changed to the configuration.

access-list DMZ_access_in remark Allowed traffic DMZ to LAN

access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.x eq smtp

access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 10.16.2.51 object-group rdp

access-list DMZ_access_in remark Deny All the rest for DMZ to LAN

access-list DMZ_access_in deny ip 10.10.1.0 255.255.255.0 10.16.2.0 255.255.255.0

access-list DMZ_access_in remark Permit All Outbound traffic

access-list DMZ_access_in extended permit ip 10.10.1.0 255.255.255.0 any

access-list LAN_access_in remark Allowed Traffic LAN to DMZ

access-list LAN_access_in extended permit tcp host 10.16.2.4 host 10.10.1.10 eq smtp

access-list LAN_access_in extended permit tcp host 10.16.2.51 host 10.10.1.x object-group rdp

access-list LAN_access_in renark Deny All the rest for LAN to DMZ

access-list LAN_access_in deny ip 10.16.2.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list LAN_access_in remark Permit All Outbound traffic

access-list LAN_access_in extended permit ip 10.16.2.0 255.255.255.0 any

As you can see, we first allow the specific hosts and specific services to the other network segment from both LAN and DMZ. We then block ALL traffic both LAN to DMZ and DMZ to LAN. Since we already allowed the traffic we need before in the ACL then this "deny" statement will only block all traffic that doesnt match the rules above it.

Finally we allow all other traffic. Since we have blocked the LAN to DMZ or DMZ to LAN earlier in the ACL then permitting traffic to "any" destination WONT allow traffic between the network segment.

Hope this helps

- Jouni

709
Views
0
Helpful
3
Replies
CreatePlease to create content