DMZ configuration problem on ASA5510 using ASDM 6.3.5

kmigmar805
Level 1

Dear Experts,

I am a newbie in CiscoLand.

I am trying to configure DMZ on ASA5510 using ASDM 6.3(5) with IOS version ASA 8.3(2).

Here is our network setup:

Internet <-----> Router <-----> ASA5510 <-----> LAN clients
                                  |
                          DMZ network (Webserver and DNS)

outside interface (200.100.50.30)

inside interface (192.168.168.1)

dmz interface (10.10.10.1)

Webserver (Public IP - 200.100.50.27 and real IP 10.10.10.2)

DNS server (Public IP - 200.100.50.26 and real IP 10.10.10.3)

At this point here is what is happening:

Inside LAN clients are able to access the Internet (OK)

Webserver is able to access the Internet (OK)

Internet users are NOT able to access our Webserver (FAIL)

Inside LAN clients are NOT able to access Webserver (FAIL)

I would greatly appreciate it if you could point out where I am making mistakes from the attached file, which contains the running config of the ASA appliance.

Thank you so much in advance!

Accepted Solution

inside to dmz:

access-list nonat extended permit ip 192.168.168.0 255.255.252.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list nonat

inside to outside:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

only 2 servers in the dmz can go out to the internet:
static (dmz,outside) 200.100.50.27 10.10.10.2 netmask 255.255.255.255
static (dmz,outside) 200.100.50.26 10.10.10.3 netmask 255.255.255.255

only one server in the dmz can be accessed from the inside using the outside address:
static (dmz,inside) 200.100.50.27 10.10.10.2 netmask 255.255.255.255

Only one server can be accessed from the internet and that too only on one port - 80:

access-list outside_access_in extended permit tcp any host 200.100.50.27 eq www

You need to add this line for the correct ports that the server listens on:

access-list outside_access_in extended permit tcp any host 200.100.50.26 eq www

Please try the following and tell me the result.

1. from one of the inside computers (192.168.168.x) try to go to http://10.10.10.2 and http://10.10.10.3 - does it work?

2. from a computer on the internet try http://200.100.50.27 and http://200.100.50.26 - does this work?

If any of the above doesn't work, gather the syslogs from the time of the test and post them.

conf t

logging on

logging buffered 7

exit

sh logg | i 10.10.10.2

sh logg | i 10.10.10.3

depending on which server you are trying.

-KS
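Once the buffer is collected as above, the teardown lines are the useful part (the original poster quoted one: "... to dmz:10.10.10.2/80 duration 0:01:06 bytes 0 TCP Reset-I"). The following added example, not code from the thread or from Cisco, parses ASA 302014 teardown messages and pulls out the connections to the DMZ server that were built but moved no data; the sample buffer is constructed to match the format of the quoted line.

```python
import re
from collections import Counter

# Constructed sample buffer, modelled on the teardown message quoted in the
# thread (302014 is the standard ASA "Teardown TCP connection" syslog ID).
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 4471 for outside:112.138.27.81/52277 to dmz:10.10.10.2/80 duration 0:01:06 bytes 0 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 4472 for outside:74.125.0.1/80 to dmz:10.10.10.2/40001 duration 0:00:02 bytes 5120 TCP FINs
%ASA-6-302014: Teardown TCP connection 4473 for inside:192.168.168.25/51000 to dmz:10.10.10.2/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 4474 for inside:192.168.168.25/51001 to dmz:10.10.10.3/80 duration 0:00:01 bytes 0 TCP Reset-I
"""

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def duration_seconds(hms):
    """Convert the ASA 'h:mm:ss' duration field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_teardowns(text):
    """Return one dict per 302014 teardown line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            rec["seconds"] = duration_seconds(rec["dur"])
            rec["reason"] = rec["reason"].strip()
            records.append(rec)
    return records


def failed_connections(records, server_ip, port="80"):
    """Teardowns to server_ip:port that carried no payload.

    A connection the ASA built and then tore down with 'bytes 0' got past the
    inbound ACL and NAT lookup, so the next place to look is the reply path
    (server routing/default gateway, host firewall) rather than the permit rule.
    'Reset-I' means the RST came from the higher-security side of the pair.
    """
    return [r for r in records
            if r["dst"] == server_ip and r["dport"] == port and r["bytes"] == 0]


def reason_summary(records):
    """Count teardown reasons per (ingress interface, destination) pair."""
    return Counter((r["src_if"], r["dst"], r["reason"]) for r in records)
```

Feed it the output of `sh logg | i 10.10.10.2` instead of the constructed buffer; `reason_summary` quickly shows whether every attempt dies the same way.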


13 Replies

Hi,

I think you need a dynamic NAT rule between inside and DMZ to allow internal users to access the DMZ server:

object network LAN_INTERNET_TRAFFIC
nat (inside,dmz) dynamic interface

For inbound access to the DMZ server you can use the Packet-Tracer utility on ASDM to emulate an incoming connection to the web server.


Federico.

Hello Federico,

Thanks a lot for your advice. I really appreciate it.

I followed to the letter the DMZ config guide from Cisco: Cisco ASA 5500 Series Getting Started Guide (Software version 8.3)

http://www.cisco.com/en/US/customer/docs/security/asa/asa83/getting_started/5500/guide/dmz.html

But it did not work out as expected.

I did run the Packet tracer on ASDM and it tells me that there is no error. By the way, on the ACL I tried both the real address (the webserver's DMZ address, which is 10.10.10.2) and the translated public addresses. As you know, from ASA version 8.3 Cisco migrated to using the real IP on access rules. In our case, should we use the real IP or the translated public IP on access rules? Please advise.

Still can't figure out what is wrong... From the Webserver I can reach the Internet but not vice versa. From inside I can reach the Internet but am not able to access the Webserver in the DMZ. And the Packet tracer shows no errors...

Anyone?

Thanks a lot!

Ken,

When you say that from the inside you cannot reach the webserver, does it mean you cannot open the page or cannot even PING it?

Same for access from the web server to the Internet (cannot display pages or cannot PING, for example, 4.2.2.2)?

To rule out a DNS problem, can you open the webpage using the IP address instead of the name?

Make sure you're inspecting ICMP before trying.

policy-map global_policy
 class inspection_default
  inspect icmp

Federico.

Hi Federico,

Thanks a lot for replying!

Neither Internet nor inside clients are able to open our company webpages from the Webserver in the DMZ.

I tried to access the Webserver by IP address but it is still unreachable.

I am guessing that since the Webserver itself can reach the Internet - for instance display www.microsoft.com pages or google.com - it could be that I am configuring the access rules incorrectly. Currently the two extended ACLs applied to the outside interface are permitting http and dns traffic to the DMZ.

The above mentioned Cisco configuration guide does not say that more ACLs are required.

I am thinking of downgrading the current ASA software version from 8.3(2) to 8.2(4) tomorrow.

Ken,

Before doing the downgrade you can do a quick test:

access-list outside_access_in permit tcp any any eq 80

By adding the above line the ASA is going to permit any inbound traffic destined to port 80 through.

If it works, we know then that it's just a matter of adjusting the ACL.

If it does not work, we need to further investigate... but since you suspect the ACL you might want to give this a try.

Federico.

On Thu, Jan 13, 2011 at 9:13 AM, kmigmar805

Hi Federico,

Tried changing the ACL on outside interface to:

access-list outside_access_in permit tcp any any eq 80

Still, no success. The weird thing is that the Packet tracer shows that traffic is OK from the Internet to the webserver in the DMZ, as well as traffic from inside to the webserver in the DMZ. But in actuality no webpage is displayed....

On the Real-time Log Viewer any connection from the Internet to the webserver is torn down like this:

112.138.27.81 (source IP) 10.10.10.2 (destination IP)  Teardown connection xxxx for outside:112.138.27.81/52277 to dmz:10.10.10.2/80 duration 0:01:06 bytes 0 TCP Reset-I

What am I doing wrong....

Update:

Downgraded to ASA 8.2(4) version. Interestingly, it is exactly the same.

DMZ can access the Internet.

Inside users can access the Internet.

Internet users cannot reach the Webserver in the DMZ.

Inside users cannot reach the Webserver in the DMZ.

I have followed the DMZ configuration guide for ASA 8.2:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/getting_started/asa5500/quick/guide/dmz.html

Why why why is it not working....

Ken,

Please post your running config, now running 8.2.

Federico.

Hello,

If you have already downgraded the code to 8.2, then can you try the following:

access-list dmz_access_in permit ip any any

access-group dmz_access_in in interface DMZ

access-list nonat permit ip 192.168.168.0 255.255.252.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list nonat

This should enable communication between inside and the DMZ. Now to enable communication between the DMZ and outside, please open up appropriate ports on the outside ACL.

Hope this helps.

Regards,

NT

Hello,

Thank you so much for the reply. I've followed Nagaraja's suggestions and the result is the same.

Please see the attached running config.

Since the downgrade is not solving the issue, I've decided to upgrade it back to ASA 8.3.2 version.

I can ping the webserver in the DMZ and it responds with its public address. And the webserver can open webpages from the Internet. So I suppose the NAT translations are set up correctly. Therefore it is more likely the ACLs.

Thanks to all!

Looking forward to your reply.


Thank you so much all of you! The firewall is working now.

What solved the problem?
