  pally
@dslextreme.com
| [Config] cisco 5520
Hi Everyone,
I've been trying to configure the DMZ on my Cisco 5520 firewall to allow my internal network to connect to my web server that is on the DMZ. My web server has two NICs; one is connected to my DMZ interface and the other NIC is connected directly to my internal network. I would like to have it do a "loop back": from a computer in the internal network, go outside the firewall and then back to connect to the web server through the DMZ interface. Is that possible, or is there a better method to do it? Below is the 5520's configuration:
ciscoasa# show run
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name helpme.org
enable password *********** encrypted
names
name 10.30.30.30 WebServer
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 76.*.*.40 255.255.255.240
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.30.30.1 255.255.0.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd ************* encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name culvercitypd.org
access-list DMZACL extended permit ip host WebServer 10.30.0.0 255.255.0.0
access-list DMZACL extended permit icmp any any
access-list DMZACL extended permit tcp host WebServer host 76.*.*.41 eq www inactive
access-list DMZACL extended permit tcp host WebServer eq www any eq www
access-list sec1 remark allow internet to access WebServer
access-list sec1 extended permit tcp any eq www host 76.*.*.41 eq www inactive
access-list sec1 remark allow internet to ping WebServer
access-list sec1 extended permit icmp any host 76.*.*.41
access-list sec1 extended permit tcp any eq www host WebServer eq www inactive
access-list sec1 extended permit tcp any eq www host 76.*.*.41 inactive
access-list sec1 extended permit tcp any host 76.*.*.41 eq www
pager lines 30
logging enable
logging asdm informational
logging host inside 10.1.1.2
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 76.*.*.34-76.*.*.38 netmask 255.0.0.0
global (outside) 1 76.*.*.39 netmask 255.0.0.0
global (outside) 200 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp 76.*.*.41 www WebServer www netmask 255.255.255.255
static (inside,DMZ) 172.20.0.0 172.20.0.0 netmask 255.255.0.0
static (DMZ,inside) WebServer 76.*.*.41 netmask 255.255.255.255
access-group sec1 in interface outside
access-group DMZACL in interface DMZ
route outside 0.0.0.0 0.0.0.0 76.*.*.33 1
route inside 172.20.0.0 255.255.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.20.0.5 255.255.255.255 inside
telnet 172.20.0.4 255.255.255.255 inside
telnet 172.20.1.200 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map IPS_Traffic
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class IPS_Traffic
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:003708f673ce758743fadf0c69beefb1
: end
I hope I was clear in my explanation. Please help! Thanks! |
|
aryoba Premium,MVM join:2002-08-22 | said by pally:
My web server has two NICs; one is connected to my DMZ interface and the other NIC is connected directly to my internal network.
Is there a reason for such a setup? |
|
  pally
@dslextreme.com
| Originally, I tried it with one NIC, but I couldn't get the internal network to talk to the web server. That is why I added the second NIC into the mix as a workaround. Any suggestions or advice would be appreciated to get one NIC on the web server to talk to the Internet and the internal network. Thanks! |
|
 aryoba Premium,MVM join:2002-08-22
| There is some questionable stuff in the ASA configuration.
1. ip address 10.1.1.1 255.255.0.0 command under inside interface and 10.30.30.1 255.255.0.0 command under DMZ interface
Why do you have a Class-B network on each interface? Won't a Class-C network be sufficient?
2. ospf cost 10 command under interface
I see the OSPF cost command, but I don't see the ASA running OSPF. If there is no plan to have the ASA running OSPF, then remove the command since it is not needed.
3. access-list sec1 extended permit icmp any host 76.*.*.41 command
It is not wise to permit all incoming ICMP-type packets from the Internet. Typically you only need to permit ICMP Type 0 (Echo Reply), 3 (Destination Unreachable), and 11 (Time Exceeded).
This is what I would do:
object-group icmp-type ICMP-INBOUND
 icmp-object 0
 icmp-object 3
 icmp-object 11
access-list sec1 extended permit icmp any host 76.*.*.41 object-group ICMP-INBOUND
4. global (outside) 200 interface command
There is no nat 200 command, so why do you keep the global 200 command?
5. The commands static (inside,DMZ) 172.20.0.0 172.20.0.0 netmask 255.255.0.0 and static (DMZ,inside) WebServer 76.*.*.41 netmask 255.255.255.255
You don't need to have this mess. Implementing a no-NAT policy should do the job.
Example of a no-NAT policy:
object-group network INSIDE
 network-object 10.1.0.0 255.255.0.0
 network-object 172.20.0.0 255.255.0.0
object-group network DMZ
 network-object 10.30.0.0 255.255.0.0
access-list nonat remark No NAT from Inside to DMZ
access-list nonat extended permit ip object-group INSIDE object-group DMZ
nat (inside) 0 access-list nonat
6. said by pally:
Any suggestions or advice would be appreciated to get one NIC on the web server to talk to the Internet and the internal network.
How would you like the web server on the DMZ to talk to the Internet and the internal network? Just web (HTTP or TCP port 80), or are there others? |
|
  pally
@dslextreme.com
| I'll have to look into what you're advising; obviously I'm a newbie, more like absorbing what you're saying. Regarding your question, just web at the moment. Easiest to test with, I think. I appreciate the help, please keep it coming! |
|
  pally
@dslextreme.com | FYI, I've also removed one of the NICs, so now I only have one NIC, which connects directly to the DMZ interface... |
|
  pally
@dslextreme.com
| reply to pally Hi,
I tried your no-NAT policy, which works. Thanks! But now I'm trying to get the WebServer on the DMZ to send information into the internal network. I've added the following:
access-list nonat extended permit ip object-group DMZ object-group INSIDE
access-list DMZACL extended permit ip host WebServer object-group INSIDE
nat (DMZ) 0 access-list nonat
I've tried to telnet into one of the machines within the internal network, but it's not going through. Any ideas/suggestions? Thanks! |
|
  pally
@dslextreme.com | reply to aryoba I pretty much inherited this duty, so I can't tell you why it is configured this way. I'm a noob at this. Any kind of help is appreciated! |
|
aryoba Premium,MVM join:2002-08-22 | First of all, clean up the configuration. Then post the updated configuration.
Without these being done first, there would be just a pile of junk over junk. |
|
  pally
@dslextreme.com
| Hi Aryoba,
Below is the new configuration, thanks for helping!
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name helpme.org
enable password ************ encrypted
names
name 10.30.30.30 WebServer
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 76.*.*.40 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.30.30.1 255.255.0.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd ************** encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name helpme.org
object-group icmp-type ICMP-INBOUND
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo
object-group network INSIDE
 network-object 10.1.0.0 255.255.0.0
 network-object 172.20.0.0 255.255.0.0
object-group network DMZ
 network-object 10.30.0.0 255.255.0.0
object-group network DENY_LIST
 network-object host *.*.*.*
 network-object host *.*.*.*
 network-object host *.*.*.*
 network-object host *.*.*.*
access-list DMZACL extended permit ip host WebServer 10.30.0.0 255.255.0.0 inactive
access-list DMZACL remark allow WebServer to be pinged / also need rule from outside interface to be set to work.
access-list DMZACL extended permit icmp any any
access-list DMZACL extended permit ip host WebServer object-group INSIDE
access-list sec1 extended permit tcp any host 76.*.*.41 eq www
access-list sec1 extended permit icmp any host 76.*.*.41 object-group ICMP-INBOUND
access-list sec1 extended deny ip object-group DENY_LIST any
access-list nonat remark No NAT from Inside To DMZ
access-list nonat extended permit ip object-group INSIDE object-group DMZ
access-list nonat remark No NAT from Inside to DMZ
pager lines 30
logging enable
logging asdm informational
logging host inside 10.1.1.2
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 76.*.*.34-76.*.*.38 netmask 255.0.0.0
global (outside) 1 76.*.*.39 netmask 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 76.*.*.41 WebServer netmask 255.255.255.255
access-group sec1 in interface outside
access-group DMZACL in interface DMZ
route outside 0.0.0.0 0.0.0.0 76.*.*.33 1
route inside 172.20.0.0 255.255.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.20.0.5 255.255.255.255 inside
telnet 172.20.0.4 255.255.255.255 inside
telnet 172.20.1.200 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map IPS_Traffic
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class IPS_Traffic
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:71cac0fc2c6bbf19dc13eed1810c348c
: end
|
|
 aryoba Premium,MVM join:2002-08-22
| 1. ospf cost 10 under interface Management0/0
You missed one.
2. access-list DMZACL
access-list DMZACL extended permit ip host WebServer 10.30.0.0 255.255.0.0 inactive
access-list DMZACL remark allow WebServer to be pinged / also need rule from outside interface to be set to work.
access-list DMZACL extended permit icmp any any
access-list DMZACL extended permit ip host WebServer object-group INSIDE
You don't really need those lines, especially the one that permits any IP traffic from the web server to any machine in the Inside network. There is no point in having the server on the DMZ if you permit any IP traffic to Inside. Just open the necessary holes.
For instance, if the web server only needs to access a DNS server within the Inside network at 10.1.0.125 and an FTP server within the Inside network at 10.1.0.126, in addition to some ICMP traffic, then the access-list DMZACL should look something like this.
object-group network Inside_DNS
 network-object host 10.1.0.125
object-group network Inside_FTP
 network-object host 10.1.0.126
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service DNS tcp-udp
 port-object eq 53
object-group service FTP tcp
 port-object range 20 21
access-list DMZACL remark allow WebServer to be pinged / also need rule from outside interface to be set to work.
access-list DMZACL extended permit icmp object-group DMZ any
access-list DMZACL extended permit object-group TCP-UDP host WebServer object-group Inside_DNS object-group DNS
access-list DMZACL extended permit tcp host WebServer object-group Inside_FTP object-group FTP
3. access-list sec1
The order is reversed. It should be like this:
access-list sec1 extended deny ip object-group DENY_LIST any
access-list sec1 extended permit tcp any host 76.*.*.41 eq www
access-list sec1 extended permit icmp any host 76.*.*.41 object-group ICMP-INBOUND |
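An added example, not part of the thread and not Cisco's code: a small first-match evaluator for the ASA-style extended ACL lines used above. It covers two points from this exchange, the no-NAT exemption list from aryoba's earlier post (a permit match on the nonat ACL means the inside-to-DMZ flow is sent untranslated) and the sec1 ordering fix here (a DENY_LIST entry placed after the permit lines is never reached, because the ASA stops at the first matching line). The evaluator handles only the keywords the thread uses; source ports and icmp-type groups are consumed but not checked. The DENY_LIST members and the public web address are constructed placeholders, since the posts mask them.

```python
# Added example (not from the thread): first-match evaluation of ASA extended ACLs
# with object-group network expansion, to show why rule order in sec1 matters and
# how "nat (inside) 0 access-list nonat" decides which flows skip translation.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53}
WEB_VIP = "198.51.100.41"  # placeholder for the masked 76.*.*.41 in the posts

def _net(spec):
    """'host 10.1.0.125' or '10.1.0.0 255.255.0.0' -> ip_network."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

OBJECT_GROUPS = {
    "INSIDE": [_net("10.1.0.0 255.255.0.0"), _net("172.20.0.0 255.255.0.0")],
    "DMZ": [_net("10.30.0.0 255.255.0.0")],
    "DENY_LIST": [_net("host 203.0.113.7"), _net("host 203.0.113.8")],  # constructed
}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None

def _match_addr(tokens, addr):
    """Consume one address spec from tokens; return (matched, remaining tokens)."""
    ip = ipaddress.ip_address(addr)
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return ip == ipaddress.ip_address(tokens[1]), tokens[2:]
    if tokens[0] == "object-group":
        return any(ip in n for n in OBJECT_GROUPS[tokens[1]]), tokens[2:]
    return ip in _net(f"{tokens[0]} {tokens[1]}"), tokens[2:]   # "network mask" form

def _consume_port(tokens):
    """Consume an optional 'eq <port>'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), tokens[2:]
    return None, tokens

def rule_matches(rule, pkt):
    t = rule.split()
    if t[0] != "access-list" or t[2] != "extended" or t[-1] == "inactive":
        return False                        # remarks and inactive entries never match
    proto, rest = t[4], t[5:]
    if proto != "ip" and proto != pkt.proto:
        return False
    ok_src, rest = _match_addr(rest, pkt.src)
    _, rest = _consume_port(rest)           # source port: consumed, not checked
    ok_dst, rest = _match_addr(rest, pkt.dst)
    dport, rest = _consume_port(rest)       # a trailing icmp-type group is ignored
    return ok_src and ok_dst and (dport is None or dport == pkt.dport)

def evaluate(acl, pkt):
    """ASA ACLs are first-match: the first matching line decides, else implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.split()[3], rule
    return "deny", "implicit deny"

# sec1 as posted (deny last) and as reordered in the reply above (deny first).
POSTED_ORDER = [
    f"access-list sec1 extended permit tcp any host {WEB_VIP} eq www",
    f"access-list sec1 extended permit icmp any host {WEB_VIP} object-group ICMP-INBOUND",
    "access-list sec1 extended deny ip object-group DENY_LIST any",
]
CORRECTED_ORDER = [POSTED_ORDER[2], POSTED_ORDER[0], POSTED_ORDER[1]]

def web_decision(acl, src):
    """Decision for a TCP/80 request from src to the web server's public address."""
    return evaluate(acl, Packet(src, WEB_VIP, "tcp", 80))[0]

# The nonat list from the earlier post, as referenced by "nat (inside) 0 access-list nonat".
NONAT = ["access-list nonat extended permit ip object-group INSIDE object-group DMZ"]

def nat_exempt(src, dst):
    """True when the flow matches the exemption list and so leaves the ASA untranslated."""
    return evaluate(NONAT, Packet(src, dst, "ip"))[0] == "permit"

if __name__ == "__main__":
    print("DENY_LIST host, posted order   :", web_decision(POSTED_ORDER, "203.0.113.7"))
    print("DENY_LIST host, corrected order:", web_decision(CORRECTED_ORDER, "203.0.113.7"))
    print("ordinary client, corrected     :", web_decision(CORRECTED_ORDER, "192.0.2.10"))
    print("inside -> DMZ exempt from NAT  :", nat_exempt("10.1.1.50", "10.30.30.30"))
    print("inside -> Internet exempt      :", nat_exempt("10.1.1.50", "192.0.2.10"))
```

With the posted order a DENY_LIST host reaches the web permit line first and is let through; with the deny moved to the top it is dropped while ordinary clients still get TCP/80 and nothing else. The same evaluator applied to the nonat list shows inside-to-DMZ flows matching (exempt from translation) and inside-to-Internet flows falling through to the implicit deny, where the dynamic nat/global PAT rules take over.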
|
  pally
@dslextreme.com
| Hi Aryoba,
I did what you suggested, and thanks for pointing out the OSPF. I still can't get my DNS to return my nslookup query from my WebServer, nor can I view my intranet website from my WebServer. I created an object-group Inside_HTTP and an ACL to allow my WebServer to view my intranet website, but it didn't work. Below is the new configuration based on what you suggested. Hope it helps! Thanks again for all your help!
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name helpme.net
enable password **************** encrypted
names
name 10.30.30.30 WebServer
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 76.*.*.40 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.30.30.1 255.255.0.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd **************** encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name helpme.net
object-group icmp-type ICMP-INBOUND
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo
object-group network INSIDE
 network-object 10.1.0.0 255.255.0.0
 network-object 172.20.0.0 255.255.0.0
object-group network DMZ
 network-object 10.30.0.0 255.255.0.0
object-group network DENY_LIST
 network-object host *.*.*.*
 network-object host *.*.*.*
 network-object host *.*.*.*
 network-object host *.*.*.*
object-group network Inside_DNS
 network-object host 172.20.0.9
 network-object host 172.20.0.2
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service DNS tcp-udp
 port-object eq domain
object-group network Inside_HTTP
 network-object host 172.20.0.3
object-group service HTTP tcp
 port-object eq www
access-list DMZACL remark allow WebServer to be pinged / also need rule from outside interface to be set to work.
access-list DMZACL extended permit icmp any any inactive
access-list DMZACL extended permit ip host WebServer object-group INSIDE inactive
access-list DMZACL remark allow WebServer to be pinged / also need rule from outside interface to be set to work.
access-list DMZACL extended permit icmp object-group DMZ any
access-list DMZACL extended permit tcp host WebServer object-group Inside_HTTP object-group HTTP
access-list DMZACL extended permit object-group TCP-UDP host WebServer object-group Inside_DNS object-group DNS
access-list sec1 extended deny ip object-group DENY_LIST any
access-list sec1 extended permit tcp any host 76.*.*.41 eq www
access-list sec1 extended permit icmp any host 76.*.*.41 object-group ICMP-INBOUND
access-list nonat remark No NAT from Inside To DMZ
access-list nonat extended permit ip object-group INSIDE object-group DMZ
access-list nonat remark No NAT from Inside to DMZ
pager lines 30
logging enable
logging asdm informational
logging host inside 10.1.1.2
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
asdm location 172.20.0.0 255.255.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 76.*.*.34-76.*.*.38 netmask 255.0.0.0
global (outside) 1 76.*.*.39 netmask 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 76.*.*.41 WebServer netmask 255.255.255.255
access-group sec1 in interface outside
access-group DMZACL in interface DMZ
route outside 0.0.0.0 0.0.0.0 76.*.*.33 1
route inside 172.20.0.0 255.255.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.20.0.5 255.255.255.255 inside
telnet 172.20.0.4 255.255.255.255 inside
telnet 172.20.0.9 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map IPS_Traffic
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class IPS_Traffic
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:efc80f54abede220dbb9776e0891366e
|
|
  pally
@dslextreme.com
| reply to pally Hi,
Let me rephrase that. The DNS server is getting hit but not returning anything. Here's what I see in the Real-Time Log Viewer.
6 Nov 11 2008 17:18:19 302013 ccpd 41294 172.20.0.9 53 Built inbound TCP connection 219184 for DMZ:ccpd/41294 (ccpd/41294) to inside:172.20.0.9/53 (172.20.0.9/53)
And then I'll see this...
6 Nov 11 2008 17:18:49 302014 ccpd 41294 172.20.0.9 53 Teardown TCP connection 219184 for DMZ:ccpd/41294 to inside:172.20.0.9/53 duration 0:00:30 bytes 0 SYN Timeout
Any ideas? Thanks! |
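An added example, not from the thread: a small parser that pairs the ASA 302013 (Built) and 302014 (Teardown) messages quoted above by connection id and flags connections that the firewall built but later tore down with "SYN Timeout" and zero bytes. That pattern means the ASA's ACL and NAT lookups permitted the flow and the SYN was forwarded, but no SYN-ACK ever came back through the firewall, so the fault lies beyond the ASA (a route, another firewall, or the server itself). The first and last sample lines are the two quoted in the post; the middle two are constructed to show a normally completed connection for contrast.

```python
# Added example (not from the thread): pair ASA "Built"/"Teardown" TCP syslog
# messages by connection id and flag zero-byte SYN timeouts.
import re

# Lines 1 and 4 are the ones quoted in the post; lines 2 and 3 are constructed.
SAMPLE_LOG = """\
6 Nov 11 2008 17:18:19 302013 ccpd 41294 172.20.0.9 53 Built inbound TCP connection 219184 for DMZ:ccpd/41294 (ccpd/41294) to inside:172.20.0.9/53 (172.20.0.9/53)
6 Nov 11 2008 17:18:20 302013 ccpd 41300 172.20.0.3 80 Built inbound TCP connection 219190 for DMZ:ccpd/41300 (ccpd/41300) to inside:172.20.0.3/80 (172.20.0.3/80)
6 Nov 11 2008 17:18:21 302014 ccpd 41300 172.20.0.3 80 Teardown TCP connection 219190 for DMZ:ccpd/41300 to inside:172.20.0.3/80 duration 0:00:01 bytes 4512 TCP FINs
6 Nov 11 2008 17:18:49 302014 ccpd 41294 172.20.0.9 53 Teardown TCP connection 219184 for DMZ:ccpd/41294 to inside:172.20.0.9/53 duration 0:00:30 bytes 0 SYN Timeout
"""

BUILT_RE = re.compile(
    r"302013 .*?Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\w.-]+)/(?P<sport>\d+) .*? to "
    r"(?P<dst_if>\w+):(?P<dst>[\w.-]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"302014 .*?Teardown TCP connection (?P<conn>\d+) for .*? duration "
    r"(?P<duration>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def find_unanswered(log_text):
    """Return one record per connection that was built and then timed out with no reply."""
    built = {}        # connection id -> fields from the Built message
    findings = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[m["conn"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if not m or m["conn"] not in built:
            continue
        b = built.pop(m["conn"])
        # "SYN Timeout" with 0 bytes: the SYN went out, nothing came back.
        if m["reason"].strip() == "SYN Timeout" and int(m["bytes"]) == 0:
            findings.append({
                "conn": m["conn"],
                "src": b["src"], "src_if": b["src_if"],
                "dst": b["dst"], "dport": int(b["dport"]), "dst_if": b["dst_if"],
                "duration": m["duration"],
            })
    return findings

if __name__ == "__main__":
    for f in find_unanswered(SAMPLE_LOG):
        print(f"conn {f['conn']}: {f['src_if']}:{f['src']} -> {f['dst_if']}:{f['dst']}/{f['dport']} "
              f"built by the ASA, no reply within {f['duration']}; look beyond the firewall")
```

Run on the two quoted lines this reports connection 219184 (DMZ to inside:172.20.0.9/53) as built but unanswered, which is consistent with where the thread ends up: the ASA was passing the traffic and the destination was behind another firewall.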
|
aryoba Premium,MVM join:2002-08-22 | Did you check your DNS servers (172.20.0.9 and 172.20.0.2) to see if the DNS servers see incoming traffic from your web server (10.30.30.30)? Running a packet sniffer on your DNS server should provide the info. |
|
  pally
@dslextreme.com
| reply to pally I ran Network Monitor 3.2; it looks like my DNS query never reached my DNS servers. When I ping 172.20.0.9, it does show that I am pinging the DNS server. But when I do a DNS query, I get nothing; nothing comes through. Does that mean the query didn't make it past the ASA 5520? |
|
aryoba Premium,MVM join:2002-08-22 | Did 172.20.0.9 see incoming traffic from 10.30.30.30? Packet analyzing software, such as Wireshark running on your 172.20.0.9 machine, will tell you. |
|
  pally
@dslextreme.com | reply to pally Hi,
I ran Wireshark; it shows that I can ping 172.20.0.9 from 10.30.30.30. But no traffic comes from 10.30.30.30 when I do nslookup. |
|
  pally
@dslextreme.com
| reply to pally On 10.30.30.30, I ran traceroute to the DMZ interface, which is 10.30.30.1, and I'm not getting any response, no hops happening. I also ran tracepath, which gave me the same result. I can ping the DMZ interface... Is the DMZ interface the issue? If so, what could it be? |
|
  pally
@dslextreme.com
| reply to pally Not sure if it means anything, but when I ran the Cisco ASDM Packet Tracer I chose the DMZ interface and had 10.30.30.30 as Source IP Address, 172.20.0.9 as Destination IP Address, source port 53 and destination port 53, Packet Type: UDP. Everything looks good until the result, which gave me "DNS Inspect invalid packet". |
|
  pally
@dslextreme.com | reply to pally Hi Aryoba,
Mystery solved; I forgot that 172.20.0.9 is behind another firewall. Anyway, thanks for all your help! |
|