Cisco ASA 5520 – General Issues with DMZ Access

Tags: cisco-asa, networking

I just got my software upgraded from v8.2(x) to v9.1(7), but I have some general issues with access to and from my DMZ:

  1. No internet access from DMZ
  2. No access to web or mail server from outside to DMZ

Here is my running-config:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 109.xxx.yyy.zzz 255.255.255.128
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif data
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Management0/0
 nameif mgmt
 security-level 0
 ip address 192.168.128.1 255.255.255.0
!
...
object network obj-dmz-subnet
 subnet 172.16.1.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-lan-subnet
 subnet 192.168.1.0 255.255.255.0
object network obj-data-subnet
 subnet 10.0.0.0 255.255.255.0
object network obj-mgmt-subnet
 subnet 192.168.128.0 255.255.255.0
object network web_server
 host 172.16.1.30
object network web_server_http
 host 172.16.1.30
object network web_server_https
 host 172.16.1.30
object network mail_server_smtp
 host 172.16.1.40
object network mail_server_pop3
 host 172.16.1.40
object network mail_server_imap
 host 172.16.1.40
object network mail_server_pop3s
 host 172.16.1.40
object network mail_server_imaps
 host 172.16.1.40
object network mail_server_smtps
 host 172.16.1.40
object-group network web_servers
 network-object host 172.16.1.30
object-group network mail_servers
 network-object host 172.16.1.40
object-group service web_services tcp
 port-object eq www
 port-object eq https
object-group service mail_services tcp
 port-object eq smtp
 port-object eq imap4
 port-object eq pop3
 port-object eq 995
 port-object eq 993
 port-object eq 465
object-group service zabbix_services tcp
 port-object eq 10050
 port-object eq 10051
access-list ACL_IN extended permit ip any4 any4
access-list OUTSIDE_TO_DMZ extended permit ip any4 any4
access-list OUTSIDE_TO_DMZ extended permit tcp any object-group web_servers object-group web_services
access-list OUTSIDE_TO_DMZ extended permit tcp any object-group mail_servers object-group mail_services
access-list OUTSIDE_TO_DMZ extended deny ip any any log
access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet host 192.168.1.4 object-group zabbix_services
!
object network obj-dmz-subnet
 nat (dmz,outside) dynamic interface
object network obj_any
 nat (dmz,outside) dynamic interface
object network obj-lan-subnet
 nat (inside,outside) dynamic interface
object network web_server_http
 nat (dmz,outside) static interface service tcp www www
object network web_server_https
 nat (dmz,outside) static interface service tcp https https
object network mail_server_smtp
 nat (dmz,outside) static interface service tcp smtp smtp
object network mail_server_pop3
 nat (dmz,outside) static interface service tcp pop3 pop3
object network mail_server_imap
 nat (dmz,outside) static interface service tcp imap4 imap4
object network mail_server_pop3s
 nat (dmz,outside) static interface service tcp 995 995
object network mail_server_imaps
 nat (dmz,outside) static interface service tcp 993 993
object network mail_server_smtps
 nat (dmz,outside) static interface service tcp 465 465
access-group OUTSIDE_TO_DMZ in interface outside
access-group DMZ_TO_INSIDE in interface dmz
access-group ACL_IN in interface inside
route outside 0.0.0.0 0.0.0.0 109.xxx.yyy.zzz 1

What am I missing in my configuration?

Edit:
The NAT statement clean-up was the solution to one of the problems. Now I have full access to my web and mail server. However, Internet access to the DMZ still fails.
Here is the result of the packet-tracer command "packet-tracer input dmz tcp 172.16.1.100 80 8.8.8.8 80":

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Edit: I think I have made everything work now. It helped to insert the following access list:

access-list FROM_DMZ extended permit ip any any

Now I can send ping commands to the big wide world and get my machines upgraded in the DMZ.
It seemed almost too easy. Is there something I have to take into account or something I have forgotten?
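The packet-tracer DROP above is the ASA's first-match access-list evaluation at work: once an access-group is applied to the dmz interface, anything not explicitly permitted falls through to the implicit deny, whatever the security levels say. The Python model below is an added example, not part of the question or the answer. It parses a subset of the ASA `access-list ... extended` syntax, resolves the object and object-group names from the running-config above, and evaluates three versions of the dmz ACL against constructed sample flows: the posted DMZ_TO_INSIDE list, the `permit ip any any` list from the last edit, and a hypothetical tighter FROM_DMZ_TIGHT list (not from the page) that still lets the DMZ reach the Internet but keeps it away from the inside, data and mgmt subnets. The sample hosts 172.16.1.100, 192.168.1.50 and 192.168.128.10 are assumptions of the example.

```python
"""Toy model of Cisco ASA interface-ACL evaluation: first match wins and an applied
access-group ends with an implicit 'deny ip any any'. Added example, not part of the
original question or answer; it models only the ACL decision that the packet-tracer
output reported as DROP, not NAT, inspection or the stateful connection table."""
import ipaddress

# Network objects and groups as defined in the question's running-config.
NETWORK_OBJECTS = {
    "obj-dmz-subnet": "172.16.1.0/24",
    "obj-lan-subnet": "192.168.1.0/24",
    "obj-data-subnet": "10.0.0.0/24",
    "obj-mgmt-subnet": "192.168.128.0/24",
    "web_servers": "172.16.1.30/32",
    "mail_servers": "172.16.1.40/32",
}
SERVICE_GROUPS = {"zabbix_services": {10050, 10051}, "web_services": {80, 443}}
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "imap4": 143}


def _parse_addr(tokens):
    """Consume one ASA address spec (any/any4, host X, object NAME,
    object-group NAME, or 'network mask') and return an ip_network."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok in ("object", "object-group"):
        return ipaddress.ip_network(NETWORK_OBJECTS[tokens.pop(0)])
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")  # e.g. 10.0.0.0/255.255.255.0


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT | object-group SVC] [log]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    name, action, proto = tokens[1], tokens[3], tokens[4]
    rest = tokens[5:]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    ports = None  # None means any destination port
    if rest and rest[0] == "eq":
        ports = {PORT_NAMES.get(rest[1]) or int(rest[1])}
    elif rest and rest[0] == "object-group":
        ports = SERVICE_GROUPS[rest[1]]
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}


def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """Return (action, matching line) for a flow entering the interface the ACL is applied to."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["ports"] is not None and dst_port not in ace["ports"]:
            continue
        return ace["action"], line
    return "deny", "Implicit Rule"  # the line packet-tracer printed under "Config:"


# The dmz ACL exactly as posted: only Zabbix towards 192.168.1.4 is permitted.
DMZ_TO_INSIDE = [
    "access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet host 192.168.1.4 object-group zabbix_services",
]
# The questioner's final fix: everything initiated from the DMZ is permitted.
FROM_DMZ_OPEN = ["access-list FROM_DMZ extended permit ip any any"]
# Hypothetical tighter version (not from the page): keep the Zabbix rule, deny the
# rest of the internal subnets explicitly and log it, then let the DMZ reach the Internet.
FROM_DMZ_TIGHT = [
    DMZ_TO_INSIDE[0].replace("DMZ_TO_INSIDE", "FROM_DMZ"),
    "access-list FROM_DMZ extended deny ip object obj-dmz-subnet object obj-lan-subnet log",
    "access-list FROM_DMZ extended deny ip object obj-dmz-subnet object obj-data-subnet log",
    "access-list FROM_DMZ extended deny ip object obj-dmz-subnet object obj-mgmt-subnet log",
    "access-list FROM_DMZ extended permit ip object obj-dmz-subnet any",
]

if __name__ == "__main__":
    # Constructed sample flows: the packet-tracer flow, a Zabbix agent check,
    # and a DMZ host opening SSH to an (assumed) inside box.
    flows = [("tcp", "172.16.1.100", "8.8.8.8", 80),
             ("tcp", "172.16.1.100", "192.168.1.4", 10050),
             ("tcp", "172.16.1.100", "192.168.1.50", 22)]
    for name, acl in [("DMZ_TO_INSIDE", DMZ_TO_INSIDE), ("FROM_DMZ (open)", FROM_DMZ_OPEN),
                      ("FROM_DMZ (tight)", FROM_DMZ_TIGHT)]:
        for flow in flows:
            action, hit = evaluate(acl, *flow)
            print(f"{name:18} {flow[1]} -> {flow[2]}:{flow[3]} {action:6} ({hit[:40]})")
```

Running it shows the three outcomes side by side: the posted list drops the 8.8.8.8 flow on the implicit rule, the open list permits it but also permits the DMZ host to open SSH to 192.168.1.50 on the inside, and the tighter list permits the Internet flow and the Zabbix check while the SSH attempt hits an explicit, logged deny. The dmz ACL only governs connections initiated from the DMZ; replies to connections the inside opened are matched by the connection table, so the explicit denies do not break inside-to-DMZ access.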

Best Answer

Let's clean up your NAT statements a bit before we troubleshoot.

Here, we'll temporarily remove your "global" NAT statements

object network obj-dmz-subnet
 no nat (dmz,outside) dynamic interface
object network obj-lan-subnet
 no nat (inside,outside) dynamic interface

This next object is a default object created on ASAs, which has a corresponding NAT statement that has been known to cause problems (due to how broad it is) if you don't remove it. You aren't using it, from what I can see, so we will remove it completely.

no object network obj_any

The next 2 lines are to create your global NAT statements again, but as manual NATs (rather than auto NATs) and also using the after-auto keyword in each to make sure that they are only used as a sort of last resort (if traffic doesn't match against any other NAT statement first).

nat (dmz,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface

Now that the NAT statements are in a bit better order, can you show me some packet-tracer outputs?

packet-tracer input dmz tcp 172.16.1.100 1234 8.8.8.8 80

packet-tracer input outside tcp 8.8.8.8 1234 <your public IP for your web-server> 80

Edit:

Please add:

access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet any eq 80

along with

access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet any eq 443

and then perform the same packet-tracer command as you tried a moment ago. The reason it didn't work before is that you currently only allow the DMZ subnet to access your Zabbix servers.

I would suggest, since we are now NOT limiting your DMZ to only access the Zabbix servers, that you rename your DMZ access-list to make more sense.

If you want to rename your access-list, you can do so by using the command:

access-list DMZ_TO_INSIDE rename <new name>

For example: access-list DMZ_TO_INSIDE rename from_DMZ

FYI, renaming an access-list (or object) has no impact on traffic, as ASAs use an access-list and/or object's hex ID, not its name, which does not change by using the rename command. This means you can change it without fear of impacting users/servers.
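What makes the after-auto rules a last resort is the way the ASA (8.3 and later) orders its NAT table into three sections: Section 1 holds manual NAT in configuration order, Section 2 holds object (auto) NAT sorted static before dynamic, then fewest real addresses, then lowest real address, then object name, and Section 3 holds after-auto manual NAT in configuration order; the first matching rule wins. The Python model below is an added example, not the answer's or Cisco's code. It takes the NAT rules from the question's config (three of the static port-forwards, to keep it short) plus the two after-auto rules from the answer, orders them that way and looks up which rule a flow would hit, before and after the clean-up. The labels "after-auto dmz"/"after-auto inside", the helper names and the sample hosts 172.16.1.100, 192.168.1.50 and 10.0.0.5 are this example's own assumptions.

```python
"""Toy model of the ASA (8.3+) NAT table: how rules are ordered into Sections 1-3 and
which rule a flow hits first. Added example, not from the page; it models only the
source interface, real source address/port and the static port-forwards from the
config, not destination-based matching, twice-NAT objects or the connection table."""
import ipaddress


def nat_rule(section, kind, ifaces, real, obj, port=None):
    """section: 1 manual, 2 auto (object) NAT, 3 after-auto manual.
    kind: 'static' or 'dynamic'. ifaces: (real_if, mapped_if).
    real: real source network. port: real TCP port for 'static ... service tcp X X'."""
    return {"section": section, "kind": kind, "ifaces": ifaces,
            "real": ipaddress.ip_network(real), "obj": obj, "port": port}


def order_nat_table(rules):
    """Order like the ASA: Section 1 first; Section 2 static before dynamic, then
    fewest real addresses, then lowest real address, then object name; Section 3
    last. Sections 1 and 3 keep configuration order (the index is the tie-breaker)."""
    def key(item):
        idx, r = item
        if r["section"] == 2:
            return (2, 0 if r["kind"] == "static" else 1,
                    r["real"].num_addresses, int(r["real"].network_address), r["obj"], idx)
        return (r["section"], idx)
    return [r for _, r in sorted(enumerate(rules), key=key)]


def table_order(rules):
    """Object names in the order the ASA would evaluate them."""
    return [r["obj"] for r in order_nat_table(rules)]


def lookup_outbound(table, src_if, src_ip, src_port=None):
    """First rule that translates a flow leaving src_if from src_ip; a static with a
    service only matches its own real port. None means the flow stays untranslated."""
    ip = ipaddress.ip_address(src_ip)
    for r in table:
        if r["ifaces"][0] != src_if or ip not in r["real"]:
            continue
        if r["port"] is not None and r["port"] != src_port:
            continue
        return r
    return None


def lookup_inbound(table, mapped_if, dst_port):
    """First static rule that untranslates a connection arriving on mapped_if to the
    interface address on dst_port (dynamic PAT rules never match inbound)."""
    for r in table:
        if r["kind"] == "static" and r["ifaces"][1] == mapped_if and r["port"] == dst_port:
            return r
    return None


# NAT statements from the question's config (three of the static port-forwards shown).
ORIGINAL = [
    nat_rule(2, "dynamic", ("dmz", "outside"), "172.16.1.0/24", "obj-dmz-subnet"),
    nat_rule(2, "dynamic", ("dmz", "outside"), "0.0.0.0/0", "obj_any"),
    nat_rule(2, "dynamic", ("inside", "outside"), "192.168.1.0/24", "obj-lan-subnet"),
    nat_rule(2, "static", ("dmz", "outside"), "172.16.1.30/32", "web_server_http", port=80),
    nat_rule(2, "static", ("dmz", "outside"), "172.16.1.30/32", "web_server_https", port=443),
    nat_rule(2, "static", ("dmz", "outside"), "172.16.1.40/32", "mail_server_smtp", port=25),
]
# After the answer's clean-up: the statics stay in Section 2 and the broad dynamic
# rules become after-auto manual NAT in Section 3 (rule labels are this example's own).
CLEANED = [r for r in ORIGINAL if r["kind"] == "static"] + [
    nat_rule(3, "dynamic", ("dmz", "outside"), "0.0.0.0/0", "after-auto dmz"),
    nat_rule(3, "dynamic", ("inside", "outside"), "0.0.0.0/0", "after-auto inside"),
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("cleaned", CLEANED)):
        table = order_nat_table(rules)
        print(label, "table order:", table_order(rules))
        # Constructed flows: a DMZ host browsing out, the web server answering on
        # port 80, the web server itself browsing out, and a host on 'data'.
        for src_if, ip, port in (("dmz", "172.16.1.100", 40000), ("dmz", "172.16.1.30", 80),
                                 ("dmz", "172.16.1.30", 40000), ("data", "10.0.0.5", 40000)):
            hit = lookup_outbound(table, src_if, ip, port)
            print(f"  {src_if} {ip}:{port} ->", hit["obj"] if hit else "no NAT (untranslated)")
        hit = lookup_inbound(table, "outside", 443)
        print("  outside -> interface:443 ->", hit["obj"] if hit else "no static match")
```

Two things the output makes visible: in the original table the statics sit above the dynamic rules, so the web server's port-80 traffic is still port-forwarded while its other traffic falls through to the subnet PAT rule, and after the clean-up a DMZ host only reaches the after-auto rule because nothing in Section 2 claims it. It also shows that neither version has any NAT for the data or mgmt interfaces, which the config above confirms.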