I just got my software upgraded from v8.2(x) to v9.1(7), but I have some general issues with access to and from my DMZ:
- No internet access from DMZ
- No access to web or mail server from outside to DMZ
Here is my running-config:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 109.xxx.yyy.zzz 255.255.255.128
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif data
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Management0/0
nameif mgmt
security-level 0
ip address 192.168.128.1 255.255.255.0
!
...
object network obj-dmz-subnet
subnet 172.16.1.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-lan-subnet
subnet 192.168.1.0 255.255.255.0
object network obj-data-subnet
subnet 10.0.0.0 255.255.255.0
object network obj-mgmt-subnet
subnet 192.168.128.0 255.255.255.0
object network web_server
host 172.16.1.30
object network web_server_http
host 172.16.1.30
object network web_server_https
host 172.16.1.30
object network mail_server_smtp
host 172.16.1.40
object network mail_server_pop3
host 172.16.1.40
object network mail_server_imap
host 172.16.1.40
object network mail_server_pop3s
host 172.16.1.40
object network mail_server_imaps
host 172.16.1.40
object network mail_server_smtps
host 172.16.1.40
object-group network web_servers
network-object host 172.16.1.30
object-group network mail_servers
network-object host 172.16.1.40
object-group service web_services tcp
port-object eq www
port-object eq https
object-group service mail_services tcp
port-object eq smtp
port-object eq imap4
port-object eq pop3
port-object eq 995
port-object eq 993
port-object eq 465
object-group service zabbix_services tcp
port-object eq 10050
port-object eq 10051
access-list ACL_IN extended permit ip any4 any4
access-list OUTSIDE_TO_DMZ extended permit ip any4 any4
access-list OUTSIDE_TO_DMZ extended permit tcp any object-group web_servers object-group web_services
access-list OUTSIDE_TO_DMZ extended permit tcp any object-group mail_servers object-group mail_services
access-list OUTSIDE_TO_DMZ extended deny ip any any log
access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet host 192.168.1.4 object-group zabbix_services
!
object network obj-dmz-subnet
nat (dmz,outside) dynamic interface
object network obj_any
nat (dmz,outside) dynamic interface
object network obj-lan-subnet
nat (inside,outside) dynamic interface
object network web_server_http
nat (dmz,outside) static interface service tcp www www
object network web_server_https
nat (dmz,outside) static interface service tcp https https
object network mail_server_smtp
nat (dmz,outside) static interface service tcp smtp smtp
object network mail_server_pop3
nat (dmz,outside) static interface service tcp pop3 pop3
object network mail_server_imap
nat (dmz,outside) static interface service tcp imap4 imap4
object network mail_server_pop3s
nat (dmz,outside) static interface service tcp 995 995
object network mail_server_imaps
nat (dmz,outside) static interface service tcp 993 993
object network mail_server_smtps
nat (dmz,outside) static interface service tcp 465 465
access-group OUTSIDE_TO_DMZ in interface outside
access-group DMZ_TO_INSIDE in interface dmz
access-group ACL_IN in interface inside
route outside 0.0.0.0 0.0.0.0 109.xxx.yyy.zzz 1
What am I missing in my configuration?
Edit:
The NAT statement clean-up was the solution to one of the problems. Now I have full access to my web and mail server. However, Internet access to the DMZ still fails.
Here is the result of the packet-tracer command "packet-tracer input dmz tcp 172.16.1.100 80 8.8.8.8 80":
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Edit: I think I have made everything work now. It helped to insert the following access list:
access-list FROM_DMZ extended permit ip any any
Now I can send ping commands to the big wide world and get my machines upgraded in the DMZ.
It seemed almost too easy. Is there something I have to take into account or something I have forgotten?
Best Answer
Let's clean up your NAT statements a bit before we troubleshoot.
Here, we'll temporarily remove your "global" NAT statements.
This next object is a default object created on ASAs, which has a corresponding NAT statement that has been known to cause problems (due to how broad it is) if you don't remove it. You aren't using it, from what I can see, so we will remove it completely.
The next 2 lines are to create your global NAT statements again, but as manual NATs (rather than auto NATs) and also using the after-auto keyword in each to make sure that they are only used as a sort of last-resort (if traffic doesn't match against any other NAT statement first).
Now that the NAT statements are in a bit better order, can you show me some packet-tracer outputs?
Edit:
Please add:
access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet any eq 80
along with
access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet any eq 443
and then perform the same packet-tracer command as you tried a moment ago. The reason it didn't work before is that you currently only allow the DMZ subnet to access your Zabbix servers.
I would suggest, since we are now NOT limiting your DMZ to only access the Zabbix servers, that you rename your DMZ access-list to make more sense.
If you want to rename your access-list, you can do so by using the command:
For example:
access-list DMZ_TO_INSIDE rename from_DMZ
FYI, renaming an access-list (or object) has no impact on traffic, as ASAs use an access-list's and/or object's hex ID, not its name, and the rename command does not change that ID. This means you can change it without fear of impacting users/servers.
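To make the ACCESS-LIST phase of the packet-tracer output above concrete, here is a small added model (not part of the question or answer, and not ASA code) of how an interface ACL is evaluated: first match wins, and anything unmatched hits the implicit deny. It runs the question's flow 172.16.1.100:80 -> 8.8.8.8:80 against the original Zabbix-only DMZ_TO_INSIDE, against the answer's suggested eq 80/443 entries, and against the questioner's final "permit ip any any"; the DMZ-to-inside flow on tcp/22 is a constructed check showing that the any/any rule also matches traffic toward the inside subnet, which the narrower rules do not.

```python
import ipaddress

# Constructed model of ASA interface-ACL evaluation (added example, not ASA code).
def ace(action, proto, src, dst, dports=None):
    """One access-control entry; src/dst are CIDR strings, dports a set of TCP ports (None = any port)."""
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dports": dports}

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Return (verdict, index of matching ACE) the way packet-tracer's ACCESS-LIST phase would.
    No match means ('deny', None), i.e. the 'Implicit Rule' seen in the question's trace."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, e in enumerate(acl):
        if e["proto"] not in ("ip", proto):          # 'ip' entries match any protocol
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dports"] is not None and dport not in e["dports"]:
            continue
        return e["action"], i                         # first match wins
    return "deny", None

DMZ = "172.16.1.0/24"
ANY = "0.0.0.0/0"
ZABBIX_PORTS = {10050, 10051}                         # object-group zabbix_services

# The DMZ_TO_INSIDE list exactly as posted in the question: Zabbix host only.
DMZ_TO_INSIDE = [ace("permit", "tcp", DMZ, "192.168.1.4/32", ZABBIX_PORTS)]
# The answer's suggestion: the same list plus web egress on 80 and 443.
DMZ_TO_INSIDE_WEB = DMZ_TO_INSIDE + [ace("permit", "tcp", DMZ, ANY, {80}),
                                     ace("permit", "tcp", DMZ, ANY, {443})]
# The questioner's final fix: permit ip any any.
FROM_DMZ = [ace("permit", "ip", ANY, ANY)]

def packet_tracer_cases():
    """Verdicts for the question's packet-tracer flow and one constructed DMZ-to-inside flow."""
    web = ("tcp", "172.16.1.100", "8.8.8.8", 80)          # flow from the question's packet-tracer
    inside = ("tcp", "172.16.1.100", "192.168.1.10", 22)  # constructed: DMZ host toward inside subnet
    return {
        "zabbix_only_web": evaluate(DMZ_TO_INSIDE, *web)[0],        # deny (Implicit Rule)
        "with_web_rules_web": evaluate(DMZ_TO_INSIDE_WEB, *web)[0],  # permit
        "with_web_rules_inside": evaluate(DMZ_TO_INSIDE_WEB, *inside)[0],  # deny
        "any_any_web": evaluate(FROM_DMZ, *web)[0],                  # permit
        "any_any_inside": evaluate(FROM_DMZ, *inside)[0],            # permit
    }

if __name__ == "__main__":
    for name, verdict in packet_tracer_cases().items():
        print(f"{name}: {verdict}")
```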