access from high security level to low security level
  • access from high security level to low security level

    I have an ASA 5510 and I have a problem with access from a high security level to a low security level (inside to outside, inside to DMZ). On the outside I have a mail server at address x.x.x.179, and in the DMZ I have a web server at address 172.16.20.200. When I try to access my mail server or web server, I can't. I can only ping these machines from the inside, but I can't use any service.
    My configuration of asa 5510 is:
    Code:
    ASA Version 8.4(2)
    !
    hostname asa5510
    domain-name domen.coml
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.178 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.10 255.255.255.0
    !
    interface Ethernet0/2
    description Mreza za virtualne masine- mail server, wsus....
    nameif DMZ
    security-level 50
    ip address 172.16.20.1 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name dri.local
    object network VPN-POOL
    subnet 192.168.50.0 255.255.255.0
    description VPN Client pool
    object network LAN-NETWORK
    subnet 192.168.0.0 255.255.255.0
    description LAN Network
    .....
    access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list DMZ_access_in extended permit tcp any any eq echo
    access-list outside_dmz extended permit tcp any host x.x.x.179 eq smtp
    access-list outside_dmz extended permit tcp any host x.x.x.179 eq pop3
    access-list DMZ_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.20
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
    access-group outside_access_in in interface outside
    access-group DMZ_access_in_1 in interface DMZ
    route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
    ....
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_x.x.x.223 internal
    group-policy GroupPolicy_x.x.x.223 attributes
    vpn-tunnel-protocol ikev1 ikev2
    group-policy drivpn internal
    group-policy drivpn attributes
    dns-server value 192.168.0.20 192.168.0.254
    vpn-simultaneous-logins 10
    vpn-idle-timeout 30
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value dri.local
    username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
    tunnel-group drivpn type remote-access
    tunnel-group drivpn general-attributes
    address-pool vpnadrese
    authentication-server-group domen
    default-group-policy drivpn
    tunnel-group drivpn ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group x.x.x.223 type ipsec-l2l
    tunnel-group x.x.x.223 general-attributes
    default-group-policy GroupPolicy_x.x.x.223
    tunnel-group 195.222.96.223 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect http
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:eb77b38e3dfe0b52e655fac7854e7e2c
    : end
    When I disable global policy > inspection default ICMP, my ping also doesn't work.
    On the computers that I want to go through the asa5510, I put a static route, for example for the DMZ: route add 172.16.20.0 mask 255.255.255.0 192.168.0.10 -p
    What do I do so that I can use HTTP, POP3, SMTP etc.?
    Thanks
    Last edited by gogi100; 9th November 2012, 14:01. Reason: add text

  • #2
    Re: access from high security level to low security level

    access-group outside_access_in in interface outside

    I don't see the corresponding ACL referenced in this access-group command.


    Also, with 8.4, for access to servers from the outside to the inside you reference the "internal" IP address and not the "public IP" as with older code (8.2 and below).

    I would clean up your config to make it easier to read.

    I also don't see any NAT configuration going from the inside to the outside, except for your static for VPN traffic.


    You also have this ACL applied inbound on the DMZ interface. Why is tcp used here? It should be icmp. High-to-low traffic is always allowed by default. Since you are inspecting icmp traffic, when you ping from high to low the traffic is permitted:

    access-list DMZ_access_in extended permit tcp any any eq echo


    The best thing to do is turn on logging on the ASA, initiate some traffic and see where the problem is. You can also use packet-tracer to simulate a flow from, say, inside to DMZ to see where it's being dropped.


    When I disable global policy > inspection default ICMP, my ping also doesn't work.
    This is because the return traffic is being dropped by the ACL I referenced above. Since you turned off the inspection policy, the ASA isn't inspecting the icmp traffic from high to low, so the return traffic is dropped. When icmp is inspected, the return traffic from the DMZ is allowed, as the state table is checked before the ACL.
    Last edited by auglan; 9th November 2012, 15:51.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

    • #3
      Re: access from high security level to low security level

      I think that users from the inside or DMZ LAN can access the internet without rules or NATs, but they don't. Why?
      When I put my mail server in front of the ASA5510, with the same DNS server as in the DMZ zone, x.x.x.177, my mail server has internet, but when my mail server is in the DMZ zone it has no internet.
      Last edited by gogi100; 11th November 2012, 14:13. Reason: add text

      • #4
        Re: access from high security level to low security level

        I think that users from the inside or DMZ LAN can access the internet without rules or NATs, but they don't. Why?
        Unless there is an upstream device doing NAT or you're using public IP space on your LAN, NAT will be required, as RFC 1918 addresses are not routable.


        When I put my mail server in front of the ASA5510, with the same DNS server as in the DMZ zone, x.x.x.177, my mail server has internet, but when my mail server is in the DMZ zone it has no internet.

        This ACL is blocking all traffic from the DMZ to anywhere except what is allowed in the ACE:

        access-list DMZ_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.20


        access-group DMZ_access_in_1 in interface DMZ

        And again, unless there is an upstream device performing NAT, you will need it from the DMZ to the outside.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

        • #5
          Re: access from high security level to low security level

          Unless there is an upstream device doing NAT or you're using public IP space on your LAN, NAT will be required, as RFC 1918 addresses are not routable.
          My provider gave me a range of public IP addresses (5 addresses). When I make a static NAT for my mail server in the DMZ to the outside, again it cannot access the internet.

          • #6
            Re: access from high security level to low security level

            I don't see that configuration in your post.


            sh run nat


            sh run object



            If the NAT is a static PAT to port 25, then outside users can reach your internal server using that public IP, but only on port 25. Traffic from the server itself will not be matched on that NAT statement if it is confined to a particular port. I can't see the configuration, so I can only assume.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
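            As an added example (my own, not configuration from this thread), here is what the points raised in replies #2, #4 and #6 look like on 8.4 code, using the names and addresses already posted: the DMZ mail server 172.16.20.200 with the public address x.x.x.180 and the object name mail from later in the thread. The dynamic PAT to the outside interface address, the object name DMZ-NETWORK, the service list on the outside ACL and the 203.0.113.10 test source are assumptions for illustration; x.x.x is the thread's own placeholder and must be replaced with the real public address before packet-tracer will accept it.

```cisco
! Object NAT (section 2): static one-to-one for the DMZ mail server.
! A port-restricted alternative would be
!   nat (DMZ,outside) static x.x.x.180 service tcp smtp smtp
! which only maps port 25 and therefore does NOT carry the server's own outbound flows.
object network mail
 host 172.16.20.200
 nat (DMZ,outside) static x.x.x.180
!
! Dynamic PAT for everything else on the inside and DMZ, hiding behind the
! outside interface address (assumed). The existing twice-NAT identity rule for
! LAN-NETWORK <-> VPN-POOL is in section 1, so VPN traffic is still untranslated.
object network LAN-NETWORK
 nat (inside,outside) dynamic interface
object network DMZ-NETWORK
 subnet 172.16.20.0 255.255.255.0
 nat (DMZ,outside) dynamic interface
! Inside -> DMZ needs no NAT rule at all on 8.3+: with no match it passes untranslated.
!
! On 8.3+ the interface ACL is evaluated on the REAL (untranslated) address,
! so the outside ACL names the object, not x.x.x.180.
access-list outside_access_in extended permit tcp any object mail eq smtp
access-list outside_access_in extended permit tcp any object mail eq pop3
access-list outside_access_in extended permit tcp any object mail eq www
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! Verify: simulate an SMTP connection from the Internet to the public address,
! and a web request from an inside host to the DMZ (high to low, no NAT involved).
packet-tracer input outside tcp 203.0.113.10 40000 x.x.x.180 25
packet-tracer input inside tcp 192.168.0.22 40000 172.16.20.200 80
show nat detail
show logging | include 106023
```

            The two packet-tracer runs print each phase (route lookup, ACL, NAT, inspection) and the phase that drops the packet; syslog 106023 is the message the ASA emits for a packet denied by an interface ACL, which is the quickest way to tell an ACL drop from a NAT or routing problem.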

            • #7
              Re: access from high security level to low security level

              I made a static NAT of 172.16.20.200 to x.x.x.180.
              My show run nat:
              nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
              !
              object network mail
              nat (DMZ,outside) static x.x.x.180
              My show run object:
              object network VPN-POOL
              subnet 192.168.50.0 255.255.255.0
              description VPN Client pool
              object network LAN-NETWORK
              subnet 192.168.0.0 255.255.255.0
              description LAN Network
              object network NETWORK_OBJ_192.168.0.0_24
              subnet 192.168.0.0 255.255.255.0
              object network 192.168.0.10
              host 192.168.0.10
              object service ssl
              service tcp destination eq 465
              object service tls
              service tcp destination eq 995
              object network mail_server
              host 172.16.20.200
              object service StartTLS
              service tcp destination eq 587
              object service admin_port
              service tcp destination eq 444
              object service ODMR
              service tcp destination eq 366
              object service SSL-IMAP
              service tcp destination eq 993
              object network remote
              host 172.16.20.200
              object network test
              host 192.168.0.22
              object network mail
              host 172.16.20.200
              object network DMZ
              host 172.16.20.200
              object network Inside_DMZ
              host 192.168.0.20
              object service rdp
              service tcp destination eq 3389
              object service microsoft_dc
              service tcp destination eq 445

              • #8
                Re: access from high security level to low security level

                Okay, the NAT config looks good. The issue again is the ACL applied inbound on the DMZ interface. Remove that ACL from the interface and see if that server can get out to the internet.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)

                • #9
                  Re: access from high security level to low security level

                  Thanks, the problem is solved. I removed the ACL on DMZ inbound. But how do I enable access from the DMZ to the inside network?
                  Once more, thanks.

                  • #10
                    Re: access from high security level to low security level

                    Going from the DMZ to the inside will require an ACL permitting such traffic inbound on the DMZ interface, as the flow is from a lower-security interface to a higher-security interface. This ACL, however, will affect traffic from the DMZ to anywhere, so you will need to add the appropriate exceptions.


                    Example: this ACL will allow traffic from the DMZ to the inside, plus SMTP traffic to the outside and web traffic to the outside:


                    access-list DMZ permit ip 172.16.20.0 255.255.255.0 192.168.0.0 255.255.255.0 (allows all traffic from the DMZ to the inside; you can tighten this down)
                    access-list DMZ permit tcp host 172.16.20.200 any eq smtp (allows SMTP from only the mail server to the outside)
                    access-list DMZ permit tcp 172.16.20.0 255.255.255.0 any eq www (allows web traffic from all hosts in the DMZ)
                    access-list DMZ deny tcp any any eq smtp (denies all other SMTP traffic outbound from other hosts)

                    access-group DMZ in interface dmz
                    Last edited by auglan; 12th November 2012, 16:40.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)
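                    An added example of my own, not from the thread: the same inbound DMZ ACL written the way a mail server in this DMZ actually needs it. Once an access-group is applied, the security-level default is gone and the list ends in an implicit deny, so everything the DMZ hosts need outbound (DNS to the resolver x.x.x.177 mentioned in reply #3, HTTPS, NTP) has to be listed, and the DMZ-to-inside permits should be as narrow as possible, since a compromised DMZ host will use whatever this ACL lets through to pivot. Assumptions: the mail server talks to 192.168.0.20 on 445/3389 (the microsoft_dc and rdp objects posted earlier) and uses it for DNS, NTP is needed, a second DMZ host 172.16.20.50 and the outside mail peer 198.51.100.25 are constructed test addresses, and x.x.x is still the thread's placeholder.

```cisco
! Lower-to-higher (DMZ -> inside): only the mail server, only to the DC, only these ports.
access-list DMZ extended permit tcp host 172.16.20.200 host 192.168.0.20 eq 445
access-list DMZ extended permit tcp host 172.16.20.200 host 192.168.0.20 eq 3389
access-list DMZ extended permit udp host 172.16.20.200 host 192.168.0.20 eq domain
! Everything else from the DMZ towards inside, the VPN pool and management is denied HERE,
! before the "any" permits below can match it (first match wins).
access-list DMZ extended deny ip 172.16.20.0 255.255.255.0 192.168.0.0 255.255.255.0 log
access-list DMZ extended deny ip 172.16.20.0 255.255.255.0 192.168.50.0 255.255.255.0 log
access-list DMZ extended deny ip 172.16.20.0 255.255.255.0 192.168.1.0 255.255.255.0 log
!
! Higher-to-lower (DMZ -> outside): the services the ACL would otherwise silently cut off.
access-list DMZ extended permit udp 172.16.20.0 255.255.255.0 host x.x.x.177 eq domain
access-list DMZ extended permit tcp 172.16.20.0 255.255.255.0 host x.x.x.177 eq domain
access-list DMZ extended permit udp 172.16.20.0 255.255.255.0 any eq ntp
access-list DMZ extended permit tcp host 172.16.20.200 any eq smtp
access-list DMZ extended permit tcp 172.16.20.0 255.255.255.0 any eq www
access-list DMZ extended permit tcp 172.16.20.0 255.255.255.0 any eq https
! The implicit deny ip any any follows anyway; stating it with "log" makes drops visible.
access-list DMZ extended deny ip any any log
!
access-group DMZ in interface DMZ
!
! Verify: the mail server resolving a name and sending mail should pass;
! another DMZ host reaching an inside host on RDP should hit the logged deny.
packet-tracer input DMZ udp 172.16.20.200 50000 x.x.x.177 53
packet-tracer input DMZ tcp 172.16.20.200 50000 198.51.100.25 25
packet-tracer input DMZ tcp 172.16.20.50 50000 192.168.0.22 3389
```

                    Return traffic for connections the inside opens to the DMZ (the ping and the web requests from the first post) is still matched in the connection table before this ACL is consulted, so nothing here needs to permit it. Like the outside ACL, this list is evaluated on untranslated addresses, so the DMZ hosts appear with their 172.16.20.x addresses even though they are PATed towards the outside.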

                    • #11
                      Re: access from high security level to low security level

                      Thanks very much.

                      • #12
                        Re: access from high security level to low security level

                        No problem
                        CCNA, CCNA-Security, CCNP
                        CCIE Security (In Progress)
