access from high security level to low security level


This topic contains 11 replies, has 2 voices, and was last updated by Anonymous 6 years, 9 months ago.

    gogi100 (Member), post #160298

    I have an ASA 5510 and I have a problem with access from a high security level to a low security level (inside to outside, inside to DMZ). I have a mail server on the outside at address x.x.x.179, and in the DMZ I have a web server at address 172.16.20.200. When I try to access my mail server or web server, I can't. I can ping these machines from the inside, but I can't use any service.
    My configuration of the ASA 5510 is:
    [CODE]
    ASA Version 8.4(2)
    !
    hostname asa5510
    domain-name domen.coml
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.178 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.10 255.255.255.0
    !
    interface Ethernet0/2
    description Mreza za virtualne masine- mail server, wsus….
    nameif DMZ
    security-level 50
    ip address 172.16.20.1 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name dri.local
    object network VPN-POOL
    subnet 192.168.50.0 255.255.255.0
    description VPN Client pool
    object network LAN-NETWORK
    subnet 192.168.0.0 255.255.255.0
    description LAN Network
    …..
    access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list DMZ_access_in extended permit tcp any any eq echo
    access-list outside_dmz extended permit tcp any host x.x.x.179 eq smtp
    access-list outside_dmz extended permit tcp any host x.x.x.179 eq pop3
    access-list DMZ_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.20
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
    access-group outside_access_in in interface outside
    access-group DMZ_access_in_1 in interface DMZ
    route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
    ….
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_x.x.x.223 internal
    group-policy GroupPolicy_x.x.x.223 attributes
    vpn-tunnel-protocol ikev1 ikev2
    group-policy drivpn internal
    group-policy drivpn attributes
    dns-server value 192.168.0.20 192.168.0.254
    vpn-simultaneous-logins 10
    vpn-idle-timeout 30
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value dri.local
    username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
    tunnel-group drivpn type remote-access
    tunnel-group drivpn general-attributes
    address-pool vpnadrese
    authentication-server-group domen
    default-group-policy drivpn
    tunnel-group drivpn ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group x.x.x.223 type ipsec-l2l
    tunnel-group x.x.x.223 general-attributes
    default-group-policy GroupPolicy_x.x.x.223
    tunnel-group 195.222.96.223 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect http
    inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:eb77b38e3dfe0b52e655fac7854e7e2c
    : end
    [/CODE]
    When I disable Global Policy > Inspection Default > ICMP, my ping also doesn't work.
    On the computers that I want to go through the asa5510, I put a static route, for example, for the DMZ: route add 172.16.20.0 mask 255.255.255.0 192.168.0.10 -p
    What do I do so that I can use HTTP, POP3, SMTP, etc.?
    thanks

    Anonymous, post #373516

    Re: access from high security level to low security level

    Quote:
    access-group outside_access_in in interface outside

    I don't see the corresponding ACL referenced in this access-group command.

    Also, with 8.4, for access to servers from the outside to the inside you reference the “internal” IP address, not the “public IP” as with older code (8.2 and below).

    I would clean up your config to make it easier to read.

    I also don't see any NAT configuration going from the inside to the outside, except for your static for VPN traffic.

    You also have this ACL applied inbound on the DMZ interface. Why is tcp used here? It should be icmp. High-to-low traffic is always allowed by default. Since you are inspecting icmp traffic, when you ping from high to low the traffic is permitted.

    access-list DMZ_access_in extended permit tcp any any eq echo

    The best thing to do is turn on logging on the ASA, initiate some traffic and see where the problem is. You can also use packet tracer to simulate a flow from, say, inside to DMZ to see where it's being dropped.

    Quote:
    When I disable Global Policy > Inspection Default > ICMP, my ping also doesn't work.

    This is because the return traffic is being dropped by the ACL I referenced above. Since you turned off the inspection policy, the ASA isn't inspecting the icmp traffic from high to low, so the return traffic is dropped. When icmp is inspected, the return traffic from the DMZ is allowed, as the state table is checked before the ACL.

    gogi100 (Member), post #334973

    I think that users from the inside or DMZ LAN can access the internet without rules or NATs, but they can't. Why?
    When I put my mail server in front of the ASA5510 and my mail server has a DNS server like in the DMZ zone, x.x.x.177, my mail server has internet, but when my mail server is in the DMZ zone, it has no internet.

    Anonymous, post #373517

    Quote:
    I think that users from the inside or DMZ LAN can access the internet without rules or NATs, but they can't. Why?

    Unless there is an upstream device doing NAT or you're using public IP space on your LAN, NAT will be required, as RFC1918 addresses are not routable.

    Quote:
    When I put my mail server in front of the ASA5510 and my mail server has a DNS server like in the DMZ zone, x.x.x.177, my mail server has internet, but when my mail server is in the DMZ zone, it has no internet.

    This ACL is blocking all traffic from the DMZ to anywhere except what is allowed in the ACE.

    access-list DMZ_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.20

    access-group DMZ_access_in_1 in interface DMZ

    And again, unless there is an upstream device performing NAT, you will need it from the DMZ to the outside.

    gogi100 (Member), post #334974

    Quote:
    Unless there is an upstream device doing NAT or you're using public IP space on your LAN, NAT will be required, as RFC1918 addresses are not routable.

    My provider gave me a scope of public IP addresses (5 addresses). When I make a static NAT for my mail server in the DMZ to the outside, again it cannot access the internet.

    Anonymous, post #373518

    I don't see that configuration in your post.

    sh run nat

    sh run object

    If the NAT is a static PAT to port 25, then outside users can reach your internal server using that public IP, but only on port 25. Traffic from the server itself will not be matched on that NAT statement if it is confined to a particular port. I can't see the configuration, so I can only assume.

    gogi100 (Member), post #334975

    I made a static NAT from 172.16.20.200 to x.x.x.180.
    My show run nat:

    Quote:
    nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
    !
    object network mail
    nat (DMZ,outside) static x.x.x.180

    My show run object:

    Quote:
    object network VPN-POOL
    subnet 192.168.50.0 255.255.255.0
    description VPN Client pool
    object network LAN-NETWORK
    subnet 192.168.0.0 255.255.255.0
    description LAN Network
    object network NETWORK_OBJ_192.168.0.0_24
    subnet 192.168.0.0 255.255.255.0
    object network 192.168.0.10
    host 192.168.0.10
    object service ssl
    service tcp destination eq 465
    object service tls
    service tcp destination eq 995
    object network mail_server
    host 172.16.20.200
    object service StartTLS
    service tcp destination eq 587
    object service admin_port
    service tcp destination eq 444
    object service ODMR
    service tcp destination eq 366
    object service SSL-IMAP
    service tcp destination eq 993
    object network remote
    host 172.16.20.200
    object network test
    host 192.168.0.22
    object network mail
    host 172.16.20.200
    object network DMZ
    host 172.16.20.200
    object network Inside_DMZ
    host 192.168.0.20
    object service rdp
    service tcp destination eq 3389
    object service microsoft_dc
    service tcp destination eq 445

    Anonymous, post #373519

    Okay, the NAT config looks good. The issue again is the ACL applied to the DMZ interface inbound. Remove that ACL from the interface and see if that server can get out to the internet.

    gogi100 (Member), post #334976

    Thanks, the problem is solved. I removed the ACL on the DMZ inbound. But how do I enable access from the DMZ to the inside network?
    One more time, thanks.

    Anonymous, post #373520

    Going from the DMZ to the inside will require an ACL permitting such traffic inbound on the DMZ interface, as the flow is from a lower-security interface to a higher-security interface. This ACL, however, will affect traffic from the DMZ to anywhere, so you will need to add the appropriate exceptions.

    Example: this ACL will allow traffic from the DMZ to the inside, plus SMTP traffic to the outside and web traffic to the outside.

    access-list DMZ permit ip 172.16.20.0 255.255.255.0 192.168.0.0 255.255.255.0 (Allows all traffic from dmz to inside – you can tighten this down)
    access-list DMZ permit tcp host 172.16.20.200 any eq smtp (Allows smtp from only mail server to outside)
    access-list DMZ permit tcp 172.16.20.0 255.255.255.0 any eq www (Allows web traffic from all hosts in the dmz)
    access-list DMZ deny tcp any any eq smtp (Denies all other smtp traffic outbound from other hosts)

    access-group DMZ in interface dmz
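The two rules the replies in this thread rely on are easy to lose sight of in a long running-config, so here is an added toy model (Python written for this page, not ASA code and not from the thread's participants) of the forwarding decision: the state table is consulted before any interface ACL (why ping from inside worked only while icmp was inspected), and binding any ACL inbound on an interface replaces the high-to-low implicit permit with that ACL's implicit deny (why the DMZ mail server could not reach the internet until the ACL was removed, and why the proposed DMZ ACL needs its outbound exceptions). Interface names, security levels, hosts and ACEs come from the posts; the object-group DM_INLINE_SERVICE_1 is approximated as any tcp to 192.168.0.20, and the outside peer 203.0.113.25 and the second DMZ host 172.16.20.77 are constructed.

```python
import ipaddress
from collections import namedtuple
LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}   # from the posted config
Pkt = namedtuple("Pkt", "ifc proto src dst sport dport", defaults=(0, 0))  # ports 0 for icmp

def in_net(ip, pat):
    return pat == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pat)

def acl_permits(acl, p):
    """ACE = (action, proto, src, dst, dport), dport 0 = any. First match wins;
    a bound ACL ends with an implicit deny, even for high -> low traffic."""
    for action, proto, src, dst, dport in acl:
        if (proto in (p.proto, "ip") and in_net(p.src, src)
                and in_net(p.dst, dst) and dport in (0, p.dport)):
            return action == "permit"
    return False

def forward(p, egress, acls, conns, inspect_icmp=True):
    """acls: {interface: ACL bound inbound}; conns: the state table (a set)."""
    # 1. Return traffic of a known connection passes before any ACL is consulted.
    if (p.proto, p.dst, p.dport, p.src, p.sport) in conns:
        return "permit (state table)"
    # 2. An ACL bound inbound on the ingress interface replaces the level rule.
    if p.ifc in acls:
        ok, why = acl_permits(acls[p.ifc], p), "ACL"
    else:
        ok, why = LEVELS[p.ifc] > LEVELS[egress], "security level"
    # 3. Without 'inspect icmp' an echo request leaves no state entry behind.
    if ok and (p.proto != "icmp" or inspect_icmp):
        conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
    return ("permit" if ok else "deny") + f" ({why})"

# The poster's DMZ ACL (its object-group approximated as any tcp to .20) and the
# ACL proposed in the reply above, written in CIDR notation for the toy matcher.
POSTED = [("permit", "tcp", "any", "192.168.0.20/32", 0)]
PROPOSED = [("permit", "ip", "172.16.20.0/24", "192.168.0.0/24", 0),
            ("permit", "tcp", "172.16.20.200/32", "any", 25),
            ("permit", "tcp", "172.16.20.0/24", "any", 80),
            ("deny", "tcp", "any", "any", 25)]
MAIL_OUT = Pkt("DMZ", "tcp", "172.16.20.200", "203.0.113.25", 50000, 25)  # constructed peer
OTHER_OUT = Pkt("DMZ", "tcp", "172.16.20.77", "203.0.113.25", 50001, 25)   # constructed host
TO_INSIDE = Pkt("DMZ", "tcp", "172.16.20.200", "192.168.0.22", 50002, 445)
def scenarios():
    r = {"smtp_out_posted": forward(MAIL_OUT, "outside", {"DMZ": POSTED}, set()),
         "smtp_out_no_acl": forward(MAIL_OUT, "outside", {}, set()),
         "smtp_out_proposed": forward(MAIL_OUT, "outside", {"DMZ": PROPOSED}, set()),
         "smtp_other_host": forward(OTHER_OUT, "outside", {"DMZ": PROPOSED}, set()),
         "dmz_to_inside_no_acl": forward(TO_INSIDE, "inside", {}, set()),
         "dmz_to_inside_proposed": forward(TO_INSIDE, "inside", {"DMZ": PROPOSED}, set())}
    for flag in (True, False):   # ping inside -> DMZ with and without 'inspect icmp'
        conns, acls = set(), {"DMZ": POSTED}
        forward(Pkt("inside", "icmp", "192.168.0.22", "172.16.20.200"), "DMZ", acls, conns, flag)
        reply = Pkt("DMZ", "icmp", "172.16.20.200", "192.168.0.22")
        r[f"echo_reply_inspect_{flag}"] = forward(reply, "inside", acls, conns, flag)
    return r
```

A real ASA keys ICMP state on identifier and sequence rather than a 5-tuple and evaluates NAT and routing as well; the model only reproduces the ordering the replies describe.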

    gogi100 (Member), post #334977

    Thanks very much.

    Anonymous, post #373521

    No problem 8)
