8/24/2019 Asa 5505 No Dmz Name If
Dec 3, 2018 - Packet Tracer 7.2 DMZ lab using Cisco ASA 5506 firewall to securely. Of ASA 5506-X firewall is used to configure the NAT rules that allow the hosts on the. The name of each interface, configured with nameif, is used in the.
We have an ASA 5505 with a VLAN setup for each of outside, inside and two dmz interfaces. The outside interface is set to security level 0, inside set to 100, and both dmz interfaces set to 50.
Unfortunately, the device is not passing traffic from one of the dmz interfaces (other is currently disabled) to the outside interface by default, as I'm expecting. I'm expecting that going from higher security to lower security, traffic should not get caught by an implicit ACL. However, the packet-tracer tool shows this to be the case - that it is getting blocked at step2 by an implicit ACL. I added an ACE to allow traffic to outside IPs, and the traffic does flow now. However, this shouldn't need to be done. It will create a management burden going forward, defining all allowed ranges of IPs, ports, protocols, etc.
The license on the ASA has Security Plus. Show version lists:
Cisco Adaptive Security Appliance Software Version 8.4(4)Device Manager Version 6.4(9)
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
sjwsjw
1 Answer
Well, first off
I added an ACE to allow traffic to outside IPs, and the traffic does flow now. However, this shouldn't need to be done. It will create a management burden going forward, defining all allowed ranges of IPs, ports, protocols, etc.
That's actually best practice to properly configure security devices by filtering using the proper IPs and Ports. Solely using security levels to filter traffic is bad practice in my opinion.
That being said, the traffic from a higher security interface to a lower security interface will pass without ACL's only if you use NAT between the two interfaces.
Edit to answer the questions in comments
In order to allow your DMZ to go on Internet but not in your LAN, the easiest way to do that is with two ACLs.
Lets say your internal network is using 192.168.1.0/24 and your DMZ is 10.0.0.0/27
The rules are read from top to bottom and the firewall will use the first one that match.
The other way to do it is to have ACLs on your Inside interface but with an access-group assigned to the outbound traffic.
And the filter the traffic that you allow to leave the inside interface.
![]()
Although you can filter the traffic going out of an interface, as opposed to going in the interface, I rarely use it. It can get confusing when your rule base gets bigger.
Do note that you should restrict the traffic as much as you can. This is really just an example.
AlexAlex
Not the answer you're looking for? Browse other questions tagged ciscocisco-asa or ask your own question.
ASA Version 8.2(5)
!
names
name 172.20.49.2 webserver name 172.20.49.0 dmz name 172.20.48.2 Comcast-Router name 50.196.x.x webserver-external-ip name 172.20.48.0 inside-subnet ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 switchport access vlan 5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 172.20.48.2 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 50.x.x.162 255.255.255.248 ! interface Vlan5 nameif dmz security-level 50 ip address 172.20.49.1 255.255.255.248 ! ftp mode passive clock timezone PST -8 clock summer-time PDT recurring dns domain-lookup inside dns server-group DefaultDNS name-server xDC1 name-server xDC2 domain-name x.org same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group network DNS_Servers description xx DNS Servers network-object host xDC1 network-object host xDC2 object-group service DM_INLINE_SERVICE_2 object-group service DM_INLINE_SERVICE_3 object-group service DM_INLINE_SERVICE_4 object-group service DM_INLINE_SERVICE_5 object-group protocol DM_INLINE_PROTOCOL_2 protocol-object ip protocol-object udp object-group network xx_Domain_Controllers description xx DCs and xx(DNS, DHCP, DS) network-object host xCDC1 network-object host xdc4 network-object host xDC3_2 network-object host xDC1_2 network-object host xDC1 network-object host xDC2 network-object host EHI_DHCP_1 network-object host EHI_DHCP_2 object-group protocol DM_INLINE_PROTOCOL_4 protocol-object ip protocol-object udp protocol-object tcp object-group network DM_INLINE_NETWORK_2 network-object xx_63 255.255.255.0 object-group service DM_INLINE_TCP_3 tcp port-object eq www port-object eq https object-group service DM_INLINE_TCP_1 tcp port-object eq www port-object eq https object-group protocol DM_INLINE_PROTOCOL_1 protocol-object ip protocol-object tcp protocol-object udp object-group protocol DM_INLINE_PROTOCOL_3 protocol-object ip protocol-object udp protocol-object tcp object-group network DM_INLINE_NETWORK_1 network-object xx_Domain_Svcs 255.0.0.0 network-object dmz 255.255.255.252 network-object xx_63 255.255.255.0 access-list DMZ_to_Inside extended permit ip interface dmz interface inside access-list outside_access_in extended permit tcp any host webserver-external-ip object-group DM_INLINE_TCP_3 access-list outside_access_in extended permit tcp any host 50.196.x.x object-group DM_INLINE_TCP_1 access-list outside_access_in remark Directory Services - Domain Contoller Ports access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group xx_Domain_Controllers inside-subnet 255.255.255.0 access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 xx_Domain_Svcs 255.0.0.0 inside-subnet 255.255.255.0 access-list outside_access_in extended permit tcp any host webserver eq www access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 inside-subnet 255.255.255.0 any log debugging access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 inside-subnet 255.255.255.0 xx_Domain_Svcs 255.0.0.0 access-list inside_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_1 access-list tcp_bypass extended permit tcp inside-subnet 255.255.255.224 any access-list global_mpc extended permit ip inside-subnet 255.255.255.0 object-group DM_INLINE_NETWORK_2 pager lines 24 logging enable logging timestamp logging trap informational logging asdm informational logging host inside 172.20.48.16 mtu inside 1500 mtu outside 1500 mtu dmz 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-631.bin no asdm history enable arp timeout 14400 nat-control global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 inside-subnet 255.255.255.0 nat (dmz) 1 dmz 255.255.255.252 static (inside,outside) tcp interface www 172.20.48.2 www netmask 255.255.255.255 access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 50.x.x.166 1 route inside xx_Domain_Svcs 255.0.0.0 172.20.48.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http inside-subnet 255.255.255.0 inside snmp-server host inside 172.20.48.16 poll community ***** no snmp-server location no snmp-server contact snmp-server community ***** snmp-server enable traps snmp authentication linkup linkdown coldstart sysopt connection timewait crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet 172.20.48.26 255.255.255.255 inside telnet 172.20.48.25 255.255.255.255 inside telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd address webserver-172.20.49.3 dmz dhcpd dns 75.75.75.75 75.75.76.76 interface dmz dhcpd lease 604800 interface dmz dhcpd enable dmz ! ![]()
threat-detection basic-threat
threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 216.228.192.69 source outside prefer webvpn ! class-map inspection-default class-map inspection_default match default-inspection-traffic class-map tcp_bypass description TCP traffic that bypasses stateful firewall match access-list global_mpc ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp class tcp_bypass set connection advanced-options tcp-state-bypass ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum: Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |