
Can't hit DMZ server: HTTP and POP3/SMTP

15 years 9 months ago #29258 by timparker
Hopefully some of you have been following along on my travels in setting up a new ASA 5505 and some Cisco 871s. I have now stumbled onto a new "problem".

This post sums up most of the setup and the changes that have been submitted and implemented. Anything currently on our inside interface can't seem to access our external web/email server, which is naturally on our DMZ interface.

I am guessing that it has to do with "hairpinning" the traffic since it would be going out the external and then coming back in to the DMZ interface.

How should I handle this? TIA.
15 years 8 months ago #29260 by S0lo
It would help if you post your config since this can be caused by several reasons. You can mask out any private data.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 8 months ago #29264 by timparker
Sorry about that, I thought I had put in a link to another post here where I had gotten some help, and it had stuff in it. Here is the config. I think I masked everything of value....

Result of the command: "sh conf"

: Saved
: Written by enable_15 at 04:28:20.767 EST Sun Feb 15 2009
!
ASA Version 7.2(4)
!
hostname MOPS-ASA-5505
domain-name mops-ohio.local
enable password PASSWORD encrypted
passwd PASSWORD encrypted
names
name 192.168.116.0 Columbus-Net description Columbus Subnet
name 192.168.16.0 Lancaster-Net description Lancaster Subnet
name 192.168.216.0 LickingCounty-Net description Licking County Subnet
name 204.x.y.194 External_Web_Mail_Server description External_Web_Mail_Server
name 192.168.18.3 Internal_Web_Mail_Server description Internal_Web_Mail_Server
name 24.x.y.195 Router_Columbus description Cisco 871 - Columbus
name 74.x.y.178 Router_LickingCounty description Cisco 871 - Licking County
name 192.168.16.35 Tim_Work_Computer description WKSTN0020
name 192.168.16.5 MOPSSRV05 description Mail, Backup Server
name 192.168.5.0 Ext_VPN_Network
name 192.168.16.3 MOPSSRV01 description DC - 1
name 192.168.16.6 MOPSSRV06 description DC - 2
name 204.x.y.195 ASA_5505_Ext description Firewall
name 192.168.16.9 ASA_5505_Int description Internal Interface
name 192.168.116.71 Camera_Columbus1 description Reception Office
name 192.168.116.70 Camera_Columbus2 description Waiting Room Area
name 192.168.16.70 Camera_Lancaster1 description Reception Area #624
name 192.168.16.71 Camera_Lancaster2 description Reception Area #630
name 192.168.216.5 Camera_LickingCounty description Reception Area
name 192.168.116.9 Columbus_Cisco_Switch
name 192.168.16.4 MOPSSRV02 description Terminal Server #1
name 192.168.16.8 MOPSSRV07 description Terminal Server #2
name 192.168.116.3 MOPSSRV04 description Columbus - DC/File Server
name 204.x.y.198 MOPS_Thru_Dlink
name 204.x.y.197 MOPS_Thru_Watchguard
!
interface Vlan1
nameif inside
security-level 100
ip address ASA_5505_Int 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ASA_5505_Ext 255.255.255.248
!
interface Vlan12
nameif dmz
security-level 10
ip address 192.168.18.9 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server MOPSSRV01
name-server MOPSSRV06
domain-name mops-ohio.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
protocol-object esp
protocol-object ah
object-group network VPNRemote-Admin
description Administrative Users
network-object host VPNUser_Tim_Home
object-group network Router_RemoteOffices
description Remote Offices Router for Site-to-Site VPN
network-object host Router_Columbus
network-object host Router_LickingCounty
object-group network VPN_Pool_IP
network-object host 192.168.16.95
object-group service WindowsRemoteDesktop tcp
port-object eq 3389
object-group network DM_INLINE_NETWORK_1
network-object host Tim_Work_Computer
network-object host MOPSSRV05
object-group network DC_Group
network-object host MOPSSRV01
network-object host MOPSSRV06
object-group network DM_INLINE_NETWORK_2
network-object host Tim_Work_Computer
network-object host MOPSSRV05
object-group service DM_INLINE_UDP_1 udp
port-object eq netbios-dgm
port-object eq netbios-ns
object-group protocol TCPUDP1
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
port-object eq ftp-data
object-group service DM_INLINE_TCP_1 tcp
group-object WindowsRemoteDesktop
port-object eq ftp
port-object eq ftp-data
object-group service Kerberos-New tcp-udp
port-object eq 88
object-group service DM_INLINE_TCP_3 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
port-object eq ftp-data
object-group service DM_INLINE_TCP_4 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq smtp
port-object eq www
object-group network DM_INLINE_NETWORK_3
network-object host MOPS_Thru_Watchguard
network-object host MOPS_Thru_Dlink
object-group network DM_INLINE_NETWORK_4
network-object host MOPS_Thru_Watchguard
network-object host MOPS_Thru_Dlink
object-group service DM_INLINE_TCP_5 tcp
port-object eq ftp
port-object eq ftp-data
access-list outside_access_in remark Terminal Service and FTP access to external Web server.
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host External_Web_Mail_Server object-group DM_INLINE_TCP_1
access-list outside_access_in remark Allow Web, email to the DMZ www.mopsohio.com
access-list outside_access_in extended permit tcp any host External_Web_Mail_Server object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit object-group TCPUDP1 host External_Web_Mail_Server any eq domain
access-list outside_access_in extended permit object-group TCPUDP object-group Router_RemoteOffices host ASA_5505_Ext
access-list outside_access_in extended permit tcp host 192.168.5.95 object-group DM_INLINE_NETWORK_1 object-group WindowsRemoteDesktop
access-list outside_access_in extended permit object-group TCPUDP1 host ASA_5505_Ext object-group DC_Group object-group Kerberos-New
access-list outside_access_in extended permit tcp host External_Web_Mail_Server any eq smtp
access-list outside_access_in extended deny tcp any host ASA_5505_Ext eq telnet inactive
access-list mops-vpn_splitTunnelAcl standard permit Lancaster-Net 255.255.255.0
access-list mops-vpn_splitTunnelAcl standard permit Columbus-Net 255.255.255.0
access-list mops-vpn_splitTunnelAcl standard permit LickingCounty-Net 255.255.255.0
access-list outside_1_cryptomap extended permit ip Lancaster-Net 255.255.255.0 Columbus-Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip Lancaster-Net 255.255.255.0 Columbus-Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip Lancaster-Net 255.255.255.0 LickingCounty-Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip Ext_VPN_Network 255.255.255.0 Lancaster-Net 255.255.255.0
access-list outside_2_cryptomap extended permit ip Lancaster-Net 255.255.255.0 LickingCounty-Net 255.255.255.0
access-list outside_3_cryptomap extended permit ip Lancaster-Net 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip Lancaster-Net 255.255.255.0 any
access-list inside_access_in extended permit ip host 192.168.5.95 any
access-list inside_access_in extended permit udp object-group DC_Group Ext_VPN_Network 255.255.255.0 object-group DM_INLINE_UDP_1 inactive
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 Ext_VPN_Network 255.255.255.0 object-group WindowsRemoteDesktop inactive
access-list inside_access_in extended permit object-group TCPUDP1 object-group DC_Group host ASA_5505_Ext object-group Kerberos-New inactive
access-list inside_access_in extended permit tcp host ASA_5505_Int object-group DC_Group eq ldap inactive
access-list dmz_access_in extended permit tcp host Internal_Web_Mail_Server any object-group DM_INLINE_TCP_4
access-list dmz_access_in extended permit object-group TCPUDP1 host Internal_Web_Mail_Server any eq domain
access-list dmz_access_in remark FTP Access from MOPS Internal Network [Outbound]
access-list dmz_access_in extended permit tcp host Internal_Web_Mail_Server object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_5
access-list dmz_access_in extended permit tcp host External_Web_Mail_Server host Internal_Web_Mail_Server object-group DM_INLINE_TCP_3
access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 Columbus-Net 255.255.255.0
access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 Ext_VPN_Network 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging from-address email@address.com
logging recipient-address email@address.com level errors
logging host inside 192.168.16.54 6/1470
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool NewIP 192.168.5.96-192.168.5.98 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location VPNUser_Tim_Home 255.255.255.255 inside
asdm location ASA_5505_Ext 255.255.255.255 inside
asdm location Columbus-Net 255.255.255.0 inside
asdm location LickingCounty-Net 255.255.255.0 inside
asdm location Internal_Web_Mail_Server 255.255.255.255 inside
asdm location External_Web_Mail_Server 255.255.255.255 inside
asdm location VPNUser_Kathy_Home 255.255.255.255 inside
asdm location Router_Columbus 255.255.255.255 inside
asdm location Router_LickingCounty 255.255.255.255 inside
asdm location 192.168.16.95 255.255.255.255 inside
asdm location Tim_Work_Computer 255.255.255.255 inside
asdm location MOPSSRV05 255.255.255.255 inside
asdm location MOPSSRV01 255.255.255.255 inside
asdm location MOPSSRV06 255.255.255.255 inside
asdm location ASA_5505_Int 255.255.255.255 inside
asdm location MOPSSRV02 255.255.255.255 inside
asdm location MOPSSRV07 255.255.255.255 inside
asdm location Camera_Lancaster1 255.255.255.255 inside
asdm location Camera_Lancaster2 255.255.255.255 inside
asdm location Columbus_Cisco_Switch 255.255.255.255 inside
asdm location Camera_Columbus2 255.255.255.255 inside
asdm location Camera_Columbus1 255.255.255.255 inside
asdm location Camera_LickingCounty 255.255.255.255 inside
asdm location MOPSSRV04 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 Lancaster-Net 255.255.255.0
static (outside,dmz) Internal_Web_Mail_Server External_Web_Mail_Server netmask 255.255.255.255
static (dmz,outside) External_Web_Mail_Server Internal_Web_Mail_Server netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route inside LickingCounty-Net 255.255.255.0 Router_LickingCounty 1
route outside 0.0.0.0 0.0.0.0 204.x.y.193 1
route outside 192.168.116.1 255.255.255.255 Router_Columbus 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server VPN_Authent protocol kerberos
aaa-server VPN_Authent (inside) host MOPSSRV06
kerberos-realm MOPS-OHIO.LOCAL
aaa-server VPN_Authent (inside) host MOPSSRV01
kerberos-realm MOPS-OHIO.LOCAL
aaa-server VPN_Authorz protocol ldap
aaa-server VPN_Authorz (inside) host MOPSSRV01
ldap-base-dn ou=mops-ohio.local
ldap-scope subtree
ldap-naming-attribute uid
ldap-login-password *
ldap-login-dn timparker
server-type microsoft
http server enable
http Lancaster-Net 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Login
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer Router_Columbus
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer Router_LickingCounty
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer VPNUser_Tim_Home
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet Tim_Work_Computer 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns MOPSSRV01 MOPSSRV06
dhcpd wins MOPSSRV01
dhcpd domain mops-ohio.local
dhcpd auto_config outside
dhcpd option 3 ip ASA_5505_Int
!

group-policy mops-vpn internal
group-policy mops-vpn attributes
wins-server value 192.168.16.3
dns-server value 192.168.16.3 192.168.16.6
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value mops-vpn_splitTunnelAcl
default-domain value mops-ohio.local
address-pools value NewIP
group-policy Site2Site-Columbus internal
group-policy Site2Site-Columbus attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy Site2Site-LickingCounty internal
group-policy Site2Site-LickingCounty attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
username timparker password PASSWORD encrypted privilege 15
username timparker attributes
vpn-group-policy mops-vpn
vpn-tunnel-protocol IPSec l2tp-ipsec
vpn-framed-ip-address 192.168.5.95 255.255.255.0
tunnel-group 24.x.y.195 type ipsec-l2l
tunnel-group 24.x.y.195 general-attributes
default-group-policy Site2Site-Columbus
tunnel-group 24.x.y.195 ipsec-attributes
pre-shared-key *
tunnel-group mops-vpn type ipsec-ra
tunnel-group mops-vpn general-attributes
address-pool NewIP
default-group-policy mops-vpn
tunnel-group mops-vpn ipsec-attributes
pre-shared-key *
tunnel-group 74.x.y.178 type ipsec-l2l
tunnel-group 74.x.y.178 general-attributes
default-group-policy Site2Site-LickingCounty
tunnel-group 74.x.y.178 ipsec-attributes
pre-shared-key *
tunnel-group 75.x.y.200 type ipsec-l2l
tunnel-group 75.x.y.200 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
!
service-policy global_policy global
smtp-server 192.168.16.5
prompt hostname context
Cryptochecksum:checksum
15 years 8 months ago #29269 by Patiot
You need to have a Security Plus license or higher to do that. Do you have it?

If you have one, please update the post. We will get your issue fixed.
Thanks
Patiot
15 years 8 months ago #29270 by timparker
Yep we do have one. Just did sh ver:

"This platform has an ASA 5505 Security Plus license."

What specifically does that have to do with it?
15 years 8 months ago #29276 by Smurf
I always thought it was a case of issuing the following command:

same-security-traffic permit intra-interface

Hmm, need to get hold of my ASA so I can start testing stuff, lol.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a security company called Sec-1 Ltd in the UK; for any penetration testing work visit www.sec-1.com or PM me for details.
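Added example, not taken from any post in this thread: the two static lines in the posted config only translate the DMZ server between dmz and outside, so a host on inside that connects to 204.x.y.194 is simply routed out the outside interface and the ASA has nothing that brings it back to the DMZ. The same-security-traffic permit intra-interface command suggested above lets traffic enter and leave the same interface (the remote-access VPN hairpin case); on its own it does not give inside hosts a path to the DMZ server's public address. On a pre-8.3 image such as the 7.2(4) posted here, the usual fixes are a second static between dmz and inside, or DNS doctoring. Every object name below comes from the posted config; the identity static for inside-to-dmz and the packet-tracer source host are assumptions added for illustration, and the 305005 check is the way to tell whether the identity static is needed at all.

```cisco
! Added example, not from the thread. ASA 7.2(4) (pre-8.3) static syntax:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! Names are those defined in the posted config:
!   External_Web_Mail_Server = 204.x.y.194  (public address)
!   Internal_Web_Mail_Server = 192.168.18.3 (DMZ address)
!   Lancaster-Net            = 192.168.16.0/24 (inside)
!
! --- What the posted config already has ---
! DMZ server appears as its public address toward outside (correct):
static (dmz,outside) External_Web_Mail_Server Internal_Web_Mail_Server netmask 255.255.255.255
!
! The second posted line is the same pair reversed: real interface outside,
! real address 204.x.y.194, mapped on dmz as 192.168.18.3. Static NAT proxy-ARPs
! for the mapped address on the mapped interface, so the ASA will answer ARP for
! 192.168.18.3 on the DMZ VLAN alongside the real server. It serves no purpose
! here; remove it before testing:
no static (outside,dmz) Internal_Web_Mail_Server External_Web_Mail_Server netmask 255.255.255.255
!
! --- Option A: translate the public address on the inside interface too ---
! A packet from inside to 204.x.y.194 now matches this static on arrival,
! is translated to 192.168.18.3 and forwarded to dmz instead of being
! routed out the outside interface.
static (dmz,inside) External_Web_Mail_Server Internal_Web_Mail_Server netmask 255.255.255.255
!
! The source side also needs a NAT decision for inside->dmz: the posted
! 'nat (inside) 1' has a matching 'global 1' only on outside. If the ASA logs
! %ASA-3-305005 (No translation group found) for inside->dmz traffic, add an
! identity static (assumed here; omit it if 305005 never appears):
static (inside,dmz) Lancaster-Net Lancaster-Net netmask 255.255.255.0
!
! --- Option B: DNS doctoring instead of a second static ---
! Re-enter the dmz<->outside static with the 'dns' keyword and enable DNS
! inspection (the posted global_policy inspects only ftp). A DNS reply crossing
! outside->inside that carries the A record 204.x.y.194 is rewritten to
! 192.168.18.3, so inside clients connect to the DMZ address directly.
no static (dmz,outside) External_Web_Mail_Server Internal_Web_Mail_Server netmask 255.255.255.255
static (dmz,outside) External_Web_Mail_Server Internal_Web_Mail_Server netmask 255.255.255.255 dns
policy-map global_policy
 class inspection_default
  inspect dns
!
! --- Verify (packet-tracer is available from 7.2(1); source host assumed
! to be Tim_Work_Computer, 192.168.16.35) ---
clear xlate
packet-tracer input inside tcp 192.168.16.35 40000 204.x.y.194 80
show xlate
```

Run clear xlate after adding or removing any static so a stale translation does not mask the change, then read the packet-tracer output: the NAT phase should show the (dmz,inside) static (Option A) and the result should be ALLOW with output interface dmz. Option B only helps when the DNS reply actually crosses the ASA; if the inside DCs are authoritative for the public zone as well, a split-DNS record pointing at 192.168.18.3 removes the need for doctoring. Separately, the posted dmz_access_in permits the DMZ server to initiate ftp, ftp-data, smtp and www to any, which includes the inside network; once inside-to-DMZ works, narrow that line to the inside hosts the server really needs (the posted smtp-server is MOPSSRV05) so a compromised web server cannot reach the rest of 192.168.16.0/24 on those ports.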