ASA5510 DMZ problems

15 years 1 week ago #32599 by scrapper
Hi, I've been troubleshooting my DMZ for a while now and my brain is about to explode because I have set up other ASAs like this fine.

Goal: allow rdp access from internet (inet) and from the internal network (internal) to 192.168.60.15 (in dmz)


[code:1]
: Saved
: Written by enable_15 at 20:41:51.518 EEST Sun Nov 8 2009
!
ASA Version 8.2(1)
!
interface Ethernet0/0
description Internet connection
nameif inet
security-level 0
ip address EXTERNAL 255.255.255.252
!
interface Ethernet0/1

nameif internal
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 30
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!
---
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inet_access_in extended permit tcp any host EXTERNAL eq https
access-list inet_access_in extended permit tcp any host 192.168.60.15 object-group rdp log alerts
access-list inet_access_in extended deny icmp any any
access-list internal_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0
---
global (inet) 10 interface
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 10 0.0.0.0 0.0.0.0
static (dmz,inet) tcp interface 3389 192.168.60.15 3389 netmask 255.255.255.255
access-group inet_access_in in interface inet
route inet 0.0.0.0 0.0.0.0 EXT_GW 1
[/code:1]

This is the current status. I have so much other stuff on my ASA, else I would have flushed the whole box by now. That other stuff, crypto maps, for example, could also be part of that problem.. :roll:

I am now questioning every line of the config. If you know what lines to change or add, please explain what they do (differently) so you may correct my understanding of the ACL and NAT.


Thank you for your time!
Scrapper
15 years 1 week ago #32619 by scrapper
Replied by scrapper on topic Re: ASA5510 DMZ problems
I have now read this article here:
www.firewall.cx/ftopic-4429-days0-orderasc-10.html

and based on that I added another NAT rule for the DMZ. No change.
The DMZ is not accessible from anywhere else.

[code:1]
: Saved
: Written by enable_15 at 11:32:34.672 EEST Tue Nov 10 2009
!
ASA Version 8.2(1)
!
---
dns-guard
!
interface Ethernet0/0
description Internet connection
nameif inet
security-level 0
ip address EXTERNAL 255.255.255.252
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 30
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa708-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
---
access-list inet_access_in extended permit tcp any host EXTERNAL eq https
access-list inet_access_in extended permit tcp any host 192.168.60.15 object-group rdp log alerts
access-list inet_access_in extended deny icmp any any
access-list internal_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
mtu inet 1500
mtu internal 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN 192.168.21.0-192.168.21.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (inet) 10 interface
global (dmz) 10 interface
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 192.168.60.0 255.255.255.0
static (dmz,inet) tcp interface 3389 192.168.60.15 3389 netmask 255.255.255.255
access-group inet_access_in in interface inet
route inet 0.0.0.0 0.0.0.0 EXTERNALGW 1
[/code:1]


Seems to be a stupid mistake somewhere... Makes no sense to me.
Please help.
15 years 1 week ago #32655 by scrapper
Replied by scrapper on topic Re: ASA5510 DMZ problems
Alright, I now found one pesky mistake: the GW on the DMZ server was wrong. Doh!

Now I can access the server over RDP from the internal network, but external access still doesn't work. I don't see anything in the logs either.


When I use ASDM to trace the packet, it fails at NAT. Makes sense, because I basically allowed everything through the ACL and it made no difference.

The work environment now has a cheap DSL router replacing the ASA :D

[code:1]
access-list inet_access_in extended permit tcp any host EXTERNAL eq https
access-list inet_access_in extended deny icmp any any
access-list inet_access_in extended permit tcp any host 192.168.60.15 object-group rdp
access-list internal_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0

nat-control
global (inet) 10 interface
global (dmz) 10 interface
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 10 access-list internal_nat0_outbound
nat (internal) 10 192.168.50.0 255.255.255.0
nat (dmz) 0 access-list internal_nat0_outbound
nat (dmz) 10 access-list internal_nat0_outbound
nat (dmz) 10 192.168.60.0 255.255.255.0
static (dmz,inet) tcp interface 3389 192.168.60.15 3389 netmask 255.255.255.255 dns
access-group inet_access_in in interface inet
route inet 0.0.0.0 0.0.0.0 EXTERNAL GW 1
[/code:1]

nat show:
[code:1]
NAT policies on Interface internal:
match ip internal 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 internal 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 16, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 management 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (EXTERNAL [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 internal 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 management 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 inet any
dynamic translation to pool 10 (EXTERNAL [Interface PAT])
translate_hits = 672, untranslate_hits = 88
match ip internal 192.168.50.0 255.255.255.0 internal any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 dmz any
dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 management any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal any inet any
no translation group, implicit deny
policy_hits = 0
match ip internal any dmz any
no translation group, implicit deny
policy_hits = 0

NAT policies on Interface dmz:
match ip dmz 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip dmz 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match tcp dmz host 192.168.60.15 eq 3389 inet any
static translation to EXTERNAL/3389
translate_hits = 0, untranslate_hits = 0
match ip dmz 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (EXTERNAL [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip dmz 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip dmz 192.168.60.0 255.255.255.0 inet any
dynamic translation to pool 10 (EXTERNAL [Interface PAT])
translate_hits = 557, untranslate_hits = 530
match ip dmz 192.168.60.0 255.255.255.0 dmz any
dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip dmz any inet any
no translation group, implicit deny
policy_hits = 0

NAT policies on Interface management:
match ip management any inet any
no translation group, implicit deny
policy_hits = 0
match ip management any dmz any
no translation group, implicit deny
policy_hits = 0
[/code:1]

Why can't I access DMZ host 192.168.60.15 over the internet by RDP (TCP/3389)?
15 years 1 week ago #32673 by S0lo
Replied by S0lo on topic Re: ASA5510 DMZ problems
What happens when you add the following line (just temporarily):

[code:1]access-list inet_access_in extended permit ip any any [/code:1]

If this works then your problem is obviously in the ACLs; otherwise, please post your FULL config so that we can have a clear look.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 6 days ago #32675 by S0lo
Replied by S0lo on topic Re: ASA5510 DMZ problems
On second thought, yes I think there is an ACL problem in the following line:

[code:1]access-list inet_access_in extended permit tcp any host 192.168.60.15 object-group rdp [/code:1]

192.168.60.15 is the internal IP of the RDP server. You should use the external IP, using the interface's. So try replacing the line with the following:

[code:1]access-list inet_access_in extended permit tcp any interface inet object-group rdp [/code:1]

Hope it helps.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
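Added example (not from the thread or either poster): a small Python model of the ASA 8.2 order of operations for a packet arriving on the outside interface, showing why the original ACE on the real DMZ address never matches and the `interface inet` form does. It assumes a constructed stand-in address for EXTERNAL and that `object-group rdp` means tcp/3389; on pre-8.3 code the interface ACL is checked against the mapped (translated) destination before the static is untranslated.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple

OUTSIDE_IF_IP = "203.0.113.2"  # constructed stand-in for the thread's EXTERNAL address
RDP_PORT = 3389                # assumption: object-group rdp == tcp/3389

class Static(NamedTuple):      # static (dmz,inet) tcp interface 3389 192.168.60.15 3389
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int

class Ace(NamedTuple):         # one access-list inet_access_in line
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "ip"
    dst: str                   # host/network, or "interface" for the inet interface address
    dport: Optional[int]       # None means any port

def ace_matches(ace: Ace, proto: str, dst_ip: str, dport: int) -> bool:
    if ace.proto not in (proto, "ip"):
        return False
    dst = OUTSIDE_IF_IP if ace.dst == "interface" else ace.dst
    if ip_address(dst_ip) not in ip_network(dst, strict=False):
        return False
    return ace.dport is None or ace.dport == dport

def inbound(acl: List[Ace], statics: List[Static], proto: str, dst_ip: str,
            dport: int) -> Tuple[str, Optional[Tuple[str, int]]]:
    # ASA 8.2: the ACL sees the packet as it arrives on inet, i.e. the MAPPED
    # destination; only a permitted packet is then untranslated by the static.
    for ace in acl:
        if ace_matches(ace, proto, dst_ip, dport):
            if ace.action != "permit":
                return ("acl-deny", None)
            break
    else:
        return ("acl-deny", None)           # implicit deny at the end of the ACL
    for s in statics:
        if (s.proto, s.mapped_ip, s.mapped_port) == (proto, dst_ip, dport):
            return ("permit", (s.real_ip, s.real_port))
    return ("no-translation", None)         # with nat-control, no NAT match = drop

STATIC = [Static("tcp", OUTSIDE_IF_IP, 3389, "192.168.60.15", 3389)]
ACL_ORIGINAL = [Ace("permit", "tcp", "192.168.60.15", RDP_PORT)]  # real IP: never seen on inet
ACL_FIXED = [Ace("permit", "tcp", "interface", RDP_PORT)]         # mapped IP, as suggested above

def rdp_from_internet(acl: List[Ace]) -> Tuple[str, Optional[Tuple[str, int]]]:
    # An internet client connecting to EXTERNAL:3389 (constructed test packet).
    return inbound(acl, STATIC, "tcp", OUTSIDE_IF_IP, 3389)
```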