Cisco ASA, and Secure Servers

Haven

I have an internal secure network that my client wants to put on his network but still keep it secured so only certain machines can access it. So I have set up a Cisco ASA to sit between the two networks. However I can't get it to work right.

I know I have done something wrong, but I can't seem to figure it out.

I have four machines that the techs use and those machines have static IP addresses now. They are supposed to be allowed inside the network, but when I have the rules setup Packet Tracer says the packets won't go through.

Diagram of network setup.

From what I thought I did, any device that is in the CL_Workstations should be allowed through on the Secure_Ports ports to the NAT'ed IPs.

Cisco Config
hostname Secure-Lab
domain-name test.lab
enable password encrypted
passwd encrypted
names
name 10.214.119.11 NAT_10.214.119.11
name 10.214.119.12 NAT_10.214.119.12
name 10.214.119.13 NAT_10.214.119.13
name 10.214.119.14 NAT_10.214.119.14
name 192.10.1.11 S_192.10.1.11
name 192.10.1.12 S_192.10.1.12
name 192.10.1.13 S_192.10.1.13
name 192.10.1.14 S_192.10.1.14
name 10.214.119.81 W_10.214.119.81
name 10.214.119.82 W_10.214.119.82
name 10.214.119.83 W_10.214.119.83
name 10.214.119.84 W_10.214.119.84
name 192.10.1.1 G_192.10.1.1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.10.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.214.119.4 255.255.255.0
!
interface Vlan4
nameif dmz
security-level 50
ip address G_192.10.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 4
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name indy.gov
object-group service Secure_Ports
service-object tcp-udp eq 137
service-object tcp eq 3389
service-object tcp eq 445
service-object tcp eq netbios-ssn
service-object udp eq netbios-dgm
object-group network CL_Workstations
network-object host W_10.214.119.81
network-object host W_10.214.119.82
network-object host W_10.214.119.83
network-object host W_10.214.119.84
object-group network NAT_IPs
network-object host NAT_10.214.119.11
network-object host NAT_10.214.119.12
network-object host NAT_10.214.119.13
network-object host NAT_10.214.119.14
object-group network Secure_Servers
network-object host S_192.10.1.11
network-object host S_192.10.1.12
network-object host S_192.10.1.13
network-object host S_192.10.1.14
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.14
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.13
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.12
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.11
nat (inside) 101 0.0.0.0 0.0.0.0
static (dmz,outside) NAT_10.214.119.11 S_192.10.1.11 netmask 255.255.255.255
static (dmz,outside) NAT_10.214.119.12 S_192.10.1.12 netmask 255.255.255.255
static (dmz,outside) NAT_10.214.119.13 S_192.10.1.13 netmask 255.255.255.255
static (dmz,outside) NAT_10.214.119.14 S_192.10.1.14 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.214.119.1 1

Any ideas what I did wrong?
 
What ASA are you using?

Also what is 192.10.0.x and 192.10.1.x used for?
 
It is a Cisco ASA 5505.

192.168.0.x is for "internal" which is to say nothing really.

192.168.1.x is used for the secure machines that need to be accessed by the 10.214.219.x specific machines.

And I have just been informed by the customer that they no longer want to do that; they just want to block all access to the secure machines, but let the secure machines out on port 443 to a Citrix server, which I had working a month ago until they changed their mind.

Thanks for the help. I'm going to go bang my head against the desk.
 
I used VPN to do it.
The only connection from unsecured to secure was by individual VPN connections with short timeouts, so they didn't get left open all the time, and with full logging.
 
It looks like your IP address on the dmz is wrong? I'm not sure why you are using

ip address G_192.10.1.1 255.255.255.0

That's something I'm at least unfamiliar with.

Also, it appears you are using pre-8.3 ASA firmware, which means, I believe, you will have to create a no-NAT statement when traversing between the DMZ and outside interfaces. The syntax should be

access-list DMZ_NONAT extended permit ip 192.10.1.0 255.255.255.0 10.214.119.0 255.255.255.0
nat (dmz) 0 access-list DMZ_NONAT

ASA 8.2 and earlier versions are made to NAT to the outside automatically, so you need to NAT exempt traffic. 8.3 and on it did not perform NAT unless you told it to. This may be solved by renaming the outside to something else as well, but don't quote me on that.

You can reset stats, and run

show nat

It will show you how many times each nat rule has been applied. Or go through packet-tracer and determine if it's being routed.

Do a

packet-tracer input outside tcp 10.214.119.11 123 192.10.1.11 3389 detailed

Let us know the results. One thing I like about the ASDM is that when you use the packet-tracer tool, it can show you the specific access-list rule that's blocking it (usually the implicit rule). That should get you going though.
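As an added example that is not part of the thread, the script below evaluates the object-group style ACL from the posted config with the same first-match and implicit-deny behaviour as the ASA, so a flow can be checked against the rule set offline before reaching for packet-tracer. It assumes Python 3 and a constructed subset of the config; the Secure_Ports, CL_Workstations and host names are taken from the config above.

```python
# Added example, not from the thread: offline evaluator for the posted object-group ACL.
PORTS = {"netbios-ssn": 139, "netbios-dgm": 138}  # named ports used in the config

CONFIG = """
! constructed subset of the config posted above: names, two groups, one ACE
name 10.214.119.11 NAT_10.214.119.11
name 10.214.119.81 W_10.214.119.81
object-group service Secure_Ports
service-object tcp-udp eq 137
service-object tcp eq 3389
service-object tcp eq netbios-ssn
object-group network CL_Workstations
network-object host W_10.214.119.81
access-list outside_access_in extended permit object-group Secure_Ports object-group CL_Workstations host NAT_10.214.119.11
"""

def _take(tok, names, groups):  # consume one service/src/dst spec; None means 'any'
    kw = tok.pop(0)
    if kw == "object-group":
        return groups[tok.pop(0)]
    if kw == "host":
        v = tok.pop(0)
        return [names.get(v, v)]  # resolve a 'name' alias to its address
    return None if kw == "any" else [(kw, None)]  # bare protocol keyword: any port

def parse(config):
    names, groups, acl, cur = {}, {}, [], None
    for t in (line.split() for line in config.strip().splitlines()):
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "object-group":
            cur = groups.setdefault(t[2], [])
        elif t[0] == "service-object":  # stored as (proto, port), e.g. ('tcp', 3389)
            cur.append((t[1], int(PORTS.get(t[3], t[3]))))
        elif t[0] == "network-object":
            cur.append(names.get(t[2], t[2]))
        elif t[0] == "access-list":  # stored as (action, service, source, destination)
            tok = t[4:]
            acl.append((t[3],) + tuple(_take(tok, names, groups) for _ in range(3)))
    return acl

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins, as on the ASA; no match means the implicit deny."""
    def svc_ok(p, port):
        return (p in (proto, "ip") or (p == "tcp-udp" and proto in ("tcp", "udp"))) and port in (None, dport)
    for action, svc, srcs, dsts in acl:
        if (svc is None or any(svc_ok(*s) for s in svc)) and (srcs is None or src in srcs) and (dsts is None or dst in dsts):
            return action
    return "deny (implicit)"
```

It models only the access-list stage; the NAT exemption and routing discussed in the reply above are not represented.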
 