Unable to access DMZ from Internet

Here is a generic diagram of my home and Cisco Lab environments. The Lab is located in the DMZ and should be accessible from the Internet, as well as from the inside. I can ping the DMZ from the inside, ping from the DMZ to the outside, and telnet directly to the Cisco Access Server 172.16.0.253 from the inside. I can also SSH into the ASA from the outside. Maybe there is something that I am missing here.

Once I am able to fully access the lab from the outside, I want to start considering options to access the lab remotely, but in some other way than telnet. The Cisco equipment I have does not support VPN/SSH. Is it possible to SSH directly to the ASA, then open a telnet session to the lab's access server?

[Diagram: 1498osy.png]


Code:
ASA Version 9.1(5)
!
hostname ASA1
enable password XXXXX encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 speed 100
 duplex full
!
interface Ethernet0/3
 speed 100
 duplex full
!
interface Ethernet0/4
 speed 100
 duplex full
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group PPPoE
 ip address pppoe setroute
!
interface Vlan3
 description LINK TO CISCO RACK
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.0.254 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network power_switch_static
 host 192.168.1.110
object network cisco_lab_static
 host 172.16.0.253
object network dmz_to_outside
 subnet 172.16.0.0 255.255.255.0
access-list outside_in extended permit tcp any host 172.16.0.253 eq telnet
access-list outside_in extended permit tcp any host 192.168.1.110 eq 5000
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network cisco_lab_static
 nat (dmz,outside) static interface service tcp telnet telnet
object network dmz_to_outside
 nat (dmz,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
no ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 inside
ssh XXXXX 255.255.255.255 outside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group PPPoE request dialout pppoe
vpdn group PPPoE localname XXXXX
vpdn group PPPoE ppp authentication pap
vpdn username XXXXX password ***** store-local

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 216.146.35.35 216.146.36.36 interface inside
dhcpd enable inside
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.113.32.5 source outside
username XXXXX password XXXXX encrypted privilege 15
username XXXXX attributes
 service-type nas-prompt
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
 
No, this is not tied to school at all...it's just what I am trying to put together so I can continue working through my Cisco studies.
 
Yes, you can, but it appears that you have a DHCP-configured outside interface. This makes it trickier, as you will need to have a DDNS service inside to get back to your outside address.

Also what cisco kit do you have that doesn't support SSH exactly?
 
The bit that does this is your line

ssh XXXXX 255.255.255.255 outside

but if the XXXXX doesn't match your DHCP assigned address it won't work.
 
Yes, you can, but it appears that you have a DHCP-configured outside interface. This makes it trickier, as you will need to have a DDNS service inside to get back to your outside address.

Also what cisco kit do you have that doesn't support SSH exactly?

As far as the kit is concerned, the access server is an old 2509-RJ running 12.2(26) software. All of the routers are 2500 series, except for a couple of 1721s. I have (2) 2950 switches, and (1) 3550 L3 switch. However, I don't want to leave the rack on all the time. So I have a web power switch on the 192.168.1.0 network, that I can log into, turn the rack on when I want to study, then shut it off when I'm finished. Once I get everything set, I will probably end up moving the power switch to the DMZ.
 
The bit that does this is your line

ssh XXXXX 255.255.255.255 outside

but if the XXXXX doesn't match your DHCP assigned address it won't work.

The XXXXX is the public IP address here at work. I had to enter that command so I could SSH into the ASA to configure it remotely.
 
Sorry I misread, I thought you didn't have that bit working.... right so the issue is that you want to telnet from the ASA to the rest of the estate?

If that is the case you are out of luck, they don't support it (SSH or Telnet)

You can get your 1721's to support SSH you need firmware:- c1700-k8o3sy7-mz.122-8YN.bin

Then you'll need to put in an SSH NAT / PAT to it and go from there, does mean leaving a 1721 on which isn't great but better than nothing.

You can also put SSH on your 3550 with the K9 versions of the firmware.
 
Sorry I misread, I thought you didn't have that bit working.... right so the issue is that you want to telnet from the ASA to the rest of the estate?

That is correct, just the lab network.


You can get your 1721's to support SSH you need firmware:- c1700-k8o3sy7-mz.122-8YN.bin

Then you'll need to put in an SSH NAT / PAT to it and go from there, does mean leaving a 1721 on which isn't great but better than nothing.

I will definitely consider this in the future. In the meantime, how would I make it so I can at least telnet to the access server in the DMZ from the outside?
 
Well, a couple of choices for you. I guess that your DMZ and internal network are just two separate VLANs on the same 3550 switch. You can set up a management address in the DMZ VLAN and then VLAN access control lists on the 3550 (assuming your DMZ is supposed to be secure), SSH onto the switch (assuming you put K9 software on), and then from there open a telnet session to the server.

Or stuff the 1721 (with K8 crypto firmware) into the DMZ and use that as a relay to get to the server.

A few choices; I'd probably favour the 3550 and put the K9 software on it, given the choice.
 
Sorry, I think I misled you. The Cisco gear is behind the access server with no physical connection to the inside network. The ASA has three VLANs configured, one for the outside (connected to the DSL modem on e0/0), one for the inside network (ports e0/1, 0/2, 0/3, 0/4), and the DMZ (e0/6). The access server is what is connected to the DMZ on port e0/6.

I do not have a router or switch between the modem and the ASA. Since I have the base license, I am pretty limited on what I can do with the DMZ. I can create the DMZ, but only if I enter the "no forward interface vlan 1" command.
 
Well, the theory will still hold true, as the DMZ has a security level of 50 and by default the ASA will allow all traffic from higher to lower levels statefully. Just make sure that the 3550 on the "inside" has either a default gateway pointing at the FW inside address or has a route for the DMZ network with a next hop of the FW inside address.
 
I'm still using the older ASA firmware but Cisco DMZ does not work like a home router's DMZ.

You need to define the access control for outside access to the DMZ.
To allow port 80 the old syntax would be something like:


access-list dmz-outside extended permit tcp 172.16.0.0 255.255.255.0 (whatever the PPPoe interface is) eq www
 
After much digging in the configuration guides, I was finally able to get this to work. I left the ASA connected directly to the DSL modem, the lab environment is left in the DMZ, and the inside networks remain segregated. Thanks for everyone's input.

If you are interested, here is the final configuration.

Code:
ASA-5505# sh run
: Saved
:
ASA Version 9.1(5)
!
hostname ASA-5505
enable password XXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
!
interface Vlan1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif OUTSIDE
 security-level 0
 pppoe client vpdn group DSL
 ip address pppoe setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network INTERNAL_LAN
 subnet 192.168.1.0 255.255.255.0
object network INTERNAL_LAN_OUTSIDE
 subnet 192.168.1.0 255.255.255.0
object network DMZ_TO_OUTSIDE
 subnet 172.16.0.0 255.255.255.0
object network cisco_lab_static
 host 172.16.0.2
object network power_switch_static
 host 192.168.1.110
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit tcp any object cisco_lab_static eq telnet
access-list OUTSIDE_IN extended permit tcp any object power_switch_static eq 5000
access-list DMZ_IN extended permit ip any any
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1492
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network INTERNAL_LAN_OUTSIDE
 nat (INSIDE,OUTSIDE) dynamic interface
object network cisco_lab_static
 nat (DMZ,OUTSIDE) static interface service tcp telnet telnet
object network power_switch_static
 nat (INSIDE,OUTSIDE) static interface service tcp 5000 5000
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_IN in interface OUTSIDE
access-group DMZ_IN in interface DMZ
route INSIDE 192.168.2.0 255.255.255.0 192.168.1.100 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 INSIDE
telnet timeout 15
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 INSIDE
ssh XXXXXX 255.255.255.255 OUTSIDE
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname XXXXX
vpdn group DSL ppp authentication pap
vpdn username XXXXX password *****

dhcpd address 192.168.1.5-192.168.1.36 INSIDE
dhcpd dns 216.146.35.35 216.146.36.36 interface INSIDE
dhcpd enable INSIDE
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.113.32.5 source OUTSIDE
username XXXXX password XXXXX encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
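Diffing the two configs shows what actually changed: the first one defines outside_in and the static PAT for 172.16.0.253 but never applies the ACL to the outside interface, and on an ASA a static NAT on its own permits nothing inbound from a lower-security interface; the final config adds `access-group OUTSIDE_IN in interface OUTSIDE`. As an added example (not code from the thread or from Cisco), here is a small audit script that parses an ASA 9.x `show run` for exactly that defect, plus two related checks: a static NAT whose real address has no inbound permit on the mapped interface, and a telnet permit from any bound inbound on a security-level-0 interface. The two embedded configs are constructed, condensed from the ones posted above; the parser assumes post-8.3 semantics (ACEs name real, pre-NAT addresses) and does not handle object-groups, source-port qualifiers or IPv6.

```python
"""Added example: audit an ASA 9.x config for the three defects discussed above:
unbound access-lists, static NATs with no inbound permit, and telnet from any on
a security-level 0 interface. Assumes post-8.3 ACL semantics (ACEs name real,
pre-NAT addresses); object-groups, source-port qualifiers and IPv6 are not handled."""
import re
from collections import defaultdict

PORT_NAMES = {"telnet": "23", "ssh": "22", "www": "80", "http": "80", "https": "443"}
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (static|dynamic) (\S+)(?: service (\S+) (\S+) (\S+))?")
AG_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def _take_addr(tokens):
    """Pop one endpoint: any | host X | object X | object-group X | network mask."""
    head = tokens.pop(0)
    return head if head in ("any", "any4", "any6") else f"{head} {tokens.pop(0)}"

def parse_ace(line):
    """Parse one extended ACE; ports are normalised so 'telnet' and '23' compare equal."""
    m = ACE_RE.match(line)
    if not m:
        return None
    acl, action, _proto, rest = m.groups()
    tokens = rest.split()
    src, dst = _take_addr(tokens), _take_addr(tokens)
    port = tokens[1] if len(tokens) >= 2 and tokens[0] == "eq" else None
    return {"acl": acl, "action": action, "src": src, "dst": dst, "port": PORT_NAMES.get(port, port)}

def parse_asa_config(text):
    cfg = {"interfaces": {}, "objects": {}, "acls": defaultdict(list), "access_groups": {}}
    cur_if = cur_obj = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if not raw.startswith(" "):            # top-level command: leaves any sub-mode
            cur_if = cur_obj = None
            if line.startswith("interface "):
                cur_if = {}
            elif line.startswith("object network "):   # an object appears twice: address, then nat
                cur_obj = cfg["objects"].setdefault(line.split()[2], {"addr": None, "nat": []})
            elif line.startswith("access-list "):
                ace = parse_ace(line)
                if ace:
                    cfg["acls"][ace["acl"]].append(ace)
            elif (m := AG_RE.match(line)):
                cfg["access_groups"][m.group(1)] = (m.group(2), m.group(3))
            continue
        if cur_if is not None:                 # nameif precedes security-level in show run (assumption)
            if line.startswith("nameif "):
                cur_if["nameif"] = line.split()[1]
            elif line.startswith("security-level ") and "nameif" in cur_if:
                cfg["interfaces"][cur_if["nameif"]] = int(line.split()[1])
        elif cur_obj is not None:
            if line.startswith("host "):
                cur_obj["addr"] = line.split()[1]
            elif (m := NAT_RE.match(line)):    # service clause is: proto real_port mapped_port
                cur_obj["nat"].append({"mapped_if": m.group(2), "kind": m.group(3),
                                       "real_port": PORT_NAMES.get(m.group(6), m.group(6))})
    return cfg

def _permitted_inbound(cfg, targets, iface, port):
    for acl, (direction, bound_if) in cfg["access_groups"].items():
        if direction == "in" and bound_if == iface:
            for ace in cfg["acls"].get(acl, []):
                if ace["action"] == "permit" and ace["dst"] in targets and ace["port"] in (None, port):
                    return True
    return False

def audit(cfg):
    """Return findings as (code, detail) tuples."""
    findings = [("UNBOUND_ACL", a) for a in cfg["acls"] if a not in cfg["access_groups"]]
    for name, obj in cfg["objects"].items():
        targets = {"any", "any4", f"object {name}", f"host {obj['addr']}"}
        for nat in obj["nat"]:
            if nat["kind"] == "static" and not _permitted_inbound(cfg, targets, nat["mapped_if"], nat["real_port"]):
                findings.append(("STATIC_NAT_NO_PERMIT", f"{name} via {nat['mapped_if']}"))
    for acl, (direction, iface) in cfg["access_groups"].items():
        if direction == "in" and cfg["interfaces"].get(iface) == 0:
            for ace in cfg["acls"].get(acl, []):
                if ace["action"] == "permit" and ace["src"] in ("any", "any4") and ace["port"] == "23":
                    findings.append(("CLEARTEXT_TELNET_FROM_ANY", f"{acl} -> {ace['dst']}"))
    return findings

# Constructed sample, condensed from the first (non-working) config posted in the thread.
BROKEN = """\
interface Vlan2
 nameif outside
 security-level 0
object network cisco_lab_static
 host 172.16.0.253
access-list outside_in extended permit tcp any host 172.16.0.253 eq telnet
object network cisco_lab_static
 nat (dmz,outside) static interface service tcp telnet telnet
"""
# The single line the final config added, which is what made inbound telnet work.
FIXED = BROKEN + "access-group outside_in in interface outside\n"

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(parse_asa_config(text)))
```

Run against the broken sample it reports the unbound ACL and the unreachable static NAT; against the fixed sample those two clear and only the third check fires. That third finding is worth keeping in view for the final config above: the `ssh ... OUTSIDE` line is pinned to one source address, while tcp/23 to the access server is open to any source, so restricting that ACE's source the same way costs nothing and keeps a cleartext login off the whole Internet.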
 