sosipator (New Member, Posts: 5, Joined: Sat May 19, 2012 6:50 am)

ASA access rule problem

Sat May 19, 2012 7:31 am

Hello everybody,

I have a Cisco ASA 5510 device with a very simple configuration. There are two interfaces, outside and inside. I've configured dynamic NAT and a bunch of static NAT rules for some services running on the inside network.
The http server on the outside interface is accessible from the internet, but not from the inside network. I can access it only on the inside address.
I also can't ping the outside interface address from any host on the inside network.
Here's the rule:
access-list outside_access_in extended permit tcp any host 78.90.177.133 eq www (78.90.177.133 being my outside interface address)
also there is a rule to permit traffic to any less secure network. (inside is 100, outside is 0)

I would highly appreciate it if somebody gave me an idea why that would be, because I'm a complete noob in networking.

Thanks
Attachments: access_rules.png, packet_trace.png

auglan (Junior Member, Posts: 89, Joined: Fri Jun 25, 2010 7:55 am, Certs: CCNP)

Re: ASA access rule problem

Sat May 19, 2012 11:08 am

The ASA/PIX by design will not let you ping an interface that isn't facing you. (Not sure if there is a workaround for this, but in reality I can't figure out why you would want this behavior anyway. I think the management-interface command will make this work; you may want to look it up.) In the real world users should not be pinging your firewall at all. If anything, let them ping through the device (inside to internet etc.). You would need to inspect icmp or put an entry in your ACL coming outside to inside to allow the echo replies back in.

Also, ACLs for icmp traffic applied to interfaces do not affect icmp traffic terminating on the ASA itself. For that you use the icmp command.

sosipator (New Member, Posts: 5, Joined: Sat May 19, 2012 6:50 am)

Re: ASA access rule problem

Sat May 19, 2012 1:22 pm

The ICMP ping is not the problem. Actually, there is no DNS server on the inside network. When users from the inside try to reach some service by the domain name, the DNS servers of the ISP point to the outside interface address of the ASA, and it isn't reachable. However, it is perfectly available from outside the network, port 80 for example. You can reach it from the internet, but not from the inside network. If I put an entry in the hosts file on each and every machine it will work, but there has to be a way to configure the ASA to permit certain protocols on the outside interface.

Exstart (Junior Member, Posts: 85, Joined: Sat Oct 08, 2011 12:58 pm, Certs: CCNP/SP/DP CCNP-S, LPIC-1 VCP5, JNCIS-ENT)

Re: ASA access rule problem

Sat May 19, 2012 2:27 pm

You need to perform a DNS rewrite to reach an inside host with a public resolved IP address.

Just add the keyword "dns" to the static NAT rule; the ASA will translate the public IP to its private counterpart.

sosipator (New Member, Posts: 5, Joined: Sat May 19, 2012 6:50 am)

Re: ASA access rule problem

Fri Jun 01, 2012 2:03 am

Hello again, either I'm stupid, or these firewalls just don't make sense.

There is a web server on the internal network, which can be perfectly accessed from outside because of the static NAT rule. But when trying to reach it from the inside, it can't be accessed. I've tried to remove the implicit rule that stops the traffic from the inside network from reaching the outside interface, but I can't remove it. What should I do, please help. No IP traffic is allowed from the inside network to reach the outside interface and from there to NAT again to the inside web server. People in the office just can't write internal IP addresses in the web browser address bar, and the DNS points to the outside interface IP address.

Halo (Post Whore, Posts: 1008, Joined: Thu Oct 14, 2010 4:39 am, Certs: CCNP (R&S, Security), ITILv3 Foundation)

Re: ASA access rule problem

Fri Jun 01, 2012 2:42 am

Hmmm... off the top of my head, how about entering same-security-traffic permit intra-interface on the inside interface?

matgar (Ultimate Member, Posts: 743, Joined: Wed Nov 17, 2010 5:53 pm, Certs: CCNP, CCIP, CCNA Security)

Re: ASA access rule problem

Fri Jun 01, 2012 2:47 am

sosipator wrote:Hello again, either I'm stupid, or these firewalls just don't make sense.

There is a web server on the internal network, which can be perfectly accessed from outside because of the static NAT rule. But when trying to reach it from the inside, it can't be accessed. I've tried to remove the implicit rule, that stops the traffic from the inside network to reach the outside interface, but I can't remove it. What should I do, please help. No IP traffic is allowed from inside network to reach outside interface and from there to NAT again to inside web server. People in the office just can't write internal IP addresses in the web browser address bar, and the DNS points to the outside interface IP address.

Exstart already gave you a solution for your problem.

Here's a link related to DNS rewrite.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#problem

sosipator (New Member, Posts: 5, Joined: Sat May 19, 2012 6:50 am)

Re: ASA access rule problem

Tue Jun 05, 2012 3:57 am

matgar wrote:
sosipator wrote:Hello again, either I'm stupid, or these firewalls just don't make sense.

There is a web server on the internal network, which can be perfectly accessed from outside because of the static NAT rule. But when trying to reach it from the inside, it can't be accessed. I've tried to remove the implicit rule, that stops the traffic from the inside network to reach the outside interface, but I can't remove it. What should I do, please help. No IP traffic is allowed from inside network to reach outside interface and from there to NAT again to inside web server. People in the office just can't write internal IP addresses in the web browser address bar, and the DNS points to the outside interface IP address.

Extart already gave you a solution for your problem.

Here's a link related to DNS rewrite.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#problem


It's not a DNS issue, because no IP traffic is allowed from the inside network to access inside via the outside NAT. The scenario is the following:
Inside host sends a packet to the outside interface, which is NAT-ed back to the inside host.

I've added the rule that permits inside network to the outside interface, but still no luck.

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 78.90.177.133 eq www

When I "packet trace" through the ASDM it says the packet is dropped by the implicit rule (the highlighted one on the picture below).

I have no idea why that would be.
Attachments: acc_rule.png

matgar (Ultimate Member, Posts: 743, Joined: Wed Nov 17, 2010 5:53 pm, Certs: CCNP, CCIP, CCNA Security)

Re: ASA access rule problem

Tue Jun 05, 2012 6:42 am

sosipator wrote:
matgar wrote:
sosipator wrote:Hello again, either I'm stupid, or these firewalls just don't make sense.

There is a web server on the internal network, which can be perfectly accessed from outside because of the static NAT rule. But when trying to reach it from the inside, it can't be accessed. I've tried to remove the implicit rule, that stops the traffic from the inside network to reach the outside interface, but I can't remove it. What should I do, please help. No IP traffic is allowed from inside network to reach outside interface and from there to NAT again to inside web server. People in the office just can't write internal IP addresses in the web browser address bar, and the DNS points to the outside interface IP address.

Extart already gave you a solution for your problem.

Here's a link related to DNS rewrite.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#problem


It's not a DNS issue, cause no IP traffic is allowed from inside network from inside to access inside via outside NAT. The scenario is the following:
Inside host sends packet to outside interface, which is NAT-ed back to the inside host.

I've added the rule that permits inside network to the outside interface, but still no luck.

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 78.90.177.133 eq www

when I "packet trace" through the ASDM it says packet drop by the implicit rule (the highlighted one on the picture below)

I have no idea why would that be.


Due to the fact of how the Cisco ASA works, you can't come from the inside interface and access the outside interface, i.e. 78.90.177.133.
If you apply the DNS rewrite, the ASA will change the DNS replies for the lookups your internal hosts make to reflect the internal IP of your www server.
The hosts will then directly access the www server on its 192.168.1.x/24 address and not need to go through the ASA.
Last edited by matgar on Tue Jun 05, 2012 8:08 am, edited 1 time in total.

sosipator (New Member, Posts: 5, Joined: Sat May 19, 2012 6:50 am)

Re: ASA access rule problem

Tue Jun 05, 2012 7:29 am

That should work. I've already done it as Exstart suggested earlier, but somehow it doesn't.

Here's the line:

static (inside,outside) tcp interface www 192.168.1.4 www netmask 255.255.255.255 dns

What could go wrong?

matgar (Ultimate Member, Posts: 743, Joined: Wed Nov 17, 2010 5:53 pm, Certs: CCNP, CCIP, CCNA Security)

Re: ASA access rule problem

Tue Jun 05, 2012 8:32 am

You might want to read the entire document I linked earlier.
But anyway, DNS doctoring requires DNS inspection. Are you inspecting DNS traffic?

I'm not sure if the fact that you're using PAT on the outside interface IP might interfere somehow.

As an alternative you could try allowing hairpinning:

same-security-traffic permit intra-interface
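As an added configuration example (not from any poster in this thread), the pieces that DNS doctoring on an ASA 8.x depends on, shown together: the static PAT line with the dns keyword as posted above, plus DNS inspection in the global service policy, which the reply above says is required. The server address 192.168.1.4 and the interface PAT come from the thread; the policy-map and class-map names are the ASA's default ones.

```cisco
! Static PAT for the inside web server, with DNS rewrite (doctoring) enabled.
static (inside,outside) tcp interface www 192.168.1.4 www netmask 255.255.255.255 dns
!
! The dns keyword does nothing unless the DNS inspection engine sees the replies.
! This is the ASA default global inspection policy with DNS inspection turned on;
! if "inspect dns" is missing from global_policy, replies pass through unmodified.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! Check that DNS inspection is active and counting packets:
! show service-policy inspect dns
```

With this in place, an A-record reply for the public name that comes back through the outside interface is rewritten to 192.168.1.4 before it reaches the inside host, so the client connects directly to the server and never needs to hairpin through the outside interface.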
