2

I have an ASA5505, connected to the WAN on port 0 (called Vlan2) and to my development LAN on port 7 (called Vlan1).

I want to add a DMZ, so I connected a switch and servers to port 3 and called it Vlan3.

These are my settings:

interface Vlan1  
 nameif inside  
 security-level 100
 ip address x.x.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.3.1 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 51
 ip address x.x.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 3
!

I also added a dynamic NAT rule to the DMZ interface, and a static policy NAT rule so that all HTTP and HTTPS connections to x.x.3.3 (the blog's external IP address) are forwarded to x.x.2.3 (the blog's internal IP).

I can connect to the web site from the outside world, but I cannot connect to it from my LAN (Vlan1): ping or SSH to x.x.3.3 does not work, and neither does ping or SSH to the Vlan3 interface x.x.3.1 (the ASA IP on Vlan3).

IPs:
x.x.1.1 = Vlan1 ASA IP
x.x.1.x/24 = Vlan1 - development LAN
x.x.2.1 = Vlan2 ASA IP
x.x.2.3 = Blog external IP
x.x.3.1 = Vlan3 ASA IP
x.x.3.3 = Blog internal IP

I need to be able to ping from x.x.1.x to x.x.3.x (from my Vlan1 development LAN to the Vlan3 DMZ LAN).

Version and license:

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.3(1)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 157 days 18 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is d0d0.fd22.622c, irq 11
 1: Ext: Ethernet0/0         : address is d0d0.fd22.6224, irq 255
 2: Ext: Ethernet0/1         : address is d0d0.fd22.6225, irq 255
 3: Ext: Ethernet0/2         : address is d0d0.fd22.6226, irq 255
 4: Ext: Ethernet0/3         : address is d0d0.fd22.6227, irq 255
 5: Ext: Ethernet0/4         : address is d0d0.fd22.6228, irq 255
 6: Ext: Ethernet0/5         : address is d0d0.fd22.6229, irq 255
 7: Ext: Ethernet0/6         : address is d0d0.fd22.622a, irq 255
 8: Ext: Ethernet0/7         : address is d0d0.fd22.622b, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

The NAT rules:

access-list dmz_nat_static line 1 extended permit ip host x.x.3.3 any 
static (dmz,outside)  x.x.2.3 access-list dmz_nat_static tcp 0 0 udp 0
nat (dmz) 1 x.x.3.0 255.255.255.0  tcp 0 0 udp 0 

I can see it is DMZ restricted, but can I build a "DMZ-like" solution with the 3 VLANs I have in my license?

Thanks.

gabi
    I'm voting to close this question as off-topic because it's better suited for ServerFault – RoraΖ Feb 10 '15 at 12:22

2 Answers

0

The Base license restricts you to three (3) VLANs, with the third VLAN only being able to initiate communication with one of the other two.

This means that if you have inside, outside, and dmz, inside and outside will work as expected, but dmz will only be able to initiate communication with outside. Note, this does not stop inside from initiating the communication with the dmz.

I can see it is DMZ restricted, but can I build "DMZ-like" solution with the 3 Vlans I have in my license?

With your current setup, you should still be able to access the dmz from the inside. What you will not be able to do is initiate communication FROM the dmz to the inside. This could pose a problem if your public facing application servers need to access internal resources.

The problem likely exists in your NAT rules, or possibly an ACL. Please post them and I will update this answer.

Edit:

You should be using your global (outside) address in this NAT rule, as well as translating for both the outside and inside interfaces. This should allow you to use the global address (x.x.3.3) to access the server in the DMZ regardless of whether you are on the outside or inside network.

Old:

static (dmz,outside)  x.x.2.3

New:

static (dmz,any)  x.x.3.3

If you are still experiencing issues, you can use packet-tracer to see where the flow is getting caught up:

packet-tracer input inside tcp x.x.1.3 1025 x.x.3.3 80
David Houde
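The answer above gives the NAT rule in shorthand. The fragment below is an added example, not configuration posted by the asker or by either answerer, spelling out the ASA 8.2 syntax for publishing the DMZ server by its public address to both the outside and the inside. Because the asker's IP legend contradicts the posted interface configuration, the example follows the interface configuration and the sentence "x.x.3.3 (external) forwards to x.x.2.3 (internal)"; those addresses, the ACL names and the inside test host x.x.1.3 are assumptions.

```cisco
! Added example (ASA 8.2 syntax), not from the question or the answers.
! Assumed addressing, taken from the posted interface config:
!   inside  = Vlan1, x.x.1.0/24 (ASA x.x.1.1, security-level 100)
!   outside = Vlan2, x.x.3.0/28 (ASA x.x.3.1, security-level 0)
!   dmz     = Vlan3, x.x.2.0/24 (ASA x.x.2.1, security-level 51)
!   blog    = real address x.x.2.3 in the dmz, published as x.x.3.3
!
! A static is only applied to flows that cross the interface pair it names:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! The existing static (dmz,outside) therefore never matches a packet that
! arrives on inside with destination x.x.3.3. Publishing the same mapping
! towards inside fixes that: the destination is un-translated to x.x.2.3
! first, and the route lookup then sends the packet out the dmz interface.
static (dmz,outside) x.x.3.3 x.x.2.3 netmask 255.255.255.255
static (dmz,inside)  x.x.3.3 x.x.2.3 netmask 255.255.255.255
!
! If "nat-control" is enabled, inside hosts additionally need a translation
! (here an identity static) to be allowed through to the dmz at all.
! With the default "no nat-control" this line is not required.
static (inside,dmz) x.x.1.0 x.x.1.0 netmask 255.255.255.0
!
! The outside (security-level 0) still needs an inbound ACL; open only the
! published ports. inside (100) -> dmz (51) needs no ACL, and dmz -> inside
! is already blocked by "no forward interface Vlan1" on interface Vlan3.
access-list outside_access_in extended permit tcp any host x.x.3.3 eq www
access-list outside_access_in extended permit tcp any host x.x.3.3 eq https
access-group outside_access_in in interface outside
!
! Echo replies only come back through the ASA if ICMP is stateful; the
! default global_policy does not inspect icmp.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification, from an assumed inside host x.x.1.3:
!   packet-tracer input inside tcp x.x.1.3 1025 x.x.3.3 80 detailed
!   packet-tracer input inside icmp x.x.1.3 8 0 x.x.3.3
!   show xlate | include x.x.3.3
!
! Pinging the ASA's own address on a far interface (for example the dmz
! interface from inside) fails by design: the ASA only answers ICMP sent to
! the address of the interface the packet arrives on. Test the server, not
! the interface.
```

If inside clients resolve the blog's name through a DNS server on the outside, the alternative is DNS rewrite instead of the second static: append the `dns` keyword to `static (dmz,outside) x.x.3.3 x.x.2.3 netmask 255.255.255.255` so that A records for x.x.3.3 in replies crossing the ASA are rewritten to x.x.2.3 (requires `inspect dns`, which is on in the default policy), and inside hosts then connect to the real address directly.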
0

I had a very similar setup, and the packet tracer showed that it should work both ways. I was a bit stumped. My issue, and something I should not have overlooked, was providing a route to my DMZ subnet from my Layer 3 device on my LAN. In my setup, we have a core L3 switch that handles our routing. Since the DMZ subnet is not being broadcast, I needed to add a static route on my core switch, and voila, it worked.

Hopefully you got this figured out by now though!

RoraΖ