access from high security level to low security level

Home Forums Networking Cisco Security – PIX/ASA/VPN access from high security level to low security level

Viewing 1 post (of 1 total)
  • Author
    Posts

  • gogi100
    Member
    #160298

    i have asa 5510 and i have problem with access from high security level to low security level( inside to outside, inside-dmz).I have on outside mail server which on address x.x.x.179, in DMZ i have web server on address 172.16.20.200. when i try access to my mail server or web server, i can’t do it.I can just ping these machines from inside, but i can’t use no one service.
    My configuration of asa 5510 is:
    ASA Version 8.4(2)
    !
    hostname asa5510
    domain-name domen.coml
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.178 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.10 255.255.255.0
    !
    interface Ethernet0/2
    description Mreza za virtualne masine- mail server, wsus….
    nameif DMZ
    security-level 50
    ip address 172.16.20.1 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name dri.local
    object network VPN-POOL
    subnet 192.168.50.0 255.255.255.0
    description VPN Client pool
    object network LAN-NETWORK
    subnet 192.168.0.0 255.255.255.0
    description LAN Network
    …..
    access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list DMZ_access_in extended permit tcp any any eq echo
    access-list outside_dmz extended permit tcp any host x.x.x.179 eq smtp
    access-list outside_dmz extended permit tcp any host x.x.x.179 eq pop3
    access-list DMZ_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.20
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
    access-group outside_access_in in interface outside
    access-group DMZ_access_in_1 in interface DMZ
    route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
    ….
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_x.x.x.223 internal
    group-policy GroupPolicy_x.x.x.223 attributes
    vpn-tunnel-protocol ikev1 ikev2
    group-policy drivpn internal
    group-policy drivpn attributes
    dns-server value 192.168.0.20 192.168.0.254
    vpn-simultaneous-logins 10
    vpn-idle-timeout 30
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value dri.local
    username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
    tunnel-group drivpn type remote-access
    tunnel-group drivpn general-attributes
    address-pool vpnadrese
    authentication-server-group domen
    default-group-policy drivpn
    tunnel-group drivpn ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group x.x.x.223
    type ipsec-l2l
    tunnel-group x.x.x.223
    general-attributes
    default-group-policy GroupPolicy_x.x.x.223
    tunnel-group 195.222.96.223 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect http
    inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:eb77b38e3dfe0b52e655fac7854e7e2c
    : end[/CODE]
    when i disable global policy>inspection default ICMP my ping also doesn’t works.
    on computers, where i want that they go to asa5510, i put static route, for example: for DMZ – route add 172.16.20.0 mask 255.255.255.0 192.168.0.10 -p
    what i do that i use http,pop3,smtp etc?
    thanks[CODE]ASA Version 8.4(2)
    !
    hostname asa5510
    domain-name domen.coml
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.178 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.10 255.255.255.0
    !
    interface Ethernet0/2
    description Mreza za virtualne masine- mail server, wsus….
    nameif DMZ
    security-level 50
    ip address 172.16.20.1 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name dri.local
    object network VPN-POOL
    subnet 192.168.50.0 255.255.255.0
    description VPN Client pool
    object network LAN-NETWORK
    subnet 192.168.0.0 255.255.255.0
    description LAN Network
    …..
    access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list DMZ_access_in extended permit tcp any any eq echo
    access-list outside_dmz extended permit tcp any host x.x.x.179 eq smtp
    access-list outside_dmz extended permit tcp any host x.x.x.179 eq pop3
    access-list DMZ_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.20
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
    access-group outside_access_in in interface outside
    access-group DMZ_access_in_1 in interface DMZ
    route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
    ….
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_x.x.x.223 internal
    group-policy GroupPolicy_x.x.x.223 attributes
    vpn-tunnel-protocol ikev1 ikev2
    group-policy drivpn internal
    group-policy drivpn attributes
    dns-server value 192.168.0.20 192.168.0.254
    vpn-simultaneous-logins 10
    vpn-idle-timeout 30
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value dri.local
    username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
    tunnel-group drivpn type remote-access
    tunnel-group drivpn general-attributes
    address-pool vpnadrese
    authentication-server-group domen
    default-group-policy drivpn
    tunnel-group drivpn ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group x.x.x.223
    type ipsec-l2l
    tunnel-group x.x.x.223
    general-attributes
    default-group-policy GroupPolicy_x.x.x.223
    tunnel-group 195.222.96.223 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect http
    inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:eb77b38e3dfe0b52e655fac7854e7e2c
    : end[/CODE]
    when i disable global policy>inspection default ICMP my ping also doesn’t works.
    on computers, where i want that they go to asa5510, i put static route, for example: for DMZ – route add 172.16.20.0 mask 255.255.255.0 192.168.0.10 -p
    what i do that i use http,pop3,smtp etc?
    thanks

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.

External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by: