Cisco ASA Security Levels

Hi Rene,

I have a similar ? like one of the others, im using packet tracer and with the 5505…I cant create a DMZ, it lets me create all except when I try and create NAMEIF it gives me:

ciscoasa(config-if)#nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.

and the show ver - shows 3 vlans with DMZ restricted -

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual

Please explain why. Thanks

Hi Marcus,

The base license only allows you to create 3 VLANs, but the DMZ is restricted. Here’s how it works:

Let’s say you have an INSIDE, OUTSIDE and DMZ interface. This means you can have traffic like this:

INSIDE <> OUTSIDE
INSIDE <> DMZ
DMZ <> OUTSIDE

The ASA 5505 base license doesn’t allow these three different traffic paths. You need to disable one of the traffic paths and I believe in one direction only. You can use the no forward command for this. For example, you could use this to disable traffic from INSIDE > DMZ, once you do this, you should be able to use all 3 interfaces.

It is a kinda lame restriction. The security plus license gets rid of this…

Rene

I follow all step but I can’t ping from inside to outside.

When I telnet from R1 to 192.168.2.2

R1(config)#do telnet 192.168.2.2
Trying 192.168.2.2 ... 
% Destination unreachable; gateway or host down

R1(config)#

Do I have to configure route on ASA?

Hi Rene,

Thanks for that. Still want clarification on something. If I want a subnet in the DMZ to access a subnet on the INSIDE, do I put the ACL on DMZ interface OR Inside Interface OR on Both? It’s just that in my live environment I see ACL on the DMZ interface for DMZ subnet to access INSIDE subnet so not sure if it is required.

Hello Bounpasong!

Please check your configuration again, it should function correctly. If you still have problems, please share the relevant portions of your configuration.

Thanks!

Laz

Hello Zahan!

In order to allow a subnet on the DMZ to access a subnet on the INSIDE, you will require an access list on the DMZ interface. Depending on your NAT configuration, you may also be required to configure a static NAT translation.

You can find additional information at the following Cisco support community link: https://supportforums.cisco.com/discussion/11011491/asa-5520-config-dmz-inside-access.

I hope this has been helpful!

Laz

1 Like

Question about the icmp inspect. Does that automatically allow ping from outside to inside or outside to DMZ? Because typically when I would enable this is only to allow ping between DMZ and INSIDE.

Hi Ryan,

It won’t. You still have to explicitly permit the (ICMP) traffic if you want to go from a lower to a higher security level.

Rene

1 Like

Hey Rene,

Is there another protocol/command to allow http traffic through an Cisco ASA other than a ACL?

Hi @iniguezjuan,

For traffic from INSIDE to OUTSIDE (and the return traffic), the default security levels will permit this. No need to add ACLs. You only need to use ACLs if you want to permit traffic that originated in the OUTSIDE and that goes to the INSIDE (or DMZ).

Rene

1 Like

19 posts were merged into an existing topic: Cisco ASA Security Levels

Hi,quick question regarding the service policy placement on the ASA, not including global because that’s pretty self explanatory. I created just a simple topology where the ASA was in the middle and has 2 routers on either side, the outside interface had a security level of 0 and inside 100, the outside interface is also blocking all traffic coming in. I implemented NAT on the ASA as well to change the inside network IP’s to the outside interface.

My policy map inspects ICMP and i applied it to a service policy that was placed on the inside interface, i tested it and everything worked as it should. NAT worked and allowed the traffic back into the inside network, the outside router could not ping the outside ASA interface IP and any inside network addresses. So everything is fine there. The same was done for the outside interface and the same behaviour was present.

My main question is then, how does the traffic get back through when the service policy is placed on the inside interface, when the class map matches ICMP then the inspection is applied on the policy map and the service policy is assigned to the inside interface, so the source IP would be the private IP of the host on the inside network, it then goes through NAT where NAT changes the source IP to the outside IP, when the return traffic comes back then it comes back with a destination address of the ASA outside IP but the dynamic ACL return traffic is for the destination address of the private IP, so how does it get through when there is no ACL for the traffic coming into the outside interface?

This is different from assigning the service policy on the outside where the dynamic ACL is the outside IP as the destination which can then be allowed and then the NAT binding table can direct traffic along it’s merry way.

Does anyone know the answer to this?

Hi, Thanks From Post,
i have Done Everything and Worked find, unfortunately my firewall Dose not Allow DNS resolution from outside interface to in inside
should i apply another ACL or inspect DNS Traffic from outside to inside and VS ?
----------------------------------------------------------------------------------------------------------------------------

ASA3/SRV-A(config)# packet-tracer input TO-OUT tcp 0.0.0.0 53 6.6.6.6  53

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   6.6.6.6         255.255.255.255 inside

Result:
input-interface: TO-OUT
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

**ASA3/SRV-A(config)# show run**
: Saved
:
: Serial Number: 123456789AB
: Hardware:   ASA5520, 512 MB RAM, CPU Pentium II 1000 MHz
:
ASA Version 9.1(5)16 <context>
!
hostname SRV-A
domain-name mod.gov.af
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 172.16.3.1 255.255.255.0
 hold-time eigrp 100 60
!
interface Ethernet2
 nameif TO-OUT
 security-level 0
 ip address 172.16.8.2 255.255.255.0
 hold-time eigrp 100 60
!
dns server-group DefaultDNS
 domain-name mod.gov.af
access-list icmp extended permit icmp any any
pager lines 24
mtu inside 1500
mtu TO-OUT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group icmp in interface TO-OUT
!
router eigrp 100
 eigrp router-id 33.33.33.33
 network 172.16.3.0 255.255.255.0
 network 172.16.5.0 255.255.255.0
 network 172.16.8.0 255.255.255.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  message-length maximum server auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:bc0fd5f01c98ca935e7632181d832257
: end

Hello John.

First of all, when you apply a global service policy as you have done here (service-policy global_policy global), it is applied as an ingress policy on all interfaces. So, for all inspections, including DNS, the inspection occurs on the inside interface for all outgoing DNS traffic and on the outside interface for all incoming DNS traffic. So inspection does indeed occur for both outside to inside and inside to outside directions for DNS.

Now I can’t see off hand why your DNS resolution requests are not being allowed through. Are you sure it’s just DNS traffic that is being blocked or all traffic? Can you try to apply an ACL for the specific DNS server you are using to see if that does allow it through? Let us know your results so we can further help you in the troubleshooting process.

I hope this has been helpful!

Laz

1 Like

Hello Rene, my name is Peter and I am new to this forum.
please can you post the syntax to permit icmp from outside?

Hello Peter

Take a look at this lesson which describes how to apply an access list to allow traffic from OUTSIDE to INSIDE. In the example, it is Telnet traffic that is allowed, but instead of Telnet you can apply it to ICMP.

I hope this has been helpful!

Laz

Hello Rene,

There is something magical in my Lab that I cannot figure out.

The topology is the same as in this lesson. I cannot ping from High security level to low security level. I can only ping Peer routers. I did this Lab on physical equipment and it was not working. I now did it on EVE-NG and still having same issue.

Here is my topology:
image

And here is my configuration:

R1#show run
Building configuration...

Current configuration : 2905 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
ip cef    
no ipv6 cef
!         
multilink bundle-name authenticated
!         
!         
!         
!         
!         
redundancy
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!         
interface GigabitEthernet0/1
 no ip address
 shutdown 
 duplex auto
 speed auto
 media-type rj45
!         
interface GigabitEthernet0/2
 no ip address
 shutdown 
 duplex auto
 speed auto
 media-type rj45
!         
interface GigabitEthernet0/3
 no ip address
 shutdown 
 duplex auto
 speed auto
 media-type rj45
!         
ip default-gateway 192.168.1.254
ip forward-protocol nd
!         
!         
no ip http server
no ip http secure-server
!         
!         
!         
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

/////////////////////////////////////////////////////////////////////////////////////////////////////

ASA# show run
: Saved
: 
: Serial Number: JMX1203L0NN
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium II 1000 MHz
:
ASA Version 9.1(5)16 
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface Ethernet1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.2.254 255.255.255.0 
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.3.254 255.255.255.0 
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:57778cb62f3fd7b1b912f6b3e6d00a12
: end

////////////////////////////////////////////////////////////////////////////////////////////////////

R2#show run
Building configuration...

Current configuration : 2909 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!         
! 
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 192.168.2.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

///////////////////////////////////////////////////////////////////////////////////////////

 R3#show run
Building configuration...

Current configuration : 1225 bytes
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
! 
!
!
!
!
!
!
!         
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.3.3 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 no ip address
 shutdown
 duplex auto
!
interface Ethernet0/2
 no ip address
 shutdown
 duplex auto
!
interface Ethernet0/3
 no ip address
 shutdown
 duplex auto
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex auto
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex auto
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex auto
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex auto
!
ip default-gateway 192.168.3.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login    
 transport input none
!
!
end

Hello Ayong

At first glance, there doesn’t seem to be anything wrong with your configs. I’m not sure what you mean when you say that you can only ping “peer routers”. I assume you mean you can ping from the ASA to each individual router?

If you are unable to ping, then there may be something else configured in the ASA that is blocking this. I believe the easiest way to find it is to use the packet tracer feature of the ASA. This will tell you how and why a particular packet is dropped. You can find out more about it at the following lesson:


Let us know how your troubleshooting efforts are going.

I hope this has been helpful!

Laz

1 Like

Thank you so much Laz.
I fixed it. All I needed was a vacation.

I forgot to enter the no ip routing command on R1, R2, and R3.

It so strange that I did same error on real router and repeatedly when I tried on EVE-NG. :smile: dont laugh at me. :smile:

1 Like

Hello Ayong

No worries, we’ve all been there!! :crazy_face: Sometimes it really just is a matter of needing a vacation… Thanks for sharing that the problem has been resolved!

Laz

1 Like