ASA configuration with different DMZ interfaces?

mennojd (Technical User), Apr 5, 2010, NL
I am trying to configure a Cisco ASA 5510 with 2 different DMZ interfaces.
The outside interface is security level 0, inside is security level 100 and the 2 DMZ interfaces are security level 50.
I have 1 public IP range that I route with static NAT rules to the hosts on the different DMZ interfaces.

Whenever I open a TCP or UDP port to one of the public IP addresses on the outside interface, it is not working. Traffic from outside is still blocked by the ACL on the outside interface unless I change the rule to protocol IP instead of TCP or UDP. If I permit IP any any everything works, but that I do not want to do... ;).

Does anyone have any idea how to set up the configuration of an ASA with more than 1 DMZ interface?
 
Post your scrubbed config

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Please find attached my fictional and simplified config. I have been testing with this some more today and it seems that only the TCP rules in the ACLs are not working. UDP and ESP are working fine. I have to change the rules with TCP into the IP protocol to make it work. I am stunned. Hope you can help me...

ASA Version 8.0(4)
!
hostname firewall
domain-name test.local
enable password test
passwd test
names
name 192.168.100.2 HOST1
name 192.168.50.2 HOST2
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.0.0.34 255.255.255.240
!
interface Ethernet0/1
nameif dmz1
security-level 50
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz2
security-level 50
ip address 192.168.50.1 255.255.255.248
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 172.20.0.1 255.255.252.0
!
interface Management0/0
shutdown
nameif management
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name test.local
same-security-traffic permit intra-interface
access-list inside_access_out extended permit tcp host 172.20.0.100 eq 3000 any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended deny ip any any
access-list outside_access_in extended permit esp any host 10.0.0.36
access-list outside_access_in extended permit udp any eq 4500 host 10.0.0.36
access-list outside_access_in extended permit udp any eq isakmp host 10.0.0.36
access-list outside_access_in extended permit tcp any eq 10000 host 10.0.0.36
access-list outside_access_in extended permit tcp any eq smtp host 10.0.0.35
access-list outside_access_in extended permit tcp any eq 10.0.0.35
access-list outside_access_in extended permit tcp any eq https host 10.0.0.35
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list dmz1_access_in extended permit ip host HOST1 any
access-list dmz1_access_in extended permit icmp any any
access-list dmz1_access_in extended deny ip any any
access-list dmz2_access_in extended permit esp host HOST2 any
access-list dmz2_access_in extended permit udp host HOST2 eq isakmp any
access-list dmz2_access_in extended permit udp host HOST2 eq 4500 any
access-list dmz2_access_in extended permit icmp any any
access-list dmz2_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
nat-control
static (dmz2,outside) 10.0.0.36 HOST2 netmask 255.255.255.255
static (dmz1,outside) 10.0.0.35 HOST1 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz1_access_in in interface dmz1
access-group dmz2_access_in in interface dmz2
access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 172.20.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 172.20.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.20.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 172.20.0.100 source inside prefer
username test password test privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9d6159be2bfb451cb0e9553e733b6d0f
: end
 
Your ACL format is wrong:

acl_name permit tcp source_ip destination_ip eq port

Brent
Systems Engineer / Consultant
CCNP, CCSP
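Spelling out Brent's point: in an ASA extended ACE the port operator binds to the address immediately before it, so `permit tcp any eq smtp host 10.0.0.35` permits TCP from source port 25 to any port on 10.0.0.35, not TCP to port 25. A mail client connects from an ephemeral source port and falls through to the `deny ip any any`, which is why only the TCP rules failed: IKE normally uses UDP 500 on both ends (NAT-T 4500 on both ends) unless a NAT device in the path rewrites the source port, and ESP has no ports at all, so those rules matched by luck. The misplaced operator is also a hole rather than just a blocker, because anyone who sends from source port 25 is permitted to every TCP port on the host. The intended rule reads `access-list outside_access_in extended permit tcp any host 10.0.0.35 eq smtp`. One version caveat when reusing this config: on 8.0(4) the outside ACL references the mapped (public) address, as posted; from ASA 8.3 onward it references the real DMZ address.

The following Python is an added example, not code from the thread or from Cisco: it parses the posted outside ACL (minus the garbled `permit tcp any eq 10.0.0.35` line), evaluates constructed flows against it before and after moving the operator to the destination side, and prints the corrected lines. The port keyword table is a subset of the ASA's, 203.0.113.9 is a documentation address standing in for an Internet peer, and the `neq`/`lt`/`gt` operators are deliberately rejected rather than modelled.

```python
"""Lint Cisco ASA extended ACEs whose port qualifier sits on the source side.
Syntax: access-list NAME extended ACTION PROTO SRC [OP PORT] DST [OP PORT]."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80,  # subset of ASA keywords
              "pop3": 110, "imap4": 143, "https": 443, "isakmp": 500}
_PORT_WORD = {v: k for k, v in PORT_NAMES.items()}
PortSpec = Tuple[str, int, int]  # (operator, low, high); eq is stored as low == high
Ace = NamedTuple("Ace", [("name", str), ("action", str), ("proto", str), ("src", str),
                         ("src_ports", Optional[PortSpec]), ("dst", str),
                         ("dst_ports", Optional[PortSpec]), ("inactive", bool)])

def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)

def _take_addr(t: List[str], i: int) -> Tuple[str, int]:
    # Consume 'any', 'host X', 'X MASK' or a bare object name such as HOST1.
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    if t[i] != "any" and i + 1 < len(t) and t[i + 1].count(".") == 3:
        return f"{t[i]} {t[i + 1]}", i + 2
    return t[i], i + 1

def _take_ports(t: List[str], i: int) -> Tuple[Optional[PortSpec], int]:
    if i >= len(t) or t[i] not in {"eq", "neq", "lt", "gt", "range"}:
        return None, i
    if t[i] not in ("eq", "range"):
        raise NotImplementedError(f"port operator {t[i]} is not handled here")
    hi = _port(t[i + 2]) if t[i] == "range" else _port(t[i + 1])
    return (t[i], _port(t[i + 1]), hi), i + (3 if t[i] == "range" else 2)

def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _take_addr(t, 5)
    src_ports, i = _take_ports(t, i)  # an operator here binds to the SOURCE port
    dst, i = _take_addr(t, i)
    dst_ports, i = _take_ports(t, i)
    return Ace(t[1], t[3], t[4], src, src_ports, dst, dst_ports, "inactive" in t[i:])

def _addr_matches(spec: str, ip: str) -> bool:
    parts = spec.split()
    if spec == "any":
        return True
    if parts[0] == "host":
        return parts[1] == ip
    return len(parts) == 2 and ipaddress.ip_address(ip) in ipaddress.ip_network("/".join(parts), strict=False)

def _port_matches(spec: Optional[PortSpec], port: int) -> bool:
    return spec is None or spec[1] <= port <= spec[2]

def matches(ace: Ace, proto: str, sip: str, sport: int, dip: str, dport: int) -> bool:
    return (not ace.inactive and ace.proto in ("ip", proto)
            and _addr_matches(ace.src, sip) and _port_matches(ace.src_ports, sport)
            and _addr_matches(ace.dst, dip) and _port_matches(ace.dst_ports, dport))

def first_match(aces: List[Ace], proto: str, sip: str, sport: int, dip: str, dport: int) -> str:
    """ASA ACLs are first-match; a flow that matches nothing hits the implicit deny."""
    return next((a.action for a in aces if matches(a, proto, sip, sport, dip, dport)), "deny")

def suspicious_source_port(ace: Ace) -> bool:
    """TCP/UDP ACE whose only port qualifier is on the source side (clients use ephemeral ports)."""
    return ace.proto in ("tcp", "udp") and ace.src_ports is not None and ace.dst_ports is None

def fix_acl(aces: List[Ace]) -> List[Ace]:
    return [a._replace(src_ports=None, dst_ports=a.src_ports) if suspicious_source_port(a) else a
            for a in aces]

def render(ace: Ace) -> str:
    def ports(p: Optional[PortSpec]) -> str:
        if p is None:
            return ""
        nums = p[1:3] if p[0] == "range" else p[1:2]
        return f" {p[0]} " + " ".join(_PORT_WORD.get(n, str(n)) for n in nums)
    return (f"access-list {ace.name} extended {ace.action} {ace.proto} {ace.src}{ports(ace.src_ports)}"
            f" {ace.dst}{ports(ace.dst_ports)}" + (" inactive" if ace.inactive else ""))

OUTSIDE_ACL = [  # the outside ACL as posted above, minus the garbled "permit tcp any eq 10.0.0.35" line
    "access-list outside_access_in extended permit esp any host 10.0.0.36",
    "access-list outside_access_in extended permit udp any eq 4500 host 10.0.0.36",
    "access-list outside_access_in extended permit udp any eq isakmp host 10.0.0.36",
    "access-list outside_access_in extended permit tcp any eq smtp host 10.0.0.35",
    "access-list outside_access_in extended permit tcp any eq https host 10.0.0.35",
    "access-list outside_access_in extended deny ip any any",
]

if __name__ == "__main__":
    original = [parse_ace(l) for l in OUTSIDE_ACL]
    fixed = fix_acl(original)
    for label, *flow in [("SMTP client, ephemeral sport", "tcp", "203.0.113.9", 51234, "10.0.0.35", 25),
                         ("IKE, UDP 500 both ends", "udp", "203.0.113.9", 500, "10.0.0.36", 500),
                         ("TCP 3389 sent from sport 25", "tcp", "203.0.113.9", 25, "10.0.0.35", 3389)]:
        print(f"{label:30} original={first_match(original, *flow):7} fixed={first_match(fixed, *flow)}")
    for before, after in zip(original, fixed):
        if before != after:
            print(f"- {render(before)}\n+ {render(after)}")
```

Running it prints permit/deny for each flow before and after the fix, followed by `-`/`+` lines that can be pasted back. The linter flags every source-only port qualifier, so on the `dmz2_access_in` lines such as `permit udp host HOST2 eq isakmp any` it will also fire; there the source-side operator is presumably intentional (HOST2 initiates IKE from UDP 500), so treat the flag as a prompt to confirm intent rather than an error.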
 
Thanks a lot!

Although I should have seen that one myself... Sorry for my stupidity.

Thanks again for your help.
 