Need some help with my ASA 5510 setup

Answered Question
Mar 12th, 2007

I could really use some help getting this ASA 5510 configuration done. I'm by no means a firewall guru, but since I'm the only network engineer at my company I've been asked to make the new Firewall/VPN work. I'm trying to set up the network to have a DMZ for our web servers and OWA, so everything in the DMZ will have an IP of 192.168.2.0. My Internal network will have an IP of 192.168.0.0 and the people coming in on the VPN will get an IP of 192.168.3.0. Is this the best way to do it, or can someone give me some tips on what's the best way to do it? The servers in the DMZ and Inside network need to be able to communicate between each other for Active Directory and DNS traffic, plus my users on the VPN and Internal networks need to be able to Remote Desktop into the servers in the DMZ and Internal network. I'll paste my config below, so any help would be greatly appreciated. Thanks. I guess it's too much data, so I'll put the other half in the next post and I'll attach it as a doc to the original post.

ASA Version 7.2(2)
!
hostname asa5510
domain-name test.com
enable password XXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif External
 security-level 0
 ip address 209.x.x.10 255.255.255.248
!
interface Ethernet0/1
 nameif Internal
 security-level 90
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 80
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd XXXXXXXXXX encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns server-group DefaultDNS
 domain-name test.com
access-list External_access_in extended permit tcp any host 209.254.99.65 eq www
access-list External_access_in extended permit tcp any host 209.254.99.66 eq ftp
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any
access-list test_splitTunnelAcl standard permit any
access-list External_access_out extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN 192.168.3.1-192.168.3.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (External) 1 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (Internal) 1 0.0.0.0 0.0.0.0
static (DMZ,External) 209.254.99.65 192.168.2.2 netmask 255.255.255.255
static (DMZ,External) 209.254.99.66 192.168.2.3 netmask 255.255.255.255
access-group External_access_in in interface External
access-group External_access_out out interface External
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy NOS internal
group-policy NOS attributes
 dns-server value 192.168.0.15
 vpn-tunnel-protocol IPSec
username rabbit password XXXXXXXX encrypted privilege 0
username rabbit attributes
 vpn-group-policy NOS
http server enable
http 192.168.0.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact

****SEE BELOW FOR THE REST****

a.grussner Mon, 03/12/2007 - 07:26

route External 0.0.0.0 0.0.0.0 209.254.99.9 1
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 20 set pfs
crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 40 set pfs
crypto dynamic-map External_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map External_map interface External
crypto isakmp enable External
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group NOS type ipsec-ra
tunnel-group NOS general-attributes
 address-pool VPN
 default-group-policy NOS
tunnel-group NOS ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXX

acomiskey Mon, 03/12/2007 - 07:34

Please explain what you are trying to do with External_access_out? It is pretty much blocking all traffic from inside or dmz.

For inside to dmz communication you need:

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

For dmz to vpn client you need a nat exemption:

nat (DMZ) 0 access-list dmz_nat0_outbound

access-list dmz_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

For dmz to inside communication you need an ACL applied "in interface DMZ":

access-list dmz_in permit .....

access-group dmz_in in interface DMZ

acomiskey Mon, 03/12/2007 - 07:37

You can also get rid of

access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0

and if you want your vpn clients to bypass interface access-lists add

sysopt connection permit-vpn

that should get you started please rate if it helped.
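The two replies above, collected into one fragment as an added example. This is editor-written illustration, not a post from the thread, and it uses the interface names from the posted config (External, Internal, DMZ). It drops the External_access_out ACL the first reply questioned, adds the identity static for Internal to DMZ and the DMZ exemption for the VPN pool, and keeps the Internal exemption to 192.168.3.0/24 (remote-access clients reaching Internal hosts depend on it, since an Internal host replying to a pool address otherwise matches nat (Internal) 1 and is PATed to the External address); only the pointless Internal-to-Internal exemption line is removed. Note that sysopt connection permit-vpn lets decrypted VPN traffic bypass every interface ACL, so any per-user restriction on VPN clients then has to be done with a vpn-filter in the group policy. The closing packet-tracer checks (available from ASA 7.2) use made-up test addresses: 192.168.0.50 for an Internal workstation and 192.168.3.10 for a VPN client.

```cisco
! Added example (not from the thread): inter-interface plumbing for Internal / DMZ / VPN pool

! Remove the outbound ACL that blocked all traffic leaving External
no access-group External_access_out out interface External
no access-list External_access_out extended permit ip 192.168.0.0 255.255.255.0 any

! Internal -> DMZ: identity static, so nat (Internal) 1 does not need a global on DMZ
static (Internal,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

! Internal -> VPN pool: keep this exemption; only the Internal-to-Internal line goes
no access-list Internal_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
nat (Internal) 0 access-list Internal_nat0_outbound

! DMZ -> VPN pool: NAT exemption so DMZ hosts answer VPN clients untranslated
access-list dmz_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (DMZ) 0 access-list dmz_nat0_outbound

! Decrypted VPN traffic skips the External interface ACL (restrict users with vpn-filter instead)
sysopt connection permit-vpn

! Checks with hypothetical hosts: Internal workstation -> DMZ web server over RDP,
! then a VPN client (pool address) arriving on External -> same DMZ server
packet-tracer input Internal tcp 192.168.0.50 1025 192.168.2.2 3389
packet-tracer input External tcp 192.168.3.10 1025 192.168.2.2 3389
show xlate
```

Both traces should end in "Action: allow" once the DMZ ingress ACL permits the traffic; a "no translation group found" result in the NAT phase means the static or exemption above did not take.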

a.grussner Mon, 03/12/2007 - 08:03

Would you also recommend I turn Spoofing On for the External interface?

a.grussner Mon, 03/12/2007 - 17:27

I made all the changes but I'm having an issue getting Internet access from my DMZ. Any ideas what I missed? Thanks.

acomiskey Mon, 03/12/2007 - 19:27

Well, what are you using as a dns server for your servers on the dmz?

Did you create an acl in interface dmz? Is dns/http allowed etc.?

Please rate these if they helped.

a.grussner Mon, 03/12/2007 - 07:59

I started off using the ASDM so I must have made a change that put the External_access_out statement in there and then I missed it when I switched to configuring it from a command prompt. I'll remove it and make the changes you listed and I'll let you know what happens. Thanks for the help.

acomiskey Tue, 03/13/2007 - 12:03

Looking through my response, I noticed your name for inside is Internal, so you would need to make the change from what I originally posted.

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

should be...

static (Internal,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

a.grussner Wed, 03/14/2007 - 08:07

I assumed that's what you meant, so when I made the change I used Internal. I'm using a DNS server that sits on my Internal network with an IP of 192.168.0.15. Do I need something added so my servers in the DMZ can access that DNS server on my Internal network? I've only made the changes you recommended, so do I need to add anything else? Thanks again for all your help.

acomiskey Wed, 03/14/2007 - 08:11

You need to allow UDP 53 from the DMZ to the inside DNS server. Please post the output of show run access-list.

a.grussner Wed, 03/14/2007 - 08:35

What would the correct syntax be for the udp 53 command line?

Here's the access-list:

access-list External_access_in extended permit tcp any host 209.254.66.65 eq www

access-list External_access_in extended permit tcp any host 209.254.66.66 eq ftp

access-list DefaultRAGroup_splitTunnelAcl standard permit any

access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any

access-list Test_splitTunnelAcl standard permit any

access-list dmz_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list dmz_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list winter_splitTunnelAcl standard permit any

access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192

access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0

asa5510#

acomiskey Wed, 03/14/2007 - 08:43

do you have this "access-group dmz_in in interface DMZ" ?

If so, then you need to do this. You are already allowing DMZ to inside with what you have in your dmz_in ACL. But remember, there is an explicit deny at the end of the ACL, so it is allowing communication to inside but is denying everything else (Internet).

The purpose of a dmz is to segment from your inside network. If you allow all traffic to the inside, you are kind of defeating the purpose of a dmz at all. It should be like this..

access-list dmz_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq domain

access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list dmz_in extended permit ip any any

access-group dmz_in in interface DMZ

If you need to allow more than just dns, you would do so before the "access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0" line.

a.grussner Wed, 03/14/2007 - 09:20

Yes I have this access-group dmz_in in interface DMZ in the config. I need to add the other statements. I also have an Exchange 2003 front-end OWA server that will be in the DMZ and need to communicate with the back-end Exchange 2003 server on the Internal network. What will need to be added for those 2 servers to communicate? Thanks.

a.grussner Fri, 03/16/2007 - 07:07

It's working much better now. I'm going to try and schedule some time over the weekend to put it in place for some testing. I opened up communication between the 2 email servers by IP address instead of dealing with all the ports between them. What do I need to do so it'll communicate with my Active Directory for user authentication? Thanks for all the help so far.

acomiskey Fri, 03/16/2007 - 07:28

"Active Directory Communication

To communicate with Active Directory, the Exchange front-end server requires LDAP ports to be open. Both TCP and UDP are required: Windows 2000 on the front-end server will send a 389/UDP LDAP request to a domain controller to check if it is available for use; the LDAP traffic after that uses TCP. Windows 2000 Kerberos authentication is also used; therefore, the Kerberos ports must also be open. Both TCP and UDP are required for Kerberos as well: Windows uses UDP/88 by default, but when the data is larger than the maximum packet size for UDP, it uses TCP. Table 3 lists the ports required for communicating with Active Directory."

Taken from the following article...

http://www.microsoft.com/technet/prodtechnol/exchange/2000/maintain/e2kfront.mspx
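The ordered dmz_in ACL from the earlier reply, extended with the Active Directory ports the quoted article names, as an added example. This is editor-written illustration, not a post from the thread and not the article's own table. Assumed hosts: 192.168.2.4 is the OWA front-end (the posted config only shows .2 and .3 in the DMZ), 192.168.0.15 is the DNS server from the config and is assumed here to also be the domain controller, 192.168.0.20 is the Exchange back-end, and 192.168.0.50 is an Internal workstation used only in the check. Only the ports the quote lists (LDAP 389 TCP and UDP, Kerberos 88 TCP and UDP) plus DNS are opened; the article's Table 3 is not reproduced on this page, so the front-end to back-end rule stays host-to-host as the poster chose, and a comment marks it as the line to narrow. The security point is ordering: the ASA evaluates an ACL first-match with an implicit deny at the end, so the specific permits must sit above the DMZ-to-Internal deny, and the deny must sit above the permit any any that gives the DMZ Internet access.

```cisco
! Added example (not from the thread): ordered DMZ ingress ACL for an OWA front-end
! Assumed: 192.168.2.4 = OWA front-end, 192.168.0.15 = DC/DNS, 192.168.0.20 = Exchange back-end

! Remove the blanket DMZ-to-Internal permit; entries below are appended in this order
no access-list dmz_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

! 1. Name resolution for every DMZ host
access-list dmz_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq domain

! 2. Front-end to Active Directory: only the ports the quoted article names
!    (write 88 numerically; the ASA keyword "kerberos" means port 750)
access-list dmz_in extended permit tcp host 192.168.2.4 host 192.168.0.15 eq 389
access-list dmz_in extended permit udp host 192.168.2.4 host 192.168.0.15 eq 389
access-list dmz_in extended permit tcp host 192.168.2.4 host 192.168.0.15 eq 88
access-list dmz_in extended permit udp host 192.168.2.4 host 192.168.0.15 eq 88

! 3. Front-end to back-end: host-to-host as the poster did; narrow to the article's
!    Table 3 ports once you have them
access-list dmz_in extended permit ip host 192.168.2.4 host 192.168.0.20

! 4. Everything else from the DMZ into Internal (and, optionally, toward VPN clients)
!    is dropped here, before the catch-all
access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

! 5. Internet access for the DMZ (tighten to eq www / eq 443 if the servers only need updates)
access-list dmz_in extended permit ip any any
access-group dmz_in in interface DMZ

! Checks: DNS to the DC should be allowed; RDP from the DMZ into Internal should be dropped by rule 4
packet-tracer input DMZ udp 192.168.2.4 1025 192.168.0.15 53
packet-tracer input DMZ tcp 192.168.2.4 1025 192.168.0.50 3389
show access-list dmz_in
```

show access-list prints a hitcnt per entry; a growing count on the deny line while the front-end misbehaves is the quickest way to spot a port that still needs its own permit above it.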

a.grussner Fri, 03/16/2007 - 07:59

Then I should be OK for the Exchange server sitting in my DMZ since I opened up all communication between that server and my back-end server on the Internal network. What I need to know is how I can setup my VPN users to authenticate to Active Directory when they login on the VPN instead of having to create accounts on the 5510.

acomiskey Fri, 03/16/2007 - 08:16

In the ASA you will define an aaa-server and assign that to the VPN group. You can then set up IAS (Internet Authentication Service) on your domain controller. Here you will define a RADIUS client (the ASA) and a remote access policy. You must then register the service with Active Directory. You will then be able to authenticate your VPN clients with your AD.
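The ASA side of the reply above, as an added example written by the editor, not by the poster. It assumes IAS runs on 192.168.0.15 (the DNS/domain controller address from the posted config) and reaches it through the Internal interface; the server-group name AD-RADIUS, the shared key and the test credentials are made up. On the IAS side the RADIUS client entry must use the ASA's Internal address (192.168.0.1) and the same key, and the remote access policy must accept the method the ASA sends, which for IPsec Xauth is PAP by default. PAP over RADIUS only hides the password with an MD5 stream keyed by the shared secret, so keep the server on the inside interface and use a long random key. LOCAL is listed after the server group so the rabbit account still works if the RADIUS server is unreachable, but not as a second chance after a rejected password.

```cisco
! Added example (not from the thread): VPN user authentication against AD via RADIUS/IAS
! Assumed: IAS on the DC at 192.168.0.15, group name AD-RADIUS, key and credentials invented
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (Internal) host 192.168.0.15
 key Use-A-Long-Random-Shared-Secret-Here
 authentication-port 1812
 accounting-port 1813
 timeout 5

! Hand the NOS tunnel group to RADIUS; LOCAL is fallback only when the server does not answer
tunnel-group NOS general-attributes
 authentication-server-group AD-RADIUS LOCAL

! Check the path and the key before touching the VPN (username/password hypothetical)
test aaa-server authentication AD-RADIUS host 192.168.0.15 username rabbit password Passw0rd
show aaa-server AD-RADIUS
```

A "Server not responding" result from the test points at the UDP path or the port (IAS listens on 1812 and 1645 by default); a clean rejection with the right password usually means the IAS remote access policy or the shared key, not the ASA.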

a.grussner Fri, 03/16/2007 - 08:45

Is this setup any different than setting it up on a 3005 concentrator? I watched a fellow engineer set one up and he pointed the concentrator to the domain controller and specified port 139 on the server. I don't remember him setting anything else up on the server for authentication. Did I miss something in his setup maybe? There was nothing setup on the 3005 for Radius and nothing under AAA.

a.grussner Tue, 04/03/2007 - 09:52

Thanks for all the help. I have another issue but I'll post a new topic.
