03-12-2007 07:25 AM - edited 03-11-2019 02:45 AM
I could really use some help getting this ASA 5510 configuration done. I'm by no means a firewall guru, but since I'm the only network engineer at my company I've been asked to make the new Firewall/VPN work. I'm trying to set up the network to have a DMZ for our web servers and OWA, so everything in the DMZ will have an IP of 192.168.2.0. My Internal network will have an IP of 192.168.0.0 and the people coming in on the VPN will get an IP of 192.168.3.0. Is this the best way to do it, or can someone give me some tips on what's the best way to do it? The servers in the DMZ and Inside network need to be able to communicate between each other for Active Directory and DNS traffic, plus my users on the VPN and Internal networks need to be able to Remote Desktop into the servers in the DMZ and Internal network. I'll paste my config below, so any help would be greatly appreciated. Thanks. I guess it's too much data, so I'll put the other half in the next post and I'll attach it as a doc to the original post.
ASA Version 7.2(2)
!
hostname asa5510
domain-name test.com
enable password XXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
nameif External
security-level 0
ip address 209.x.x.10 255.255.255.248
!
interface Ethernet0/1
nameif Internal
security-level 90
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 80
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd XXXXXXXXXX encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns server-group DefaultDNS
domain-name test.com
access-list External_access_in extended permit tcp any host 209.254.99.65 eq www
access-list External_access_in extended permit tcp any host 209.254.99.66 eq ftp
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any
access-list test_splitTunnelAcl standard permit any
access-list External_access_out extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN 192.168.3.1-192.168.3.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (External) 1 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (Internal) 1 0.0.0.0 0.0.0.0
static (DMZ,External) 209.254.99.65 192.168.2.2 netmask 255.255.255.255
static (DMZ,External) 209.254.99.66 192.168.2.3 netmask 255.255.255.255
access-group External_access_in in interface External
access-group External_access_out out interface External
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy NOS internal
group-policy NOS attributes
dns-server value 192.168.0.15
vpn-tunnel-protocol IPSec
username rabbit password XXXXXXXX encrypted privilege 0
username rabbit attributes
vpn-group-policy NOS
http server enable
http 192.168.0.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
****SEE BELOW FOR THE REST****
03-16-2007 08:57 AM
Assumed you wanted radius...try this.
03-12-2007 07:26 AM
route External 0.0.0.0 0.0.0.0 209.254.99.9 1
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 20 set pfs
crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 40 set pfs
crypto dynamic-map External_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map External_map interface External
crypto isakmp enable External
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group DefaultRAGroup general-attributes
address-pool VPN
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group NOS type ipsec-ra
tunnel-group NOS general-attributes
address-pool VPN
default-group-policy NOS
tunnel-group NOS ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXX
03-12-2007 07:34 AM
Please explain what you are trying to do with External_access_out? It is pretty much blocking all traffic from inside or dmz.
For inside to dmz communication you need:
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
For dmz to vpn client you need a nat exemption:
nat (DMZ) 0 access-list dmz_nat0_outbound
access-list dmz_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
For dmz to inside communication you need an acl applied "in interface DMZ"
access-list dmz_in permit .....
access-group dmz_in in interface DMZ
03-12-2007 07:37 AM
You can also get rid of
access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
and if you want your vpn clients to bypass interface access-lists add
sysopt connection permit-vpn
that should get you started please rate if it helped.
03-12-2007 08:03 AM
Would you also recommend I turn Spoofing On for the External interface?
03-12-2007 05:27 PM
I made all the changes but I'm having an issue getting Internet access from my DMZ. Any ideas what I missed? Thanks.
03-12-2007 07:27 PM
Well, what are you using as a dns server for your servers on the dmz?
Did you create an acl in interface dmz? Is dns/http allowed etc.?
Please rate these if they helped.
03-12-2007 07:59 AM
I started off using the ASDM so I must have made a change that put the External_access_out statement in there and then I missed it when I switched to configuring it from a command prompt. I'll remove it and make the changes you listed and I'll let you know what happens. Thanks for the help.
03-13-2007 12:03 PM
Looking through my response, noticed your name for inside is Internal...so you would need to make the change from what I originally posted.
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
should be...
static (Internal,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
03-14-2007 08:07 AM
I assumed that's what you meant, so when I made the change I used Internal. I'm using a DNS server that sits on my Internal network with an IP of 192.168.0.15. Do I need something added so my servers in the DMZ can access that DNS server on my Internal network? I've only made the changes you recommended, so do I need to add anything else? Thanks again for all your help.
03-14-2007 08:11 AM
you need to allow udp 53 from dmz to inside dns server. Please post output of show run access-list
03-14-2007 08:35 AM
What would the correct syntax be for the udp 53 command line?
Here's the access-list:
access-list External_access_in extended permit tcp any host 209.254.66.65 eq www
access-list External_access_in extended permit tcp any host 209.254.66.66 eq ftp
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any
access-list Test_splitTunnelAcl standard permit any
access-list dmz_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list winter_splitTunnelAcl standard permit any
access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
asa5510#
03-14-2007 08:43 AM
do you have this "access-group dmz_in in interface DMZ" ?
If so, then you need to do this: you are already allowing dmz to inside with what you have in your dmz_in acl. But remember, there is an explicit deny at the end of the acl. So it is allowing communication to inside but is denying everything else (internet).
The purpose of a dmz is to segment from your inside network. If you allow all traffic to the inside, you are kind of defeating the purpose of a dmz at all. It should be like this..
access-list dmz_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq domain
access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface DMZ
If you need to allow more than just dns, you would do so before the "access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0" line.
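The ordering point made above (first match wins, implicit deny at the end, so a single permit to the inside network silently blocks Internet access while also exposing the whole inside network) is easy to check offline. The following is an added example, not part of the thread or Cisco's own tooling: a small Python model of ASA first-match ACL evaluation, fed the one-line dmz_in from the thread and the corrected three-line version. The three test flows are constructed for this example; 198.51.100.7 is a placeholder Internet address and 192.168.0.20 a hypothetical inside host.

```python
"""Added example: simulate ASA first-match ACL evaluation for the dmz_in lists in this thread.

Models the rules that matter here: entries are checked top to bottom, the first
match decides, and an unmatched packet hits the implicit deny at the end.
Only what the thread's ACL lines use is parsed (ip/udp/tcp, any, host, mask, eq).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None = any destination port


def _parse_addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' line."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line}")
    action, proto = toks[3], toks[4]
    src, i = _parse_addr(toks, 5)
    dst, i = _parse_addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        name = toks[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # implicit deny at the end of every ASA ACL


def evaluate_flows(acl_lines: List[str], flows) -> List[str]:
    acl = [parse_ace(l) for l in acl_lines]
    return [evaluate(acl, *flow) for flow in flows]


# The ACL the poster had: one permit from the DMZ to the whole inside network.
ORIGINAL_DMZ_IN = [
    "access-list dmz_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0",
]

# The corrected ordering recommended in the thread.
CORRECTED_DMZ_IN = [
    "access-list dmz_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq domain",
    "access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0",
    "access-list dmz_in extended permit ip any any",
]

# Constructed sample flows from the DMZ web server (192.168.2.2):
SAMPLE_FLOWS = [
    ("udp", "192.168.2.2", "192.168.0.15", 53),    # DNS to the inside DNS server
    ("tcp", "192.168.2.2", "192.168.0.20", 3389),  # RDP to a hypothetical inside host
    ("tcp", "192.168.2.2", "198.51.100.7", 80),    # HTTP to a placeholder Internet host
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_DMZ_IN), ("corrected", CORRECTED_DMZ_IN)):
        print(name, evaluate_flows(acl, SAMPLE_FLOWS))
    # original  -> ['permit', 'permit', 'deny']   (RDP into inside allowed, Internet blocked)
    # corrected -> ['permit', 'deny', 'permit']   (only DNS reaches inside, Internet works)
```

Running it shows the two failure modes side by side: with the original single permit, the DMZ host can open RDP to any inside machine but cannot reach the Internet at all, because nothing matches before the implicit deny; with the corrected list, the DNS exception is hit first, the explicit deny then covers the rest of the inside network, and the trailing `permit ip any any` restores Internet access. Any extra inside services (for example the Exchange front-end/back-end ports discussed later in the thread) belong as additional permits above the deny line, exactly as the reply says.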
03-14-2007 09:20 AM
Yes I have this access-group dmz_in in interface DMZ in the config. I need to add the other statements. I also have an Exchange 2003 front-end OWA server that will be in the DMZ and need to communicate with the back-end Exchange 2003 server on the Internal network. What will need to be added for those 2 servers to communicate? Thanks.
03-14-2007 11:09 AM
Have a look here...
http://download.microsoft.com/download/d/e/1/de1578d8-d082-49e8-964a-fbe4505158f8/E2k3FrontBack.doc
This will probably involve opening rpc ports. You could also just allow all traffic between the servers.
access-list dmz_in extended permit ip host
Please rate these if they have helped.