cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1168
Views
0
Helpful
22
Replies

Need some help with my ASA 5510 setup

a.grussner
Level 1
Level 1

I could really use some help getting this ASA 5510 configuration done. I?m by no means a firewall guru but since I?m the only network engineer at my company I?ve been asked to make the new Firewall/VPN work. I?m trying to setup the network to have a DMZ for our web servers and OWA so everything in the DMZ will have an IP of 192.168.2.0. My Internal network will have an IP of 192.168.0.0 and the people coming in on the VPN will get an IP of 192.168.3.0. Is this the best way to do it or can someone give me some tips on what?s the best way to do it? The servers in the DMZ and Inside network need to be able to communicate between each other for Active Directory and DNS traffic plus my users on the VPN and Internal networks need to be able to Remote Desktop into the servers in the DMZ and Internal network. I?ll paste my config below so any help would be greatly appreciated. Thanks. I guess it's to much data so I'll put the other half in the next post and I'll attach it as a doc to the original post.

ASA Version 7.2(2)

!

hostname asa5510

domain-name test.com

enable password XXXXXXXXXXX encrypted

names

dns-guard

!

interface Ethernet0/0

nameif External

security-level 0

ip address 209.x.x.10 255.255.255.248

!

interface Ethernet0/1

nameif Internal

security-level 90

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 80

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

passwd XXXXXXXXXX encrypted

boot system disk0:/asa722-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

dns server-group DefaultDNS

domain-name test.com

access-list External_access_in extended permit tcp any host 209.254.99.65 eq www

access-list External_access_in extended permit tcp any host 209.254.99.66 eq ftp

access-list DefaultRAGroup_splitTunnelAcl standard permit any

access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0

access-list Internal_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any

access-list test_splitTunnelAcl standard permit any

access-list External_access_out extended permit ip 192.168.0.0 255.255.255.0 any

pager lines 24

logging asdm informational

mtu External 1500

mtu Internal 1500

mtu DMZ 1500

mtu management 1500

ip local pool VPN 192.168.3.1-192.168.3.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (External) 1 interface

nat (Internal) 0 access-list Internal_nat0_outbound

nat (DMZ) 1 0.0.0.0 0.0.0.0

nat (Internal) 1 0.0.0.0 0.0.0.0

static (DMZ,External) 209.254.99.65 192.168.2.2 netmask 255.255.255.255

static (DMZ,External) 209.254.99.66 192.168.2.3 netmask 255.255.255.255

access-group External_access_in in interface External

access-group External_access_out out interface External

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

group-policy NOS internal

group-policy NOS attributes

dns-server value 192.168.0.15

vpn-tunnel-protocol IPSec

username rabbit password XXXXXXXX encrypted privilege 0

username rabbit attributes

vpn-group-policy NOS

http server enable

http 192.168.0.0 255.255.255.0 Internal

no snmp-server location

no snmp-server contact

****SEE BELOW FOR THE REST****

1 Accepted Solution
22 Replies 22

a.grussner
Level 1
Level 1

route External 0.0.0.0 0.0.0.0 209.254.99.9 1

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map External_dyn_map 20 set pfs

crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map External_dyn_map 40 set pfs

crypto dynamic-map External_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map

crypto map External_map interface External

crypto isakmp enable External

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group DefaultRAGroup general-attributes

address-pool VPN

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

no authentication ms-chap-v1

authentication ms-chap-v2

tunnel-group NOS type ipsec-ra

tunnel-group NOS general-attributes

address-pool VPN

default-group-policy NOS

tunnel-group NOS ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh timeout 5

console timeout 0

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 2048

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:XXXXXXXXXXXXXXXX

Please explain what you are trying to do with External_access_out? It is pretty much blocking all traffic from inside or dmz.

For inside to dmz communication you need:

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

For dmz to vpn client you need a nat exemption:

nat (DMZ) 0 access-list dmz_nat0_outbound

access-list dmz_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

For dmz to inside communicaiton you need an acl applied "in interface DMZ"

access-list dmz_in permit .....

access-group dmz_in in interface DMZ

You can also get rid of

access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0

and if you want your vpn clients to bypass interface access-lists add

sysopt connection permit-vpn

that should get you started please rate if it helped.

Would you also recommend I turn Spoofing On for the External interface?

I made all the changes but I'm having an issue getting Internet access from my DMZ. Any ideas what I missed? Thanks.

Well, what are you using as a dns server for your servers on the dmz?

Did you create an acl in interface dmz? Is dns/http allowed etc.?

Please rate these if they helped.

I started off using the ASDM so I must have made a change that put the External_access_out statement in there and then I missed it when I switched to configuring it from a command prompt. I'll remove it and make the changes you listed and I'll let you know what happens. Thanks for the help.

Looking through my response, noticed your name for inside is Internal...so you would need to make the change from what I originally posted.

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

should be...

static (Internal,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

I assumed that's what you mean't so when I made the change I used Internal. I'm using a DNS server that sits on my Internal network with an IP of 192.168.0.15. Do I need something added so my servers in the DMZ can access that DNS server on my Internal network? I've only made the changes you recommended so do I need to add anything else? Thanks again for all your help.

you need to allow udp 53 from dmz to inside dns server. Please post output of show run access-list

What would the correct syntax be for the udp 53 command line?

Here's the access-list:

access-list External_access_in extended permit tcp any host 209.254.66.65 eq www

access-list External_access_in extended permit tcp any host 209.254.66.66 eq ftp

access-list DefaultRAGroup_splitTunnelAcl standard permit any

access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any

access-list Test_splitTunnelAcl standard permit any

access-list dmz_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list dmz_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list winter_splitTunnelAcl standard permit any

access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192

access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0

asa5510#

do you have this "access-group dmz_in in interface DMZ" ?

If so, then you need to do this, you are already allowing dmz to inside with what you have in your dmz_in acl. But remember, there is an explicit deny at the end of the acl. So it is allowing communication to inside but is denying everything else (internet).

The purpose of a dmz is to segment from your inside network. If you allow all traffic to the inside, you are kind of defeating the purpose of a dmz at all. It should be like this..

access-list dmz_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq domain

access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list dmz_in extended permit ip any any

access-group dmz_in in interface DMZ

If you need to allow more than just dns, you would do so before the "access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0" line.

Yes I have this access-group dmz_in in interface DMZ in the config. I need to add the other statements. I also have an Exchange 2003 front-end OWA server that will be in the DMZ and need to communicate with the back-end Exchange 2003 server on the Internal network. What will need to be added for those 2 servers to communicate? Thanks.

Have a look here...

http://download.microsoft.com/download/d/e/1/de1578d8-d082-49e8-964a-fbe4505158f8/E2k3FrontBack.doc

This will probably involve opening rpc ports. You could also just allow all traffic between the servers.

access-list dmz_in extended permit ip host host

Please rate these if they have helped.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: