ASA 5505 setup with DMZ (Exchange OWA) - outside (Netgear) - inside

Unanswered Question
Mar 18th, 2007

I'm trying to set up an ASA VPN/firewall and not having much luck!!

I'm new to CISCO firewalls, but have experience with Microsoft networks (MCSE NT 4).

Anyway, what I'm trying to do is configure my inside network to connect to the DMZ (web / ftp / OWA frontend) and enable all the OWA required ports.

I also want to direct all internet traffic via a netgear firewall and allow for the VPN connection to my inside network.

The setup is as follows:

inside IP range: 192.168.20.0

outside IP range: 10.0.10.0 - connects to netgear 10.0.10.1

DMZ IP (web server): 192.168.2.1

Finally, the VPN pool 192.168.3.100-192.168.3.150

Here is what I have now...

!
interface Vlan1
 nameif INTERNAL
 security-level 90
 ip address 192.168.20.250 255.255.255.0
!
interface Vlan2
 nameif EXTERNAL
 security-level 0
 ip address 10.0.10.2 255.255.255.0
!
interface Vlan12
 no forward interface Vlan2
 nameif DMZ
 security-level 90
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 12
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list External_access_in extended permit tcp any host 10.0.10.1 eq www
access-list External_access_in extended permit tcp any host 10.0.10.1 eq ftp
access-list dmz_in extended permit icmp any any
access-list dmz_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.20.10 eq domain
access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-list dmz_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_access_in extended permit tcp any any
access-list Internal_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip any any
access-list INTERNAL_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu INTERNAL 1500
mtu EXTERNAL 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (INTERNAL) 2 interface
global (EXTERNAL) 1 interface
global (DMZ) 3 interface
nat (INTERNAL) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,INTERNAL) 192.168.20.10 192.168.2.1 netmask 255.255.255.255
static (INTERNAL,DMZ) 192.168.2.2 192.168.20.250 netmask 255.255.255.255

----------------------------------------

Thank you for all help in anticipation...

George

lolayo Tue, 03/20/2007 - 17:00

Hello George...

First thing I noticed is that you don't have a translation rule for your internal users to reach the DMZ.

maybe

static (INTERNAL,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0

I don't see a reason why you would translate your inside interface ip to the DMZ interface ip so I'd get rid of

static (INTERNAL,DMZ) 192.168.2.2 192.168.20.250 netmask 255.255.255.255

With this you should at least be able to communicate from the inside to the dmz.

gcampanis Wed, 03/21/2007 - 04:52

Thanks I will go ahead and change that...and let you know if I'm able to ping the DMZ.

acomiskey Tue, 03/20/2007 - 18:36

Is it your intention to only allow "tcp" outbound? If you need udp, change this to "ip".

access-list INTERNAL_access_out extended permit ip any any

gcampanis Wed, 03/21/2007 - 04:57

I am first trying to ping all the networks and then I plan to set up the individual port access... but you are correct, I should remove it. Having trouble pinging between 10.0.10.2 (outside) and 192.168.20.250 (inside), can you see any reason why this could be?

acomiskey Wed, 03/21/2007 - 05:35

You would need

access-list External_access_in extended permit icmp host 10.0.10.2 host 192.168.20.250

gcampanis Thu, 03/22/2007 - 12:22

Still having trouble pinging between INTERNAL and DMZ.

Here's my config:

interface Vlan1
 nameif INTERNAL
 security-level 90
 ip address 192.168.20.250 255.255.255.0
!
interface Vlan2
 nameif EXTERNAL
 security-level 0
 ip address 10.0.10.2 255.255.255.0
!
interface Vlan12
 no forward interface Vlan2
 nameif DMZ
 security-level 90
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 12
!
interface Ethernet0/1
 switchport access vlan 2
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.int
same-security-traffic permit inter-interface
access-list External_access_in extended permit tcp any host 10.0.10.1 eq www
access-list External_access_in extended permit tcp any host 10.0.10.1 eq ftp
access-list External_access_in extended permit icmp host 10.0.10.2 host 192.168.20.250
access-list dmz_in extended permit icmp any any
access-list dmz_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.20.10 eq domain
access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-list dmz_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_access_in extended permit tcp any any
access-list Internal_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip any any
access-list INTERNAL_access_out extended permit tcp any any
access-list INTERNAL_access_in extended permit icmp any any
global (INTERNAL) 2 interface
global (EXTERNAL) 1 interface
global (DMZ) 3 interface
nat (INTERNAL) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (INTERNAL,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
access-group INTERNAL_access_in in interface INTERNAL
access-group INTERNAL_access_out out interface INTERNAL
access-group External_access_in in interface EXTERNAL per-user-override
access-group dmz_in in interface DMZ per-user-override
route INTERNAL 0.0.0.0 0.0.0.0 192.168.20.250 1
route DMZ 0.0.0.0 0.0.0.0 192.168.2.2 2

-------------------------------------------

I did make the suggested changes to the config, to no avail :(

ASA is proving somewhat of a pain in the b&*!

George

acomiskey Thu, 03/22/2007 - 12:56

So can you ping from 10.0.10.2(outside) to 192.168.20.250(inside)?

When pinging from inside to dmz, what is the asa logging?

What is this for?

access-list INTERNAL_access_out extended permit tcp any any

access-group INTERNAL_access_out out interface INTERNAL

gcampanis Thu, 03/22/2007 - 15:28

Nope, not able to ping from 10.0.10.2 (outside) to 192.168.20.250 (inside)... I will remove both:

access-list INTERNAL_access_out extended permit tcp any any
access-group INTERNAL_access_out out interface INTERNAL

George

acomiskey Thu, 03/22/2007 - 16:21

Sorry, I steered you in the wrong direction before. My mistake, should have read more closely.

I guess you're doing NAT/PAT on the netgear firewall? That 10. network is not routable on the internet, so I suppose you are NATing to a public address on the netgear? What do you want the outside address of your web/mail server to be? In your current ACL you have it written as 10.0.10.1, which you say is the inside address of the netgear fw? And you have no corresponding static for the web/mail servers. Let's start here and get you hitting the DMZ from inside.

no route DMZ 0.0.0.0 0.0.0.0 192.168.2.2 2
no route INTERNAL 0.0.0.0 0.0.0.0 192.168.20.250
route EXTERNAL 0.0.0.0 0.0.0.0 10.0.10.1
no global (DMZ) 3 interface
no nat (DMZ) 1 0.0.0.0 0.0.0.0
static (INTERNAL,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
clear xlate

gcampanis Thu, 03/22/2007 - 17:52

Yes, I am NAT/PAT through the netgear to web/ftp, i.e.

Internet |- Netgear -|- web/ftp -|- Internal
public IP | 10.0.10.1 (netgear) | 10.0.10.2 and 192.168.2.1 (dmz) | 192.168.2.2 and 192.168.20.250 (internal) and 10.0.10.2 (external)

This may be a little complicated - maybe there is a better way, but I like having the netgear as added protection....

Let me know if this isn't clear, and I will try to clarify. My big concern right now is the inability to ping between the INTERNAL net and the DMZ net. Somehow the 192.168.20.250 IP can't ping the 192.168.2.2 IP. I guess somehow packets aren't being routed. I'll enter your changes and let you know how things are going...

Kind regards,

George.

acomiskey Thu, 03/22/2007 - 18:20

Honestly, I don't know how many people would say that adding a SOHO firewall in front of an enterprise firewall makes sense as far as extra protection. It most likely won't make the network any more reliable. This is only my opinion of course, if you want it that way, we'll make it work. But it will complicate the process.

acomiskey Thu, 03/22/2007 - 16:26

Next, let's deal with the web/ftp server. For argument's sake, let's say the outside address of the web/ftp server is 10.0.10.10 and the inside DMZ address is 192.168.2.10. You would need

static (DMZ,EXTERNAL) 10.0.10.10 192.168.2.10 netmask 255.255.255.255
access-list External_access_in extended permit tcp any host 10.0.10.10 eq ftp
access-list External_access_in extended permit tcp any host 10.0.10.10 eq www
access-group External_access_in in interface EXTERNAL
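The two gaps raised in this thread (an ACL that is defined but never applied with access-group, and an outside-facing permit with no static translation behind it) can be checked mechanically. The Python below is an added example for pre-8.3 ASA syntax, not code from the thread or from Cisco; the config it parses is constructed from the addresses discussed above, and the `lint_asa` / `ace_destination` names are the example's own.

```python
import re
# Constructed sample modelled on George's posted config (not copied from the thread):
# www/ftp permitted to 10.0.10.1, the Netgear itself, and dmz_in never applied.
SAMPLE_CONFIG = """\
access-list External_access_in extended permit tcp any host 10.0.10.1 eq www
access-list External_access_in extended permit tcp any host 10.0.10.1 eq ftp
access-list External_access_in extended permit tcp any host 10.0.10.10 eq www
access-list dmz_in extended permit ip any any
static (DMZ,EXTERNAL) 10.0.10.10 192.168.2.10 netmask 255.255.255.255
access-group External_access_in in interface EXTERNAL
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit (.+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
PORT_OPS = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3}  # tokens each operator uses

def _endpoint(tok, i):
    """Consume one ACE address (any | host A | A MASK): (host or None, next index)."""
    if i >= len(tok):  # malformed or truncated ACE
        return None, i
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return None, i + (1 if tok[i] == "any" else 2)

def ace_destination(ace):
    """Destination host of a pre-8.3 extended ACE body: proto src [port-op] dst ..."""
    tok = ace.split()
    _, i = _endpoint(tok, 1)
    if i < len(tok) and tok[i] in PORT_OPS:  # skip an optional source-port operator
        i += PORT_OPS[tok[i]]
    return _endpoint(tok, i)[0]

def lint_asa(config, outside="EXTERNAL"):
    """Sorted findings: ('unbound-acl', name) for an ACL never applied with access-group,
    ('no-static', name, host) for an outside inbound permit to a host with no static."""
    acl_dests, mapped, bound = {}, set(), {}
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acl_dests.setdefault(m.group(1), set()).update({ace_destination(m.group(2))} - {None})
        elif (m := STATIC_RE.match(line)) and m.group(2) == outside:
            mapped.add(m.group(3))  # mapped address visible on the outside interface
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)
    findings = []
    for name, dests in acl_dests.items():
        if name not in bound:
            findings.append(("unbound-acl", name))
        elif bound[name] == outside:
            findings += [("no-static", name, h) for h in sorted(dests - mapped)]
    return sorted(findings)
```

Object-group based ACEs and the post-8.3 `nat` syntax are outside what this parser understands.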
