ASA configuration with 2 DMZ

Unanswered Question
Apr 13th, 2007

Hi,

Pls see the attached network diagram. We have recently bought 2 ASAs, model 5520. The first ASA is connected to the internet by a 2800 series router. The first ASA has got 2 DMZs and each DMZ has 2 servers. The servers are our application server and a database server and two test servers. We have got six usable public IP addresses for our use. We want authenticated users from outside to access the application and database servers using VPN.

The second ASA is on the internal side of the network and is attached to the internal network using a 2800 router. The internal users will be restricted from accessing the servers located in DMZ1. We will use access lists based on MAC addresses to allow some users to access DMZ1 from the internal network. Can we use MAC address filtering?

How do I configure the scenario? Can somebody guide me or show me an example of a near similar configuration?

Thanks in advance

rico_hao40 Fri, 04/13/2007 - 06:16

I suppose you want outside users using VPN to access your servers in the DMZ. Yes, you can do this either using SSL VPN or IPsec VPN. SSL VPN only needs the outside user to have a browser and will automatically download a VPN shell. IPsec VPN needs the user to install the Cisco VPN client.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/vpn/index.htm

I think you cannot set an access-list based on source MAC. MAC ACLs only work in a layer 2 environment, so the source MAC address is not kept in the IP packet after it is routed by a router; the source MAC will be replaced by the router's MAC. The IP address will stay the same through the whole process.

sunjiiv74 Sat, 04/14/2007 - 21:45

Hi rico,

Thanks for the response. Can you check my running config attachment and see whether users can access my servers located in the DMZ? I will have a web server and an Oracle server in the DMZ. Do I need to give all these servers in the DMZ (4 servers in total) static IPs, or can I use NAT to access these servers?

Also, can you please tell me how the router should be configured to allow access to the ASA?

interface GigabitEthernet0/0
 description Connected to Router
 nameif Outside
 security-level 0
 ip address 217.x.x.186 255.255.255.248
!
interface GigabitEthernet0/1
 description Connected to LAN
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Connected to DMZ1
 nameif DMZ1
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 description Connected to DMZ2
 nameif DMZ2
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list DMZ1_access_in remark HTTP Access to DMZ1 Server1
access-list DMZ1_access_in extended permit tcp any eq www host 192.168.10.2 eq www
access-list DMZ2_access_in extended permit tcp any eq www host 192.168.100.2 eq www
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu management 1500
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
static (DMZ1,DMZ1) 217.17.247.187 192.168.10.2 netmask 255.255.255.255
access-group DMZ1_access_in in interface DMZ1
access-group DMZ2_access_in in interface DMZ2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:xxx
: end

Thanks
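The config above is the kind of thing a reviewer would check mechanically before answering "can outside users reach the DMZ servers?". The following Python lint is an added example for this thread; it is not Cisco code and not the poster's tool. It parses the nameif/ip address, access-list, access-group and static lines of a pre-8.3 style ASA config and reports three things a reviewer would look at: an access-group that references an undefined access-list, an ACE that restricts the client's *source* port (`any eq www`), an ACE applied inbound on the same interface its destination host lives on (an `in` ACL on DMZ1 filters what the DMZ1 hosts send, not what reaches them from Outside), and a `static` whose real and mapped interface are the same. The sample config is constructed from the posted one: the obfuscated 217.x.x.x public addresses are replaced by 203.0.113.x placeholders, and one extra `access-group Outside_access_in` line is added to exercise the undefined-ACL check.

```python
"""Lint a Cisco ASA (7.x/8.2-style NAT) running config for common ACL/NAT mistakes.

Added example for this thread, not Cisco code. SAMPLE_CONFIG is constructed from
the posted config; 203.0.113.x stands in for the obfuscated public addresses.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.186 255.255.255.248
interface GigabitEthernet0/2
 nameif DMZ1
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/3
 nameif DMZ2
 security-level 50
 ip address 192.168.100.1 255.255.255.0
access-list DMZ1_access_in remark HTTP Access to DMZ1 Server1
access-list DMZ1_access_in extended permit tcp any eq www host 192.168.10.2 eq www
access-list DMZ2_access_in extended permit tcp any eq www host 192.168.100.2 eq www
static (DMZ1,DMZ1) 203.0.113.187 192.168.10.2 netmask 255.255.255.255
access-group DMZ1_access_in in interface DMZ1
access-group DMZ2_access_in in interface DMZ2
access-group Outside_access_in in interface Outside
"""


def parse_asa_config(text):
    """Collect interfaces (nameif -> subnet), ACLs, access-groups and statics."""
    cfg = {"interfaces": {}, "acls": {}, "access_groups": [], "statics": []}
    nameif = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":          # new interface block; nameif comes later
            nameif = None
        elif t[0] == "nameif":
            nameif = t[1]
            cfg["interfaces"][nameif] = {"security": None, "network": None}
        elif t[0] == "security-level" and nameif:
            cfg["interfaces"][nameif]["security"] = int(t[1])
        elif t[:2] == ["ip", "address"] and nameif:
            cfg["interfaces"][nameif]["network"] = ipaddress.ip_network(
                f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list":
            aces = cfg["acls"].setdefault(t[1], [])
            if t[2] != "remark":         # remarks define the ACL but carry no rule
                aces.append(t[2:])
        elif t[0] == "access-group":     # access-group NAME in interface IFACE
            cfg["access_groups"].append((t[1], t[2], t[4]))
        elif t[0] == "static":           # static (real_if,mapped_if) mapped_ip real_ip
            m = re.match(r"\((\w+),(\w+)\)", t[1])
            cfg["statics"].append((m.group(1), m.group(2), t[2], t[3]))
    return cfg


def _take_addr(t, i):
    """Consume one ASA address spec (any | host X | NET MASK) starting at t[i]."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2


def parse_ace(t):
    """t = ['extended', action, proto, <src>, [eq P], <dst>, [eq P]]."""
    action, proto = t[1], t[2]
    src, i = _take_addr(t, 3)
    sport = None
    if i < len(t) and t[i] == "eq":      # a port right after the source = source port
        sport, i = t[i + 1], i + 2
    dst, i = _take_addr(t, i)
    dport = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return action, proto, src, sport, dst, dport


def lint(cfg):
    """Return a list of human-readable findings (empty list = nothing flagged)."""
    findings = []
    ifaces = cfg["interfaces"]
    # Mapped (public) addresses legitimately appear as ACL destinations on their mapped interface.
    published = {(mapped_if, mapped_ip) for _, mapped_if, mapped_ip, _ in cfg["statics"]}
    for acl, direction, iface in cfg["access_groups"]:
        if acl not in cfg["acls"]:
            findings.append(f"access-group {acl}: access-list {acl} is not defined")
            continue
        net = ifaces.get(iface, {}).get("network")
        for t in cfg["acls"][acl]:
            action, proto, src, sport, dst, dport = parse_ace(t)
            if sport:
                findings.append(f"{acl}: source port 'eq {sport}' only matches clients whose "
                                f"ephemeral port happens to be {sport}; filter on the destination port")
            is_host = dst != "any" and "/" not in dst
            if (direction == "in" and net and is_host and (iface, dst) not in published
                    and ipaddress.ip_address(dst) in net):
                findings.append(f"{acl} is applied inbound on {iface} but permits traffic TO {dst}, "
                                f"an address on {iface} itself; packets arriving from other "
                                f"interfaces never hit this ACL, so it does not open access to {dst}")
    for real_if, mapped_if, mapped_ip, real_ip in cfg["statics"]:
        if real_if == mapped_if:
            findings.append(f"static ({real_if},{mapped_if}) {mapped_ip}: real and mapped interface "
                            f"are the same; publishing {real_ip} to the Internet needs ({real_if},Outside)")
        for n in (real_if, mapped_if):
            if n not in ifaces:
                findings.append(f"static: interface {n} has no nameif")
    return findings


if __name__ == "__main__":
    for line in lint(parse_asa_config(SAMPLE_CONFIG)):
        print("-", line)
```

Run it as-is to see the findings for the posted config; feed it a config where the static is `(DMZ1,Outside)`, the ACL is applied `in interface Outside` and the ACE names only the destination port, and `lint` returns an empty list. The parser deliberately handles only the line types the checks need, so unknown lines are ignored rather than rejected.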

bahoosh Wed, 04/18/2007 - 12:29

Honestly, I don't think you need two FWs to do what you want to do. I have a couple of questions:

1. How do you connect your inside 5520 to DMZ1 and DMZ2?

2. How do you connect the two FWs?
