DMZ config! How to do? Easy question for experts! (ASA 5510)

Nov 30th, 2008

Dear All

I would like to add a DMZ and VPN access to the inside network to my ASA5510 configuration, but I'm not sure about the correct way to achieve my goal (I'm a newbie).

I'll rate your post and promise to send to the best answer a traditional Christmas gift from my country, I'm sure that you will be pleased with it!:)

Goal:

1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.

2- VPN access to inside network.

1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:

Access to EDGESRV from Internet (SMTP)

Access from EDGESRV to Internet (SMTP)

Access from internal network to EDGESRV ports: 25 (SMTP), 50389 (LDAP), 50636 (Secure LDAP) and port 3389 (TCP for terminal services)

ROUTER :

Interface Serial IP: 195.22.12.46/30

IP route 0.0.0.0 0.0.0.0 195.22.12.45

Interface Ethernet f0/0: IP 195.22.26.17/29 (connect to router)

ASA NETWORK

Interface External e0/0 :IP 195.22.26.18/29 (connect to router)

Interface internal: e0/1: IP 10.10.100.1 mask 255.255.252.0

Interface DMZ: e0/2 : IP 10.10.150.1 mask 255.255.255.0 (not implemented yet)


ASA Configuration (actual)

ASA Version 8.0(2)
!
interface Ethernet0/0
 nameif Interface_to_cisco_router
 security-level 0
 ip address 195.22.26.18 255.255.255.248
!
interface Ethernet0/1
 nameif Int_Internal_domain
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone WEST 0
clock summer-time WEDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Interface_to_cisco_router
dns domain-lookup Int_Internal_domain.com
dns server-group DefaultDNS
 name-server 195.22.0.136
 name-server 195.22.0.33
 domain-name domain.com
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list Interface_to_router_Cisco_access_in extended permit object-group TCPUDP any any eq domain
access-list Interface_to_router_Cisco_access_in extended permit tcp any any eq www
pager lines 24
logging list Registo_eventos_william level emergencies
logging list Registo_eventos_william level emergencies class vpn
logging asdm informational
logging recipient-address [email protected] level critical
mtu management 1500
mtu Interface_to_router_Cisco 1500
mtu Int_Internal_domain 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Interface_to_router_Cisco) 101 interface
nat (Int_Internal) 101 10.10.100.0 255.255.255.0
nat (Int_Internal) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
access-group Interface_to_router_Cisco_access_in in interface Interface_to_router_Cisco
route Interface_to_router_Cisco 0.0.0.0 0.0.0.0 195.22.26.17 1
access-list Int_Internal_access_in extended permit tcp any any
access-list Int_Internal_access_in extended permit udp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.100.0 255.255.255.0 Int_Internal_domain
http 10.10.10.0 255.255.255.0 management
http 195.22.26.16 255.255.255.248 Interface_to_router_Cisco
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
...


Kind Regards

MP
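Before adding interfaces to a config like the one pasted above, it is worth running a mechanical check over it: as pasted, the names that `nat`, `global`, `mtu`, `access-group` and `route` refer to (`Interface_to_router_Cisco`, `Int_Internal`) are not the names the `nameif` lines define (`Interface_to_cisco_router`, `Int_Internal_domain`), and the wide-open `Int_Internal_access_in` list is never bound with `access-group`. The script below is an added example, not code from the thread or from Cisco; the config excerpt inside it is constructed from the poster's paste, and the regexes cover only the ASA 8.0 command forms that appear in that paste.

```python
"""Lint an ASA 8.0 running-config for problems a reviewer would catch before
adding a DMZ. Added example, not from the thread or from Cisco. Checks that
every interface name used by mtu/global/nat/static/access-group/route/http is
defined by a nameif, lists access-lists no access-group applies, and flags
'permit <proto> any any' entries with no port restriction."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the poster's config, interface names exactly as pasted.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Interface_to_cisco_router
 security-level 0
 ip address 195.22.26.18 255.255.255.248
interface Ethernet0/1
 nameif Int_Internal_domain
 security-level 100
 ip address 10.10.100.1 255.255.255.0
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
mtu Interface_to_router_Cisco 1500
mtu Int_Internal_domain 1500
global (Interface_to_router_Cisco) 101 interface
nat (Int_Internal) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
access-group Interface_to_router_Cisco_access_in in interface Interface_to_router_Cisco
route Interface_to_router_Cisco 0.0.0.0 0.0.0.0 195.22.26.17 1
access-list Interface_to_router_Cisco_access_in extended permit tcp any any eq www
access-list Int_Internal_access_in extended permit tcp any any
http 10.10.100.0 255.255.255.0 Int_Internal_domain
"""

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
# Commands that name an interface; every capture group holds a name.
REF_RES = [
    re.compile(r"^\s*(?:mtu|route)\s+(\S+)"),
    re.compile(r"^\s*(?:global|nat)\s+\(\s*(\S+?)\s*\)"),
    re.compile(r"^\s*static\s+\(\s*(\S+?)\s*,\s*(\S+?)\s*\)"),
    re.compile(r"^\s*access-group\s+\S+\s+(?:in|out)\s+interface\s+(\S+)"),
    re.compile(r"^\s*http\s+\S+\s+\S+\s+(\S+)"),
]
# access-list <name> extended|standard <action> <rest>
ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s+(?:extended|standard)\s+(\S+)(.*)$")
ACCESS_GROUP_RE = re.compile(r"^\s*access-group\s+(\S+)\s")


def defined_interfaces(config: str) -> Set[str]:
    return {m.group(1) for line in config.splitlines() if (m := NAMEIF_RE.match(line))}


def undefined_references(config: str) -> Dict[str, List[int]]:
    """Interface names that are used but never defined, with the lines using them."""
    defined = defined_interfaces(config)
    missing: Dict[str, List[int]] = {}
    for lineno, line in enumerate(config.splitlines(), 1):
        for pat in REF_RES:
            m = pat.match(line)
            if m:
                for name in m.groups():
                    if name not in defined:
                        missing.setdefault(name, []).append(lineno)
                break
    return missing


def unapplied_acls(config: str) -> Set[str]:
    """Access-lists that exist but are not bound to any interface."""
    lines = config.splitlines()
    defined = {m.group(1) for l in lines if (m := ACL_RE.match(l))}
    applied = {m.group(1) for l in lines if (m := ACCESS_GROUP_RE.match(l))}
    return defined - applied


def wide_open_entries(config: str) -> List[Tuple[str, str, int]]:
    """(acl name, protocol, line) for each 'permit <proto> any any' with no port."""
    found = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = ACL_RE.match(line)
        if m and m.group(2) == "permit":
            rest = re.fullmatch(r"\s*(\S+)\s+any\s+any\s*", m.group(3))
            if rest:
                found.append((m.group(1), rest.group(1), lineno))
    return found


def report(config: str) -> List[str]:
    out = [f"interface '{n}' used on lines {ls} but no nameif defines it"
           for n, ls in undefined_references(config).items()]
    out += [f"access-list '{n}' is defined but never applied with access-group"
            for n in sorted(unapplied_acls(config))]
    out += [f"line {ln}: access-list '{n}' permits {p} any any with no port restriction"
            for n, p, ln in wide_open_entries(config)]
    return out


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Run it on a full `show running-config` paste rather than the excerpt; the same checks apply to the `static` lines added for the DMZ, which is where a mistyped interface name most often ends up.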


JORGE RODRIGUEZ Sun, 11/30/2008 - 14:53

Mario,


I think you have much more to go, but this is a start; I don't think I have covered everything. Others in NetPro may add to this.


1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.


Use this example, Configuring Mail server on DMZ http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml



2- VPN access to inside network.


You can configure RA VPN server using/creating in ASA5510 Local user database


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

or configure RA VPN server using IAS RADIUS-Windows AD for authentication

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml


1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:

Access to EDGESRV from Internet (SMTP)

 Access from EDGESRV to internet (SMTP)

Access from internal network to EDGESRV ports: 25 (SMTP), 50389 (LDAP), 50636 (Secure LDAP) and port 3389 (TCP for terminal services)



-Access to EDGESRV from internet on port SMTP: if you have a spare public IP you can create a one-to-one NAT for this server and create inbound access rules to allow access on SMTP from the outside internet.

If you do not have spare public IPs for a one-to-one NAT on this server you can use ASA outside interface static PAT.

Example (the real server address in angle brackets is a placeholder):

static (dmz,outside) tcp interface smtp <EDGESRV-dmz-ip> smtp netmask 255.255.255.255



-Access from EDGESRV to internet (SMTP)


You need to PAT the DMZ network if EDGESRV does not have a one-to-one static NAT.


typical scenario


global (outside) 101 interface
nat (dmz) 101 0 0

or, for the server only (angle brackets are a placeholder):

nat (dmz) 101 <EDGESRV-dmz-ip> 255.255.255.255


Also for the mail server: if you are using a DNS server from your inside network you need an ACL to allow traffic from the mail server in the DMZ to the DNS server in the inside network.


-Access from internal network to EDGESRV ports: 25 (SMTP), 50389 (LDAP), 50636 (Secure LDAP) and port 3389 (TCP for terminal services)


From low sec level 0 to high sec level access is permitted by default; you do however need to create a static NAT to allow comm between inside and DMZ.


In your scenario, if you have 192.168.1.0/24 for the inside interface network you would then create something like this:


static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0



Observation -


I see you have interface Ethernet0/2 free. I assume you will probably be using this interface for your DMZ; I would advise using subinterfaces with dot1q in order to scale your DMZs in the future.


Look at this link for reference on working with subinterfaces:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html


Rgds

Jorge


MARIO PAIVA Mon, 12/01/2008 - 07:37

Hi Jorge


Thanks for your detailed answer.

So here are my issues:

Access to EDGESRV from internet on port SMTP: if you have a spare public IP you can create a one-to-one NAT for this server and create inbound access rules to allow access on SMTP from the outside internet.

Yes I do have spare public IP, so which is the correct config for this scenario:

Spare IP Address: 195.22.26.19 mask - 255.255.255.248.

So the Interface DMZ: e0/2 will be : xxx.xxx.xxx.xxx ?

And the IP address for the Server?


Thanks in advance for your cooperation.


Kind Regards

MP


JORGE RODRIGUEZ Mon, 12/01/2008 - 09:46

You need to create dot1q trunking between ASA Ethernet0/2 and your DMZ switch in order to create subinterfaces in the ASA and the respective VLANs in the switch.


For example, say you call the DMZ network DMZ1 and give it VLAN 100 in the switch.


1 - In the DMZ switch create the VLAN for DMZ1


First allocate a port on the DMZ switch to connect to the ASA E0/2 interface; say you have a 3550 switch and picked port 48 for the trunk port.


switch#vlan database
switch(vlan)#vlan 100 name DMZ1_10.10.150.0/24
switch(vlan)#exit

switch#configure terminal
switch(config)#interface fastethernet0/48
switch(config-if)#description Connection to ASA Ethernet0/2
switch(config-if)#switchport trunk encapsulation dot1q
switch(config-if)#switchport mode trunk
switch(config-if)#switchport trunk allowed vlan 100,200,300
switch(config-if)#speed 100
switch(config-if)#duplex full
switch(config-if)#exit


Then allocate a port on the switch for your mail server and put it in VLAN 100.


etc..


On the ASA:


asa(config)#interface ethernet0/2
asa(config-if)#speed 100
asa(config-if)#duplex full
asa(config-if)#no shutdown
asa(config-if)#exit

asa(config)#interface ethernet0/2.100
asa(config-subif)#vlan 100
asa(config-subif)#description DMZ1_NETwork
asa(config-subif)#nameif DMZ1
asa(config-subif)#security-level 50
asa(config-subif)#ip address 10.10.150.1 255.255.255.0



If in future you need to create another DMZ network, simply repeat the above process with a different VLAN number and allow the new VLAN on the switch trunk port.


Yes I do have spare public IP, so which is the correct config for this scenario:

Spare IP Address: 195.22.26.19 mask - 255.255.255.248.

So the Interface DMZ: e0/2 will be : xxx.xxx.xxx.xxx ?

And the IP address for the Server?


For your mail server the static will look like this, assuming 10.10.150.100/24 is your mail server IP:


static (DMZ1,outside) 195.22.26.19 10.10.150.100 netmask 255.255.255.255


Then create inbound access rules with the appropriate TCP ports.




HTH

Jorge

PLS rate any helpful post
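The two replies above describe the pieces (security levels, a static for the mail server, an inbound rule on the outside interface, an ACL on the DMZ for DNS towards the inside) without showing whether the combination actually yields the flows Mario listed and nothing more. The model below is an added example, not code from the thread or from Cisco. It encodes the ASA 8.0 behaviour the replies rely on: an interface with an inbound ACL is governed by that ACL alone (first match wins, implicit deny at the end); an interface with no ACL forwards only towards a lower security level; and for a packet arriving on the outside, the ACL is matched against the mapped address of the static, which is then untranslated to pick the egress interface. NAT is modelled only as address rewriting, not `nat-control`. The inside DNS host 10.10.100.10, the admin PC 10.10.100.20, the Internet addresses, and the DMZ ACL contents are constructed for the example; the inside subnet follows the question's 255.255.252.0 mask.

```python
"""Check the planned ASA 8.0 DMZ policy against the flows the question asks
for. Added example, not from the thread or from Cisco; see the lead-in for the
modelling assumptions and the constructed hosts."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                     # "any", "host A.B.C.D" or a CIDR
    dst: str
    dport: Optional[int] = None  # None matches every destination port


@dataclass
class Interface:
    name: str
    security_level: int
    network: str                     # directly connected subnet
    acl: Optional[List[Ace]] = None  # inbound ACL bound with access-group, or None


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec)


def ace_matches(ace: Ace, src: str, dst: str, proto: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return _addr_match(ace.src, src) and _addr_match(ace.dst, dst)


class Asa:
    def __init__(self, interfaces: List[Interface], default_if: str,
                 statics: List[Tuple[str, str, str, str]]):
        self.interfaces = {i.name: i for i in interfaces}
        self.default_if = default_if  # interface the default route points out of
        self.statics = statics        # (real_if, mapped_if, real_ip, mapped_ip)

    def interface_for(self, addr: str) -> Interface:
        for i in self.interfaces.values():
            if ip_address(addr) in ip_network(i.network):
                return i
        return self.interfaces[self.default_if]

    def untranslate(self, ingress: str, dst: str) -> str:
        for _real_if, mapped_if, real_ip, mapped_ip in self.statics:
            if mapped_if == ingress and mapped_ip == dst:
                return real_ip
        return dst

    def evaluate(self, src: str, dst: str, proto: str, dport: int) -> Tuple[bool, str]:
        ingress = self.interface_for(src)
        egress = self.interface_for(self.untranslate(ingress.name, dst))
        hop = f"{ingress.name}({ingress.security_level})->{egress.name}({egress.security_level})"
        if ingress.acl is not None:  # an applied ACL replaces the security-level default
            for n, ace in enumerate(ingress.acl, 1):
                if ace_matches(ace, src, dst, proto, dport):
                    return ace.action == "permit", f"{hop}: {ingress.name} ACL line {n} {ace.action}"
            return False, f"{hop}: {ingress.name} ACL implicit deny"
        if ingress.security_level > egress.security_level:
            return True, f"{hop}: permitted by security level, no ACL applied"
        return False, f"{hop}: low-to-high with no permitting ACL"


EDGESRV, EDGESRV_PUBLIC, INSIDE_DNS = "10.10.150.100", "195.22.26.19", "10.10.100.10"

PLANNED = Asa(
    interfaces=[
        Interface("outside", 0, "195.22.26.16/29", acl=[
            Ace("permit", "tcp", "any", f"host {EDGESRV_PUBLIC}", 25),
        ]),
        Interface("inside", 100, "10.10.100.0/22"),  # no ACL: high-to-low allowed by default
        Interface("DMZ1", 50, "10.10.150.0/24", acl=[
            Ace("permit", "udp", f"host {EDGESRV}", f"host {INSIDE_DNS}", 53),
            Ace("deny", "ip", "any", "10.10.100.0/22"),  # nothing else DMZ -> inside
            Ace("permit", "tcp", f"host {EDGESRV}", "any", 25),
        ]),
    ],
    default_if="outside",
    statics=[("DMZ1", "outside", EDGESRV, EDGESRV_PUBLIC)],  # static (DMZ1,outside) ...
)

# Flows from the question plus two that must be refused (constructed labels/hosts).
FLOWS = {
    "internet->EDGESRV smtp": ("203.0.113.5", EDGESRV_PUBLIC, "tcp", 25),
    "internet->EDGESRV rdp": ("203.0.113.5", EDGESRV_PUBLIC, "tcp", 3389),
    "EDGESRV->internet smtp": (EDGESRV, "198.51.100.25", "tcp", 25),
    "EDGESRV->inside dns": (EDGESRV, INSIDE_DNS, "udp", 53),
    "EDGESRV->inside rdp": (EDGESRV, "10.10.100.20", "tcp", 3389),
    "inside->EDGESRV ldaps": ("10.10.100.20", EDGESRV, "tcp", 50636),
    "inside->EDGESRV rdp": ("10.10.100.20", EDGESRV, "tcp", 3389),
}


def check_flows(asa: Asa = PLANNED) -> Dict[str, bool]:
    return {label: asa.evaluate(*flow)[0] for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, flow in FLOWS.items():
        ok, why = PLANNED.evaluate(*flow)
        print(f"{'ALLOW' if ok else 'DENY ':5} {label:24} {why}")
```

The point the model makes visible is the DMZ ACL: once any ACL is bound inbound on DMZ1, the default permit from level 50 towards level 0 is gone, so the explicit `deny ip any 10.10.100.0/22` before the SMTP permit is what keeps a compromised edge server from reaching inside hosts on anything but DNS. Change the ACL order or drop the deny line and the `EDGESRV->inside rdp` flow flips to allowed.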

