11-30-2008 11:43 AM - edited 02-21-2020 03:08 AM
Dear All
I would like to add a DMZ and VPN access to the inside network to my ASA5510 configuration, but I'm not sure about the correct way to achieve my goal (I'm a newbie).
I'll rate your post and promise to send the best answer a traditional Christmas gift from my country; I'm sure that you will be pleased with it! :)
Goal:
1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.
2- VPN access to inside network.
1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:
- Access to EDGESRV from the Internet (SMTP)
- Access from EDGESRV to the Internet (SMTP)
- Access from the internal network to EDGESRV on ports 25 (SMTP), 50389 (LDAP), 50636 (secure LDAP) and 3389 (TCP, terminal services)
ROUTER:
Interface Serial IP: 195.22.12.46/30
ip route 0.0.0.0 0.0.0.0 195.22.12.45
Interface Ethernet f0/0: IP 195.22.26.17/29 (connect to router)
ASA NETWORK
Interface External e0/0: IP 195.22.26.18/29 (connect to router)
Interface internal: e0/1: IP 10.10.100.1 mask 255.255.252.0
Interface DMZ: e0/2 : IP 10.10.150.1 mask 255.255.255.0 (not implemented yet)
ASA Configuration (current)
ASA Version 8.0(2)
!
interface Ethernet0/0
nameif Interface_to_router_Cisco
security-level 0
ip address 195.22.26.18 255.255.255.248
!
interface Ethernet0/1
nameif Int_Internal_domain
security-level 100
ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxxxxxxxxxxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone WEST 0
clock summer-time WEDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Interface_to_cisco_router
dns domain-lookup Int_Internal_domain
dns server-group DefaultDNS
name-server 195.22.0.136
name-server 195.22.0.33
domain-name domain.com
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Interface_to_router_Cisco_access_in extended permit object-group TCPUDP any any eq domain
access-list Interface_to_router_Cisco_access_in extended permit tcp any any eq www
pager lines 24
logging list Registo_eventos_william level emergencies
logging list Registo_eventos_william level emergencies class vpn
logging asdm informational
logging recipient-address william@domain.com level critical
mtu management 1500
mtu Interface_to_router_Cisco 1500
mtu Int_Internal_domain 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Interface_to_router_Cisco) 101 interface
nat (Int_Internal_domain) 101 10.10.100.0 255.255.255.0
nat (Int_Internal_domain) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
access-group Interface_to_router_Cisco_access_in in interface Interface_to_router_Cisco
route Interface_to_router_Cisco 0.0.0.0 0.0.0.0 195.22.26.17 1
access-list Int_Internal_access_in extended permit tcp any any
access-list Int_Internal_access_in extended permit udp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.100.0 255.255.255.0 Int_Internal_domain
http 10.10.10.0 255.255.255.0 management
http 195.22.26.16 255.255.255.248 Interface_to_router_Cisco
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
....
Kind Regards
MP
11-30-2008 02:53 PM
Mario,
I think you have much more to go, but this is a start; I don't think I have covered everything. Others in NetPro may add to this.
1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.
Use this example, Configuring Mail server on DMZ http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml
2- VPN access to inside network.
You can configure an RA VPN server using the ASA5510 local user database:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
or configure the RA VPN server using IAS RADIUS / Windows AD for authentication.
1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:
- Access to EDGESRV from the Internet (SMTP)
- Access from EDGESRV to the Internet (SMTP)
- Access from the internal network to EDGESRV on ports 25 (SMTP), 50389 (LDAP), 50636 (secure LDAP) and 3389 (TCP, terminal services)
- Access to EDGESRV from the Internet on port smtp: if you have a spare public IP you can create a one-to-one NAT for this server and create
inbound access rules to allow access on SMTP from the outside Internet.
If you do not have spare public IPs for a one-to-one NAT on this server, you can use static PAT on the ASA outside interface.
Example: static (dmz,outside) tcp interface smtp <EDGESRV_real_ip> smtp netmask 255.255.255.255
- Access from EDGESRV to the Internet (SMTP)
You need to PAT the DMZ network if EDGESRV does not have a one-to-one static NAT.
Typical scenario:
global (outside) 101 interface
nat (dmz) 101 0 0
or
nat (dmz) 101 0.0.0.0 0.0.0.0
Also, for the mail server: if you are using a DNS server on your inside network you need an ACL to allow traffic from the mail server in the DMZ to the DNS server on the inside network.
- Access from the internal network to EDGESRV on ports 25 (SMTP), 50389 (LDAP), 50636 (secure LDAP) and 3389 (TCP, terminal services)
From low security level 0 to high security level, access is permitted by default; you do, however, need to create a static NAT to allow communication between inside and DMZ.
In your scenario, if you have 192.168.1.0/24 for the inside interface network, you would then create something like this:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Observation:
I see you have interface Ethernet0/2 free. I assume you will probably be using this interface for your DMZ; I would advise using subinterfaces and dot1q in order to scale your DMZs in the future.
Look at this link for reference on working with subinterfaces:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html
Rgds
Jorge
12-01-2008 07:37 AM
Hi Jorge
Thanks for your detailed answer.
So here are my issues:
Access to EDGESRV from the Internet on port smtp: if you have a spare public IP you can create a one-to-one NAT for this server and create
inbound access rules to allow access on SMTP from the outside Internet.
Yes, I do have a spare public IP, so which is the correct config for this scenario?
Spare IP Address: 195.22.26.19 mask - 255.255.255.248.
So the DMZ interface e0/2 will be: xxx.xxx.xxx.xxx ?
And the IP address for the server?
Thanks in advance for your cooperation.
Kind Regards
MP
12-01-2008 09:46 AM
You need to create dot1q trunking between ASA Ethernet0/2 and your DMZ switch in order to create subinterfaces on the ASA and the respective VLANs on the switch.
For example, say you call the DMZ network DMZ1 and give it VLAN 100 on the switch.
1 - On the DMZ switch, create the VLAN for DMZ1.
First allocate a port on the DMZ switch to connect to the ASA E0/2 interface; say you have a 3550 switch and picked port 48 for the trunk port.
switch#configure terminal
switch(config)#vlan 100
switch(config-vlan)#name DMZ1
switch(config-vlan)#exit
switch(config)#interface fastethernet0/48
switch(config-if)#description Connection to ASA E0/2
switch(config-if)#switchport trunk encapsulation dot1q
switch(config-if)#switchport mode trunk
switch(config-if)#switchport trunk allowed vlan 100
switch(config-if)#speed 100
switch(config-if)#duplex full
switch(config-if)#exit
Then allocate a port on the switch for your mail server and put it in VLAN 100, etc.
On the ASA:
asa(config)#interface ethernet0/2
asa(config-if)#speed 100
asa(config-if)#duplex full
asa(config-if)#no shutdown
asa(config-if)#exit
asa(config)#interface ethernet0/2.100
asa(config-subif)#vlan 100
asa(config-subif)#description DMZ1_Network
asa(config-subif)#nameif DMZ1
asa(config-subif)#security-level 50
asa(config-subif)#ip address 10.10.150.1 255.255.255.0
If in future you need to create another DMZ network, simply repeat the above process
with a different VLAN number and allow the new VLAN on the switch trunk port.
Yes, I do have a spare public IP, so which is the correct config for this scenario?
Spare IP Address: 195.22.26.19 mask 255.255.255.248.
So the DMZ interface e0/2 will be: xxx.xxx.xxx.xxx ?
And the IP address for the server?
For your mail server the static will look like this, assuming 10.10.150.100/24 is your mail server IP:
static (DMZ1,outside) 195.22.26.19 10.10.150.100 netmask 255.255.255.255
Then create inbound access rules with the appropriate TCP ports.
HTH
Jorge
Please rate any helpful post.
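The two replies above cover the pieces one at a time (static NAT, PAT, the inside-to-DMZ static, the dot1q subinterface). Below is an added example, not from either poster, that puts them together against the interface names in MP's posted 8.0(2) config. The NAT lines use the pre-8.3 static/nat/global syntax of that release; they do not carry over to 8.3 and later, where the NAT model changed. It assumes EDGESRV is 10.10.150.100 with 195.22.26.19 as its public address, that the inside network is 10.10.100.0/24 as in the posted config, and that EDGESRV resolves names through the same resolvers the ASA uses (195.22.0.136 and 195.22.0.33); if it uses an internal DNS server instead, permit udp/53 to that inside host in the DMZ ACL in place of those two lines. One point worth being precise about, since it decides which ACLs are needed: on the ASA, traffic from a higher security-level interface to a lower one is allowed by default, and lower to higher is denied unless an ACL on the lower interface permits it. So inside (100) already reaches DMZ1 (50) once the identity static exists, DMZ1 already reaches the outside (0), and the Internet reaches EDGESRV only through the outside ACL. The DMZ ACL is there to pin EDGESRV's outbound traffic down to SMTP and DNS and to keep a compromised Edge server from reaching the inside network.

```cisco
! Added example (not from the original posts): ASA 8.0(2) DMZ build-out for EDGESRV.
! Assumed values, not stated in the thread: EDGESRV real 10.10.150.100, mapped 195.22.26.19,
! DMZ1 on VLAN 100, resolvers 195.22.0.136 and 195.22.0.33.
!
! 1. DMZ subinterface, dot1q VLAN 100 towards the DMZ switch
interface Ethernet0/2
 no shutdown
!
interface Ethernet0/2.100
 vlan 100
 nameif DMZ1
 security-level 50
 ip address 10.10.150.1 255.255.255.0
!
! 2. The four inside-to-EDGESRV ports MP listed, grouped so the ACL stays readable
object-group service EDGESRV_from_inside tcp
 port-object eq smtp
 port-object eq 50389
 port-object eq 50636
 port-object eq 3389
!
! 3. One-to-one static NAT: (real_ifc,mapped_ifc) mapped_ip real_ip
!    195.22.26.19 is inside the outside /29, so the ASA proxy-ARPs for it; no route needed.
static (DMZ1,Interface_to_router_Cisco) 195.22.26.19 10.10.150.100 netmask 255.255.255.255
!
! 4. Identity static so inside hosts reach EDGESRV by its real address
static (Int_Internal_domain,DMZ1) 10.10.100.0 10.10.100.0 netmask 255.255.255.0
!
! 5. Outside ACL (already applied in MP's config): add only SMTP to the mapped address
access-list Interface_to_router_Cisco_access_in extended permit tcp any host 195.22.26.19 eq smtp
!
! 6. DMZ ACL: EDGESRV may send mail and resolve names, nothing else, and never reach inside.
!    Without this ACL, level 50 -> 0 is wide open by default.
access-list DMZ1_access_in extended permit tcp host 10.10.150.100 any eq smtp
access-list DMZ1_access_in extended permit udp host 10.10.150.100 host 195.22.0.136 eq domain
access-list DMZ1_access_in extended permit udp host 10.10.150.100 host 195.22.0.33 eq domain
! If EDGESRV has to deliver inbound mail to an internal Hub Transport server,
! one permit tcp host 10.10.150.100 host <hub_ip> eq smtp belongs here, before the deny.
access-list DMZ1_access_in extended deny ip any 10.10.100.0 255.255.255.0
access-list DMZ1_access_in extended deny ip any any log
access-group DMZ1_access_in in interface DMZ1
!
! 7. Inside ACL, new name on purpose: MP's unapplied Int_Internal_access_in already holds
!    "permit tcp any any" / "permit udp any any", which would precede and defeat these lines.
!    Inside keeps its Internet access; inside -> EDGESRV is limited to the four ports.
access-list Inside_access_in extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.150.100 object-group EDGESRV_from_inside
access-list Inside_access_in extended deny ip any 10.10.150.0 255.255.255.0
access-list Inside_access_in extended permit ip 10.10.100.0 255.255.255.0 any
access-group Inside_access_in in interface Int_Internal_domain
```

To check it without waiting for real mail, run packet-tracer from the ASA CLI (available since 7.2): "packet-tracer input Interface_to_router_Cisco tcp 198.51.100.10 40000 195.22.26.19 25" should show the outside ACL permitting, the static untranslating to 10.10.150.100 and the packet leaving on DMZ1, while "packet-tracer input DMZ1 tcp 10.10.150.100 40000 10.10.100.50 445" (10.10.100.50 being any sample inside host) should be dropped by DMZ1_access_in. "show xlate" confirms the 195.22.26.19 <-> 10.10.150.100 translation and "show access-list DMZ1_access_in" shows the hit counts on the deny lines once the server is live.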