Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
730
Views
10
Helpful
3
Replies

DMZ config! How to do? Easy question for experts! (ASA 5510

MARIO PAIVA
Level 1
Level 1

‎11-30-2008 11:43 AM - edited ‎02-21-2020 03:08 AM

Dear All

I would like to add a DMZ and VPN to inside network to my ASA5510 configuration, but I'm not sure about the correct way to achieve my goal (I'm a newbie).

I'll rate your post and promise to send to the best answer a traditional Christmas gift from my country, I'm sure that you will be pleased with it!:)

Goal:

1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.

2- VPN access to inside network.

1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:

Access to EDGESRV from Internet (SMTP)

 Access from EDGESRV to internet (SMTP)

 Access from internal network to EDGSRV ports: 25(SMTP), 50389 (Ldap), 50636(Secure Ldap) and port 3389 (TCP for terminal services)

ROUTER :

Interface Serial IP: 195.22.12.46/30

IP route 0.0.0.0 0.0.0.0 195.22.12.45

Interface Ethernet f0/0: IP 195.22.26.17/29 (connect to router)

ASA NETWORK

Interface External e0/0 :IP 195.22.26.18/29 (connect to router)

Interface internal: e0/1: IP 10.10.100.1 mask 255.255.252.0

Interface DMZ: e0/2 : IP 10.10.150.1 mask 255.255.255.0 (not implemented yet)

ASA Configuration (actual)

ASA Version 8.0(2)

!

interface Ethernet0/0

nameif Interface_to_cisco_router

security-level 0

ip address 195.22.26.18 255.255.255.248

!

interface Ethernet0/1

nameif Int_Internal_domain

security-level 100

ip address 10.10.100.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd xxxxxxxxxxxxx encrypted

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone WEST 0

clock summer-time WEDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup Interface_to_cisco_router

dns domain-lookup Int_Internal_domain.com

dns server-group DefaultDNS

name-server 195.22.0.136

name-server 195.22.0.33

domain-name domain.com

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list Interface_to_router_Cisco_access_in extended permit object-group TCPUDP any any eq domain

access-list Interface_to_router_Cisco_access_in extended permit tcp any any eq www

pager lines 24

logging list Registo_eventos_william level emergencies

logging list Registo_eventos_william level emergencies class vpn

logging asdm informational

logging recipient-address william@domain.com level critical

mtu management 1500

mtu Interface_to_router_Cisco 1500

mtu Int_Internal_domain 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (Interface_to_router_Cisco) 101 interface

nat (Int_Internal) 101 10.10.100.0 255.255.255.0

nat (Int_Internal) 101 0.0.0.0 0.0.0.0

nat (management) 101 0.0.0.0 0.0.0.0

access-group Interface_to_router_Cisco_access_in in interface Interface_to_router_Cisco

route Interface_to_router_Cisco 0.0.0.0 0.0.0.0 195.22.26.17 1

access-list Int_Internal_access_in extended permit tcp any any

access-list Int_Internal_access_in extended permit udp any any

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.10.100.0 255.255.255.0 Int_Internal_domain

http 10.10.10.0 255.255.255.0 management

http 195.22.26.16 255.255.255.248 Interface_to_router_Cisco

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

....

Kind Regards

MP

0 Helpful
3 Replies 3

JORGE RODRIGUEZ
Level 10
Level 10

‎11-30-2008 02:53 PM

Mario,

I think you have much more to go but this is a start, I don't think I have cover everything .. others in netpro may add to this.

1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.

Use this example, Configuring Mail server on DMZ http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

2- VPN access to inside network.

You can configure RA VPN server using/creating in ASA5510 Local user database

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

or configure RA VPN server using IAS RADIUS-Windows AD for authentication

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:

Access to EDGESRV from Internet (SMTP)

 Access from EDGESRV to internet (SMTP)

 Access from internal network to EDGSRV ports: 25(SMTP), 50389 (Ldap), 50636(Secure Ldap) and port 3389 (TCP for terminal services)

-Access to EDGESRV from internet on port smtp if you have spare public IP you can create a one-to-one NAT for this server and create

inbound access rules to allow access on SMPT from outside internet.

If you do not have spare public IPs for a one-to-one nat on this server you can use ASA outside interface static PAT.

Example : static (dmz,outside) tcp interface smtp netmask 255.255.255.255

-Access from EDGESRV to internet (SMTP)

You need to PAT DMZ network, if EDGESRV does not have one-to-one static NAT

typical scenario

global (outside ) 101 interface

nat (dmz ) 101 0 0

or

nat (dmz) 101 <255.255.255.255>

also for the MAIL Server, if you are using DNS server from your inside network you need acl to allow traffic from MAILserver DMZ to DNS in inside network.

-Access from internal network to EDGSRV ports: 25(SMTP), 50389 (Ldap), 50636(Secure Ldap) and port 3389 (TCP for terminal services)

from low sec level 0 to high sec level access is permited by default, you do however need to create static nat to allow comm between inside and dmz

in your scenario if you have 192.168.1.0/24 for inside interface network you would then create something like this.

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Observation -

I see you have interface Ethernet0/2 free, I assume you will probably be using this interface for your DMZ, I would advice to use subinterfaces and use dot1q in order to scale your DMZs in the future.

Look this link for reference on working with subinterfaces

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html

Rgds

Jorge

Jorge Rodriguez

MARIO PAIVA
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎12-01-2008 07:37 AM

Hi Jorge

Thanks for your detailed answer.

So here are my issues:

Access to EDGESRV from internet on port smtp if you have spare public IP you can create a one-to-one NAT for this server and create

inbound access rules to allow access on SMPT from outside internet.

Yes I do have spare public IP, so which is the correct config for this scenario:

Spare IP Address: 195.22.26.19 mask - 255.255.255.248.

So the Interface DMZ: e0/2 will be : xxx.xxx.xxx.xxx ?

And the IP address for the Server?

Thanks in advance for your cooperation.

Kind Regards

MP

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to MARIO PAIVA

‎12-01-2008 09:46 AM

You need to creatre dot1q trunking between asa ethernet0/2 and your DMZ switch in order to create subinterfaces in ASA and respective VLANs in switch

for example: say you call DMZ network DMZ1 and give it VLAN 100 in switch

1 - In dmz switch create vlan for DMZ1

first allocate a port on DMZ switch to connect to ASA E0/2 interface, say you have 3550 switch and picked port 48 for trunk port.

switch#vlan database

switch#vlan 100 name DMZ1_10.10.150.0/24

switch(config)#interface fe0/48

switch(config-if)#Description Connection to ASAFe0/2

switch(config-if)#Switchport trunk encapsulation dot1q

switch(config-if)#switch port mode trunk

switch(config-if)#switchport trunk allowed vlan 100,200,300 etc...

switch(config-if)#speed 100

switch(config-if)#duplex full

switch(config)#exit

then allocate a port on the switch for your MAIL server and put it in VLAN 100

etc..

on asa

asa(config)#interface ethernet0/2

asa(config-if)#no shutdown

asa(config-if)#speed 100

asa(config-if)#duplex full

asa(config-if)#no shutdown

asa(config-if)#exit

asa(config)# interface ethernet0/2.100

asa(config-subif)# vlan 100

asa(config-subif)#Description DMZ1_NETwork

asa(config-subif)#nameif DMZ1

asa(config-subif)#security-level 50

asa(config-subif)#ip address 10.10.150.1 255.255.255.0

if in future you need to create another DMZ network simply iterate the above process

for for different vlan# and allow new vlan in switch trunk port.

Yes I do have spare public IP, so which is the correct config for this scenario:

Spare IP Address: 195.22.26.19 mask - 255.255.255.248.

So the Interface DMZ: e0/2 will be : xxx.xxx.xxx.xxx ?

And the IP address for the Server?

for your Mail server your static will look as: assuming 10.10.150.100/24 is your mail server IP.

static (DMZ1,outside) 195.22.26.19 10.10.150.100 netmask 255.255.255.255

then create inbound access rules with appropriate tcp ports .

HTH

Jorge

PLS rate any helpful post

Jorge Rodriguez
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card