ASA5505 Setup Questions

vbdotnetman
Level 1

I've come to the conclusion that Cisco should rename their “Cisco ASA 5505 Getting Started Guide” to “Cisco ASA 550 A Guide To Spending A Lot Of Money And Receive Utter Frustration In Return”. Nothing in this manual is consistent. On one page they use one set of IP addresses and on another they use something totally different. I'm not sure what IP addresses to place where anymore… I'm beginning to wonder about Cisco's ability to provide quality documentation. Anyway, I didn't mean to vent here but I am totally frustrated…..

On with the problem at hand……

I have 3 PCs. Two are on the inside network and one in the dmz which acts as a Web/E-Mail server. I use an ISP which provides a public internet address of let's say 216.130.17.10 via DHCP. I also have a base license for the ASA 5505 so I realize the dmz cannot initiate any contact with the inside vlan but the inside vlan can talk to the dmz vlan. Oh, also I'm using the ASDM interface.

Question 1: Does the dmz have to have a separate public ip address provided by the ISP?

Question 2: How do you do port forwarding on this thing? I'd like to forward the web and mail server ports to the dmz.

Any help with this would be greatly appreciated…..

Best Regards

Accepted Solution

Well at least we are making some progress :-)

You have this statement -

static (dmz,inside) 192.168.8.2 xx.yyy.121.101 netmask 255.255.255.255

When you try to access from inside - what IP address are you using as the destination IP address ?

Jon


29 Replies

jkgraham40
Level 1

The ASA is a very flexible device. As you know the license you have is limiting. I am sorry to tell you that for what you want you will need good knowledge of address translation (NAT) and access control lists (ACL). These are topics in the configuration manual. If you continue to use ASDM before understanding these chapters you will only get more frustrated.

Question 1: Does the dmz have to have a separate public ip address provided by the ISP?

Answer: The ASA can answer for multiple IP addresses through the use of address translation. You can use one public address or many.

Question 2: How do you do port forwarding on this thing? I'd like to forward the web and mail server ports to the dmz.

Answer: Very basic answer... You must first create a NAT then an ACL to identify the proper traffic.

Hope this helps get you started.

I was hoping to get some simple explanations here, not to be sent back to the very manuals that caused the frustration. I understand what network translation and access lists are. What I'm asking is this:

Given the configuration I've explained above,

Question 1: Does the dmz have to have a separate public ip address provided by the ISP? Or do I just make up an address?

Question 2: How does port forwarding work on the ASA-5505?

Best Regards

Josh answered your questions quite well actually, and if you did understand translations and access lists I think you would be fine at the moment.

Please follow the link below and it should help clear up some things for you.

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/dmz.html

Well, where do I start.

Thank you for your reference to the manual I've already read it and followed to the letter.

It still does not work...

Instead of telling me what I don't know and sending me back to the manual I just used, a simple answer to the two questions would suffice?

Best Regards

I don't think there is anything wrong with the documentation; when I first started out that was what I used, but anyway..... how far have you reached with configuring the device? Can you post your config?

You do not need to make up any IP addresses because otherwise what you are doing would not work. You do not need to assign any public addresses to your dmz hosts or dmz interface. The translations that are done will make the hosts appear as if it has a public IP when in fact it does not.

Also based on the fact that your outside address is assigned via dhcp any translations (assuming you have some dynamic dns setup so that mail can come in regardless of the public IP) you do will have to contain the interface keyword and not an IP address for it to work, I think.

All you need is the translations from outside to dmz and an access-list permitting that traffic inbound on the outside interface. So what will happen is anyone that attempts to send mail to your public IP on port 25, the ASA will forward that traffic to the host on the dmz.

Hope this helps.

***Also I don't think what you want is gonna work with the base license, but then again I have never worked with one with a base license. I always ensure that it comes with a security plus license.***

Hi kwillacey,

Thank you so much for your time and response.

Right now I have 1 PC connected to the dmz via switch port 0/7 and if I do an IPCONFIG /ALL on that PC it shows a bogus IP address of 169.254.58.220 (this is not on my network or LAN).

As I understand it the 169.254.58.220 address is a bogus address generated by windows when it does not have access to the network/router.

I know this is not a proper address to use to properly configure my dmz, so what address do I use?

Thankful for your response

Best Regards

Confused

Jose

Use any private address space you like. I don't know what addresses your internal LAN is using, but as an example let's assign 192.168.5.0/24 to the DMZ.

On the ASA you will need to assign the DMZ interface an address from this range, so let's say 192.168.5.1

then you need to give your PC in the DMZ an address from that range, i.e.

PC address - 192.168.5.2

PC subnet mask - 255.255.255.0

PC Default gateway - 192.168.5.1

then to give access to this PC from the outside

static (DMZ,outside) tcp interface 25 192.168.5.2 25 netmask 255.255.255.255

static (DMZ,outside) tcp interface 80 192.168.5.2 80 netmask 255.255.255.255

then you need an access-list to allow this traffic from outside.

Jon

Hi Jon,

I now have internet access to the dmz but I'm having a little trouble with the access list.

I'm using ASDM and create a rule that says:

Interface: outside

Source: any

Destination: 192.168.5.2

Service: tcp/smtp

It generates:

access-list outside_access_in extended permit tcp any host 192.168.5.2 eq smtp

But I cannot access my email server on the dmz?

Best Regards

You can't use the private address as the destination because it is presented as the outside interface IP address of your ASA to the Internet. Try

access-list outside_access_in permit tcp any host eq smtp

Jon

I wonder if you can get around that because his outside IP address might change from time to time because it's via DHCP, I mean besides having your ISP reserve that address for you or getting a static one from them.

Maybe something like

access-list outside_access_in permit tcp any host dhcp-assigned-outside eq smtp

LOL I'm just messing around but it would be cool if that was possible though.

***Glad to see you got the dmz up***

I think you can and I was just about to update my previous post

access-list outside_access_in permit tcp any interface outside eq smtp

Jon

Jon,

I placed it into configuration as instructed, also did one for pop3, but still cannot retrieve my email from inside vlan pc?

Best Regards

You live and you learn, I never had a need to so I would have no clue.

Can you post your current config

Hi,

Below is a copy of the current configuration:

ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name my.domain.com
enable password ***** Taken out by me ***** encrypted
passwd ***** Taken out by me ***** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name my.domain.com
access-list outside_access_in extended permit tcp any host 98.122.121.101 eq smtp
access-list outside_access_in extended permit tcp any host 98.122.121.101 eq pop3
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,dmz) tcp 192.168.8.10 www 98.122.121.101 www netmask 255.255.255.255
static (outside,dmz) tcp 192.168.8.10 smtp 98.122.121.101 smtp netmask 255.255.255.255
static (outside,dmz) tcp 192.168.8.10 pop3 98.122.121.101 pop3 netmask 255.255.255.255
static (dmz,inside) interface 192.168.1.0 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 98.122.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum: ***** Taken out by me *****
: end
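The mechanics that Jon and kwillacey describe in their replies (a static whose mapped side is the outside interface, plus an ACL on outside that names the public address or "interface outside" rather than the private DMZ address) can be checked against the show run above, which has two visible problems: every static is written (outside,dmz) although the real server sits on dmz, and there is no access-group line binding outside_access_in to the outside interface. The block below is an added example written for this page, not code from the thread or from Cisco. It is a small model of the pre-8.3 ASA rule that the ingress ACL is matched against the untranslated (public) destination and the static is found by looking for one whose mapped side is the ingress interface. The interface names, the thread's 216.130.17.10 example address, Jon's 192.168.5.0/24 DMZ and the three config fragments are constructed; the static (dmz,inside) line assumes the box accepts the outside address as a mapped address on the inside side, which is the point the accepted solution is probing and which this model does not verify.

```python
# Added example (not from the thread): toy model of pre-8.3 ASA inbound handling.
# A port forward needs a static whose *mapped* side is the ingress interface AND an
# ACL on that interface that permits the UNtranslated (public) destination.
PORTS = {"smtp": 25, "pop3": 110, "www": 80}

def port_num(tok):
    return int(tok) if tok.isdigit() else PORTS[tok]

class Asa:
    # Parses only the 'static' / 'access-list' / 'access-group' subset used in this thread.
    def __init__(self, config, iface_ip, security):
        self.iface_ip, self.security = iface_ip, security  # nameif -> address / security-level
        self.statics, self.acls, self.groups = [], {}, {}
        for line in config.strip().splitlines():
            self._parse(line.split())

    def _parse(self, t):
        if not t or t[0] == "!":
            return
        if t[0] == "static":                         # static (real_ifc,mapped_ifc) ...
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):               # PAT form: proto mapped mport real rport
                proto, m_ip, m_port, r_ip, r_port = t[2], t[3], port_num(t[4]), t[5], port_num(t[6])
            else:                                    # one-to-one form: mapped real
                proto, m_ip, m_port, r_ip, r_port = "ip", t[2], None, t[3], None
            if m_ip == "interface":                  # tracks whatever DHCP handed the interface
                m_ip = self.iface_ip[mapped_ifc]
            self.statics.append((real_ifc, mapped_ifc, proto, m_ip, m_port, r_ip, r_port))
        elif t[0] == "access-list":
            name, i = t[1], 2
            if t[i] == "extended":
                i += 1
            action, proto, i = t[i], t[i + 1], i + 3  # t[i + 2] is the source ('any' here)
            dst = t[i + 1] if t[i] == "host" else self.iface_ip[t[i + 1]]  # 'host X' / 'interface NAME'
            port = port_num(t[i + 3]) if len(t) > i + 2 and t[i + 2] == "eq" else None
            self.acls.setdefault(name, []).append((action, proto, dst, port))
        elif t[0] == "access-group":                 # access-group NAME in interface IFC
            self.groups[t[4]] = t[1]

    def inbound(self, ingress, proto, dst_ip, dst_port):
        """Return (verdict, egress_ifc, real_ip, real_port) for a packet arriving on ingress."""
        hit = None
        for real_ifc, mapped_ifc, sproto, m_ip, m_port, r_ip, r_port in self.statics:
            if mapped_ifc == ingress and m_ip == dst_ip and (
                    sproto == "ip" or (sproto == proto and m_port == dst_port)):
                hit = (real_ifc, r_ip, dst_port if r_port is None else r_port)
                break
        if hit is None:                              # nat-control: no xlate, nothing is forwarded
            return ("no-xlate", None, None, None)
        egress, acl = hit[0], self.groups.get(ingress)
        if acl is None:                              # implicit rule: higher security -> lower only
            ok = self.security[ingress] > self.security[egress]
        else:                                        # the ACL sees the untranslated destination
            ok = False
            for action, aproto, dst, port in self.acls.get(acl, []):
                if aproto in (proto, "ip") and dst == dst_ip and port in (dst_port, None):
                    ok = action == "permit"
                    break
        return ("permit" if ok else "deny", egress, hit[1], hit[2])

# Constructed inputs: the thread's example public address and Jon's 192.168.5.0/24 DMZ.
IFACES = {"inside": "192.168.1.1", "dmz": "192.168.5.1", "outside": "216.130.17.10"}
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
WORKING = """
static (dmz,outside) tcp interface 25 192.168.5.2 25 netmask 255.255.255.255
static (dmz,inside) 216.130.17.10 192.168.5.2 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-group outside_access_in in interface outside
"""
# Mirrors the posted show run: static written (outside,dmz), and no access-group line.
REVERSED = """
static (outside,dmz) tcp 192.168.8.10 smtp 216.130.17.10 smtp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 216.130.17.10 eq smtp
"""
# Static corrected and ACL bound, but the ACL names the DHCP-learned address literally.
LITERAL = """
static (dmz,outside) tcp interface 25 192.168.5.2 25 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 216.130.17.10 eq smtp
access-group outside_access_in in interface outside
"""

def demo():
    good = Asa(WORKING, IFACES, SECURITY)
    release = dict(IFACES, outside="216.130.17.99")  # DHCP hands the outside a new lease
    no_group = LITERAL.replace("access-group", "! access-group")
    return {
        "smtp from internet": good.inbound("outside", "tcp", "216.130.17.10", 25),
        "smtp from inside via public ip": good.inbound("inside", "tcp", "216.130.17.10", 25),
        "reversed static": Asa(REVERSED, IFACES, SECURITY).inbound("outside", "tcp", "216.130.17.10", 25),
        "no access-group": Asa(no_group, IFACES, SECURITY).inbound("outside", "tcp", "216.130.17.10", 25),
        "new lease, interface keyword": Asa(WORKING, release, SECURITY).inbound("outside", "tcp", "216.130.17.99", 25),
        "new lease, literal ip in acl": Asa(LITERAL, release, SECURITY).inbound("outside", "tcp", "216.130.17.99", 25),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The two "new lease" cases are kwillacey's point about the DHCP-assigned outside address: with the interface keyword in both the static and the ACL the forward keeps working after the lease changes, while an ACL written against the literal address silently stops matching. On the real box, packet-tracer (introduced in 7.2) walks the same stages for a synthetic packet, for example packet-tracer input outside tcp 203.0.113.5 1025 <outside address> 25, and the first phase that reports DROP is the one to fix.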
