498 Views, 0 Helpful, 5 Replies

CISCO ASA 5520 configuration problems

mark.stclaire (Level 1)

Guys, I'm stuck and need as much help as possible, please. I'm from Guyana, South America. I have my ISP connected to one Cisco 2800 series router, connected to a Cisco ASA 5520 firewall, then to a Dell PowerConnect switch, then 9 small networks on Cisco 881 routers. Also from the ASA 5520 I have my servers connected as a DMZ. Now, what I want to accomplish is for my DMZ to have outbound and inbound access to the Internet, and for my small networks to reach the DMZ and also the Internet. Also VPN from remote networks to access the DMZ. Below is my current running-config on the ASA 5520.

ASA Version 7.2(4)
!
hostname POLICEWALL
domain-name GPF.LOCAL
enable password encrypted
passwd encrypted
names
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 100.100.100.1 255.255.255.252
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address 172.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name GPF.LOCAL
same-security-traffic permit intra-interface
object-group protocol ip-allow
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list OUTSIDE_access_in extended permit object-group ip-allow any 192.168.1.0 255.255.255.0
access-list OUTSIDE_access_in extended permit tcp any 192.168.1.0 255.255.255.0
access-list INSIDE_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list OUTSIDE_1_cryptomap extended permit ip 100.100.100.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 100.100.100.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list allow_outside_connections extended permit icmp any any echo-reply
access-list allow_outside_connections extended permit icmp any any source-quench
access-list allow_outside_connections extended permit icmp any any unreachable
access-list allow_outside_connections extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu management 1500
no failover
monitor-interface OUTSIDE
monitor-interface INSIDE
monitor-interface DMZ
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 101 100.100.100.3-100.100.100.4 netmask 255.255.255.252
global (OUTSIDE) 200 interface
global (INSIDE) 1 10.10.10.2 netmask 255.0.0.0
global (DMZ) 1 192.168.1.2 netmask 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 10.10.10.0 255.255.255.0
nat (INSIDE) 101 0.0.0.0 0.0.0.0
nat (DMZ) 1 192.168.1.0 255.255.255.0 outside
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_out out interface INSIDE
access-group DMZ_access_out out interface DMZ
route OUTSIDE 100.100.100.3 255.255.255.255 100.100.100.1 1
route INSIDE 10.10.10.2 255.255.255.255 192.168.1.0 1
route DMZ 192.168.1.32 255.255.255.255 100.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

NOTE: MISSING THE REST OF THE CONFIG

5 Replies

Joshua Walton (Level 1)

Hello Mark,

I will be glad to help you.

Please message me via MSN Messenger: joshwalton@msn.com.

I will also post the solution (config) to your questions here for everyone to see.

Hey Josh! Thanks so far, I'm off to a running start. However, I still have some issues.

No fix as it......... I'm lost.

daniel.diaz (Level 1)

I might be able to help you with part of your problem. I had a similar situation on my network the other day.

If you check your logs after one of your small networks tries to access the DMZ, you might see an error about not having a translation group. I am not sure if this is the correct way of doing it, but it worked for me.

You need a STATIC statement for the ASA to pass traffic from the LAN > DMZ and vice versa, without it trying to NAT. So your statement would look something like this:

STATIC (inside,DMZ) xxx.xxx.xxx.0 xxx.xxx.xxx.0 netmask 255.255.255.0

If your ACLs are correct, then this should work. Like I said before, though, I am not sure if this is the correct and secure way of doing it, but I know this worked for me.
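As an added example for this thread (my own script, not Cisco's code and not anything either poster wrote): a short Python audit that parses the interface, route, nat and static lines from the config Mark posted and reports the problems the thread is circling: static routes whose gateway is the ASA's own address or is not a neighbour on the egress interface (all three route lines in the post), a nat 0 exemption ACL whose source is the OUTSIDE link subnet rather than inside hosts, the absence of a default route in the posted excerpt, and the absence of the static (INSIDE,DMZ) identity translation Daniel describes. Assumptions: the checker only knows directly connected subnets, so the networks behind the 881 routers are not modelled, and it recognises the static line in the form quoted above; the embedded config is a constructed excerpt copied from the post.

```python
"""Sanity-check an ASA 7.2-style config excerpt for the problems this thread discusses.
Added example, not Cisco's code and not either poster's; see the notes above the block."""
import ipaddress
import re

# Constructed excerpt: interface, ACL, nat and route lines copied from the config
# posted above (the post shows no default route, so none is included here).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 100.100.100.1 255.255.255.252
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 100.100.100.0 255.255.255.252 192.168.1.0 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
route OUTSIDE 100.100.100.3 255.255.255.255 100.100.100.1 1
route INSIDE 10.10.10.2 255.255.255.255 192.168.1.0 1
route DMZ 192.168.1.32 255.255.255.255 100.100.100.1 1
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit \S+ (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+)", re.IGNORECASE)  # form quoted in the reply


def parse_config(text):
    """Return (interfaces, acls, nat0, routes, statics) parsed from the excerpt."""
    interfaces, acls, nat0, routes, statics = {}, {}, {}, [], []
    current = None  # nameif of the interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            addr, mask = line.split()[2:4]
            interfaces[current] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif line.startswith("route "):
            _, ifname, dest, mask, gw = line.split()[:5]
            routes.append((ifname, ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                           ipaddress.ip_address(gw)))
        elif m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            try:  # entries written with "any" or an object-group carry no mask; skip them
                acls.setdefault(name, []).append(
                    (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
            except ValueError:
                pass
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)          # interface -> exemption ACL
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())             # (real_if, mapped_if, mapped, real)
    return interfaces, acls, nat0, routes, statics


def audit(text):
    """Return a list of findings for the excerpt; an empty list means nothing was flagged."""
    interfaces, acls, nat0, routes, statics = parse_config(text)
    own_addrs = {iface.ip for iface in interfaces.values()}
    findings = []
    # 1. Static routes: the gateway must be a neighbour on the egress interface's subnet,
    #    never the ASA's own address; a default route toward the ISP is expected too.
    for ifname, dest, gw in routes:
        if gw in own_addrs:
            findings.append(f"route {dest} via {gw}: gateway is the ASA's own interface address")
        elif ifname in interfaces and gw not in interfaces[ifname].network:
            findings.append(f"route {dest} via {gw}: gateway is not on the {ifname} subnet "
                            f"{interfaces[ifname].network}")
    if not any(dest.prefixlen == 0 for _, dest, _ in routes):
        findings.append("no default route (route OUTSIDE 0.0.0.0 0.0.0.0 <next hop>) in this excerpt")
    # 2. NAT exemption: the nat 0 ACL's source should be hosts behind that interface; a source
    #    that is really another interface's link subnet (here the OUTSIDE /30) is a mistake.
    for ifname, acl in nat0.items():
        for src, _dst in acls.get(acl, []):
            for other, iface in interfaces.items():
                if other != ifname and src.overlaps(iface.network):
                    findings.append(f"nat ({ifname}) 0 access-list {acl}: source {src} lies "
                                    f"within the {other} subnet {iface.network}")
    # 3. Inside-to-DMZ path: look for the identity static the reply above suggests.
    pairs = {(a.upper(), b.upper()) for a, b, _, _ in statics}
    if ("INSIDE", "DMZ") not in pairs and ("DMZ", "INSIDE") not in pairs:
        findings.append("no static (INSIDE,DMZ) identity translation for the inside-to-DMZ path")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it as-is to list the six findings for the posted excerpt; append Daniel's static line with the inside subnet filled in and the last finding disappears, which is a quick way to confirm that a candidate fix actually changes what the checker sees before it is pasted into a production firewall.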

I'll try that and get back to you.
