cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1060
Views
0
Helpful
7
Replies

Need Help setting up ASA 5505 with dmz

magnetpeat
Level 1
Level 1

I am new to this, so please bear with me. I am attempting to set up an ASA 5505 witht he following configuration:

inside network on 192.168.0.0

outside network xxx.xxx.xxx.xxx

dmz 192.168.1.0 with database accesable from inside and outside.

After a few days of trying to get this running, I am understanding somethings, but still can't get it to work. So far inside can access internet, inside can access DMZ, sort of. I can access another computer on the DMZ @192.168.1.20, but not the database at 192.168.1.10.

Outside cannot access database on DMZ.

Currently outside is DHCP, but will be moved to a static address later.

Any help would be greatly appreciated

Thanks

Peter

Here is the config:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname sausage
domain-name umn.edu
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd xxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name umn.edu
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 3306
access-list outside_access_in_1 extended permit tcp any eq 3306 host xxx.xxx.xxx.xxx
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface 3306 192.168.1.10 3306 netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,inside) 192.168.1.10 xxx.xxx.xxx.xxx netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.200-192.168.0.250 inside
dhcpd dns 134.84.84.84 128.101.101.101 interface inside
dhcpd domain umn.edu interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2345f04be6a8c8cfbacc9d511d61abbb
: end

1 Accepted Solution

Accepted Solutions

What is the reason for this static?

static (dmz,inside) 192.168.1.10 xxx.xxx.xxx.xxx netmask 255.255.255.255

There is no need for this. By default we do not translate the hosts on the lower security interface. DMZ is sec 50 and Inside is 100.

Anyway the acl should look like this.

pls. remove these two lines

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 3306
access-list outside_access_in_1 extended permit tcp any eq 3306 host xxx.xxx.xxx.xxx

and add just this one:

access-list outside_access_in extended permit tcp any interface outside eq 3306

This is the only acl that you need.  This will receive the traffic on the outside interace for port 3306 and based on the static pat line it will send it to the dmz host 192.168.1.10

-KS

View solution in original post

7 Replies 7

Panos Kampanakis
Cisco Employee
Cisco Employee

You outside ACL only allows port 3306 to host xxxx.

And also you static for the dmz is

static (dmz,outside) tcp interface 3306 192.168.1.10 3306 netmask 255.255.255.255

So you should only be able to reach xxxx on port 3306 coming from the outside give that xx is the outside interface ip address and that the internal host 192.168.1.10 is listening on 3306.

If you want to allow more communications please change you ACL and statics for out to dmz.

I hope it helps.

PK

Hi PK,

Thanks for the response.

--So you should only be able to reach xxxx on port 3306 coming from the outside give that xx is the outside interface ip address and that the internal host --192.168.1.10 is listening on 3306.

This is actually what I am trying to do, however it is not working. I cannot access 192.168.10 on port 3306 coming from the outside. I am guessing something is wrong with the SNAT's that I have set up, but I have tried many different variations and nothing seems to work.

Thanks

What is the reason for this static?

static (dmz,inside) 192.168.1.10 xxx.xxx.xxx.xxx netmask 255.255.255.255

There is no need for this. By default we do not translate the hosts on the lower security interface. DMZ is sec 50 and Inside is 100.

Anyway the acl should look like this.

pls. remove these two lines

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 3306
access-list outside_access_in_1 extended permit tcp any eq 3306 host xxx.xxx.xxx.xxx

and add just this one:

access-list outside_access_in extended permit tcp any interface outside eq 3306

This is the only acl that you need.  This will receive the traffic on the outside interace for port 3306 and based on the static pat line it will send it to the dmz host 192.168.1.10

-KS

If xxx is the outside interface then your config is fine.

Pleado do "logg enable", "logg buffer-size 1000000", "logg buffered debug" and try a connection and do "sh logg" to get the logs, those could tell more..

PK

kusankar,

Thanks for the solution, it is now working.

you ask:

What is the reason for this static?

static (dmz,inside) 192.168.1.10 xxx.xxx.xxx.xxx netmask 255.255.255.255

I was followiing, or atempting to follow, the Config for DMZ from the ASA 5505 getting started book and that is one of the statics they have you put in. I am slowly learning this stuff,

Thanks for the help

MP

Thanks also to pkampana for the help.

The static is in charge of mapping an external (or other

address) to an internal address based on which interfaces you specify between the parenthesis.

Like this:

static (inside, outside) ext_addr internal_addr netmask 255.255.255.255

I am very glad to hear that you are reading books and trying to configure. Way to Go !!

This static

static (dmz,inside) 192.168.1.10 xxx.xxx.xxx.xxx netmask 255.255.255.255

Let us say DMZ is 50 level and inside is 100 level.  That static above is called a D-NAT or destination NAT.

You only need to use this when you want to change the DESTINATION IP address that the inside hosts try to reach.

Like I said by default you only need to provide translation from high to low and only for the SOURCE IP. That static will look like this.

static (inside,dmz) fake_ip real_ip

Happy learning.

Thanks for rating.

-KS

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: