DNS Query issue

Answered Question
Apr 26th, 2010

Hi,

we have an ASA5505 on our network. The issue which we have is this.

1x internal server 10.1.4.13 / external IP - 62.253.196.178

1x dmz server 192.168.1.5 / external IP - 62.153.196.179

I can connect to both servers from outside without any issue; however, if I want to connect to these servers from the internal network 10.1.0.0/16 the firewall prevents me from getting back to the internal network.

ping to 10.1.4.13 works ok

ping to 62.253.196.178 works ok

names
name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.186 email-outside-186
name 62.253.196.187 Logmein-outside-187
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.5.1 255.255.0.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address dmz 255.255.255.0
ospf cost 10
!
interface Vlan12
nameif outside
security-level 0
ip address outside 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host remote-outside-179
network-object host webmail-outside-180
object-group network DM_INLINE_NETWORK_2
network-object host unicorn-outside-182
network-object host email-outside-186
object-group service DM_INLINE_TCP_1 tcp
port-object eq h323
group-object video-streaming-tcp-udp
group-object streaming-1935
object-group service Reuters udp
port-object eq 10202
port-object eq 10302
port-object eq 9876
access-list outside_access_in extended permit tcp any any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any host blbsvr eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in remark SQL
access-list outside_access_in extended permit tcp any any object-group sql-1433
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group backup-exec
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list inside_access_in extended permit tcp host barracuda any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255
static (inside,outside) tcp email-outside-186 www exchsvr www netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context

Can anybody help please?

Patrick

Correct Answer by Jennifer Halim about 6 years 9 months ago

Yes, the configuration is correct. You have tested it and it works, right?

Jennifer Halim Mon, 04/26/2010 - 06:08

I assume that you can already access the servers internally by ip address.

If you would like to access the server by its dns name, and assuming that the internal hosts use an external dns server with the dns query passing through the ASA, you can add the "dns" keyword on your static statement as follows:

static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255 dns
static (inside,outside) tcp email-outside-186 www exchsvr www netmask 255.255.255.255 dns

static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255 dns

That would allow the dns reply to translate the dns entry from public back to private ip address so the internal host can connect directly via its private ip address.

Also, off topic, you do not need the following static statement and it can safely be removed:

static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Because the following static statement works bidirectionally:
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

Hope that helps.
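What the "dns" keyword does to a reply, as an added illustration (this is not Cisco's code and not from this thread): a small Python model that parses a DNS response in wire format and replaces the address in any A record that matches the mapped address of a dns-flagged static with the real address. The response bytes are constructed here; the rewrite table mirrors the three statics above. The model ignores direction (a real ASA rewrites only replies that traverse it between the mapped and real interfaces) and only covers A records; it applies only when DNS inspection is enabled, which this config has via "inspect dns preset_dns_map", and only to replies that actually pass through the ASA, which is the precondition Jennifer asks about.

```python
import struct
import ipaddress

# Mapped -> real addresses from the three statics that carry the "dns" keyword.
DNS_REWRITE_TABLE = {
    "62.253.196.180": "10.1.4.13",    # webmail-outside-180 -> exchsvr
    "62.253.196.186": "10.1.4.13",    # email-outside-186   -> exchsvr
    "62.253.196.179": "192.168.1.5",  # remote-outside-179  -> ctxdmz
}


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(name, ips, txid=0x1234):
    """Constructed DNS response: one question, one A record per address.
    Answer names are a compression pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(msg, offset):
    """Decode a possibly-compressed name. Returns (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the stream continues after the 2-byte pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def iter_records(msg):
    """Yield (name, rtype, rdata_offset, rdlength) for every answer/authority/additional record."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, offset = read_name(msg, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        yield name, rtype, offset, rdlength
        offset += rdlength


def a_records(msg):
    """(name, dotted address) for each A record in the message."""
    return [(name, str(ipaddress.IPv4Address(msg[off:off + 4])))
            for name, rtype, off, rdlen in iter_records(msg) if rtype == 1 and rdlen == 4]


def doctor_response(msg, table):
    """Rewrite A-record rdata in place when the address is a mapped address with a dns-flagged static."""
    out = bytearray(msg)
    for _, rtype, off, rdlen in iter_records(msg):
        if rtype != 1 or rdlen != 4:
            continue
        mapped = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
        real = table.get(mapped)
        if real:
            out[off:off + 4] = ipaddress.IPv4Address(real).packed  # same length, offsets stay valid
    return bytes(out)


if __name__ == "__main__":
    reply = build_a_response("webmail.chathamhouse.org.uk", ["62.253.196.180"])
    print("before:", a_records(reply))
    print("after: ", a_records(doctor_response(reply, DNS_REWRITE_TABLE)))
```

The check a practitioner wants is the one Jennifer gives later in the thread: from an inside host, query the external resolver directly (nslookup with the external server set) and compare with the answer the internal DNS server hands out; only a reply that crossed the ASA can have been rewritten.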

patrifick Mon, 04/26/2010 - 06:26

Hi,

when I apply the commands I get this reply:

Result of the command: "static (inside,outside) tcp webmail-outside-180 https exchsvr https  netmask 255.255.255.255 dns"

ERROR: mapped-address conflict with existing static
  TCP inside:exchsvr/443 to outside:webmail-outside-180/443 netmask 255.255.255.255


Result of the command: "static (inside,outside) tcp  email-outside-186 www exchsvr www netmask 255.255.255.255 dns"

ERROR: mapped-address conflict with existing static
  TCP inside:exchsvr/80 to outside:email-outside-186/80 netmask 255.255.255.255


Result of the command: "static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask  255.255.255.255 dns"

ERROR: mapped-address conflict with existing static
  TCP dmz:ctxdmz/443 to outside:remote-outside-179/443 netmask 255.255.255.255

Am I doing anything wrong?

the server names are as follows:

10.1.4.13 - exchsvr.riia.local - internal

62.253.196.180 - webmail.chathamhouse.org.uk

192.168.1.5 - ctxdmz

62.253.196.179 - remote.chathamhouse.org.uk

thanks

Patrick

BTW: thanks for the previous help with H323 it works very well

Jennifer Halim Mon, 04/26/2010 - 06:29

You would need to remove the existing statements first and add the new statements as follows:

no static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255
no static (inside,outside) tcp email-outside-186 www exchsvr www netmask 255.255.255.255

no static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255

static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255 dns
static (inside,outside) tcp email-outside-186 www exchsvr www netmask 255.255.255.255 dns

static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255 dns

Plus "clear xlate" after the above changes.

PS: thanks for the rating on the H323 post.
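The "mapped-address conflict" error Patrick hit, and why the remove-then-add sequence clears it, as an added example (not the thread's or Cisco's code): a Python parser for the "static" lines in this thread that keys every entry on its mapped side (interface, protocol, address, port) and refuses a second entry with the same key, reproducing the shape of the conflict message shown above. The "no such static" text returned for a "no static" that matches nothing is a constructed placeholder, not ASA output, and the port-name table only covers the service names used in this config.

```python
from dataclasses import dataclass

# Service names used by the statics in this thread; the ASA prints numeric ports in its error text.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ssh": 22, "nntp": 119, "h323": 1720}


def port_number(token):
    if token is None:
        return None
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass(frozen=True)
class Static:
    negate: bool        # True for "no static ..."
    real_if: str
    mapped_if: str
    proto: str          # "tcp", "udp", or None for a plain address static
    mapped: str
    mapped_port: int
    real: str
    real_port: int
    netmask: str
    dns: bool           # the "dns" keyword was present

    def mapped_key(self):
        return (self.mapped_if, self.proto, self.mapped, self.mapped_port)

    def real_key(self):
        return (self.real_if, self.proto, self.real, self.real_port)


def parse_static(line):
    """Parse 'static (real_if,mapped_if) [tcp|udp] mapped [mport] real [rport] netmask M [dns]'."""
    tokens = line.split()  # also collapses the stray double spaces in the posted lines
    negate = tokens[0] == "no"
    if negate:
        tokens = tokens[1:]
    if tokens[0] != "static":
        raise ValueError(f"not a static statement: {line!r}")
    real_if, mapped_if = tokens[1].strip("()").split(",")
    rest = tokens[2:]
    proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
    nm = rest.index("netmask")
    addrs, netmask, flags = rest[:nm], rest[nm + 1], set(rest[nm + 2:])
    if proto:
        mapped, mport, real, rport = addrs
    else:
        (mapped, real), mport, rport = addrs, None, None
    return Static(negate, real_if, mapped_if, proto, mapped, port_number(mport),
                  real, port_number(rport), netmask, "dns" in flags)


def endpoint(ifc, addr, port):
    return f"{ifc}:{addr}" + (f"/{port}" if port is not None else "")


class StaticTable:
    """Static NAT entries indexed by their mapped side, the way the conflict check behaves."""

    def __init__(self):
        self.entries = {}

    def apply(self, line):
        """Apply one static / no static line. Returns None on success, otherwise the error text."""
        s = parse_static(line)
        key = s.mapped_key()
        if s.negate:
            existing = self.entries.get(key)
            if existing is None or existing.real_key() != s.real_key():
                return "ERROR: no such static"  # constructed placeholder text
            del self.entries[key]
            return None
        if key in self.entries:
            e = self.entries[key]
            return ("ERROR: mapped-address conflict with existing static\n  "
                    f"{(e.proto or 'ip').upper()} {endpoint(e.real_if, e.real, e.real_port)} "
                    f"to {endpoint(e.mapped_if, e.mapped, e.mapped_port)} netmask {e.netmask}")
        self.entries[key] = s
        return None

    def dns_rewrite_entries(self):
        """(mapped, real) pairs that DNS inspection will rewrite."""
        return [(s.mapped, s.real) for s in self.entries.values() if s.dns]


def apply_all(lines):
    """Apply lines in order; returns the table and a {line: error} dict for the ones that failed."""
    table, errors = StaticTable(), {}
    for line in lines:
        err = table.apply(line)
        if err:
            errors[line] = err
    return table, errors
```

Running the three lines Patrick pasted against a table already holding the original statics yields the three errors; feeding the "no static" lines first, as Jennifer suggests, lets the dns-flagged versions in.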

patrifick Mon, 04/26/2010 - 06:39

Hi,

thanks for the command lines. I have just applied them and it still doesn't work.

names
name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.186 email-outside-186
name 62.253.196.187 Logmein-outside-187
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.5.1 255.255.0.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address dmz 255.255.255.0
ospf cost 10
!
interface Vlan12
nameif outside
security-level 0
ip address outside 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host remote-outside-179
network-object host webmail-outside-180
object-group network DM_INLINE_NETWORK_2
network-object host unicorn-outside-182
network-object host email-outside-186
object-group service DM_INLINE_TCP_1 tcp
port-object eq h323
group-object video-streaming-tcp-udp
group-object streaming-1935
object-group service Reuters udp
port-object eq 10202
port-object eq 10302
port-object eq 9876
access-list outside_access_in extended permit tcp any any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any host blbsvr eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in remark SQL
access-list outside_access_in extended permit tcp any any object-group sql-1433
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group backup-exec
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list inside_access_in extended permit tcp host barracuda any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255  dns
static (inside,outside) tcp email-outside-186 www exchsvr www netmask 255.255.255.255  dns
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255  dns
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context

Jennifer Halim Mon, 04/26/2010 - 06:52

1) Are your internal hosts using an external dns server for dns resolution?

2) If yes, to above, does the dns query pass through the ASA?

If the answer to the above questions is Yes, then it should work. You should flush the dns entry on the internal host, so it invokes another dns query towards the external dns server for your server dns name.

patrifick Mon, 04/26/2010 - 07:04

Hi,

the internal network queries internal DNS servers which forward their requests to external DNS. I have flushed DNS on my PC and on both DNS servers, and even restarted DNS on the servers.

Patrick

Jennifer Halim Mon, 04/26/2010 - 07:10

So the internal dns server still gets the server public ip address, I assume?

Can you try the following:

From the internal host, open a command prompt, then type the following:

nslookup

server

Does it resolve to private or public ip address?

patrifick Mon, 04/26/2010 - 07:13

nslookup resolves the ip as public webmail.chathamhouse.org.uk / 62.253.196.178

Patrick

Jennifer Halim Mon, 04/26/2010 - 07:26

Doesn't seem to work even though it should have worked as per the following sample configuration:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Alternatively, since the above doesn't work somehow for you, you can configure the following:

same-security-traffic permit intra-interface

global (inside) 1 interface

static (inside,inside) webmail-outside-180 exchsvr netmask 255.255.255.255
static (inside,inside) email-outside-186 exchsvr netmask 255.255.255.255

static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
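Why the (inside,inside) and (dmz,inside) statics, together with "same-security-traffic permit intra-interface" and "global (inside) 1 interface", let an inside host reach the servers by their public addresses: an added, deliberately simplified Python model of the pre-8.3 ASA NAT path (not the thread's or Cisco's code). The model assumes destination un-NAT against statics whose mapped side is the ingress interface happens first and decides the egress interface, then source NAT (a matching static for the interface pair, else dynamic PAT from the "nat"/"global" pair, else untranslated because nat-control is off); ports are ignored. Interface addresses and statics are the thread's; the client 10.1.4.50 is a constructed sample host. The reply-path check shows why the "global (inside) 1 interface" line is part of the recipe: without source PAT to the inside interface the server would answer the client directly on the LAN and the return traffic would never pass the ASA.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Static:
    """static (real_if,mapped_if) mapped real netmask M -- ports ignored in this model."""
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network

    def untranslate(self, addr):  # mapped -> real, keeping the host offset inside the block
        return self.real.network_address + (int(addr) - int(self.mapped.network_address))

    def translate(self, addr):    # real -> mapped
        return self.mapped.network_address + (int(addr) - int(self.real.network_address))


@dataclass
class Asa:
    interfaces: dict                                  # nameif -> IPv4Interface
    statics: list = field(default_factory=list)
    nat_pools: dict = field(default_factory=dict)     # nat (ifc) <id> 0 0      -> {ifc: id}
    globals: dict = field(default_factory=dict)       # global (ifc) <id> interface -> {(ifc, id): PAT address}
    intra_interface: bool = False                     # same-security-traffic permit intra-interface


def static(real_if, mapped_if, mapped, real, netmask="255.255.255.255"):
    return Static(real_if, mapped_if,
                  ipaddress.IPv4Network(f"{mapped}/{netmask}"),
                  ipaddress.IPv4Network(f"{real}/{netmask}"))


def route(asa, dst):
    """Connected route wins; otherwise the default route points at outside (route outside 0.0.0.0 ...)."""
    for name, ifc in asa.interfaces.items():
        if dst in ifc.network:
            return name
    return "outside"


def forward(asa, ingress, src, dst):
    """Return the egress interface and translated addresses for one packet, or a drop."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Step 1 (assumed order): destination un-NAT against statics whose mapped side is the ingress interface.
    for s in asa.statics:
        if s.mapped_if == ingress and dst in s.mapped:
            dst, egress = s.untranslate(dst), s.real_if
            break
    else:
        egress = route(asa, dst)
    if egress == ingress and not asa.intra_interface:
        return {"action": "drop", "reason": "intra-interface traffic not permitted"}
    # Step 2: source NAT, a static for this (ingress, egress) pair first, then dynamic PAT, else untranslated.
    for s in asa.statics:
        if s.real_if == ingress and s.mapped_if == egress and src in s.real:
            xsrc = s.translate(src)
            break
    else:
        pat = asa.globals.get((egress, asa.nat_pools.get(ingress)))
        xsrc = pat if pat is not None else src
    return {"action": "forward", "egress": egress, "src": str(xsrc), "dst": str(dst)}


def reply_traverses_asa(asa, server_if, client_seen):
    """The server's reply comes back through the ASA only if the client address it sees is the ASA's own
    interface address or is off the server's segment; otherwise the server answers on the LAN directly."""
    seen = ipaddress.IPv4Address(client_seen)
    if seen in {ifc.ip for ifc in asa.interfaces.values()}:
        return True
    return seen not in asa.interfaces[server_if].network


def build_asa(hairpin):
    """Addresses and statics from the thread (ports dropped); hairpin=True adds Jennifer's alternative."""
    asa = Asa(interfaces={
        "inside": ipaddress.IPv4Interface("10.1.5.1/16"),
        "dmz": ipaddress.IPv4Interface("192.168.1.1/24"),
        "outside": ipaddress.IPv4Interface("62.253.196.178/28"),
    })
    asa.statics += [
        static("inside", "outside", "62.253.196.180", "10.1.4.13"),       # webmail-outside-180 -> exchsvr
        static("dmz", "outside", "62.253.196.179", "192.168.1.5"),        # remote-outside-179  -> ctxdmz
        static("inside", "dmz", "10.1.0.0", "10.1.0.0", "255.255.0.0"),   # identity static, bidirectional
    ]
    asa.nat_pools = {"inside": 1, "dmz": 1}
    asa.globals[("outside", 1)] = asa.interfaces["outside"].ip           # global (outside) 1 interface
    if hairpin:
        asa.intra_interface = True
        asa.globals[("inside", 1)] = asa.interfaces["inside"].ip          # global (inside) 1 interface
        asa.statics += [
            static("inside", "inside", "62.253.196.180", "10.1.4.13"),
            static("dmz", "inside", "62.253.196.179", "192.168.1.5"),
        ]
    return asa


if __name__ == "__main__":
    for label, asa in (("before", build_asa(False)), ("hairpin", build_asa(True))):
        print(label, forward(asa, "inside", "10.1.4.50", "62.253.196.180"))
```

Before the change the packet from 10.1.4.50 to 62.253.196.180 is source-PATed to the outside address and sent out toward the ISP, not to exchsvr; with the hairpin statics it is turned around on the inside interface with the destination untranslated to 10.1.4.13 and the source PATed to 10.1.5.1, so the reply must come back via the ASA.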

patrifick Mon, 04/26/2010 - 07:45

Hi,

that seems to work; however, in NAT DMZ there are now 2 services for ctxdmz. Are they correct?

names
name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.186 email-outside-186
name 62.253.196.187 Logmein-outside-187
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.5.1 255.255.0.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address dmz 255.255.255.0
ospf cost 10
!
interface Vlan12
nameif outside
security-level 0
ip address outside 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host remote-outside-179
network-object host webmail-outside-180
object-group network DM_INLINE_NETWORK_2
network-object host unicorn-outside-182
network-object host email-outside-186
object-group service DM_INLINE_TCP_1 tcp
port-object eq h323
group-object video-streaming-tcp-udp
group-object streaming-1935
object-group service Reuters udp
port-object eq 10202
port-object eq 10302
port-object eq 9876
access-list outside_access_in extended permit tcp any any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any host blbsvr eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in remark SQL
access-list outside_access_in extended permit tcp any any object-group sql-1433
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group backup-exec
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list inside_access_in extended permit tcp host barracuda any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255  dns
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255  dns
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context

Correct Answer
Jennifer Halim Sat, 05/01/2010 - 05:05

Yes, the configuration is correct. You have tested it and it works, right?
