06-28-2010 10:33 AM - edited 03-11-2019 11:04 AM
I have a Cisco ASA 5505 that I'm trying to set up with the following scenario:
I need eth0/0 - Outside, which gets its IP from a DHCP server within my ISP's net.
Then I need eth0/3 - Inside, which runs DHCP 192.168.1.100 – 192.168.1.250 with normal Internet access and normal LAN access. This should use eth0/3 through eth0/8, since the last two Ethernet ports have PoE. This way I can use the last two ports for the Cisco WiFi radios with PoE within my LAN.
Third, I need eth0/2 – DMZ on the 10.1.1.0/24 net, where I can host two servers. One TS3 server with port forwarding: default voice port (UDP) 9987, default file transfer port (TCP) 30033, default server query port (TCP) 10011. And a BHD server with port forwarding: default game port (UDP) 17479, remote admin port (UDP) 31000.
I don't have much experience with the ASA, but I know how to "paste" a config into the console (Telnet), and I have been checking around a bit in the ASDM (without luck in this scenario). Is there anyone who can help me out in this matter?
06-28-2010 04:09 PM
Hi,
You're talking about using three interfaces on the ASA 5505.
If the ASA has a base license you only have 2 full interfaces (inside and outside); you do have a DMZ, but it is limited.
If the ASA has a Security Plus license, then you can fully use the 3 interfaces.
The ASA 5505 works with VLANs, so you group the physical ports into the appropriate VLAN, where the VLANs are the actual interfaces (outside, inside and DMZ).
Federico.
06-28-2010 04:15 PM
The ASA has a Security Plus license, so this isn't the issue. The issue is that I'm really not into the ASA quite yet. I'm concentrating on switches for now, so I need help to set up the ASA. Don't know where else to turn...
06-28-2010 04:20 PM
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.x 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.1.1.x 255.255.255.0
!
! Physical ports on the 5505 are Ethernet0/0 to 0/7; assign each to its VLAN
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
You also need to create access-lists and NAT and apply them to the correct interfaces.
The above is to get you started.
Federico.
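A complete interface, VLAN, DHCP and outbound NAT configuration for the scenario described in the thread, as an added example that is not part of Federico's post. It uses ASA 8.2 (pre-8.3) syntax, which is what a 5505 of that vintage runs; in 8.3 and later the nat/global commands are written differently. The inside and DMZ interface addresses (192.168.1.1 and 10.1.1.1) are assumptions, and Ethernet0/3 through 0/7 are placed in the inside VLAN because the 5505 has only eight ports (0/0 to 0/7), 0/6 and 0/7 being the PoE pair:

```text
! Added example, not from the thread. ASA 8.2 syntax. Addresses are assumptions.
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
! Physical ports: 0/0 outside, 0/2 dmz, 0/3-0/7 inside (0/6 and 0/7 are the PoE ports)
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
interface Ethernet0/3
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/4
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/5
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/6
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/7
 switchport access vlan 1
 no shutdown
!
! Ethernet0/1 is unused in this layout; leave it shut down
interface Ethernet0/1
 shutdown
!
! DHCP server for the LAN; DNS and domain are copied from what the ISP hands the outside interface
dhcpd address 192.168.1.100-192.168.1.250 inside
dhcpd auto_config outside
dhcpd enable inside
!
! Outbound PAT for both inside and dmz behind the DHCP-assigned outside address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
```

With a Security Plus license all three VLANs can talk to each other subject to the security levels; on a base license the third VLAN would additionally need a `no forward interface` statement, which is the limitation Federico mentions.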
06-29-2010 02:00 AM
Thank you very much Federico.
Just one more question: the interface fas1 command? I am unfamiliar with this one; I thought it should be interface eth0/x.
Can you explain this command for me?
07-01-2010 02:04 AM
Okay, I used interface eth0/x and I have now managed to get the inside, outside and DMZ interfaces to work. I've got normal Internet access from both inside and DMZ. Now I need to make the rules for the port forwarding on the DMZ interface. Should I use NAT, PAT or ACL for this?
07-01-2010 06:05 AM
For the rules to the DMZ...
For traffic coming from the outside to the DMZ, you require a static NAT and an ACL:
static (dmz,outside) public_IP real_IP
access-list outside extended permit ....
access-group outside in interface outside
Outbound traffic from the DMZ is permitted by default, so there's no need for an ACL.
However, if you need to send traffic from the DMZ to the inside, you require an ACL.
This is because traffic from a higher-security interface flows to a lower-security one by default, but the other way around requires an ACL.
Federico.
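The port-forwarding rules for the two DMZ servers, as an added example that is not part of Federico's reply, in ASA 8.2 syntax. Because the outside address comes from the ISP's DHCP, there is no fixed public_IP to put in `static (dmz,outside) public_IP real_IP`; each port is instead mapped onto the outside interface address with a per-port static PAT, and the ACL names `interface outside` rather than an address. The server addresses (TS3 at 10.1.1.10, BHD at 10.1.1.11) and the admin host 203.0.113.5 are assumptions:

```text
! Added example, not from the thread. ASA 8.2 syntax. Server and admin addresses are assumptions.
!
! Per-port static PAT onto the DHCP-assigned outside address (no fixed public IP available)
static (dmz,outside) udp interface 9987 10.1.1.10 9987 netmask 255.255.255.255
static (dmz,outside) tcp interface 30033 10.1.1.10 30033 netmask 255.255.255.255
static (dmz,outside) tcp interface 10011 10.1.1.10 10011 netmask 255.255.255.255
static (dmz,outside) udp interface 17479 10.1.1.11 17479 netmask 255.255.255.255
static (dmz,outside) udp interface 31000 10.1.1.11 31000 netmask 255.255.255.255
!
! Pre-8.3 ACLs match on the translated (outside) address; "interface outside"
! stands in for whatever address DHCP assigned. Only the game/voice ports are open to
! anyone; the BHD remote admin port is limited to one assumed admin host.
access-list outside_access_in extended permit udp any interface outside eq 9987
access-list outside_access_in extended permit tcp any interface outside eq 30033
access-list outside_access_in extended permit tcp any interface outside eq 10011
access-list outside_access_in extended permit udp any interface outside eq 17479
access-list outside_access_in extended permit udp host 203.0.113.5 interface outside eq 31000
access-group outside_access_in in interface outside
!
! Identity NAT so LAN clients reach the DMZ servers by their real 10.1.1.x addresses
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! dmz (50) cannot initiate to inside (100) by default. Applying an inbound ACL on the
! dmz removes the implicit higher-to-lower permit, so the last line re-adds it; the
! deny keeps a compromised DMZ server away from the LAN.
access-list dmz_access_in extended deny ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
```

After pasting, `show xlate` and `show access-list outside_access_in` confirm the translations and hit counts; the ACL hit counters are the quickest way to see whether inbound packets are reaching the rule at all or are being dropped earlier (for example by the ISP).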