Creating additional DMZ on ASA 5505

Answered Question
Sep 15th, 2010

Hi,

Would anybody help me to set up an additional port on our firewall?

IP: 172.16.1.x/24

VLAN ID: 5

Port: 4

name: Wifi

The port should have unrestricted access to go out or in from

thanks

Patrick

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname ch-asa
names
name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.187 Logmein-outside-187
name 10.3.3.10 VPN0
name 10.3.3.11 VPN1
name 10.3.3.12 VPN2
name 10.3.3.13 VPN3
name 10.3.3.14 VPN4
name 10.3.3.15 VPN5
name 90.208.247.40 keats-rdp
name 10.1.4.2 docsvr
name 62.253.196.186 keats-outside-186
name 192.206.158.10 sirsi-3
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.5.1 255.255.0.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address dmz 255.255.255.0
ospf cost 10
!
interface Vlan12
nameif outside
security-level 0
ip address outside 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup outside
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
same-security-traffic permit intra-interface
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
network-object host sirsi-3
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host remote-outside-179
network-object host webmail-outside-180
object-group network DM_INLINE_NETWORK_2
network-object host unicorn-outside-182
network-object host keats-outside-186
object-group service DM_INLINE_TCP_1 tcp
port-object eq h323
group-object video-streaming-tcp-udp
group-object streaming-1935
object-group service Reuters udp
port-object eq 10202
port-object eq 10302
port-object eq 9876
object-group network VPN-IP
network-object host VPN0
network-object host VPN1
network-object host VPN2
network-object host VPN3
network-object host VPN4
network-object host VPN5
access-list outside_access_in extended permit tcp any any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any host blbsvr eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in remark SQL
access-list outside_access_in extended permit tcp any any object-group sql-1433 inactive
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group backup-exec
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list inside_access_in extended permit tcp host barracuda any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 object-group VPN-IP
access-list split-acl standard permit 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ip local pool CH-VPN-IP VPN0-10.3.3.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255  dns
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255  dns
static (inside,outside) tcp keats-outside-186 3389 docsvr 3389 netmask 255.255.255.255
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255
static (inside,inside) webmail-outside-180 exchsvr netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
svc enable
group-policy CH-VPN internal
group-policy CH-VPN attributes
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
group-policy CH-VPN-IP internal
group-policy CH-VPN-IP attributes
dns-server value 10.1.4.9 10.1.4.5
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
default-domain value riia.local
username sdt.support password cdUOkKYGfsyZgwTx encrypted privilege 0
username sdt.support attributes
vpn-group-policy CH-VPN
username leet password 1fJc82CICO2zAFcfTW47KQ== nt-encrypted privilege 0
username leet attributes
vpn-group-policy CH-VPN
tunnel-group CH-VPN type remote-access
tunnel-group CH-VPN general-attributes
address-pool CH-VPN-IP
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
default-group-policy CH-VPN
tunnel-group CH-VPN-IP type remote-access
tunnel-group CH-VPN-IP general-attributes
address-pool CH-VPN-IP
default-group-policy CH-VPN-IP
tunnel-group CH-VPN-IP ipsec-attributes
pre-shared-key *****
radius-sdi-xauth
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context

Nagaraja Thanthry Wed, 09/15/2010 - 08:05

Hello,

Please try the following:

interface vlan 5
nameif wifi
security-level 49
ip address 172.16.1.1 255.255.255.0
exit

interface ethernet 0/4
switchport access vlan 5
exit

nat (wifi) 1 172.16.1.0 255.255.255.0

This will enable basic internet connectivity to the wifi subnet. If you would like the wifi subnet to access your inside/dmz servers using their public IP, then you can do the following:

static (inside,wifi) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,wifi) tcp "outside interface ip" smtp barracuda smtp netmask 255.255.255.255
static (inside,wifi) tcp "outside interface ip" ssh barracuda ssh netmask 255.255.255.255
static (inside,wifi) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,wifi) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (inside,wifi) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,wifi) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,wifi) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,wifi) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (inside,wifi) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255

static (dmz,wifi) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255
static (inside,wifi) tcp keats-outside-186 3389 docsvr 3389 netmask 255.255.255.255

access-list wifi_access_out permit ip any any

access-group wifi_access_out in interface wifi

This will ensure that all hosts on the wifi interface can talk to the internet as well as to any device that has a NAT translation to the wifi interface.

Hope this helps.

Regards,

NT
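Before pasting the lines above into a 5505, the things worth checking against the existing running-config are: that 172.16.1.0/24 does not overlap any subnet already on a VLAN interface, that the chosen security-level is not shared with another interface (49 rather than 50 avoids needing `same-security-traffic permit inter-interface` between wifi and dmz), that Ethernet0/4 is not already assigned to a VLAN (a port with no `switchport access vlan` line sits in VLAN 1, the inside LAN, which is the move Patrick asks about further down), and that the unit's license allows another named VLAN interface (a 5505 Base license allows three, which this config already has; Security Plus allows twenty, and the thread does not say which license this box has). The script below is an added example, not code from NT or from Cisco: it parses a constructed excerpt of the thread's config (with the `dmz` and `outside` name aliases resolved to their addresses), runs those checks, and only then emits the CLI from NT's answer. The function names, the `licensed_vlans` parameter and the ACL name `wifi_access_in` (chosen to match the config's existing `inside_access_in`/`dmz_access_in` naming; NT's `wifi_access_out` is only a label) are my choices.

```python
import ipaddress
import re

# Constructed excerpt of the thread's running-config, with the "name" aliases
# (dmz, outside) resolved to the addresses defined at the top of that config.
RUNNING_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.5.1 255.255.0.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan12
 nameif outside
 security-level 0
 ip address 62.253.196.178 255.255.255.240
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
"""

def parse_interfaces(config):
    """vlans: VLAN id -> {nameif, security, network}; ports: 'EthernetX/Y' -> access
    VLAN id, or None when unset (a 5505 switch port then belongs to VLAN 1)."""
    vlans, ports, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
        elif m := re.match(r"interface Vlan(\d+)$", line):
            current = ("vlan", int(m.group(1)))
            vlans[current[1]] = {}
        elif m := re.match(r"interface (Ethernet\d+/\d+)$", line):
            current = ("port", m.group(1))
            ports[current[1]] = None
        elif current and current[0] == "vlan":
            entry = vlans[current[1]]
            if line.startswith("nameif "):
                entry["nameif"] = line.split()[1]
            elif line.startswith("security-level "):
                entry["security"] = int(line.split()[1])
            elif line.startswith("ip address "):
                _, _, ip, mask = line.split()
                entry["network"] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif current and line.startswith("switchport access vlan "):
            ports[current[1]] = int(line.split()[-1])
    return vlans, ports

def check_new_vlan(vlans, ports, vlan_id, nameif, security, ip, mask, slot, licensed_vlans=3):
    """Return (problems, notes). licensed_vlans: named VLAN interfaces the license allows
    (3 on a 5505 Base license, 20 with Security Plus); the thread does not say which."""
    problems, notes = [], []
    new_net = ipaddress.ip_interface(f"{ip}/{mask}").network
    port = f"Ethernet{slot}"
    for vid, v in vlans.items():
        if vid == vlan_id or v.get("nameif") == nameif:
            problems.append(f"Vlan{vid} ({v.get('nameif')}) already uses that id or name")
        if "network" in v and v["network"].overlaps(new_net):
            problems.append(f"{new_net} overlaps {v['nameif']} ({v['network']})")
        if v.get("security") == security:  # this is why NT chose 49 rather than dmz's 50
            problems.append(f"security-level {security} equals {v['nameif']}; traffic between "
                            "them would need same-security-traffic permit inter-interface")
    if len(vlans) + 1 > licensed_vlans:
        problems.append(f"{len(vlans) + 1} named VLAN interfaces exceed the "
                        f"{licensed_vlans} allowed by the license")
    if ports.get(port) is None:
        notes.append(f"{port} is in VLAN 1 (inside) by default; 'switchport access vlan "
                     f"{vlan_id}' moves it out of the inside LAN")
    else:
        problems.append(f"{port} is already in VLAN {ports[port]}")
    return problems, notes

def render_config(vlan_id, nameif, security, ip, mask, slot, nat_id=1):
    """CLI lines from NT's answer. nat_id must match an existing 'global (outside)' id
    (1 in the thread); the ACL is named <nameif>_access_in like the config's other ACLs."""
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    acl = f"{nameif}_access_in"
    return "\n".join([
        f"interface vlan {vlan_id}", f" nameif {nameif}", f" security-level {security}",
        f" ip address {ip} {mask}", " exit",
        f"interface ethernet {slot}", f" switchport access vlan {vlan_id}", " exit",
        f"nat ({nameif}) {nat_id} {net.network_address} {net.netmask}",
        f"access-list {acl} extended permit ip any any",
        f"access-group {acl} in interface {nameif}",
    ])

if __name__ == "__main__":
    vlans, ports = parse_interfaces(RUNNING_CONFIG)
    p = dict(vlan_id=5, nameif="wifi", security=49, ip="172.16.1.1", mask="255.255.255.0", slot="0/4")
    problems, notes = check_new_vlan(vlans, ports, licensed_vlans=20, **p)
    print("\n".join(["note: " + n for n in notes] + ["problem: " + x for x in problems]))
    print(render_config(**p) if not problems else "resolve the problems before applying")
```

Run against the full running-config instead of the excerpt, the parser needs the `name` aliases resolved first (the thread's `ip address dmz 255.255.255.0` is an alias, not an address); with `licensed_vlans=3` the script refuses to emit anything, which is the error a Base-licensed 5505 would give at `nameif`. The `permit ip any any` ACL it emits is exactly what NT posted and what Patrick asked for; replacing it with a tighter rule set is a one-line change in `render_config`.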

patrifick Wed, 09/15/2010 - 08:11

Thanks for the quick response.

Will this also automatically remove interface 4 from the current LAN? I have tried that via ASDM and it was failing.

Patrick

Correct Answer
Nagaraja Thanthry Wed, 09/15/2010 - 08:32

Hello,

Yes, when you enter those configuration lines, the firewall puts interface ethernet 0/4 in VLAN 5.

Regards,

NT
