Solved: ASA 5505 CONFIGURATION WITH DMZ

STYLIANOS DEMETRIOU · ‎11-02-2013

HI Guys,

I was wondering if you could help me with my issue.

I have a providers router connected on the Asa 5505 (I didn't buy extra ips only the one that gives me access to the internet through the router).

Providers router ip:192.168.10.254

Asa outside ip: 192.168.10.3

I have a web server and an exchange server on the dmz zone (192.168.0.0/24) and i want those servers to be able to access the internet.

Also i want my internal hosts to be able to get an ip from the ASA and access the internet and also the web server and exchange server.

Because i don't have a public ip for my ASA i am confused in how to create the access-lists and natting ..

something like access-list outside_in extended permit tcp any host 192.168.10.3 eq 80 would be the correct statement or shall i change the 192.168.10.3 with the public ip adress of my providers router ?

If you have a complete example of my scenario i would be very grateful to you. (PRE 8.3 SINCE IT HAS 8.2 IOS)

I am attaching a diagram to give you an idea of my network structure.

jumora · ‎11-04-2013

Any news???

Value our effort and rate the assistance!

View solution in original post

jumora · ‎11-02-2013

There is just not one scenario for what you have because the options to change things at you ISP side are much more simple but I will give you a couple:

1) You will need to configure the NAT on your ISP router and add static routes on the ISP device for the servers that reside behind the ASA DMZ interface

Configure NAT mapping in most cases called port forwardings or service mappings depending on the brand of your router.

Routes are the most important things here, if the router does not know how to reach the server the maps won´t work at all.

2) Configure NAT statements on the ASA that map to the 192.168.10.X/24 network that your is given you, that way you don´t have to add routes on the ISP device give to you.

3) Make your ISP forward the public IP address to the ASA instead receiving a private network and having to do double NAtting on your network devices.

Based on your answer please let me know what you want to do and I can help you out.

Value our effort and rate the assistance!

STYLIANOS DEMETRIOU · ‎11-03-2013

Dear Jumora,

Thanks for explaining all possible scenarios, i would prefer giving me more details on the 2 option if it's possible.

Best Regards

Stelios

jumora · ‎11-03-2013

I am configuring this based on what you have given to me, please ask if you have any doubts.

I want my internal hosts to be able to get an IP from the ASA and access the internet and also the web server and exchange server.

Internet Service Provider router´s IP address is 192.168.10.254

ASA outside IP address: 192.168.10.3

I have a web server and an exchange server on the DMZ zone (192.168.0.0/24) and I want those servers to be able to access the internet.

So you need to configure static NAT entries on the ASA, do something like this:

ASA configuration:

Inside interface:

enable

config t

interface vlan 1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

Outside interface:

enable

config t

interface vlan 2

nameif outside

security-level 0

ip address 192.168.10.3 255.255.255.0

Vlan 2 by default is associated to interface e0/0 as an access port.

enable

config t

interface e0/0

switchpor access vlan 3

no shut

Configuring the static PAT and ACLs for the server´s that reside behind the ASA:

NAT configuration:

Enable

Config t

Static (dmz,outside) tcp interface 25 192.168.0.10 25

Static (dmz,outside) tcp interface 80 192.168.0.10 80

Access list configuration:

Access-list inbound permit tcp any interface outside eq 80

Access-list inbound permit tcp any interface outside eq 25

Access-group inbound in interface outside

enable

config t

interface vlan3

nameif DMZ

security-level 50

ip address 192.168.0.1 255.255.255.0

You need to associate the vlan to a physical port:

enable

config t

interface e0/7

switchpor access vlan 3

no shut

By default the ASA 5505 has a 192.168.1.0/24 network associated to the inside interface with a DHCP server enabled.

If by any chance this was removed I can re-configure the device over CLI for you but just to avoid misconfiguration we need to delete all DHCPD settings that are associated to DHCP on the ASA.

Enable

Config t

Clear config dhcpd

dhcpd address 192.168.1.2-192.168.1.100 inside

dhcpd dns 4.2.2.2

dhcpd enable inside

PAT configuration:

enable

config t

nat (inside) 1 0 0

nat (dmz) 1 0 0

global (outside) 1 interface

Routing that needs to be configuring:

enable

config t

route outside 0 0 192.168.10.254

On your ISP device you will need to configure static mapping, port forwarding or service mapping for TCP/80 and TCP/25 pointing to the 192.168.10.3 on the ASA.

FYI: Make sure that the ISP service that is provided to you supports incoming connections such as mail and http, if this is not a comercial line you might need to request these services to be allowed.

Value our effort and rate the assistance!

jumora · ‎11-03-2013

You can also do this with the quick startup guide:

http://www.cisco.com/en/US/docs/security/asa/quick_start/5505/5505-poster.html#wp59685

Value our effort and rate the assistance!

STYLIANOS DEMETRIOU · ‎11-03-2013

Dear Jamora,

Thanks for spending your time assisting me.

I will test the configuration and i will let you know.

Best Regards

Stelios

jumora · ‎11-04-2013

Any news???

Value our effort and rate the assistance!

STYLIANOS DEMETRIOU · ‎11-09-2013

Thanks Jamora your suggestion did the trick!