Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5505 DMZ Configuration

Hello, I am attempting to configure an ASA 5505 which is connected to 3 networks for access to an inside email server.  Don't pay attention to the names on this config as they are not intuitive.

The 3 vlans are:

vlan 1 which has an IP of 192.168.x.1 - Connected to inside (which is really the dmz)

nameif inside

e0/1 is assigned to this

vlan 2 which has an IP of 184.x.x.194 - Connected to outside (which is the public internet)

nameif outside

e0/0 is assigned to this

vlan 3 which has an IP of 10.x.7.2 - Connected to mpls (which is the mpls and a trusted network)

nameif mpls

e0/3 is assigned to this.

The desired flow is:

1.from the outside from any host on the public internet to type in an https url (which I already have forwarded by my hosting company) and get back a page from the dmz server at 192.168.x.26. 

2. The dmz email server connects to the data center email cluster via 1352

I can ping all resources and have had some luck with packet-tracer but I can't get this completed.  Please help, I think it's an easy nat or acl fix.  I just can't find it.  Here is the config:

User Access Verification

Password:

Type help or '?' for a list of available commands.

asa5505-DMZ> en

Password: ********

asa5505-DMZ# sho run nat

!

object network Traveler

nat (inside,outside) static interface service tcp https https

object network DMZ

nat (inside,mpls) dynamic interface

asa5505-DMZ# show nat detail

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static Traveler interface service tcp https https

    translate_hits = 0, untranslate_hits = 1

    Source - Origin: 192.168.x.26/32, Translated: 184.x.x.194/29     ****************** One thing to note is that these subnets are not correct!

    Service - Protocol: tcp Real: https Mapped: https

2 (inside) to (mpls) source dynamic DMZ interface

    translate_hits = 3, untranslate_hits = 0

    Source - Origin: 192.168.x.0/24, Translated: 10.x.7.2/28

asa5505-DMZ# sho run

: Saved

:

ASA Version 8.4(1)

!

hostname asa5505-DMZ

enable password wrblOSAyPeeKhvhL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 50

ip address 192.168.x.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 184.x.x.194 255.255.x.x

!

interface Vlan20

nameif mpls

security-level 100

ip address 10.x.7.2 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

switchport access vlan 20

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa841-k8.bin

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Traveler

host 192.168.x.26

object network DMZ

subnet 192.168.x.0 255.255.255.0

object network mpls

subnet 10.0.0.0 255.0.0.0

object network outside

subnet 184.x.x.192 255.255.x.x

access-list https_in extended permit tcp any interface outside eq https

access-list https_in extended permit tcp any host 192.168.x.26 eq https

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.131 eq lotusnotes

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.45 eq lotusnotes

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.220 eq lotusnotes

access-list ping_test extended permit icmp any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu mpls 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

!

object network Traveler

nat (inside,outside) static interface service tcp https https

object network DMZ

nat (inside,mpls) dynamic interface

access-group inside_mpls in interface inside

access-group https_in in interface outside

route outside 0.0.0.0 0.0.0.0 184.x.x.193 1

route mpls 10.0.0.0 255.0.0.0 10.x.7.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 1440

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ae1d0f0b2ec7f71633b132c4f261280d

: end

asa5505-DMZ#

Any Idea what I'm missing? The email server is not pingable via public internet and is not reachable via the https url.

Help!?!?

Thank you!

1 ACCEPTED SOLUTION

Accepted Solutions

ASA 5505 DMZ Configuration

Hello again Mscha,

You need to be able to access a dmz server via https from the outside, Here is the config you have:

object network Traveler

nat (inside,outside) static interface service tcp https https

access-list https_in extended permit tcp any interface outside eq https

access-list https_in extended permit tcp any host 192.168.x.26 eq https

Everything is properly configured as long as the traverler server is 192.168.x.26

You can delete this line as you do not need it:

access-list https_in extended permit tcp any interface outside eq https

Regarding second task:

The dmz email server connects to the data center email cluster via 1352

I undestand the DMZ server needs to be able to communicate out the mpls interface to some data center email cluster.

Here is the config you have for that:

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.131 eq lotusnotes

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.45 eq lotusnotes

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.220 eq lotusnotes

nat (inside,mpls) dynamic interface

Everything is fine as long as you only one lotusnotes traffic!

To allow ICMP to traverse the ASA please add the following comand:

-fixup protocol icmp

Rate if this helps,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
5 REPLIES

ASA 5505 DMZ Configuration

Hello again Mscha,

You need to be able to access a dmz server via https from the outside, Here is the config you have:

object network Traveler

nat (inside,outside) static interface service tcp https https

access-list https_in extended permit tcp any interface outside eq https

access-list https_in extended permit tcp any host 192.168.x.26 eq https

Everything is properly configured as long as the traverler server is 192.168.x.26

You can delete this line as you do not need it:

access-list https_in extended permit tcp any interface outside eq https

Regarding second task:

The dmz email server connects to the data center email cluster via 1352

I undestand the DMZ server needs to be able to communicate out the mpls interface to some data center email cluster.

Here is the config you have for that:

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.131 eq lotusnotes

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.45 eq lotusnotes

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.220 eq lotusnotes

nat (inside,mpls) dynamic interface

Everything is fine as long as you only one lotusnotes traffic!

To allow ICMP to traverse the ASA please add the following comand:

-fixup protocol icmp

Rate if this helps,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: ASA 5505 DMZ Configuration

Julio,

I think we're old friends by now! Thank you for so much help.

I thought I had it configured correctly as well. That is why I'm confused

as to why the server is unreachable via the proper URL. It is correct

there is only one lotus port needed.

If this was working properly I would type in "https://traveler.company.com"

and I would get a page on the dmz email server. Internal traffic (from dmz

to mpls) works fine.

If I do a packet-tracer input outside tcp 209.85.147.147 https 192.168.x.26

https it drops at phase 5 blaming Nat rule - Nat (inside,outside) static

interface service tcp https http...

Any ideas?

On Jan 11, 2012 1:27 AM, "jcarvaja" <

Re: ASA 5505 DMZ Configuration

Hello,

On the packet tracer you should point it to the outside ip address of the server:

packet-tracer input outside tcp 209.85.147.147 1025 interface_ipadd 443

That should do it with the packet tracer!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: ASA 5505 DMZ Configuration

Ok but if the config is good then the server should be accessible even if I screwed up the packet-tracer. All other variables outside the firewall space are configured properly as the server works when I bypass the firewall. Seems 8.4.1 is seriously buggy. You think its worth trying an upgrade?

Sent from my Verizon Wireless BlackBerry

Re: ASA 5505 DMZ Configuration

Hello Mscha2000,

Well we will need to be 100 % sure if it an asa problem, for that lets do a capture:

Lets say you are comming from 4.2.2.2

access-list capin permit tcp host 4.2.2.2  host 192.168.x.26 eq 443

access-list capin permit tcp   host 192.168.x.26 eq 443 host 4.2.2.2

access-list capout permit tcp host outside_ip eq 443 host 4.2.2.2

access-list capout permit tcp  host 4.2.2.2  host outside_ip eq 443

capture asp type asp-drop all

capture capin access-list capin interface inside

capture capout access-list capout interface outside

Please provide:

sh capture capin

sh capture capout

sh capture asp | include 192.168.x.26

sh capture asp | include 4.2.2.2

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
3527
Views
0
Helpful
5
Replies
CreatePlease login to create content