04-13-2007 05:42 AM - edited 03-11-2019 02:59 AM
Hi,
Please see the attached network diagram. We have recently bought 2 ASAs, model 5520. The first ASA is
connected to the internet by a 2800 series router. The first ASA has got 2 DMZs and each DMZ has 2 servers. The servers are our application servers and a database server and two test
servers. We have got six usable public IP addresses for our use. We want authenticated users from outside to access the application and database servers using VPN.
The second ASA is on the internal side of the network and is attached to the internal network using a 2800 router. The internal users will be restricted from accessing the servers
located in DMZ1. We will use access lists based on MAC addresses to allow some users to access DMZ1 from the internal network. Can we use MAC address filtering?
How do I configure this scenario? Can somebody guide me or show me an example of a near similar configuration?
Thanks in advance
04-13-2007 06:16 AM
I suppose you want outside users using VPN to access your servers in the DMZ. Yes, you can do this using either SSL VPN or IPsec VPN. SSL VPN only needs the outside user to have a browser and will automatically download a VPN shell. IPsec VPN needs the user to install the Cisco VPN client.
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/vpn/index.htm
I think you cannot set an access list based on source MAC. MAC ACLs only work in a layer 2 environment: the source MAC address is not kept in the IP packet after it is routed by a router, because the source MAC is replaced by the router's MAC. The IP address stays the same through the whole process.
04-14-2007 09:45 PM
Hi Rico,
Thanks for the response. Can you check my running config attachment and see whether users can access my servers located in the DMZ? I will have a web server and an Oracle server in the DMZ. Do I need to give all these servers in the DMZ (4 servers in total) static IPs, or can I use NAT to access these servers?
Also, can you please tell me how the router should be configured to allow access to the ASA?
interface GigabitEthernet0/0
description Connected to Router
nameif Outside
security-level 0
ip address 217.x.x.186 255.255.255.248
!
interface GigabitEthernet0/1
description Connected to LAN
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
description Connected to DMZ1
nameif DMZ1
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
description Connected to DMZ2
nameif DMZ2
security-level 50
ip address 192.168.100.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list DMZ1_access_in remark HTTP Access to DMZ1 Server1
access-list DMZ1_access_in extended permit tcp any eq www host 192.168.10.2 eq www
access-list DMZ2_access_in extended permit tcp any eq www host 192.168.100.2 eq www
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu management 1500
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
static (DMZ1,DMZ1) 217.17.247.187 192.168.10.2 netmask 255.255.255.255
access-group DMZ1_access_in in interface DMZ1
access-group DMZ2_access_in in interface DMZ2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:xxx
: end
Thanks
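An added configuration fragment, not from this thread, showing one way the posted 7.2-era config could publish the DMZ1 web server and restrict inside access to DMZ1 by source IP instead of MAC (which, as noted above, cannot survive a routed hop). It reuses the interface names and addresses from the posted config; the two admin host addresses in the object group are assumed placeholders. Two checks worth making against the posted config: a static between DMZ1 and DMZ1 does not translate anything toward the Outside interface, and an ACL entry that matches source port eq www will not match real clients, whose source ports are ephemeral.

```cisco
! --- Publish the DMZ1 web server on one of the six public addresses ---
! static (real_ifc,mapped_ifc) mapped_ip real_ip : DMZ1 host seen from Outside
static (DMZ1,Outside) 217.17.247.187 192.168.10.2 netmask 255.255.255.255
! Pre-8.3 ASA: the Outside ACL references the mapped (public) address.
! Match only the destination port; leave the source port unconstrained.
access-list Outside_access_in remark HTTP to DMZ1 web server
access-list Outside_access_in extended permit tcp any host 217.17.247.187 eq www
access-group Outside_access_in in interface Outside
!
! --- Restrict Inside (100) to DMZ1 (50), which is otherwise allowed by default ---
! Assumed placeholder hosts for the users who may reach DMZ1.
object-group network DMZ1_ALLOWED_HOSTS
 network-object host 192.168.0.50
 network-object host 192.168.0.51
access-list Inside_access_in remark Only listed hosts may reach DMZ1
access-list Inside_access_in extended permit ip object-group DMZ1_ALLOWED_HOSTS 192.168.10.0 255.255.255.0
access-list Inside_access_in extended deny ip any 192.168.10.0 255.255.255.0
! Everything else (Internet, DMZ2) keeps the default inside-to-lower behaviour.
access-list Inside_access_in extended permit ip any any
access-group Inside_access_in in interface Inside
!
! Inside <-> DMZ1 needs no static: nat-control is off by default on 7.x,
! so traffic between private interfaces passes untranslated.
```

Logging the deny line (e.g. with `log` on the deny entry) gives a record of inside hosts attempting to reach DMZ1 outside the allowed set.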
04-18-2007 12:29 PM
Honestly, I don't think you need two firewalls to do what you want to do. I have a couple of questions:
1. How do you connect your inside 5520 to DMZ1 and DMZ2?
2. How do you connect the two firewalls?