10-20-2014 06:39 AM - edited 03-05-2019 12:00 AM
Hello,
This is my first time posting on here and I am very new to Cisco and still very much a networking newbie. My company has 2 Cisco ASA 5510s, one located at each site. I am trying to set up a DMZ so that our badge system located at Site A can talk to the node at Site B. I have set up a site-to-site VPN. The badge company that we hired states that we will need to set up a DMZ for them to talk to each other. Do I need to set up a DMZ on both sites or just one? I will paste what I have so far. I am not sure what to do. The badge system is on the inside network. Their devices broadcast multicast traffic and use port 7262 to talk to each other.
interface Ethernet0/0
description WAN Interface
nameif Outside
security-level 0
ip address 1.2.3.4 255.255.255.240
!
interface Ethernet0/1
description LAN Interface
nameif Inside
security-level 100
ip address 192.168.201.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.16.1.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-amzn
subnet 10.200.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.201.0_24
subnet 192.168.201.0 255.255.255.0
object network Site-Plano-Internal
subnet 192.168.223.0 255.255.255.0
object network Plano-External
host 1.2.3.6
object network Site-Austin-Internal
subnet 192.168.201.0 255.255.255.0
object network DMZ-subnet
subnet 172.16.1.0 255.255.255.0
object network DMZ-Host-EXT
host 1.2.3.5
object network DMZ-Host-INT
host 172.16.1.1
object-group network obj-SrcNet
network-object 0.0.0.0 0.0.0.0
object-group service DM_INLINE_SERVICE_1
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp time-exceeded
service-object icmp traceroute
service-object icmp unreachable
service-object tcp-udp destination eq echo
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp time-exceeded
service-object icmp traceroute
service-object icmp unreachable
service-object tcp destination eq echo
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service s2node tcp-udp
description s2node
port-object eq 7262
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp time-exceeded
access-list 100 extended permit icmp any4 any4 echo-reply
access-list 100 extended permit icmp any4 any4 source-quench
access-list 100 extended permit icmp any4 any4 unreachable
access-list 100 extended permit icmp any4 any4 time-exceeded
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit ip host 2.1.2.1 host 1.2.3.4
access-list 100 extended permit ip host 2.1.2.0 host 1.2.3.4
access-list acl-amzn extended permit ip any4 10.200.0.0 255.255.0.0
access-list amzn-filter extended permit ip 10.200.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list amzn-filter extended deny ip any4 any4
access-list outside_access_in remark ICMP type 11 for Windows Traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_acl extended permit icmp any any
access-list Outside_cryptomap extended permit ip object Site-Austin-Internal object Site-Plano-Internal
access-list Outside_cryptomap extended permit icmp any any
access-list Outside_cryptomap extended permit icmp object Site-Austin-Internal object Site-Plano-Internal
access-list Outside_cryptomap extended permit icmp object Site-Plano-Internal object Site-Austin-Internal
access-list Outside_cryptomap extended permit icmp any4 any4 echo-reply
access-list Outside_cryptomap extended permit icmp any4 any4 source-quench
access-list Outside_cryptomap extended permit icmp any4 any4 unreachable
access-list Outside_cryptomap extended permit icmp any4 any4 time-exceeded
access-list Outside_cryptomap extended permit icmp any any echo-reply
access-list Outside_cryptomap extended permit icmp any any source-quench
access-list Outside_cryptomap extended permit icmp any any unreachable
access-list Outside_cryptomap extended permit icmp any any time-exceeded
access-list Outside_cryptomap extended permit icmp any4 any4
access-list Outside_cryptomap extended permit object-group DM_INLINE_SERVICE_1 any4 object Site-Austin-Internal
access-list Outside_cryptomap extended permit object-group DM_INLINE_SERVICE_2 object Site-Austin-Internal any4
access-list Outside_cryptomap extended permit object-group TCPUDP any any object-group s2node
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit object-group TCPUDP any any object-group s2node
access-list global_access extended permit object-group TCPUDP any any object-group s2node
access-list global_access extended permit object-group DM_INLINE_SERVICE_3 any any
pager lines 24
logging enable
logging asdm-buffer-size 200
logging trap emergencies
logging asdm notifications
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-714.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
nat (Inside,Outside) source static Site-Austin-Internal Site-Austin-Internal destination static Site-Plano-Internal Site-Plano-Internal no-proxy-arp route-lookup
!
object network obj_any
nat (Inside,Outside) dynamic interface
object network DMZ-subnet
nat (DMZ,Outside) dynamic interface
access-group outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 1.2.3.4 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.201.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 587
sla monitor 1
type echo protocol ipIcmpEcho 10.200.0.1 interface Outside
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df Outside
crypto map journeyed_austin 1 match address acl-amzn
crypto map journeyed_austin 1 set pfs
crypto map journeyed_austin 1 set peer 2.1.2.0 2.1.2.1
crypto map journeyed_austin 1 set ikev1 transform-set transform-amzn
crypto map journeyed_austin interface Outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
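Added example, not part of the original post and not Cisco code: a small Python audit that reads an ASA running-config excerpt in the format pasted above and reports two things a reviewer would want to see before touching the DMZ question: access-list entries that permit traffic from any source to any destination (together with the access-group binding that tells you whether the ACL is actually in effect, e.g. the `Inside_access_in` and `global_access` lists above both carry any-to-any permits), and IKE policies, IPsec proposals and transform-sets that still offer DES, 3DES or MD5 (several of the transform-sets and the ikev2 proposals above do). The embedded config is a constructed subset modelled on the posted lines; the function and class names are my own.

```python
"""Audit a Cisco ASA config excerpt for any-to-any permits and weak IPsec/IKE algorithms.
The SAMPLE_CONFIG below is constructed for this example; it mirrors lines from the post."""
from dataclasses import dataclass

ANY_KEYWORDS = {"any", "any4", "any6"}
PORT_OPERATORS = {"eq", "lt", "gt", "neq"}
WEAK_ALGOS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp any any time-exceeded
access-list Outside_cryptomap extended permit ip object Site-Austin-Internal object Site-Plano-Internal
access-list Outside_cryptomap extended permit object-group TCPUDP any any object-group s2node
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit object-group TCPUDP any any object-group s2node
access-list amzn-filter extended deny ip any4 any4
access-group outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group global_access global
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
"""


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    rest: str   # trailing qualifiers such as an ICMP type or a destination service group
    line: str


@dataclass
class Finding:
    kind: str     # "any-to-any" or "weak-crypto"
    detail: str
    line: str


def _take_addr(toks, i):
    """Consume one address operand starting at toks[i]; return (operand, next index)."""
    t = toks[i]
    if t in ANY_KEYWORDS:
        return "any", i + 1
    if t in ("host", "object", "object-group", "interface"):
        return f"{t} {toks[i + 1]}", i + 2
    return f"{t} {toks[i + 1]}", i + 2   # dotted network followed by its mask


def _skip_ports(toks, i):
    """Skip an optional source-port qualifier (eq/lt/gt/neq PORT or range LOW HIGH)."""
    if i < len(toks) and toks[i] in PORT_OPERATORS:
        return i + 2
    if i < len(toks) and toks[i] == "range":
        return i + 3
    return i


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC [ports] DST ...'; None for remarks/malformed."""
    toks = line.split()
    if len(toks) < 7 or toks[0] != "access-list" or toks[2] != "extended":
        return None
    try:
        acl, action, i = toks[1], toks[3], 4
        if toks[i] in ("object", "object-group"):      # protocol given as a service object/group
            proto, i = f"{toks[i]} {toks[i + 1]}", i + 2
        else:
            proto, i = toks[i], i + 1
        src, i = _take_addr(toks, i)
        i = _skip_ports(toks, i)
        dst, i = _take_addr(toks, i)
    except IndexError:
        return None
    return Ace(acl, action, proto, src, dst, " ".join(toks[i:]), line)


def audit_acls(config):
    """Report permit entries whose source and destination are both any/any4/any6."""
    bound, aces = {}, []
    for raw in config.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "access-group" and len(toks) >= 3:
            bound[toks[1]] = " ".join(toks[2:])         # "in interface Inside" or "global"
        elif toks[0] == "access-list":
            ace = parse_ace(raw.strip())
            if ace:
                aces.append(ace)
    findings = []
    for ace in aces:
        if ace.action == "permit" and ace.src == "any" and ace.dst == "any":
            where = bound.get(ace.acl, "not bound to any interface")
            detail = f"{ace.acl} ({where}): {ace.proto} {ace.rest}".strip()
            findings.append(Finding("any-to-any", detail, ace.line))
    return findings


def audit_crypto(config):
    """Report transform-sets, IPsec proposals and IKE policies that offer DES, 3DES or MD5."""
    findings, parent = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto "):
            parent = line                               # child lines below belong to this statement
        weak = sorted(t for t in line.split() if t in WEAK_ALGOS)
        if weak:
            ctx = line if line.startswith("crypto ") else f"{parent} / {line}"
            findings.append(Finding("weak-crypto", f"{', '.join(weak)} in {ctx}", line))
    return findings


if __name__ == "__main__":
    for f in audit_acls(SAMPLE_CONFIG) + audit_crypto(SAMPLE_CONFIG):
        print(f"[{f.kind}] {f.detail}")
```

Run it against a `show running-config` dump saved to a file by passing the file's contents to `audit_acls` and `audit_crypto`; the access-group lookup is what separates an unused ACL from one that is actually opening the inside or global path, and the crypto report tells you which proposals to prune so the peer can never negotiate down to DES or MD5.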
10-23-2014 12:18 PM
Issue with the badge system was not the network but misconfigured equipment on their end.