08.21.2007 at 12:17PM PDT, ID: 22777733

Cisco ASA 5510 DMZ Routing Questions

Asked by myfootsmells in Enterprise Firewalls


My ISP issued me a block of 16 IP addresses.  Currently 1 IP is being used for my inbound/outbound traffic.  I have a DMZ that also shares that IP address, but I'm looking to move that DMZ to its own IP address so I can start hosting WWW.

The next IP I want to use is 64.64.64.65

Here's my current configuration:

ASA Version 7.0(6)
!
hostname ciscoasa
domain-name acme.local
enable password p4LFSZBbEUfgFt4b encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 64.64.64.64 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.250 255.255.0.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd p4LFSZBbEUfgFt4b encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group service SecondLife udp
 port-object range 13000 13050
access-list outbound extended permit tcp any any eq https
access-list outbound extended permit tcp any any eq www
access-list outbound extended permit tcp any any eq imap4
access-list outbound extended permit tcp any any eq smtp
access-list outbound extended permit tcp any any eq pptp
access-list outbound extended permit tcp any any eq ssh
access-list outbound remark Allow incoming PPTP VPN from outside.
access-list outbound extended permit gre any any
access-list outbound remark DNS
access-list outbound extended permit udp any any eq domain
access-list outbound remark Block all outgoing traffic
access-list outbound extended deny ip any any
access-list dmz remark DNS
access-list dmz extended permit udp any any eq domain
access-list dmz remark HTTP
access-list dmz extended permit tcp any any eq www
access-list dmz extended permit icmp any any echo-reply
access-list dmz extended deny ip any any
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 587
access-list inbound extended permit tcp any interface outside eq 993
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq 3389
access-list inbound extended permit tcp any interface outside eq pptp
access-list inbound extended permit icmp any any echo-reply
access-list inbound remark Remote Web Workplace
access-list inbound extended permit tcp any interface outside eq 4125
access-list inside_nat0_outbound extended permit ip any 10.10.3.0 255.255.255.192
access-list acmeremote_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list http-list2 extended permit ip any any
!
tcp-map mss-map
  exceed-mss allow
!
pager lines 24
logging enable
logging emblem
logging trap warnings
logging asdm warnings
logging host inside 10.10.2.79 format emblem
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool ippool 10.10.3.1-10.10.3.50 mask 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip verify reverse-path interface management
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 10.10.0.0 255.255.0.0
nat (dmz) 10 192.168.200.0 255.255.255.0
static (inside,outside) tcp interface pptp 10.10.1.1 pptp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.10.1.210 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.1.3 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface 587 10.10.1.3 587 netmask 255.255.255.255
static (inside,outside) tcp interface 993 10.10.1.3 993 netmask 255.255.255.255
static (inside,dmz) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
access-group inbound in interface outside
access-group outbound in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 64.64.64.63 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server acmeremote protocol radius
aaa-server acmeremote host 10.10.1.6
 timeout 5
 key 123456
group-policy acmeremote internal
group-policy acmeremote attributes
 wins-server value 10.10.1.1 10.10.1.6
 dns-server value 10.10.1.1 10.10.1.6
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acmeremote_splitTunnelAcl
 default-domain value acme.local
 webvpn
http server enable
http 10.10.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group acmeremote type ipsec-ra
tunnel-group acmeremote general-attributes
 address-pool ippool
 authentication-server-group acmeremote
 default-group-policy acmeremote
tunnel-group acmeremote ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 30
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
class-map http-map1
 match access-list http-list2
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 1100
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map http-map1
 class http-map1
  set connection advanced-options mss-map
!
service-policy global_policy global
service-policy http-map1 interface outside
Cryptochecksum:3bc8e0af687b03244a844bcfdae91cd7
: end

Thanks.
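One way to put a DMZ web host on 64.64.64.65 in ASA 7.0(6) syntax, added here as an illustration and not the accepted solution (which is not visible on this page). The public addresses, interface names and the existing ACL/NAT names come from the posted config; the DMZ server address 192.168.200.10 is an assumption.

```cisco
! Assumed DMZ web server address (not given in the question)
! 1:1 static NAT between the new public address and the DMZ host.
! Static entries take precedence over the dynamic "nat (dmz) 10" PAT,
! so this host is seen on the Internet as 64.64.64.65 instead of the
! shared outside interface IP, and inbound connections to .65 reach it.
static (dmz,outside) 64.64.64.65 192.168.200.10 netmask 255.255.255.255
!
! Permit only HTTP from the Internet to the new public address.
! Pre-8.3 ASA ACLs match the translated (public) address, and using
! "host 64.64.64.65" rather than "interface outside" keeps this
! separate from the existing www static for 10.10.1.3 on the interface IP.
access-list inbound extended permit tcp any host 64.64.64.65 eq www
!
! No extra route is needed: 64.64.64.65 lies inside the outside
! subnet 64.64.64.64/27, and the ASA proxy-ARPs for static mappings.
!
! The outside ACL is already bound with
!   access-group inbound in interface outside
! and outbound DMZ traffic keeps using the interface PAT via the
! existing "nat (dmz) 10" / "global (outside) 10 interface" pair.
!
! Optional hardening: the current "access-list dmz ... permit tcp any any
! eq www" also lets DMZ hosts open HTTP to the inside 10.10.0.0/16, which
! is reachable through the "static (inside,dmz)" identity entry. If the
! web host has no need to reach inside web servers, deny that first:
access-list dmz line 1 extended deny tcp any 10.10.0.0 255.255.0.0 eq www
```

After applying, `show xlate` should list the static for 192.168.200.10, and a connection from the Internet to 64.64.64.65:80 should appear in `show conn` as terminating on the DMZ host rather than on 10.10.1.3.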

About this solution

Zone: Enterprise Firewalls
Tags: asa, cisco, 5510, dmz
Solution Provided By: llyquid
Participating Experts: 2
Solution Grade: A