schofillh
Configuring ASA 5510 for DMZ interface

I have an ASA 5510 that I want to set up a DMZ for a handful of servers.  I am able to pass traffic through the inside/outside interfaces with NAT/ACLs but am stumped on how to configure the device to allow both outside and inside access to web servers off the DMZ interface.  The config is pasted below.  Please feel free to offer any other advice as needed.

asdm image disk0:/asdm521.bin
no asdm history enable
: Saved
:
ASA Version 7.2(1)
!
hostname ATL-ASA1
domain-name xxxs.local
enable password 0WMSPwTIxbwrtt1J encrypted
names
name 192.168.1.10 ATL-APP5 description Mail/File Server
name 192.168.1.12 ATL-UTL1 description Utility Server
name 192.168.1.4 Baraccuda description SMTP Gateway
name 192.168.1.175 OWA description Outlook Web Access
name 192.168.1.157 XXX
name 207.46.130.100 WindowsTime description External Time Server
name 192.168.2.10 GANDALF description XXX WebServer
!
interface Ethernet0/0
 description WAN Interface
 shutdown
 nameif Outside1
 security-level 0
 ip address xxx.xxx.xxx.35 255.255.255.224
!
interface Ethernet0/1
 nameif Inside1
 security-level 99
 ip address 192.168.1.7 255.255.255.0
!
interface Ethernet0/2
 description DMZ Interface
 nameif DMZ1
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.3.7 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxs.local
same-security-traffic permit inter-interface
object-group service RDP tcp
 port-object range 3389 3389
object-group network CHI-LAN
 description Chicago LAN IP Scope
 network-object 10.2.2.0 255.255.255.0
object-group service Web tcp
 description HTTP, HTTPS
 port-object eq https
 port-object eq www
object-group network XXXWebServers
 description XXX Hosted Web Server IP Addresses
 network-object host 192.168.2.55
 network-object host 192.168.2.56
 network-object host 192.168.2.57
 network-object host 192.168.2.58
 network-object host 192.168.2.59
 network-object host 192.168.2.60
 network-object host 192.168.2.61
 network-object host 192.168.2.62
object-group service POP3S tcp
 description Secure POP3
 port-object range 995 995
access-list Atlanta_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Atlanta_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list Outside1_cryptomap extended permit ip any 10.10.10.0 255.255.255.0
access-list Inside1_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside1_access_in remark Rule for inbound Web access to XXX Websites (has 070315)
access-list Outside1_access_in extended permit tcp any interface DMZ1 object-group Web
access-list Outside1_access_in remark Access rule for Secure POP3 to Treos
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.41 object-group POP3S
access-list Outside1_access_in remark Access rule for inbound SMTP (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.36 eq smtp
access-list Outside1_access_in remark Access rule for OWA Secure (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.40 eq https log
access-list Outside1_access_in remark Access rule for web access to SurePoint (has 070315)
access-list Outside1_access_in extended permit tcp any host SurePoint object-group Web inactive
access-list Outside1_access_in remark Access rule for secure webmin to Barracuda (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.36 eq https
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.50 object-group Web
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host 192.168.1.232 object-group Web
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host 192.168.1.233 object-group Web
access-list Outside1_access_in remark Access rule for secure webmin to ESX (has 070315)
access-list Outside1_access_in extended permit tcp any host ATL-UTL1 eq https inactive
access-list Outside1_access_in extended permit ip any host 192.168.1.98 log
access-list DMZ1_access_in extended permit tcp any object-group XXXWebServers object-group Web
pager lines 24
logging enable
logging asdm informational
logging from-address asa@xxxs.local
mtu Outside1 1500
mtu Inside1 1500
mtu DMZ1 1500
mtu management 1500
ip local pool ATL2 10.10.10.1-10.10.10.254 mask 255.255.255.0
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside1) 101 interface
global (DMZ1) 1 xxx.xxx.xxx.39 netmask 255.0.0.0
nat (Inside1) 0 access-list Inside1_nat0_outbound
nat (Inside1) 101 0.0.0.0 0.0.0.0
static (Inside1,Outside1) xxx.xxx.xxx.36 Baraccuda netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.37 192.168.1.56 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.49 ATL-UTL1 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.40 OWA netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.41 ATL-APP5 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.50 192.168.1.231 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.53 192.168.1.232 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.54 192.168.1.233 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.56 192.168.2.146 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.57 192.168.2.147 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.58 192.168.2.148 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.59 192.168.2.149 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.60 192.168.2.160 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.61 192.168.2.161 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.62 192.168.2.162 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.55 192.168.2.145 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.45 192.168.1.98 netmask 255.255.255.255
access-group Outside1_access_in in interface Outside1
access-group DMZ1_access_in in interface DMZ1
route Outside1 0.0.0.0 0.0.0.0 xxx.xxx.xxx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Atlanta protocol radius
aaa-server Atlanta host 192.168.1.151
 key xxxsradius
 radius-common-pw xxxsradius
group-policy Atlanta internal
group-policy Atlanta attributes
 wins-server value 192.168.1.151
 dns-server value 192.168.1.151
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Atlanta_splitTunnelAcl_1
 default-domain value xxx.local
username harrison password dAZ0LHbjhegdfG9K encrypted
http server enable
http 192.168.3.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside1_map 20 ipsec-isakmp dynamic Outside1_dyn_map
crypto map Outside1_map interface Outside1
crypto isakmp enable Outside1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 dhcp-server 192.168.1.151
tunnel-group Atlanta type ipsec-ra
tunnel-group Atlanta general-attributes
 address-pool ATL2
 authentication-server-group Atlanta
 default-group-policy Atlanta
tunnel-group Atlanta ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5e720cb3dc0abae6c8f9ffc64fcc1010
: end
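For reference, the ASA 7.2 pattern for the three-interface DMZ the question describes, written here as an added example rather than text from the poster or from the accepted answer. It reuses the interface names, the Web service group and the XXXWebServers hosts (192.168.2.55-62) from the config above; the public addresses xxx.xxx.xxx.55-62 and the group name XXXWebOutsideIPs are placeholders. Three details of the posted config shape it: a static with the same interface on both sides, as in "static (DMZ1,DMZ1) ...", only translates traffic that enters and leaves DMZ1, so it never applies to Outside1 clients; on 7.2 an ACL on Outside1 is matched against the translated (public) addresses, so "permit tcp any interface DMZ1" permits traffic to the DMZ interface's own IP rather than to the servers; and an ACL applied with "access-group ... in interface DMZ1" filters traffic sourced from DMZ hosts, so it is where DMZ egress is controlled, not inbound access to the servers.

```cisco
! Added example (not the poster's config): DMZ1 web servers reachable from
! Outside1 and Inside1 on ASA 7.2. Assumes the servers are 192.168.2.55-62
! and that one public address per server is available; xxx.xxx.xxx.55-62
! and XXXWebOutsideIPs are placeholders.

! 1. Fixed translations DMZ -> Outside, one per server. The real addresses
!    here must match the hosts in the DMZ object-group and the DMZ ACL.
static (DMZ1,Outside1) xxx.xxx.xxx.55 192.168.2.55 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.56 192.168.2.56 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.57 192.168.2.57 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.58 192.168.2.58 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.59 192.168.2.59 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.60 192.168.2.60 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.61 192.168.2.61 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.62 192.168.2.62 netmask 255.255.255.255

! 2. Outside ACL: on 7.2 it matches the mapped (public) addresses, so the
!    permit is written against the public hosts, and only for HTTP/HTTPS.
object-group network XXXWebOutsideIPs
 network-object host xxx.xxx.xxx.55
 network-object host xxx.xxx.xxx.56
 network-object host xxx.xxx.xxx.57
 network-object host xxx.xxx.xxx.58
 network-object host xxx.xxx.xxx.59
 network-object host xxx.xxx.xxx.60
 network-object host xxx.xxx.xxx.61
 network-object host xxx.xxx.xxx.62
access-list Outside1_access_in extended permit tcp any object-group XXXWebOutsideIPs object-group Web
access-group Outside1_access_in in interface Outside1

! 3. Inside -> DMZ: identity translation so 192.168.1.0/24 appears unchanged
!    on DMZ1. Inside1 (99) to DMZ1 (50) is higher-to-lower, so no ACL is
!    needed on Inside1. Inside clients must use the real 192.168.2.x
!    addresses (or split DNS); the public addresses exist only on Outside1.
static (Inside1,DMZ1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! 4. Egress policy on DMZ1, applied to traffic *from* DMZ hosts. A web
!    server in the DMZ is the thing most likely to be compromised, so deny
!    it a path into the inside LAN and permit only what it needs outbound.
access-list DMZ1_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ1_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq domain
access-list DMZ1_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group Web
access-group DMZ1_access_in in interface DMZ1
```

After applying it, "show xlate" should list one static entry per server and "show access-list Outside1_access_in" should show hit counts climbing on the XXXWebOutsideIPs entry as outside clients connect; a DMZ host that tries to reach 192.168.1.x is logged against the deny in DMZ1_access_in.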

ASKER CERTIFIED SOLUTION
batry_boy
schofillh

ASKER

Great.  I understand all your comments and have made changes to reflect them.  I am going to try this config out tonight.  I've gotten lazy using the PDM so some of the command line stuff is rusty to me.  It's coming back though and I think I can get this going.  I'll post the results tonight.

Thanks!
Ok.  I've got things going better.  Now I'd like to finish it.  Right now I have servers both behind our inside1 and DMZ interfaces that need to be accessed from the Internet through ACLs.  They are working fine.  I'd like to be able to access the servers in the DMZ from the inside LAN 192.168.1.0.  I'd also like to be able to set up a VPN policy that only had access to the DMZ servers.

Right now I cannot get outside to anything from the DMZ servers but can get to them from the outside.  Here is the config:

asdm image disk0:/asdm521.bin
no asdm history enable
: Saved
:
ASA Version 7.2(1)
!
hostname ATL-ASA1
domain-name xxx.local
enable password 0WMSPwTIxbwrtt1J encrypted
names
name 192.168.1.10 ATL-APP5 description Mail/File Server
name 192.168.1.12 ATL-UTL1 description Utility Server
name 192.168.1.4 Baraccuda description SMTP Gateway
name 192.168.1.175 OWA description Outlook Web Access
name 192.168.1.157 SurePoint
name 207.46.130.100 WindowsTime description External Time Server
name 192.168.2.10 GANDALF description xxx WebServer
!
interface Ethernet0/0
 description WAN Interface
 nameif Outside1
 security-level 0
 ip address xx.xx.xx.34 255.255.255.224
!
interface Ethernet0/1
 nameif Inside1
 security-level 99
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 description DMZ Interface
 nameif DMZ1
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.3.7 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.local
same-security-traffic permit inter-interface
object-group service RDP tcp
 port-object range 3389 3389
object-group network CHI-LAN
 description Chicago LAN IP Scope
 network-object 10.2.2.0 255.255.255.0
object-group service Web tcp
 description HTTP, HTTPS
 port-object eq https
 port-object eq www
object-group network xxxWebServers
 description xxx Hosted Web Server IP Addresses
 network-object host 192.168.2.55
 network-object host 192.168.2.56
 network-object host 192.168.2.57
 network-object host 192.168.2.58
 network-object host 192.168.2.59
 network-object host 192.168.2.60
 network-object host 192.168.2.61
 network-object host 192.168.2.62
object-group service POP3S tcp
 description Secure POP3
 port-object range 995 995
object-group network xxxWebOutsideIPs
 network-object host xx.xx.xx.55
 network-object host xx.xx.xx.56
 network-object host xx.xx.xx.57
 network-object host xx.xx.xx.58
 network-object host xx.xx.xx.59
 network-object host xx.xx.xx.60
 network-object host xx.xx.xx.61
 network-object host xx.xx.xx.62
access-list Atlanta_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Atlanta_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list Outside1_cryptomap extended permit ip any 10.10.10.0 255.255.255.0
access-list Inside1_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Inside1_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list Outside1_access_in remark Rule for inbound Web access to xxx Websites (has 070315)
access-list Outside1_access_in extended permit tcp any object-group xxxWebOutsideIPs object-group Web
access-list Outside1_access_in remark Access rule for Secure POP3 to Treos
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.41 object-group POP3S
access-list Outside1_access_in remark Access rule for inbound SMTP (has 070315)
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.36 eq smtp
access-list Outside1_access_in remark Access rule for OWA Secure (has 070315)
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.40 eq https log
access-list Outside1_access_in remark Access rule for secure webmin to Barracuda (has 070315)
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.36 eq https
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.50 object-group Web
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.53 object-group Web
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.54 object-group Web
access-list Outside1_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list Atlanta_splitTunnelAcl_2 standard permit 192.168.1.0 255.255.255.0
access-list Outside1_cryptomap_1 extended permit ip any 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging from-address asa@xxx.local
mtu Outside1 1500
mtu Inside1 1500
mtu DMZ1 1500
mtu management 1500
ip local pool ATL2 10.10.10.1-10.10.10.254 mask 255.255.255.0
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside1) 101 interface
global (DMZ1) 1 interface
nat (Inside1) 0 access-list Inside1_nat0_outbound
nat (Inside1) 101 0.0.0.0 0.0.0.0
static (Inside1,Outside1) xx.xx.xx.36 Baraccuda netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.37 192.168.1.56 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.49 ATL-UTL1 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.40 OWA netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.41 ATL-APP5 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.50 192.168.1.231 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.53 192.168.1.232 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.54 192.168.1.233 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.45 192.168.1.98 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.56 192.168.2.146 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.55 192.168.2.145 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.62 192.168.2.162 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.61 192.168.2.161 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.60 192.168.2.160 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.59 192.168.2.149 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.58 192.168.2.148 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.57 192.168.2.147 netmask 255.255.255.255
static (Inside1,DMZ1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group Outside1_access_in in interface Outside1
route Outside1 0.0.0.0 0.0.0.0 xx.xx.xx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Atlanta protocol radius
aaa-server Atlanta host 192.168.1.151
 key xxxradius
 radius-common-pw xxxradius
group-policy Atlanta internal
group-policy Atlanta attributes
 wins-server value 192.168.1.151
 dns-server value 192.168.1.151
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Atlanta_splitTunnelAcl_2
 default-domain value xxx.local
username harrison password dAZ0LHbjhegdfG9K encrypted
http server enable
http 192.168.3.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Outside1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside1_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map Outside1_map 20 match address Outside1_20_cryptomap
crypto map Outside1_map 20 set pfs group5
crypto map Outside1_map 20 set peer 72.54.213.154
crypto map Outside1_map 20 set transform-set ESP-3DES-MD5
crypto map Outside1_map 40 ipsec-isakmp dynamic Outside1_dyn_map
crypto map Outside1_map interface Outside1
crypto isakmp enable Outside1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 dhcp-server 192.168.1.151
tunnel-group Atlanta type ipsec-ra
tunnel-group Atlanta general-attributes
 address-pool ATL2
 authentication-server-group Atlanta
 default-group-policy Atlanta
 dhcp-server 192.168.1.151
tunnel-group Atlanta ipsec-attributes
 pre-shared-key *
tunnel-group 72.54.213.154 type ipsec-l2l
tunnel-group 72.54.213.154 ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8beca223f4ac959dea19fe90136495b9
: end

I haven't set up a DMZ on a PIX in a few years so I appreciate any help.
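An added example (not the poster's config and not the accepted answer) for the two items still open in the follow-up: letting DMZ hosts reach the Internet, and a VPN group that can reach nothing but the DMZ. It assumes the pool ATL2 (10.10.10.0/24), the RADIUS server group Atlanta, the Web service group and the interface names from the config above; the group-policy and tunnel-group name DMZAdmins and the ACL names are hypothetical. The posted config has "global (Outside1) 101 interface" but no "nat (DMZ1) 101 ..." line, so a DMZ host without a static has no translation to a routable address on the way out. The NAT exemption is needed because the (DMZ1,Outside1) statics would otherwise rewrite the reply from a DMZ server to a VPN client. Split tunnelling only tells the client what to send into the tunnel; the vpn-filter ACL is what the ASA enforces, and it is written with the remote (client pool) side as source and the DMZ as destination, the direction Cisco documents for vpn-filter (confirm against the documentation for your release). What DMZ hosts may initiate is still governed by whatever ACL is applied inbound on DMZ1.

```cisco
! Added example (not the poster's config): DMZ1 egress and a VPN group
! limited to the DMZ web servers, ASA 7.2. DMZAdmins and the ACL names
! are hypothetical; REPLACE-WITH-REAL-KEY is a placeholder.

! 1. Dynamic PAT for DMZ hosts that have no static: pairs with the existing
!    "global (Outside1) 101 interface". Hosts with a (DMZ1,Outside1) static
!    keep their fixed public address.
nat (DMZ1) 101 192.168.2.0 255.255.255.0

! 2. Exempt DMZ <-> VPN pool traffic from translation. Without this, the
!    static would translate a DMZ server's reply to a 10.10.10.x client
!    and the flow would break; nat 0 with an ACL takes precedence.
access-list DMZ1_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (DMZ1) 0 access-list DMZ1_nat0_outbound

! 3. VPN policy that reaches only the DMZ web servers. The split-tunnel
!    list sends 192.168.2.0/24 into the tunnel; the vpn-filter is the
!    control, written client-pool -> DMZ with the port on the DMZ side.
access-list DMZ_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list DMZ_vpn_filter extended permit tcp 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0 object-group Web
group-policy DMZAdmins internal
group-policy DMZAdmins attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DMZ_splitTunnelAcl
 vpn-filter value DMZ_vpn_filter

! 4. A separate tunnel-group so the DMZ-only users authenticate into this
!    policy; the existing Atlanta group keeps its inside-LAN access.
tunnel-group DMZAdmins type ipsec-ra
tunnel-group DMZAdmins general-attributes
 address-pool ATL2
 authentication-server-group Atlanta
 default-group-policy DMZAdmins
tunnel-group DMZAdmins ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-KEY
```

With a client connected to the DMZAdmins group, "show vpn-sessiondb remote" shows the filter applied to the session, and anything the client sends toward 192.168.1.0/24 is dropped by the implicit deny at the end of DMZ_vpn_filter rather than relying on the client honouring the split-tunnel list. Sharing the ATL2 pool between both tunnel-groups is fine since the filter is tied to the group-policy, not to the address.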