Solved

Configuring ASA 5510 for DMZ interface

Posted on 2007-03-26
Last Modified: 2013-11-16
I have an ASA 5510 on which I want to set up a DMZ for a handful of servers. I am able to pass traffic through the inside/outside interfaces with NAT/ACLs but am stumped on how to configure the device to allow both outside and inside access to web servers off the DMZ interface. The config is pasted below. Please feel free to offer any other advice as needed.

asdm image disk0:/asdm521.bin
no asdm history enable
: Saved
:
ASA Version 7.2(1)
!
hostname ATL-ASA1
domain-name xxxs.local
enable password 0WMSPwTIxbwrtt1J encrypted
names
name 192.168.1.10 ATL-APP5 description Mail/File Server
name 192.168.1.12 ATL-UTL1 description Utility Server
name 192.168.1.4 Baraccuda description SMTP Gateway
name 192.168.1.175 OWA description Outlook Web Access
name 192.168.1.157 XXX
name 207.46.130.100 WindowsTime description External Time Server
name 192.168.2.10 GANDALF description XXX WebServer
!
interface Ethernet0/0
 description WAN Interface
 shutdown
 nameif Outside1
 security-level 0
 ip address xxx.xxx.xxx.35 255.255.255.224
!
interface Ethernet0/1
 nameif Inside1
 security-level 99
 ip address 192.168.1.7 255.255.255.0
!
interface Ethernet0/2
 description DMZ Interface
 nameif DMZ1
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.3.7 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxs.local
same-security-traffic permit inter-interface
object-group service RDP tcp
 port-object range 3389 3389
object-group network CHI-LAN
 description Chicago LAN IP Scope
 network-object 10.2.2.0 255.255.255.0
object-group service Web tcp
 description HTTP, HTTPS
 port-object eq https
 port-object eq www
object-group network XXXWebServers
 description XXX Hosted Web Server IP Addresses
 network-object host 192.168.2.55
 network-object host 192.168.2.56
 network-object host 192.168.2.57
 network-object host 192.168.2.58
 network-object host 192.168.2.59
 network-object host 192.168.2.60
 network-object host 192.168.2.61
 network-object host 192.168.2.62
object-group service POP3S tcp
 description Secure POP3
 port-object range 995 995
access-list Atlanta_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Atlanta_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list Outside1_cryptomap extended permit ip any 10.10.10.0 255.255.255.0
access-list Inside1_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside1_access_in remark Rule for inbound Web access to XXX Websites (has 070315)
access-list Outside1_access_in extended permit tcp any interface DMZ1 object-group Web
access-list Outside1_access_in remark Access rule for Secure POP3 to Treos
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.41 object-group POP3S
access-list Outside1_access_in remark Access rule for inbound SMTP (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.36 eq smtp
access-list Outside1_access_in remark Access rule for OWA Secure (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.40 eq https log
access-list Outside1_access_in remark Access rule for web access to SurePoint (has 070315)
access-list Outside1_access_in extended permit tcp any host SurePoint object-group Web inactive
access-list Outside1_access_in remark Access rule for secure webmin to Barracuda (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.36 eq https
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.50 object-group Web
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host 192.168.1.232 object-group Web
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host 192.168.1.233 object-group Web
access-list Outside1_access_in remark Access rule for secure webmin to ESX (has 070315)
access-list Outside1_access_in extended permit tcp any host ATL-UTL1 eq https inactive
access-list Outside1_access_in extended permit ip any host 192.168.1.98 log
access-list DMZ1_access_in extended permit tcp any object-group XXXWebServers object-group Web
pager lines 24
logging enable
logging asdm informational
logging from-address asa@xxxs.local
mtu Outside1 1500
mtu Inside1 1500
mtu DMZ1 1500
mtu management 1500
ip local pool ATL2 10.10.10.1-10.10.10.254 mask 255.255.255.0
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside1) 101 interface
global (DMZ1) 1 xxx.xxx.xxx.39 netmask 255.0.0.0
nat (Inside1) 0 access-list Inside1_nat0_outbound
nat (Inside1) 101 0.0.0.0 0.0.0.0
static (Inside1,Outside1) xxx.xxx.xxx.36 Baraccuda netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.37 192.168.1.56 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.49 ATL-UTL1 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.40 OWA netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.41 ATL-APP5 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.50 192.168.1.231 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.53 192.168.1.232 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.54 192.168.1.233 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.56 192.168.2.146 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.57 192.168.2.147 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.58 192.168.2.148 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.59 192.168.2.149 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.60 192.168.2.160 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.61 192.168.2.161 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.62 192.168.2.162 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.55 192.168.2.145 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.45 192.168.1.98 netmask 255.255.255.255
access-group Outside1_access_in in interface Outside1
access-group DMZ1_access_in in interface DMZ1
route Outside1 0.0.0.0 0.0.0.0 xxx.xxx.xxx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Atlanta protocol radius
aaa-server Atlanta host 192.168.1.151
 key xxxsradius
 radius-common-pw xxxsradius
group-policy Atlanta internal
group-policy Atlanta attributes
 wins-server value 192.168.1.151
 dns-server value 192.168.1.151
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Atlanta_splitTunnelAcl_1
 default-domain value xxx.local
username harrison password dAZ0LHbjhegdfG9K encrypted
http server enable
http 192.168.3.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside1_map 20 ipsec-isakmp dynamic Outside1_dyn_map
crypto map Outside1_map interface Outside1
crypto isakmp enable Outside1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 dhcp-server 192.168.1.151
tunnel-group Atlanta type ipsec-ra
tunnel-group Atlanta general-attributes
 address-pool ATL2
 authentication-server-group Atlanta
 default-group-policy Atlanta
tunnel-group Atlanta ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5e720cb3dc0abae6c8f9ffc64fcc1010
: end

Question by:schofillh
3 Comments
 

Accepted Solution

by: batry_boy earned 500 total points
ID: 18797876
A couple of things to change.

First, your static translations need to reference both the DMZ1 (originating) interface and the outside (destination) interface.  So instead of your static translations for your DMZ servers looking like this:

static (DMZ1,DMZ1) xxx.xxx.xxx.56 192.168.2.146 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.57 192.168.2.147 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.58 192.168.2.148 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.59 192.168.2.149 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.60 192.168.2.160 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.61 192.168.2.161 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.62 192.168.2.162 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.55 192.168.2.145 netmask 255.255.255.255

they should really look like this:

static (DMZ1,Outside1) xxx.xxx.xxx.56 192.168.2.146 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.57 192.168.2.147 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.58 192.168.2.148 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.59 192.168.2.149 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.60 192.168.2.160 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.61 192.168.2.161 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.62 192.168.2.162 netmask 255.255.255.255
static (DMZ1,Outside1) xxx.xxx.xxx.55 192.168.2.145 netmask 255.255.255.255

Next, your access lists need to be modified to allow the traffic in to the DMZ network.  You have the following two statements configured:

access-group Outside1_access_in in interface Outside1
access-group DMZ1_access_in in interface DMZ1

If you translated these statements into English, the first statement reads:

"Apply the access list named Outside1_access_in to the interface named Outside1 and apply it in an inbound direction from the outside world"

and the second statement reads:

"Apply the access list named DMZ1_access_in to the interface named DMZ1 and apply it in an inbound direction from the DMZ network segment"

Whenever you allow traffic with an access list, you always specify the destination IP addressing for traffic to be allowed to by using the lower security level interface translation.  In other words, you should specify the public IP addresses as the destination addresses for your access list applied to the outside interface.  Some of the statements in your Outside1_access_in access list are correct while others are not.  The ones that are not correct are:

access-list Outside1_access_in extended permit tcp any interface DMZ1 object-group Web             <----incorrect because it specifies DMZ interface as destination
access-list Outside1_access_in extended permit tcp any host SurePoint object-group Web inactive    <----what is SurePoint, didn't see it defined in the config
access-list Outside1_access_in extended permit tcp any host 192.168.1.232 object-group Web         <----incorrect because specifies internal IP as destination
access-list Outside1_access_in extended permit tcp any host 192.168.1.233 object-group Web         <----incorrect because specifies internal IP as destination
access-list Outside1_access_in extended permit tcp any host ATL-UTL1 eq https inactive             <----incorrect because specifies internal IP as destination
access-list Outside1_access_in extended permit ip any host 192.168.1.98 log                        <----incorrect because specifies internal IP as destination

And these look correct as far as syntax goes:

access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.41 object-group POP3S
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.36 eq smtp
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.40 eq https log
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.36 eq https
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.50 object-group Web

For the ones above listed as incorrect and looking at your existing translations, it looks like they should be reconfigured as follows:

access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.53 object-group Web        <---specifies public translation for 192.168.1.232 as destination
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.54 object-group Web        <---specifies public translation for 192.168.1.233 as destination
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.49 eq https inactive       <---specifies public translation for ATL-UTL1 as destination
access-list Outside1_access_in extended permit ip any host xxx.xxx.xxx.45 log                      <---specifies public translation for 192.168.1.98 as destination

I didn't include a corrected statement for the SurePoint or DMZ1 because I don't have enough information to construct the correct statements for you.  I'm not sure what you're trying to do with the "interface DMZ1" statement and I don't see a translation for the "SurePoint" host.

Do you understand the logic here?  If not, please ask questions because it is more important that you understand how this works than me just giving you a workable configuration.

Now this should help with the "outside to DMZ" traffic flow.  For "inside to DMZ" traffic flow, you'll have to modify your NAT configuration.  You currently have these statements in the firewall:

global (Outside1) 101 interface
global (DMZ1) 1 xxx.xxx.xxx.39 netmask 255.0.0.0
nat (Inside1) 0 access-list Inside1_nat0_outbound
nat (Inside1) 101 0.0.0.0 0.0.0.0

The sequence numbers after the (interface) designations in the above statements are meant to pair up the nat and global statements to define NAT behavior between interfaces.  For example, the nat and global statements that have the 101 listed are matched up together to read "perform NAT on any source traffic entering the Inside1 interface and translate it into the IP address associated with the Outside1 interface when destined for a host on the Outside1 interface".

Now, you have a statement to define NAT for traffic destined for the DMZ1 interface, but you don't have a corresponding nat statement to match up with the "1" sequence number associated with the global (DMZ1) statement.  So, you need to add something like:

nat (Inside1) 1 0.0.0.0 0.0.0.0

or

nat (Inside1) 1 192.168.1.0 255.255.255.0

to cause the firewall to NAT traffic from the defined source in the above NAT statements when destined for a host on the DMZ1 interface.  So if you put in one of those above nat statements I just listed, you would wind up with this nat/global pair:

global (DMZ1) 1 xxx.xxx.xxx.39 netmask 255.0.0.0
nat (Inside1) 1 192.168.1.0 255.255.255.0

This reads "Translate any 192.168.1.x source address into xxx.xxx.xxx.39 when sending traffic to a host on the DMZ1 interface".  This is incorrect, since that .39 address is a publicly routable address and I don't think you really meant to do this.  You can either change the global such that the inside traffic is translated into the DMZ1 interface IP address itself (PAT configuration) or you can implement a "net static" where you configure it such that each internal 192.168.1.x address is translated back to itself when going to a host on the DMZ1 interface.  Here's how you would do that:

global (DMZ1) 1 interface                <----PAT configuration
               
static (Inside1,DMZ1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0             <----net static

If you choose to do the net static option, you should take out the "nat (Inside1) 1" and "global (DMZ1) 1" commands since you would have an overlapping NAT configuration otherwise.  Leave the nat/global pair referencing the "101" number since that is currently allowing your Internet access for your internal network.

You should probably break this project into segments since we've covered a lot of ground and the more you try to accomplish with this one post, the more room there is for error.  Please feel free to ask questions about the translations and ACLs.  There are a lot of specifics that I haven't covered in this post, such as the access list applied to the DMZ1 interface to allow traffic from the DMZ1 interface to the outside world or to the inside, if desired.  I just thought it would be a good stopping point for you to digest the information presented thus far.

Good luck!
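The three points in the accepted solution (a static must name the destination interface as its second interface, every global needs a nat statement with the same id, and the ACL on the lowest-security interface must name public translations rather than private addresses) lend themselves to a mechanical check. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the nameif, security-level, static, global, nat, access-list and access-group lines of an ASA 7.x-style config, reports those three problems, and then resolves which source translation a given flow would get in the order the answer describes (a matching static first, then the nat/global pair with matching ids). The embedded config is constructed: 203.0.113.x stands in for the masked public range, interface names and the 192.168.x addresses follow the thread, names are assumed already expanded to addresses, and nat 0 exemption is not modelled.

```python
"""Audit ASA 7.x-style NAT/ACL statements for the mistakes the accepted solution lists.
Added example, not code from the thread or from Cisco. Only nameif, security-level, static,
global, nat, access-list and access-group lines are read (names must already be expanded to
addresses); nat 0 exemption is not modelled. Sample config constructed, 203.0.113.x = public."""
import ipaddress
from collections import defaultdict

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside1
 security-level 0
interface Ethernet0/1
 nameif Inside1
 security-level 99
interface Ethernet0/2
 nameif DMZ1
 security-level 50
access-list Outside1_access_in extended permit tcp any interface DMZ1 object-group Web
access-list Outside1_access_in extended permit tcp any host 203.0.113.40 eq https log
access-list Outside1_access_in extended permit tcp any host 192.168.1.232 object-group Web
global (Outside1) 101 interface
global (DMZ1) 1 203.0.113.39 netmask 255.0.0.0
nat (Inside1) 101 0.0.0.0 0.0.0.0
static (Inside1,Outside1) 203.0.113.40 192.168.1.175 netmask 255.255.255.255
static (Inside1,Outside1) 203.0.113.53 192.168.1.232 netmask 255.255.255.255
static (DMZ1,DMZ1) 203.0.113.56 192.168.2.146 netmask 255.255.255.255
access-group Outside1_access_in in interface Outside1
"""  # constructed, mirroring the first posted config before the fixes

FIXED_CONFIG = (SAMPLE_CONFIG  # the same sample with the accepted solution's corrections applied
    .replace("static (DMZ1,DMZ1)", "static (DMZ1,Outside1)")
    .replace("any interface DMZ1 object-group Web", "any host 203.0.113.56 object-group Web")
    .replace("any host 192.168.1.232 object-group Web", "any host 203.0.113.53 object-group Web")
    .replace("global (DMZ1) 1 203.0.113.39 netmask 255.0.0.0\n",
             "static (Inside1,DMZ1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0\n"))

def parse(config):
    m = {"seclevel": {}, "static": [], "global": {}, "nat": defaultdict(list),
         "acl": defaultdict(list), "access_group": {}}
    nameif = None
    for raw in config.splitlines():
        s, p = raw.strip(), raw.split()
        if s.startswith("nameif "):
            nameif = p[1]
        elif s.startswith("security-level "):
            m["seclevel"][nameif] = int(p[1])
        elif s.startswith("static "):                    # static (real_if,mapped_if) mapped real netmask mask
            real_if, mapped_if = p[1].strip("()").split(",")
            m["static"].append({"real_if": real_if, "mapped_if": mapped_if, "mapped": p[2], "real": p[3], "mask": p[5]})
        elif s.startswith("global "):                    # (interface, id) -> address or 'interface'
            m["global"][(p[1].strip("()"), int(p[2]))] = p[3]
        elif s.startswith("nat ") and p[2] != "0":       # nat 0 is exemption, not a pairable id
            m["nat"][int(p[2])].append((p[1].strip("()"), f"{p[3]}/{p[4]}"))
        elif s.startswith("access-list ") and p[2] == "extended":
            m["acl"][p[1]].append(p[3:])                 # tokens from permit/deny onward
        elif s.startswith("access-group "):
            m["access_group"][p[4]] = p[1]               # interface -> ACL applied inbound
    return m

def audit(m):
    """One finding per problem of the kinds the accepted solution points out."""
    out = []
    for st in m["static"]:
        if st["real_if"] == st["mapped_if"]:
            out.append(f"static ({st['real_if']},{st['mapped_if']}) for {st['real']}: second interface must be the destination interface")
    for gif, gid in m["global"]:
        if gid not in m["nat"]:
            out.append(f"global ({gif}) {gid}: no nat statement with id {gid} pairs with it")
    outside = min(m["seclevel"], key=m["seclevel"].get)  # ACL on the lowest-security interface must use mapped addresses
    for tokens in m["acl"].get(m["access_group"].get(outside), []):
        i = 3 if tokens[2] == "any" else 4               # destination follows action, protocol and source
        if tokens[i] == "any":
            continue
        kind, val = tokens[i], tokens[i + 1]
        if kind == "interface" and val != outside:
            out.append(f"outside ACL: destination 'interface {val}' is the firewall's own interface, not a server's public translation")
        elif kind == "host" and any(ipaddress.ip_address(val) in n for n in PRIVATE):
            hint = next((f"; use its public translation {st['mapped']}" for st in m["static"]
                         if st["real"] == val and st["mapped_if"] == outside), "")
            out.append(f"outside ACL: destination {val} is an untranslated private address{hint}")
    return out

def translate_source(m, src_if, src_ip, dst_if):
    """Source translation for a flow in the order the answer describes: a static first, then the
    nat/global pair with matching ids. Returns the mapped address, 'interface' for PAT, or None."""
    src = ipaddress.ip_address(src_ip)
    for st in m["static"]:
        real_net = ipaddress.ip_network(f"{st['real']}/{st['mask']}", strict=False)
        if st["real_if"] == src_if and st["mapped_if"] == dst_if and src in real_net:
            offset = int(src) - int(real_net.network_address)        # host part is kept for a net static
            return str(ipaddress.ip_address(int(ipaddress.ip_address(st["mapped"])) + offset))
    for nid, entries in m["nat"].items():
        for nif, spec in entries:
            if nif == src_if and src in ipaddress.ip_network(spec, strict=False) and (dst_if, nid) in m["global"]:
                return m["global"][(dst_if, nid)]
    return None
```

Run over the constructed "original" sample, `audit` reports four findings (the (DMZ1,DMZ1) static, the unpaired `global (DMZ1) 1`, the `interface DMZ1` destination and the private 192.168.1.232 destination with its 203.0.113.53 translation suggested), and `translate_source` returns None for both an Inside1 to DMZ1 flow and a DMZ1 to Outside1 flow, which is exactly why neither direction worked. Over the corrected sample, with (DMZ1,Outside1) statics, public ACL destinations and the net static in place of the global, it reports nothing, the inside host keeps its 192.168.1.x address toward the DMZ, and the DMZ server is reachable as 203.0.113.56 from outside.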

Author Comment

by:schofillh
ID: 18800222
Great.  I understand all your comments and have made changes to reflect them.  I am going to try this config out tonight.  I've gotten lazy using the PDM so some of the command line stuff is rusty to me.  It's coming back though and I think I can get this going.  I'll post the results tonight.

Thanks!

Author Comment

by:schofillh
ID: 18805749
Ok.  I've got things going better.  Now I'd like to finish it.  Right now I have servers both behind our inside1 and DMZ interfaces that need to be accessed from the Internet through ACLs.  They are working fine.  I'd like to be able to access the servers in the DMZ from the inside LAN 192.168.1.0.  I'd also like to be able to set up a VPN policy that only has access to the DMZ servers.

Right now I cannot get outside to anything from the DMZ servers but can get to them from the outside.  Here is the config:

asdm image disk0:/asdm521.bin
no asdm history enable
: Saved
:
ASA Version 7.2(1)
!
hostname ATL-ASA1
domain-name xxx.local
enable password 0WMSPwTIxbwrtt1J encrypted
names
name 192.168.1.10 ATL-APP5 description Mail/File Server
name 192.168.1.12 ATL-UTL1 description Utility Server
name 192.168.1.4 Baraccuda description SMTP Gateway
name 192.168.1.175 OWA description Outlook Web Access
name 192.168.1.157 SurePoint
name 207.46.130.100 WindowsTime description External Time Server
name 192.168.2.10 GANDALF description xxx WebServer
!
interface Ethernet0/0
 description WAN Interface
 nameif Outside1
 security-level 0
 ip address xx.xx.xx.34 255.255.255.224
!
interface Ethernet0/1
 nameif Inside1
 security-level 99
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 description DMZ Interface
 nameif DMZ1
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.3.7 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.local
same-security-traffic permit inter-interface
object-group service RDP tcp
 port-object range 3389 3389
object-group network CHI-LAN
 description Chicago LAN IP Scope
 network-object 10.2.2.0 255.255.255.0
object-group service Web tcp
 description HTTP, HTTPS
 port-object eq https
 port-object eq www
object-group network xxxWebServers
 description xxx Hosted Web Server IP Addresses
 network-object host 192.168.2.55
 network-object host 192.168.2.56
 network-object host 192.168.2.57
 network-object host 192.168.2.58
 network-object host 192.168.2.59
 network-object host 192.168.2.60
 network-object host 192.168.2.61
 network-object host 192.168.2.62
object-group service POP3S tcp
 description Secure POP3
 port-object range 995 995
object-group network xxxWebOutsideIPs
 network-object host xx.xx.xx.55
 network-object host xx.xx.xx.56
 network-object host xx.xx.xx.57
 network-object host xx.xx.xx.58
 network-object host xx.xx.xx.59
 network-object host xx.xx.xx.60
 network-object host xx.xx.xx.61
 network-object host xx.xx.xx.62
access-list Atlanta_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Atlanta_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list Outside1_cryptomap extended permit ip any 10.10.10.0 255.255.255.0
access-list Inside1_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Inside1_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list Outside1_access_in remark Rule for inbound Web access to xxx Websites (has 070315)
access-list Outside1_access_in extended permit tcp any object-group xxxWebOutsideIPs object-group Web
access-list Outside1_access_in remark Access rule for Secure POP3 to Treos
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.41 object-group POP3S
access-list Outside1_access_in remark Access rule for inbound SMTP (has 070315)
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.36 eq smtp
access-list Outside1_access_in remark Access rule for OWA Secure (has 070315)
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.40 eq https log
access-list Outside1_access_in remark Access rule for secure webmin to Barracuda (has 070315)
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.36 eq https
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.50 object-group Web
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.53 object-group Web
access-list Outside1_access_in extended permit tcp any host xx.xx.xx.54 object-group Web
access-list Outside1_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list Atlanta_splitTunnelAcl_2 standard permit 192.168.1.0 255.255.255.0
access-list Outside1_cryptomap_1 extended permit ip any 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging from-address asa@xxx.local
mtu Outside1 1500
mtu Inside1 1500
mtu DMZ1 1500
mtu management 1500
ip local pool ATL2 10.10.10.1-10.10.10.254 mask 255.255.255.0
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside1) 101 interface
global (DMZ1) 1 interface
nat (Inside1) 0 access-list Inside1_nat0_outbound
nat (Inside1) 101 0.0.0.0 0.0.0.0
static (Inside1,Outside1) xx.xx.xx.36 Baraccuda netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.37 192.168.1.56 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.49 ATL-UTL1 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.40 OWA netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.41 ATL-APP5 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.50 192.168.1.231 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.53 192.168.1.232 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.54 192.168.1.233 netmask 255.255.255.255
static (Inside1,Outside1) xx.xx.xx.45 192.168.1.98 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.56 192.168.2.146 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.55 192.168.2.145 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.62 192.168.2.162 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.61 192.168.2.161 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.60 192.168.2.160 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.59 192.168.2.149 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.58 192.168.2.148 netmask 255.255.255.255
static (DMZ1,Outside1) xx.xx.xx.57 192.168.2.147 netmask 255.255.255.255
static (Inside1,DMZ1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group Outside1_access_in in interface Outside1
route Outside1 0.0.0.0 0.0.0.0 xx.xx.xx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Atlanta protocol radius
aaa-server Atlanta host 192.168.1.151
 key xxxradius
 radius-common-pw xxxradius
group-policy Atlanta internal
group-policy Atlanta attributes
 wins-server value 192.168.1.151
 dns-server value 192.168.1.151
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Atlanta_splitTunnelAcl_2
 default-domain value xxx.local
username harrison password dAZ0LHbjhegdfG9K encrypted
http server enable
http 192.168.3.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Outside1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside1_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map Outside1_map 20 match address Outside1_20_cryptomap
crypto map Outside1_map 20 set pfs group5
crypto map Outside1_map 20 set peer 72.54.213.154
crypto map Outside1_map 20 set transform-set ESP-3DES-MD5
crypto map Outside1_map 40 ipsec-isakmp dynamic Outside1_dyn_map
crypto map Outside1_map interface Outside1
crypto isakmp enable Outside1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 dhcp-server 192.168.1.151
tunnel-group Atlanta type ipsec-ra
tunnel-group Atlanta general-attributes
 address-pool ATL2
 authentication-server-group Atlanta
 default-group-policy Atlanta
 dhcp-server 192.168.1.151
tunnel-group Atlanta ipsec-attributes
 pre-shared-key *
tunnel-group 72.54.213.154 type ipsec-l2l
tunnel-group 72.54.213.154 ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8beca223f4ac959dea19fe90136495b9
: end

I haven't set up a DMZ on a PIX in a few years so I appreciate any help.