Troubleshooting Question

Configuring ASA 5510 for DMZ interface

schofillh asked on
Security, Software Firewalls
3 Comments, 1 Solution, 663 Views, Last Modified:
I have an ASA 5510 that I want to set up a DMZ for a handful of servers. I am able to pass traffic through the inside/outside interfaces with NAT/ACLs but am stumped on how to configure the device to allow both outside and inside access to web servers off the DMZ interface. The config is pasted below. Please feel free to offer any other advice as needed.

asdm image disk0:/asdm521.bin
no asdm history enable
: Saved
:
ASA Version 7.2(1)
!
hostname ATL-ASA1
domain-name xxxs.local
enable password 0WMSPwTIxbwrtt1J encrypted
names
name 192.168.1.10 ATL-APP5 description Mail/File Server
name 192.168.1.12 ATL-UTL1 description Utility Server
name 192.168.1.4 Baraccuda description SMTP Gateway
name 192.168.1.175 OWA description Outlook Web Access
name 192.168.1.157 XXX
name 207.46.130.100 WindowsTime description External Time Server
name 192.168.2.10 GANDALF description XXX WebServer
!
interface Ethernet0/0
 description WAN Interface
 shutdown
 nameif Outside1
 security-level 0
 ip address xxx.xxx.xxx.35 255.255.255.224
!
interface Ethernet0/1
 nameif Inside1
 security-level 99
 ip address 192.168.1.7 255.255.255.0
!
interface Ethernet0/2
 description DMZ Interface
 nameif DMZ1
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.3.7 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxs.local
same-security-traffic permit inter-interface
object-group service RDP tcp
 port-object range 3389 3389
object-group network CHI-LAN
 description Chicago LAN IP Scope
 network-object 10.2.2.0 255.255.255.0
object-group service Web tcp
 description HTTP, HTTPS
 port-object eq https
 port-object eq www
object-group network XXXWebServers
 description XXX Hosted Web Server IP Addresses
 network-object host 192.168.2.55
 network-object host 192.168.2.56
 network-object host 192.168.2.57
 network-object host 192.168.2.58
 network-object host 192.168.2.59
 network-object host 192.168.2.60
 network-object host 192.168.2.61
 network-object host 192.168.2.62
object-group service POP3S tcp
 description Secure POP3
 port-object range 995 995
access-list Atlanta_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Atlanta_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list Outside1_cryptomap extended permit ip any 10.10.10.0 255.255.255.0
access-list Inside1_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside1_access_in remark Rule for inbound Web access to XXX Websites (has 070315)
access-list Outside1_access_in extended permit tcp any interface DMZ1 object-group Web
access-list Outside1_access_in remark Access rule for Secure POP3 to Treos
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.41 object-group POP3S
access-list Outside1_access_in remark Access rule for inbound SMTP (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.36 eq smtp
access-list Outside1_access_in remark Access rule for OWA Secure (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.40 eq https log
access-list Outside1_access_in remark Access rule for web access to SurePoint (has 070315)
access-list Outside1_access_in extended permit tcp any host SurePoint object-group Web inactive
access-list Outside1_access_in remark Access rule for secure webmin to Barracuda (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.36 eq https
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host xxx.xxx.xxx.50 object-group Web
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host 192.168.1.232 object-group Web
access-list Outside1_access_in remark Access rule for web to SharePoint sites (has 070315)
access-list Outside1_access_in extended permit tcp any host 192.168.1.233 object-group Web
access-list Outside1_access_in remark Access rule for secure webmin to ESX (has 070315)
access-list Outside1_access_in extended permit tcp any host ATL-UTL1 eq https inactive
access-list Outside1_access_in extended permit ip any host 192.168.1.98 log
access-list DMZ1_access_in extended permit tcp any object-group XXXWebServers object-group Web
pager lines 24
logging enable
logging asdm informational
logging from-address asa@xxxs.local
mtu Outside1 1500
mtu Inside1 1500
mtu DMZ1 1500
mtu management 1500
ip local pool ATL2 10.10.10.1-10.10.10.254 mask 255.255.255.0
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside1) 101 interface
global (DMZ1) 1 xxx.xxx.xxx.39 netmask 255.0.0.0
nat (Inside1) 0 access-list Inside1_nat0_outbound
nat (Inside1) 101 0.0.0.0 0.0.0.0
static (Inside1,Outside1) xxx.xxx.xxx.36 Baraccuda netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.37 192.168.1.56 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.49 ATL-UTL1 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.40 OWA netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.41 ATL-APP5 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.50 192.168.1.231 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.53 192.168.1.232 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.54 192.168.1.233 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.56 192.168.2.146 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.57 192.168.2.147 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.58 192.168.2.148 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.59 192.168.2.149 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.60 192.168.2.160 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.61 192.168.2.161 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.62 192.168.2.162 netmask 255.255.255.255
static (DMZ1,DMZ1) xxx.xxx.xxx.55 192.168.2.145 netmask 255.255.255.255
static (Inside1,Outside1) xxx.xxx.xxx.45 192.168.1.98 netmask 255.255.255.255
access-group Outside1_access_in in interface Outside1
access-group DMZ1_access_in in interface DMZ1
route Outside1 0.0.0.0 0.0.0.0 xxx.xxx.xxx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Atlanta protocol radius
aaa-server Atlanta host 192.168.1.151
 key xxxsradius
 radius-common-pw xxxsradius
group-policy Atlanta internal
group-policy Atlanta attributes
 wins-server value 192.168.1.151
 dns-server value 192.168.1.151
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Atlanta_splitTunnelAcl_1
 default-domain value xxx.local
username harrison password dAZ0LHbjhegdfG9K encrypted
http server enable
http 192.168.3.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside1_map 20 ipsec-isakmp dynamic Outside1_dyn_map
crypto map Outside1_map interface Outside1
crypto isakmp enable Outside1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 dhcp-server 192.168.1.151
tunnel-group Atlanta type ipsec-ra
tunnel-group Atlanta general-attributes
 address-pool ATL2
 authentication-server-group Atlanta
 default-group-policy Atlanta
tunnel-group Atlanta ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5e720cb3dc0abae6c8f9ffc64fcc1010
: end
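A small audit script for the NAT side of the pasted configuration, added here as an example (it is not code from the original post or from Cisco). It reads the `static` and `object-group network` lines of an ASA 7.x running-config and reports the two things a reviewer checks before publishing DMZ hosts to the Internet: `static` entries whose real and mapped interfaces are the same (the posted `(DMZ1,DMZ1)` lines apply only to traffic that enters and leaves DMZ1, so they never publish the host on Outside1), and object-group members that no `static` maps onto the outside interface. The sample config is a constructed excerpt of the posted one, with the mapped addresses replaced by 203.0.113.0/24 documentation addresses.

```python
"""Audit NAT consistency in a Cisco ASA 7.x running-config excerpt.

Added example, not code from the original post. Checks performed:
  1. static entries written as (X,X): the real and mapped interfaces are
     identical, so the host is not mapped onto any other interface;
  2. hosts in each network object-group that no static publishes on the
     outside interface (default name Outside1, as in the posted config).
The sample config below is a constructed excerpt of the posted one.
"""
import re
from collections import defaultdict

SAMPLE = """\
object-group network XXXWebServers
 description XXX Hosted Web Server IP Addresses
 network-object host 192.168.2.55
 network-object host 192.168.2.56
static (Inside1,Outside1) 203.0.113.40 192.168.1.175 netmask 255.255.255.255
static (DMZ1,DMZ1) 203.0.113.55 192.168.2.145 netmask 255.255.255.255
static (DMZ1,DMZ1) 203.0.113.56 192.168.2.146 netmask 255.255.255.255
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")

def parse(config):
    """Return (statics, groups): statics as (real_if, mapped_if, mapped_ip, real_ip)
    tuples, groups as {group_name: [host_ip, ...]} for network object-groups."""
    statics, groups, current = [], defaultdict(list), None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None                       # a top-level command ends any group body
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groups())
        elif line.startswith("object-group network "):
            current = line.split()[2]            # enter a group body
        elif line.startswith(" network-object host ") and current:
            groups[current].append(line.split()[2])
    return statics, dict(groups)

def same_interface_statics(statics):
    """Statics of the form (X,X): they do not publish the host on another interface."""
    return [s for s in statics if s[0] == s[1]]

def hosts_without_static(groups, statics, outside="Outside1"):
    """Per group, the members that no static maps onto the outside interface."""
    published = {real for _, mapped_if, _, real in statics if mapped_if == outside}
    return {g: [h for h in hosts if h not in published] for g, hosts in groups.items()}

if __name__ == "__main__":
    s, g = parse(SAMPLE)
    print(same_interface_statics(s), hosts_without_static(g, s))
```

Run against the full posted config, the second check also shows that the XXXWebServers group (192.168.2.55 to .62) and the DMZ statics (192.168.2.145 to .162) name different hosts, so the DMZ1_access_in rule and the translations never line up.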

ASKER CERTIFIED SOLUTION
batry_boy (United States of America)
