Cisco ASA 5510 DMZ Routing Questions

myfootsmells asked (Software Firewalls)

My ISP issued me a block of 16 IP addresses.  Currently 1 IP is being used for my inbound/outbound traffic.  I have a DMZ that also shares that IP address, but I'm looking to move that DMZ to its own IP address so I can start hosting WWW.

The next IP I want to use is 64.64.64.65

Here's my current configuration:

ASA Version 7.0(6)
!
hostname ciscoasa
domain-name acme.local
enable password p4LFSZBbEUfgFt4b encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 64.64.64.64 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.250 255.255.0.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd p4LFSZBbEUfgFt4b encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group service SecondLife udp
 port-object range 13000 13050
access-list outbound extended permit tcp any any eq https
access-list outbound extended permit tcp any any eq www
access-list outbound extended permit tcp any any eq imap4
access-list outbound extended permit tcp any any eq smtp
access-list outbound extended permit tcp any any eq pptp
access-list outbound extended permit tcp any any eq ssh
access-list outbound remark Allow incoming PPTP VPN from outside.
access-list outbound extended permit gre any any
access-list outbound remark DNS
access-list outbound extended permit udp any any eq domain
access-list outbound remark Block all outgoing traffic
access-list outbound extended deny ip any any
access-list dmz remark DNS
access-list dmz extended permit udp any any eq domain
access-list dmz remark HTTP
access-list dmz extended permit tcp any any eq www
access-list dmz extended permit icmp any any echo-reply
access-list dmz extended deny ip any any
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 587
access-list inbound extended permit tcp any interface outside eq 993
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq 3389
access-list inbound extended permit tcp any interface outside eq pptp
access-list inbound extended permit icmp any any echo-reply
access-list inbound remark Remote Web Workplace
access-list inbound extended permit tcp any interface outside eq 4125
access-list inside_nat0_outbound extended permit ip any 10.10.3.0 255.255.255.192
access-list acmeremote_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list http-list2 extended permit ip any any
!
tcp-map mss-map
  exceed-mss allow
!
pager lines 24
logging enable
logging emblem
logging trap warnings
logging asdm warnings
logging host inside 10.10.2.79 format emblem
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool ippool 10.10.3.1-10.10.3.50 mask 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip verify reverse-path interface management
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 10.10.0.0 255.255.0.0
nat (dmz) 10 192.168.200.0 255.255.255.0
static (inside,outside) tcp interface pptp 10.10.1.1 pptp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.10.1.210 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.1.3 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface 587 10.10.1.3 587 netmask 255.255.255.255
static (inside,outside) tcp interface 993 10.10.1.3 993 netmask 255.255.255.255
static (inside,dmz) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
access-group inbound in interface outside
access-group outbound in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 64.64.64.63 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server acmeremote protocol radius
aaa-server acmeremote host 10.10.1.6
 timeout 5
 key 123456
group-policy acmeremote internal
group-policy acmeremote attributes
 wins-server value 10.10.1.1 10.10.1.6
 dns-server value 10.10.1.1 10.10.1.6
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acmeremote_splitTunnelAcl
 default-domain value acme.local
 webvpn
http server enable
http 10.10.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group acmeremote type ipsec-ra
tunnel-group acmeremote general-attributes
 address-pool ippool
 authentication-server-group acmeremote
 default-group-policy acmeremote
tunnel-group acmeremote ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 30
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
class-map http-map1
 match access-list http-list2
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 1100
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map http-map1
 class http-map1
  set connection advanced-options mss-map
!
service-policy global_policy global
service-policy http-map1 interface outside
Cryptochecksum:3bc8e0af687b03244a844bcfdae91cd7
: end

Thanks.

Michael
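The following is an added example of how a DMZ web server gets its own public address on this pre-8.3 ASA; it is not part of the question or of any answer on the page. It assumes a hypothetical DMZ host at 192.168.200.10 (no DMZ host address appears in the post) and follows the question's numbering for 64.64.64.65. The posted addresses look sanitized (the default gateway 64.64.64.63 is not inside 64.64.64.64/27), so the one real requirement is that the new public address sits in the outside interface's subnet: the static makes the ASA answer ARP for it, and no route is needed.

```cisco
! Added example (not from the original post). ASA 7.0(6), pre-8.3 NAT syntax.
! 192.168.200.10 is an assumed DMZ web server; 64.64.64.65 is the public
! address from the question and must be inside the outside interface subnet.
!
! 1. Port-level static: 64.64.64.65:80 on outside maps to the DMZ host:80.
!    Connections the host opens on other ports keep using the existing
!    'nat (dmz) 10' / 'global (outside) 10 interface' PAT behind 64.64.64.64.
static (dmz,outside) tcp 64.64.64.65 www 192.168.200.10 www netmask 255.255.255.255
!
!    Alternative: a one-to-one static, so every port of the host and all of
!    its outbound connections use 64.64.64.65 (use one form or the other):
! static (dmz,outside) 64.64.64.65 192.168.200.10 netmask 255.255.255.255
!
! 2. Outside ACL. On pre-8.3 code the outside ACL is matched against the
!    mapped (public) address, so the entry names 'host 64.64.64.65', not
!    'interface outside'; none of the existing 'interface outside' entries
!    cover the new address.
access-list inbound extended permit tcp any host 64.64.64.65 eq www
!
! 3. 'access-list dmz' needs no change for the server's replies; they belong
!    to the inbound connection. It still governs what the server may start,
!    and its 'permit udp any any eq domain' / 'permit tcp any any eq www'
!    also reach 10.10.0.0/16, which 'static (inside,dmz) 10.10.0.0 ...'
!    exposes to the DMZ untranslated. Narrow those to the DNS servers and
!    destinations the web host actually needs.
!
! 4. Apply and verify (packet-tracer is not available until 7.2).
clear xlate
show xlate
show running-config static
show access-list inbound
```

The port-level form is the safer default for a server that only needs to be reachable on 80 (and later 443): it exposes nothing else on 64.64.64.65 even if someone adds a broader permit to the inbound ACL later. The one-to-one form is only worth it when the host must also originate traffic from the new address, for example so its outbound mail or DNS registrations show a fixed source.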