Solved

Cisco ASA-5505 DMZ to Inside Network access and Outside to DMZ access

Posted on 2007-11-18
9,790 Views
Last Modified: 2008-11-23
I have a Cisco ASA-5505 that I wish to create access from DMZ to Internal, and from External to DMZ.... I have tried unsuccessfully to use the steps listed at

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml


Everything else is working (failover, access to the outside world from either VLAN or using either external interface, VPN).


Network Layout
--------------------
Inside:  192.168.50.0
DMZ: 192.168.150.0
ADSL: dynamic IP via PPPoE (Primary Interface)
Backup: DHCP from Cable Modem



Desired Additions
---------------------
(1)
Allow any host on the DMZ to access 192.168.50.240 on port 80, that maps to 192.168.150.240 in the DMZ
Allow any host on DMZ to ping 192.168.50.240, that maps to 192.168.150.240 in the DMZ

(2)
Allow http access from outside world to host 192.168.50.230 on the  DMZ

(3)
Allow full port access from any internal machine to host 192.168.150.230 in the DMZ.... This would be mapped to 192.168.50.230 on inside.



Thank you in advance,
 Andy



: Saved
:
ASA Version 8.0(3)
!
hostname CASA
domain-name CLIENT.local
enable password CXXOOXOXi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 backup interface Vlan13
 nameif ADSL
 security-level 50
 pppoe client vpdn group myisp.net
 pppoe client route track 1
 ip address pppoe setroute
 ospf cost 10
!
interface Vlan3
 nameif dmz
 security-level 80
 ip address 192.168.150.1 255.255.255.0
 ospf cost 10
!
interface Vlan13
 nameif Backup
 security-level 50
 dhcp client route distance 5
 dhcp client route track 2
 ip address dhcp setroute
 ospf cost 10
 ospf priority 222
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd CCetPkc1IRraFqJi encrypted
banner login Authorized Access Only - Disconnect if you are not an authorized user
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup ADSL
dns domain-lookup dmz
dns domain-lookup Backup
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 199.72.1.1
 name-server 205.152.144.23
 domain-name CLIENT.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access2 extended permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0
pager lines 24
logging enable
logging asdm errors
logging from-address MYASA@myisp.net
logging recipient-address bob.smith@myisp.com level errors
mtu inside 1500
mtu ADSL 1500
mtu dmz 1500
mtu Backup 1500
ip local pool VPN_IP_Pool 192.168.75.2-192.168.75.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ADSL
icmp permit any dmz
icmp permit any Backup
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (ADSL) 1 interface
global (Backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 192.168.150.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou clientless password memyselfandi
http server enable
http 68.157.114.0 255.255.255.0 ADSL
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.1 interface ADSL
 num-packets 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ADSL_dyn_map 20 set pfs
crypto dynamic-map ADSL_dyn_map 20 set transform-set TRANS_ESP_DES_SHA ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 40 set pfs
crypto dynamic-map ADSL_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 60 set pfs
crypto dynamic-map ADSL_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 80 set pfs
crypto dynamic-map ADSL_dyn_map 80 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map ADSL_dyn_map 100 set pfs
crypto dynamic-map ADSL_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 120 set pfs
crypto dynamic-map ADSL_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 140 set pfs
crypto dynamic-map ADSL_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 160 set pfs
crypto dynamic-map ADSL_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map ADSL_map 65535 ipsec-isakmp dynamic ADSL_dyn_map
crypto map ADSL_map interface ADSL
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable ADSL
crypto isakmp enable Backup
crypto isakmp policy 10
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
!
track 2 rtr 321 reachability
telnet 192.168.50.0 255.255.255.0 inside
telnet 68.158.114.0 255.255.255.0 ADSL
telnet timeout 10
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
vpdn group myisp.net request dialout pppoe
vpdn group myisp.net localname bobsmith@myisp.net
vpdn group myisp.net ppp authentication pap
vpdn username bobsmith@myisp.net password ********* store-local
dhcpd address 192.168.50.10-192.168.50.99 inside
dhcpd dns 4.2.2.1 199.72.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd domain BELL.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.150.10-192.168.150.99 dmz
dhcpd dns 4.2.2.1 199.72.1.1 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 80 interface dmz
dhcpd domain DMZ.local interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
ntp server 192.43.244.18
ntp server 17.254.0.31 source ADSL prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value CLIENT.local
group-policy BellFamily internal
group-policy BellFamily attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 default-domain value BELL.local
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access2
 default-domain value BELL.local
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 password-storage enable
 default-domain value Client.local
username bobsmith password cOb0XOOXOXg encrypted privilege 15
username bobsmith attributes
 vpn-group-policy CiscoVPN
username apatron password hsXOXOXOXATK encrypted privilege 10
username snewman password i7x8XOOXOXOOXA== nt-encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
tunnel-group OurFamily type remote-access
tunnel-group OurFamily general-attributes
 address-pool VPN_IP_Pool
 default-group-policy BellFamily
tunnel-group OurFamily ipsec-attributes
 pre-shared-key *
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool VPN_IP_Pool
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 pre-shared-key *
!
class-map icmp-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map icmp-classs
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect sip
  inspect mgcp
  inspect h323 h225
  inspect h323 ras
  inspect skinny
 class class_sip_tcp
  inspect sip
!
service-policy global_policy global
service-policy icmp_policy interface ADSL
service-policy icmp_policy interface Backup
smtp-server 205.152.59.16 205.152.59.17
prompt hostname context
Cryptochecksum:3403911a6e2ba96865cc3995bafdf8dc
: end

Question by:aalbert69

Author Comment

by:aalbert69

Here is another posting of the configuration to reflect an unsuccessful attempt to have exterior http requests from the ADSL interface route to a host in the DMZ network.


-------



: Saved
:
ASA Version 8.0(3)
!
hostname CASA
domain-name CLIENT.local
enable password CCXOXOXOXOXOJi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 backup interface Vlan13
 nameif ADSL
 security-level 50
 pppoe client vpdn group myisp.net
 pppoe client route track 1
 ip address pppoe setroute
 ospf cost 10
!
interface Vlan3
 nameif dmz  
 security-level 80
 ip address 192.168.150.1 255.255.255.0
 ospf cost 10
!
interface Vlan13
 nameif Backup
 security-level 50
 dhcp client route distance 5
 dhcp client route track 2
 ip address dhcp setroute
 ospf cost 10
 ospf priority 222
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!            
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd CCetPkc1IRraFqJi encrypted
banner login Authorized Access Only - Disconnect if you are not an authorized user
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup ADSL
dns domain-lookup dmz
dns domain-lookup Backup
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 199.72.1.1
 name-server 205.152.144.23
 domain-name CLIENT.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access2 extended permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list ADSL_access_in remark Allow HTTP
access-list ADSL_access_in extended permit object-group DM_INLINE_SERVICE_1 any 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
logging from-address CiscoASA@myisp.net
mtu inside 1500
mtu ADSL 1500
mtu dmz 1500
mtu Backup 1500
ip local pool VPN_IP_Pool 192.168.75.2-192.168.75.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ADSL
icmp permit any dmz
icmp permit any Backup
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (ADSL) 1 interface
global (Backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 192.168.150.0 255.255.255.0
static (dmz,ADSL) tcp interface www 192.168.150.245 www netmask 255.255.255.255
access-group ADSL_access_in in interface ADSL
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou clientless password XOXOXO123
http server enable
http 68.157.114.0 255.255.255.0 ADSL
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.1 interface ADSL
 num-packets 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ADSL_dyn_map 20 set pfs
crypto dynamic-map ADSL_dyn_map 20 set transform-set TRANS_ESP_DES_SHA ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 40 set pfs
crypto dynamic-map ADSL_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 60 set pfs
crypto dynamic-map ADSL_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 80 set pfs
crypto dynamic-map ADSL_dyn_map 80 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map ADSL_dyn_map 100 set pfs
crypto dynamic-map ADSL_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 120 set pfs
crypto dynamic-map ADSL_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 140 set pfs
crypto dynamic-map ADSL_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 160 set pfs
crypto dynamic-map ADSL_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map ADSL_map 65535 ipsec-isakmp dynamic ADSL_dyn_map
crypto map ADSL_map interface ADSL
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable ADSL
crypto isakmp enable Backup
crypto isakmp policy 10
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption des
 hash md5    
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
!            
track 2 rtr 321 reachability
telnet 192.168.50.0 255.255.255.0 inside
telnet 68.158.114.0 255.255.255.0 ADSL
telnet timeout 10
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
vpdn group myisp.net request dialout pppoe
vpdn group myisp.net localname bobsmith69@myisp.net
vpdn group myisp.net ppp authentication pap
vpdn username bobsmith@myisp.net password ********* store-local
dhcpd address 192.168.50.10-192.168.50.99 inside
dhcpd dns 4.2.2.1 199.72.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd domain JOHNSTON.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.150.10-192.168.150.99 dmz
dhcpd dns 4.2.2.1 199.72.1.1 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 80 interface dmz
dhcpd domain DMZ.local interface dmz
dhcpd enable dmz
!            

threat-detection basic-threat
threat-detection statistics
ntp server 192.43.244.18
ntp server 17.254.0.31 source ADSL prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value CLIENT.local
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access2
 default-domain value JOHNSTON.local
username bobsmith password cObXOXOXOOXg encrypted privilege 15
username bobsmith attributes
 vpn-group-policy CiscoVPNClient
username acuervo password hsYXOXOXOOXTK encrypted privilege 15
username sperez password i7x8AXOXOXOOXOXOXA== nt-encrypted privilege 10
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool VPN_IP_Pool
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 pre-shared-key *
!
class-map icmp-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map icmp-classs
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect sip  
  inspect mgcp
  inspect h323 h225
  inspect h323 ras
  inspect skinny  
 class class_sip_tcp
  inspect sip  
!
service-policy global_policy global
service-policy icmp_policy interface ADSL
service-policy icmp_policy interface Backup
smtp-server 205.152.59.16 205.152.59.17
prompt hostname context
Cryptochecksum:dfa416XXXXXXXOOOOOO4fae16
: end
Accepted Solution

by:
batry_boy earned 500 total points
As far as allowing http from the ADSL interface to the dmz, your static command is correct.  However, change the access-list from this:

access-list ADSL_access_in extended permit object-group DM_INLINE_SERVICE_1 any 192.168.150.0 255.255.255.0

to this:

access-list ADSL_access_in extended permit tcp any interface ADSL eq www

See if that works to get your inbound http requests to your dmz server.

Now, for your other "desires":

1) Add the following commands to allow any dmz host to get to 192.168.50.240 on the inside for http traffic and to also allow pings:

static (inside,dmz) 192.168.150.240 192.168.50.240 netmask 255.255.255.255
access-list dmz_access_in permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.240 eq www
access-list dmz_access_in permit icmp 192.168.150.0 255.255.255.0 host 192.168.150.240
access-group dmz_access_in in interface dmz

2) Cannot do this since you're already using TCP 80 to redirect http traffic inbound to the dmz server at 192.168.150.245.  You have two options as workarounds:

  a) Get a second public static IP address and forward traffic from that new public address to the server at 192.168.50.230
  b) Choose another inbound port and forward that port to TCP 80 on server 192.168.50.230.  In other words, you could forward TCP 8080 on the outside interface and have it be redirected to TCP 80 on server 192.168.50.230.
Let me know if you have questions about that one.

3) Add the following command:

static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

This would translate any 192.168.50.x host on the inside back to itself when communicating with any host on the dmz network segment.

Author Comment

by:aalbert69
Thank you very much.

I used the primary question response, and achieved outside access to the DMZ....... Perfect.

Used the (1) response, and it worked perfectly.

Used (3) and no problems.


Thanks,

  Andy
Author Comment

by:aalbert69
Well, all has been well, but I have found that I can no longer access the internet from the DMZ. ... If I attempt to access any site via www or ping, I am not able to get out..... The only thing I am lacking in my "Happy" config is this ability.


As always, your responses are appreciated.


Regards,


 Andy

: Saved
:
ASA Version 8.0(3)
!
hostname CASA
domain-name CLIENT.local
enable password CXOXOXOOXOXi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 backup interface Vlan13
 nameif ADSL
 security-level 50
 pppoe client vpdn group myisp.net
 pppoe client route track 1
 ip address pppoe setroute
 ospf cost 10
!
interface Vlan3
 nameif dmz  
 security-level 80
 ip address 192.168.150.1 255.255.255.0
 ospf cost 10
!
interface Vlan13
 nameif Backup
 security-level 50
 dhcp client route distance 5
 dhcp client route track 2
 ip address dhcp setroute
 ospf cost 10
 ospf priority 222
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!            
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd CCetPkc1IRraFqJi encrypted
banner login Authorized Access Only - Disconnect if you are not an authorized user
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup ADSL
dns domain-lookup dmz
dns domain-lookup Backup
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 199.72.1.1
 name-server 205.152.144.23
 domain-name CLIENT.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access2 extended permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list ADSL_access_in remark Allow HTTP
access-list ADSL_access_in extended permit tcp any interface ADSL eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.240 eq www
access-list dmz_access_in extended permit icmp 192.168.150.0 255.255.255.0 host 192.168.150.240
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41794
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41794
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41795
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41795
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41794
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41794
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41795
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41795
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41794
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41794
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41795
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41795
pager lines 24
logging enable
logging asdm warnings
logging from-address CiscoASA@myisp.net
mtu inside 1500
mtu ADSL 1500
mtu dmz 1500
mtu Backup 1500
ip local pool VPN_IP_Pool 192.168.75.2-192.168.75.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ADSL
icmp permit any dmz
icmp permit any Backup
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (ADSL) 1 interface
global (Backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 192.168.150.0 255.255.255.0
static (dmz,ADSL) tcp interface www 192.168.150.245 www netmask 255.255.255.255
static (inside,dmz) 192.168.150.240 192.168.50.240 netmask 255.255.255.255
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,dmz) 192.168.150.190 192.168.50.190 netmask 255.255.255.255
static (inside,dmz) 192.168.150.191 192.168.50.191 netmask 255.255.255.255
static (inside,dmz) 192.168.150.192 192.168.50.192 netmask 255.255.255.255
static (inside,dmz) 192.168.150.193 192.168.50.193 netmask 255.255.255.255
static (inside,dmz) 192.168.150.194 192.168.50.194 netmask 255.255.255.255
static (inside,dmz) 192.168.150.195 192.168.50.195 netmask 255.255.255.255
static (inside,dmz) 192.168.150.200 192.168.50.200 netmask 255.255.255.255
static (inside,dmz) 192.168.150.201 192.168.50.201 netmask 255.255.255.255
static (inside,dmz) 192.168.150.202 192.168.50.202 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou clientless password mypass
http server enable
http 192.168.0.0 255.255.0.0 inside
http 68.157.114.0 255.255.255.0 ADSL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.1 interface ADSL
 num-packets 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ADSL_dyn_map 20 set pfs
crypto dynamic-map ADSL_dyn_map 20 set transform-set TRANS_ESP_DES_SHA ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 40 set pfs
crypto dynamic-map ADSL_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 60 set pfs
crypto dynamic-map ADSL_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 80 set pfs
crypto dynamic-map ADSL_dyn_map 80 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map ADSL_dyn_map 100 set pfs
crypto dynamic-map ADSL_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 120 set pfs
crypto dynamic-map ADSL_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 140 set pfs
crypto dynamic-map ADSL_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 160 set pfs
crypto dynamic-map ADSL_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map ADSL_map 65535 ipsec-isakmp dynamic ADSL_dyn_map
crypto map ADSL_map interface ADSL
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable ADSL
crypto isakmp enable Backup
crypto isakmp policy 10
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
!
track 2 rtr 321 reachability
telnet 192.168.50.0 255.255.255.0 inside
telnet 68.158.114.0 255.255.255.0 ADSL
telnet timeout 10
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
vpdn group myisp.net request dialout pppoe
vpdn group myisp.net localname bobsmith@myisp.net
vpdn group myisp.net ppp authentication pap
vpdn username bobsmith@myisp.net password ********* store-local
dhcpd address 192.168.50.10-192.168.50.99 inside
dhcpd dns 4.2.2.1 199.72.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd domain JOHNSTON.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.150.10-192.168.150.99 dmz
dhcpd dns 4.2.2.1 199.72.1.1 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 80 interface dmz
dhcpd domain DMZ.local interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics
ntp server 192.43.244.18
ntp server 17.254.0.31 source ADSL prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value CLIENT.local
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access2
 default-domain value JOHNSTON.local
username bobsmith password cXOXOXOOXOOXg encrypted privilege 15
username bobsmith attributes
 vpn-group-policy CiscoVPNClient
username apatron password hXOXOOXOOXK encrypted privilege 15
username apatron attributes
 vpn-group-policy CiscoVPNClient
username sperez password qXOOXOXOXOXOOXO encrypted privilege 10
username sperez attributes
 vpn-group-policy CiscoVPNClient
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool VPN_IP_Pool
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 pre-shared-key *
!
class-map icmp-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map icmp-classs
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect sip  
  inspect mgcp
  inspect h323 h225
  inspect h323 ras
  inspect skinny  
 class class_sip_tcp
  inspect sip  
!
service-policy global_policy global
service-policy icmp_policy interface ADSL
service-policy icmp_policy interface Backup
smtp-server 205.152.59.16 205.152.59.17
prompt hostname context
Cryptochecksum:a1463249d6c3baabd60164edca782e9b
: end
LVL 28

Expert Comment

by:batry_boy
First, to surf the Internet you'll need access to DNS name resolution.  If your DNS server is on the inside network (192.168.50.x), then you'll need to allow TCP/UDP 53 open to that server from the DMZ.  If you use a public DNS server (like one provided by your ISP), then you won't need that explicit access.

So, let's assume you use an internal DNS server, say at 192.168.50.100.  Then, here are the lines to add to allow surfing using that DNS server.

---------BEGIN COMMANDS---------
access-list dmz_access_in permit tcp 192.168.150.0 255.255.255.0 host 192.168.50.100 eq 53
access-list dmz_access_in permit udp 192.168.150.0 255.255.255.0 host 192.168.50.100 eq 53
access-list dmz_access_in deny ip 192.168.150.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-list ADSL_access_in extended permit icmp any any echo-reply
---------END COMMANDS--------

That last command will allow you to ping an Internet host and receive the echo replies back from the ping (echo request).
The explicit deny in those commands is because you stated that you only wanted the DMZ to access specific things on the inside but you also wanted to allow web surfing where you don't always know the destination.  Therefore, you explicitly allow the inbound DNS first for name resolution of web hosts, then you explicitly deny any other inbound traffic to the internal network and then finally you allow everything else for surfing the Internet.  It's done this way since the ACLs are parsed in the order in which they appear in the config, so the order of those commands does indeed matter!

Good luck!
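As an added worked example (not from the thread and not batry_boy's commands), here is the same DNS-only DMZ-to-inside policy written out as a complete ASA 8.0 fragment, together with the outside-to-DMZ web publishing and the inside-to-DMZ mapping asked for in the question, and the packet-tracer checks that confirm the entry order does what was intended. Assumptions: the internal DNS server is 192.168.50.100 (the address batry_boy picked for illustration); the ACL names dmz_access_in, ADSL_access_in and Backup_access_in are not yet bound to their interfaces (Backup_access_in is a name chosen here); no earlier static or nat statement already claims 192.168.50.230 or the DMZ web server 192.168.150.230; and the pre-8.3 static/access-list semantics apply because the posted config is 8.0(3). Two caveats the posted config makes relevant: icmp_policy (inspect icmp) is already applied on ADSL and Backup, so echo replies to pings started inside are tracked as connections there, but it is not applied on dmz, so once the explicit deny is in place an inside host pinging a DMZ host gets no reply unless ICMP inspection is extended to the dmz interface as shown; and the single deny only covers 192.168.50.0/24, so any other range behind the firewall (the VPN address pool, whose addresses are outside this excerpt) stays reachable from the DMZ through the final permit unless it is denied explicitly.

```cisco
! --- Added example, not part of the original thread. Assumes 192.168.50.100 is
! --- the internal DNS server and that these ACL names are not yet applied.
! --- Pre-8.3 static/access-list semantics (the posted config is ASA 8.0(3)).

! Inside-to-DMZ: publish the DMZ host 192.168.150.230 to inside users as
! 192.168.50.230 (assumes nothing else claims that address). Inside (100)
! to dmz (80) is high-to-low, so no inside ACL entry is needed unless an
! access-group is already bound on inside.
static (dmz,inside) 192.168.50.230 192.168.150.230 netmask 255.255.255.255

! Outside-to-DMZ: port-forward HTTP on the ADSL and Backup addresses to the
! DMZ web server. "interface" is used because both outside addresses are
! assigned by PPPoE/DHCP and are not known in advance.
static (dmz,ADSL) tcp interface www 192.168.150.230 www netmask 255.255.255.255
static (dmz,Backup) tcp interface www 192.168.150.230 www netmask 255.255.255.255

! Ingress policy on the outside interfaces: only the published port.
! Pre-8.3 ACLs match the mapped (outside) address, hence "interface ADSL".
access-list ADSL_access_in remark Published DMZ web server (static above)
access-list ADSL_access_in extended permit tcp any interface ADSL eq www
access-list Backup_access_in remark Published DMZ web server (static above)
access-list Backup_access_in extended permit tcp any interface Backup eq www

! DMZ ingress policy. First match wins, so the order is:
!   1. the specific inside services the DMZ may use (DNS only here),
!   2. an explicit deny for everything else behind the firewall,
!   3. permit the remainder (Internet surfing), sourced from the DMZ subnet
!      only, so spoofed sources are dropped as well.
access-list dmz_access_in remark 1. Allowed inside services
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.50.100 eq domain
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.50.100 eq domain
access-list dmz_access_in remark 2. Block the rest of the inside network
access-list dmz_access_in extended deny ip 192.168.150.0 255.255.255.0 192.168.50.0 255.255.255.0
! Add one more deny per private range the DMZ must not reach, e.g. the
! VPN_IP_Pool range (its addresses are not in this excerpt, so it is left
! as a placeholder here):
! access-list dmz_access_in extended deny ip 192.168.150.0 255.255.255.0 <vpn-pool-network> <mask>
access-list dmz_access_in remark 3. Everything else (Internet)
access-list dmz_access_in extended permit ip 192.168.150.0 255.255.255.0 any

! Nothing is enforced until the ACLs are bound to the interfaces.
access-group dmz_access_in in interface dmz
access-group ADSL_access_in in interface ADSL
access-group Backup_access_in in interface Backup

! ICMP is not stateful without inspection: with the deny above in place,
! echo replies from DMZ hosts to inside hosts would hit entry 2. Reuse the
! existing icmp_policy on dmz so replies are matched to their requests.
service-policy icmp_policy interface dmz

! Existing translations are not rebuilt automatically after adding statics.
clear xlate

! Verify the order and hit counts, then trace representative packets.
show access-list dmz_access_in
! expected: ALLOW (entry 1)
packet-tracer input dmz udp 192.168.150.50 1025 192.168.50.100 53
! expected: DROP, acl-drop (entry 2)
packet-tracer input dmz tcp 192.168.150.50 1025 192.168.50.200 445
! expected: ALLOW, un-NAT to 192.168.150.230; substitute the current ADSL
! address from "show interface ADSL" for the placeholder
packet-tracer input ADSL tcp 203.0.113.10 40000 <current-ADSL-address> 80
```

The final permit is written with the DMZ subnet as source rather than any any: DMZ hosts should never emit packets from other source addresses, and keeping the source tight means a compromised DMZ box cannot spoof its way past the deny. The packet-tracer runs are the check worth keeping in the runbook: if the second trace reports ALLOW, an entry above the deny is matching, and show access-list with its per-entry hit counts tells you which one.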

Author Comment

by:aalbert69
Thank you....

I implemented

access-list dmz_access_in deny ip 192.168.150.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-list ADSL_access_in extended permit icmp any any echo-reply

and now I can get out of the DMZ to the real world, but still have the other benefits of the internal/DMZ segregation.


Will post a final config after testing and tweaking over Thanksgiving.

Thanks again for bearing with me ......  Getting my mind into the swing of ASA statements is starting to take hold.

 Andy