
Solved

Cisco ASA-5505 DMZ to Inside Network access and Outside to DMZ access

Posted on 2007-11-18
10,020 Views
Last Modified: 2008-11-23
I have a Cisco ASA-5505 on which I wish to create access from DMZ to Internal, and from External to DMZ... I have tried unsuccessfully to use the steps listed at

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml


Everything else is working (failover, access to the outside world from either VLAN or using either external interface, VPN).


Network Layout
--------------------
Inside:  192.168.50.0
DMZ: 192.168.150.0
ADSL: dynamic IP via PPPoE (Primary Interface)
Backup: DHCP from Cable Modem



Desired Additions
---------------------
(1)
Allow any host on the DMZ to access 192.168.50.240 on port 80, that maps to 192.168.150.240 in the DMZ
Allow any host on DMZ to ping 192.168.50.240, that maps to 192.168.150.240 in the DMZ

(2)
Allow http access from outside world to host 192.168.50.230 on the DMZ

(3)
Allow full port access from any internal machine to host 192.168.150.230 in the DMZ... This would be mapped to 192.168.50.230 on inside.



Thank you in advance,
 Andy



: Saved
:
ASA Version 8.0(3) 
!
hostname CASA
domain-name CLIENT.local
enable password CXXOOXOXi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 backup interface Vlan13
 nameif ADSL
 security-level 50
 pppoe client vpdn group myisp.net
 pppoe client route track 1
 ip address pppoe setroute 
 ospf cost 10
!
interface Vlan3
 nameif dmz   
 security-level 80
 ip address 192.168.150.1 255.255.255.0 
 ospf cost 10
!
interface Vlan13
 nameif Backup
 security-level 50
 dhcp client route distance 5
 dhcp client route track 2
 ip address dhcp setroute 
 ospf cost 10
 ospf priority 222
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!             
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd CCetPkc1IRraFqJi encrypted
banner login Authorized Access Only - Disconnect if you are not an authorized user
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup ADSL
dns domain-lookup dmz
dns domain-lookup Backup
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 199.72.1.1
 name-server 205.152.144.23
 domain-name CLIENT.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0 
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access2 extended permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0 
pager lines 24
logging enable
logging asdm errors
logging from-address MYASA@myisp.net
logging recipient-address bob.smith@myisp.com level errors
mtu inside 1500
mtu ADSL 1500
mtu dmz 1500
mtu Backup 1500
ip local pool VPN_IP_Pool 192.168.75.2-192.168.75.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ADSL
icmp permit any dmz
icmp permit any Backup
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (ADSL) 1 interface
global (Backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 192.168.150.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou clientless password memyselfandi
http server enable
http 68.157.114.0 255.255.255.0 ADSL
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.1 interface ADSL
 num-packets 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map ADSL_dyn_map 20 set pfs 
crypto dynamic-map ADSL_dyn_map 20 set transform-set TRANS_ESP_DES_SHA ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 40 set pfs 
crypto dynamic-map ADSL_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 60 set pfs 
crypto dynamic-map ADSL_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 80 set pfs 
crypto dynamic-map ADSL_dyn_map 80 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map ADSL_dyn_map 100 set pfs 
crypto dynamic-map ADSL_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 120 set pfs 
crypto dynamic-map ADSL_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 140 set pfs 
crypto dynamic-map ADSL_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 160 set pfs 
crypto dynamic-map ADSL_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs 
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map ADSL_map 65535 ipsec-isakmp dynamic ADSL_dyn_map
crypto map ADSL_map interface ADSL
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable ADSL
crypto isakmp enable Backup
crypto isakmp policy 10
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
!
track 2 rtr 321 reachability
telnet 192.168.50.0 255.255.255.0 inside
telnet 68.158.114.0 255.255.255.0 ADSL
telnet timeout 10
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
vpdn group myisp.net request dialout pppoe
vpdn group myisp.net localname bobsmith@myisp.net
vpdn group myisp.net ppp authentication pap
vpdn username bobsmith@myisp.net password ********* store-local
dhcpd address 192.168.50.10-192.168.50.99 inside
dhcpd dns 4.2.2.1 199.72.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd domain BELL.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.150.10-192.168.150.99 dmz
dhcpd dns 4.2.2.1 199.72.1.1 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 80 interface dmz
dhcpd domain DMZ.local interface dmz
dhcpd enable dmz
!
 
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
ntp server 192.43.244.18
ntp server 17.254.0.31 source ADSL prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol l2tp-ipsec 
 default-domain value CLIENT.local
group-policy BellFamily internal
group-policy BellFamily attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec 
 default-domain value BELL.local
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access2
 default-domain value BELL.local
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec 
 password-storage enable
 default-domain value Client.local
username bobsmith password cOb0XOOXOXg encrypted privilege 15
username bobsmith attributes
 vpn-group-policy CiscoVPN
username apatron password hsXOXOXOXATK encrypted privilege 10
username snewman password i7x8XOOXOXOOXA== nt-encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
tunnel-group OurFamily type remote-access
tunnel-group OurFamily general-attributes
 address-pool VPN_IP_Pool
 default-group-policy BellFamily
tunnel-group OurFamily ipsec-attributes
 pre-shared-key *
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool VPN_IP_Pool
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 pre-shared-key *
!
class-map icmp-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map icmp-classs
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp-class
  inspect icmp 
policy-map global_policy
 class inspection_default
  inspect pptp 
  inspect sip  
  inspect mgcp 
  inspect h323 h225 
  inspect h323 ras 
  inspect skinny  
 class class_sip_tcp
  inspect sip  
!
service-policy global_policy global
service-policy icmp_policy interface ADSL
service-policy icmp_policy interface Backup
smtp-server 205.152.59.16 205.152.59.17
prompt hostname context 
Cryptochecksum:3403911a6e2ba96865cc3995bafdf8dc
: end

Question by:aalbert69
6 Comments
 

Author Comment

by:aalbert69
ID: 20310297

Here is another posting of the configuration to reflect an unsuccessful attempt to have exterior http requests from the ADSL interface route to a host in the DMZ network.


-------



: Saved
:
ASA Version 8.0(3)
!
hostname CASA
domain-name CLIENT.local
enable password CCXOXOXOXOXOJi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 backup interface Vlan13
 nameif ADSL
 security-level 50
 pppoe client vpdn group myisp.net
 pppoe client route track 1
 ip address pppoe setroute
 ospf cost 10
!
interface Vlan3
 nameif dmz  
 security-level 80
 ip address 192.168.150.1 255.255.255.0
 ospf cost 10
!
interface Vlan13
 nameif Backup
 security-level 50
 dhcp client route distance 5
 dhcp client route track 2
 ip address dhcp setroute
 ospf cost 10
 ospf priority 222
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!            
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd CCetPkc1IRraFqJi encrypted
banner login Authorized Access Only - Disconnect if you are not an authorized user
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup ADSL
dns domain-lookup dmz
dns domain-lookup Backup
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 199.72.1.1
 name-server 205.152.144.23
 domain-name CLIENT.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access2 extended permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list ADSL_access_in remark Allow HTTP
access-list ADSL_access_in extended permit object-group DM_INLINE_SERVICE_1 any 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
logging from-address CiscoASA@myisp.net
mtu inside 1500
mtu ADSL 1500
mtu dmz 1500
mtu Backup 1500
ip local pool VPN_IP_Pool 192.168.75.2-192.168.75.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ADSL
icmp permit any dmz
icmp permit any Backup
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (ADSL) 1 interface
global (Backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 192.168.150.0 255.255.255.0
static (dmz,ADSL) tcp interface www 192.168.150.245 www netmask 255.255.255.255
access-group ADSL_access_in in interface ADSL
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou clientless password XOXOXO123
http server enable
http 68.157.114.0 255.255.255.0 ADSL
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.1 interface ADSL
 num-packets 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ADSL_dyn_map 20 set pfs
crypto dynamic-map ADSL_dyn_map 20 set transform-set TRANS_ESP_DES_SHA ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 40 set pfs
crypto dynamic-map ADSL_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 60 set pfs
crypto dynamic-map ADSL_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 80 set pfs
crypto dynamic-map ADSL_dyn_map 80 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map ADSL_dyn_map 100 set pfs
crypto dynamic-map ADSL_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 120 set pfs
crypto dynamic-map ADSL_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 140 set pfs
crypto dynamic-map ADSL_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 160 set pfs
crypto dynamic-map ADSL_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map ADSL_map 65535 ipsec-isakmp dynamic ADSL_dyn_map
crypto map ADSL_map interface ADSL
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable ADSL
crypto isakmp enable Backup
crypto isakmp policy 10
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption des
 hash md5    
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
!            
track 2 rtr 321 reachability
telnet 192.168.50.0 255.255.255.0 inside
telnet 68.158.114.0 255.255.255.0 ADSL
telnet timeout 10
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
vpdn group myisp.net request dialout pppoe
vpdn group myisp.net localname bobsmith69@myisp.net
vpdn group myisp.net ppp authentication pap
vpdn username bobsmith@myisp.net password ********* store-local
dhcpd address 192.168.50.10-192.168.50.99 inside
dhcpd dns 4.2.2.1 199.72.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd domain JOHNSTON.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.150.10-192.168.150.99 dmz
dhcpd dns 4.2.2.1 199.72.1.1 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 80 interface dmz
dhcpd domain DMZ.local interface dmz
dhcpd enable dmz
!            

threat-detection basic-threat
threat-detection statistics
ntp server 192.43.244.18
ntp server 17.254.0.31 source ADSL prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value CLIENT.local
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access2
 default-domain value JOHNSTON.local
username bobsmith password cObXOXOXOOXg encrypted privilege 15
username bobsmith attributes
 vpn-group-policy CiscoVPNClient
username acuervo password hsYXOXOXOOXTK encrypted privilege 15
username sperez password i7x8AXOXOXOOXOXOXA== nt-encrypted privilege 10
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool VPN_IP_Pool
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 pre-shared-key *
!
class-map icmp-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map icmp-classs
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect sip  
  inspect mgcp
  inspect h323 h225
  inspect h323 ras
  inspect skinny  
 class class_sip_tcp
  inspect sip  
!
service-policy global_policy global
service-policy icmp_policy interface ADSL
service-policy icmp_policy interface Backup
smtp-server 205.152.59.16 205.152.59.17
prompt hostname context
Cryptochecksum:dfa416XXXXXXXOOOOOO4fae16
: end
Accepted Solution

by:
batry_boy earned 2000 total points
ID: 20317082
As far as allowing http from the ADSL interface to the dmz, your static command is correct.  However, change the access-list from this:

access-list ADSL_access_in extended permit object-group DM_INLINE_SERVICE_1 any 192.168.150.0 255.255.255.0

to this:

access-list ADSL_access_in extended permit tcp any interface outside eq www

See if that works to get your inbound http requests to your dmz server.

Now, for your other "desires":

1) Add the following commands to allow any dmz host to get to 192.168.50.240 on the inside for http traffic and to also allow pings:

static (inside,dmz) 192.168.150.240 192.168.50.240 netmask 255.255.255.255
access-list dmz_access_in permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.240 eq www
access-list dmz_access_in permit icmp 192.168.150.0 255.255.255.0 host 192.168.150.240
access-group dmz_access_in in interface dmz

2) Cannot do this since you're already using TCP 80 to redirect http traffic inbound to the dmz server at 192.168.150.245.  You have two options as workarounds:

  a) Get a second public static IP address and forward traffic from that new public address to the server at 192.168.50.230
  b) Choose another inbound port and forward that port to TCP 80 on server 192.168.50.230.  In other words, you could forward TCP 8080 on the outside interface and have it be redirected to TCP 80 on server 192.168.50.230.
Let me know if you have questions about that one.

3) Add the following command:

static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

This would translate any 192.168.50.x host on the inside back to itself when communicating with any host on the dmz network segment.
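The following is an added example, not part of this thread and not Cisco's code: a short Python model of how an ASA 8.0(3) applies the static and access-list lines from the accepted answer, so the effect of each line can be checked offline. It assumes pre-8.3 behaviour (the inbound ACL on the dmz interface is matched against the mapped address 192.168.150.240, and the static then yields the real inside address), it skips the port-redirect static, and it uses the constructed address 203.0.113.10 in place of the dynamic PPPoE address. The `check_flow` function and `HARDENED_CONFIG` are the example's own names. The model also shows the implicit deny at the end of every ASA ACL: once `access-group dmz_access_in in interface dmz` is bound, any flow from the DMZ that no entry permits, DMZ-to-Internet included, is dropped, which is consistent with what the later comment in this thread reports; the constructed hardened ACL adds an explicit outbound permit behind an explicit deny toward the inside network.

```python
"""Added example, not from this thread or from Cisco: models how an ASA 8.0(3)
decides whether a flow passes an interface, fed with the access-list, static and
access-group lines from the accepted answer.  Pre-8.3 semantics are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}
SECURITY_LEVEL = {"inside": 100, "dmz": 80, "ADSL": 50, "Backup": 50}
IFACE_ADDR = {"ADSL": "203.0.113.10"}  # constructed stand-in for the PPPoE address

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]

def _addr(t, i):
    """Parse one ASA address spec starting at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "interface":  # the ASA's own address on that interface
        return ipaddress.ip_network(IFACE_ADDR[t[i + 1]] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_config(text):
    """Collect extended ACEs (in order), one-to-one statics and access-groups."""
    acls, statics, bindings = {}, [], {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended" and t[4] != "object-group":
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, port))
        elif t[0] == "static" and t[2] not in ("tcp", "udp"):  # port statics skipped
            mapped_if = t[1].strip("()").split(",")[1]
            mapped = ipaddress.ip_network(f"{t[2]}/{t[5]}")
            real = ipaddress.ip_network(f"{t[3]}/{t[5]}")
            statics.append((mapped_if, mapped, real))
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return acls, statics, bindings

def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """First matching ACE wins; every ASA ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action == "permit"
    return False

def translate(statics, ingress, dst_ip):
    """Map the address seen on the ingress interface to the real address."""
    d = ipaddress.ip_address(dst_ip)
    for mapped_if, mapped, real in statics:
        if mapped_if == ingress and d in mapped:
            return str(real.network_address + (int(d) - int(mapped.network_address)))
    return dst_ip  # no static applies: the address is not translated

def check_flow(cfg, ingress, egress, proto, src_ip, dst_ip, dst_port=None):
    """Return (permitted, real destination).  With no inbound ACL bound, the ASA
    passes flows toward a lower security level and drops flows toward a higher
    one; once an access-group is bound, the ACL alone decides."""
    acls, statics, bindings = cfg
    if ingress in bindings:
        ok = evaluate(acls[bindings[ingress]], proto, src_ip, dst_ip, dst_port)
    else:
        ok = SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
    return ok, translate(statics, ingress, dst_ip)

# Lines taken from the accepted answer and the asker's follow-up configuration.
THREAD_CONFIG = """\
access-list ADSL_access_in extended permit tcp any interface ADSL eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.240 eq www
access-list dmz_access_in extended permit icmp 192.168.150.0 255.255.255.0 host 192.168.150.240
static (inside,dmz) 192.168.150.240 192.168.50.240 netmask 255.255.255.255
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
access-group ADSL_access_in in interface ADSL
access-group dmz_access_in in interface dmz
"""

# Constructed addition: keep the DMZ off the inside network, then let it out.
HARDENED_CONFIG = THREAD_CONFIG + """\
access-list dmz_access_in extended deny ip 192.168.150.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz_access_in extended permit ip 192.168.150.0 255.255.255.0 any
"""
```

The order of the two constructed entries matters: the identity static `static (inside,dmz) 192.168.50.0 192.168.50.0` from the answer exposes every inside address on the dmz interface, so a bare `permit ip 192.168.150.0 255.255.255.0 any` on its own would let DMZ hosts reach the whole inside network rather than only the translated servers; the deny placed before it keeps the DMZ limited to the hosts the earlier entries name.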

Author Comment

by:aalbert69
ID: 20317365
Thank you very much.

I used the primary question response, and achieved outside access to the DMZ... Perfect.

Used the (1) response, and it worked perfectly.

Used (3) and no problems.


Thanks,

  Andy

Author Comment

by:aalbert69
ID: 20317814
Well, all has been well, but I have found that I can no longer access the internet from the DMZ... If I attempt to access any site via www or ping, I am not able to get out... The only thing I am lacking in my "Happy" config is this ability.


As always, your responses are appreciated.


Regards,


 Andy

: Saved
:
ASA Version 8.0(3)
!
hostname CASA
domain-name CLIENT.local
enable password CXOXOXOOXOXi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 backup interface Vlan13
 nameif ADSL
 security-level 50
 pppoe client vpdn group myisp.net
 pppoe client route track 1
 ip address pppoe setroute
 ospf cost 10
!
interface Vlan3
 nameif dmz  
 security-level 80
 ip address 192.168.150.1 255.255.255.0
 ospf cost 10
!
interface Vlan13
 nameif Backup
 security-level 50
 dhcp client route distance 5
 dhcp client route track 2
 ip address dhcp setroute
 ospf cost 10
 ospf priority 222
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!            
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd CCetPkc1IRraFqJi encrypted
banner login Authorized Access Only - Disconnect if you are not an authorized user
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup ADSL
dns domain-lookup dmz
dns domain-lookup Backup
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 199.72.1.1
 name-server 205.152.144.23
 domain-name CLIENT.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access2 extended permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list ADSL_access_in remark Allow HTTP
access-list ADSL_access_in extended permit tcp any interface ADSL eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.240 eq www
access-list dmz_access_in extended permit icmp 192.168.150.0 255.255.255.0 host 192.168.150.240
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41794
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41794
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41795
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41795
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41794
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41794
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41795
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41795
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41794
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41794
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41795
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41795
pager lines 24
logging enable
logging asdm warnings
logging from-address CiscoASA@myisp.net
mtu inside 1500
mtu ADSL 1500
mtu dmz 1500
mtu Backup 1500
ip local pool VPN_IP_Pool 192.168.75.2-192.168.75.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ADSL
icmp permit any dmz
icmp permit any Backup
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (ADSL) 1 interface
global (Backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 192.168.150.0 255.255.255.0
static (dmz,ADSL) tcp interface www 192.168.150.245 www netmask 255.255.255.255
static (inside,dmz) 192.168.150.240 192.168.50.240 netmask 255.255.255.255
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,dmz) 192.168.150.190 192.168.50.190 netmask 255.255.255.255
static (inside,dmz) 192.168.150.191 192.168.50.191 netmask 255.255.255.255
static (inside,dmz) 192.168.150.192 192.168.50.192 netmask 255.255.255.255
static (inside,dmz) 192.168.150.193 192.168.50.193 netmask 255.255.255.255
static (inside,dmz) 192.168.150.194 192.168.50.194 netmask 255.255.255.255
static (inside,dmz) 192.168.150.195 192.168.50.195 netmask 255.255.255.255
static (inside,dmz) 192.168.150.200 192.168.50.200 netmask 255.255.255.255
static (inside,dmz) 192.168.150.201 192.168.50.201 netmask 255.255.255.255
static (inside,dmz) 192.168.150.202 192.168.50.202 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou clientless password mypass
http server enable
http 192.168.0.0 255.255.0.0 inside
http 68.157.114.0 255.255.255.0 ADSL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.1 interface ADSL
 num-packets 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ADSL_dyn_map 20 set pfs
crypto dynamic-map ADSL_dyn_map 20 set transform-set TRANS_ESP_DES_SHA ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 40 set pfs
crypto dynamic-map ADSL_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 60 set pfs
crypto dynamic-map ADSL_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 80 set pfs
crypto dynamic-map ADSL_dyn_map 80 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map ADSL_dyn_map 100 set pfs
crypto dynamic-map ADSL_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 120 set pfs
crypto dynamic-map ADSL_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 140 set pfs
crypto dynamic-map ADSL_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 160 set pfs
crypto dynamic-map ADSL_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map ADSL_map 65535 ipsec-isakmp dynamic ADSL_dyn_map
crypto map ADSL_map interface ADSL
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable ADSL
crypto isakmp enable Backup
crypto isakmp policy 10
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
!
track 2 rtr 321 reachability
telnet 192.168.50.0 255.255.255.0 inside
telnet 68.158.114.0 255.255.255.0 ADSL
telnet timeout 10
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
vpdn group myisp.net request dialout pppoe
vpdn group myisp.net localname bobsmith@myisp.net
vpdn group myisp.net ppp authentication pap
vpdn username bobsmith@myisp.net password ********* store-local
dhcpd address 192.168.50.10-192.168.50.99 inside
dhcpd dns 4.2.2.1 199.72.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd domain JOHNSTON.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.150.10-192.168.150.99 dmz
dhcpd dns 4.2.2.1 199.72.1.1 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 80 interface dmz
dhcpd domain DMZ.local interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics
ntp server 192.43.244.18
ntp server 17.254.0.31 source ADSL prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value CLIENT.local
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access2
 default-domain value JOHNSTON.local
username bobsmith password cXOXOXOOXOOXg encrypted privilege 15
username bobsmith attributes
 vpn-group-policy CiscoVPNClient
username apatron password hXOXOOXOOXK encrypted privilege 15
username apatron attributes
 vpn-group-policy CiscoVPNClient
username sperez password qXOOXOXOXOXOOXO encrypted privilege 10
username sperez attributes
 vpn-group-policy CiscoVPNClient
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool VPN_IP_Pool
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 pre-shared-key *
!
class-map icmp-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map icmp-classs
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect sip  
  inspect mgcp
  inspect h323 h225
  inspect h323 ras
  inspect skinny  
 class class_sip_tcp
  inspect sip  
!
service-policy global_policy global
service-policy icmp_policy interface ADSL
service-policy icmp_policy interface Backup
smtp-server 205.152.59.16 205.152.59.17
prompt hostname context
Cryptochecksum:a1463249d6c3baabd60164edca782e9b
: end
Expert Comment

by:batry_boy
ID: 20319382
First, to surf the Internet you'll need access to DNS name resolution.  If your DNS server is on the inside network (192.168.50.x), then you'll need to allow TCP/UDP 53 open to that server from the DMZ.  If you use a public DNS server (like one provided by your ISP), then you won't need that explicit access.

So, let's assume you use an internal DNS server, say at 192.168.50.100.  Then, here are the lines to add to allow surfing using that DNS server.

---------BEGIN COMMANDS---------
access-list dmz_access_in permit tcp 192.168.150.0 255.255.255.0 host 192.168.50.100 eq 53
access-list dmz_access_in permit udp 192.168.150.0 255.255.255.0 host 192.168.50.100 eq 53
access-list dmz_access_in deny ip 192.168.150.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-list ADSL_access_in extended permit icmp any any echo-reply
---------END COMMANDS--------

That last command will allow you to ping an Internet host and receive the echo replies back from the ping (echo request).
The explicit deny in those commands is because you stated that you only wanted the DMZ to access specific things on the inside but you also wanted to allow web surfing where you don't always know the destination.  Therefore, you explicitly allow the inbound DNS first for name resolution of web hosts, then you explicitly deny any other inbound traffic to the internal network and then finally you allow everything else for surfing the Internet.  It's done this way since the ACLs are parsed in the order in which they appear in the config, so the order of those commands does indeed matter!

Good luck!
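The first-match ordering the answer above relies on, shown as an added example (not code from the thread or from Cisco): a small evaluator for the access-list lines proposed there, run against constructed sample packets. It handles only the syntax used on this page (permit/deny, ip/tcp/udp/icmp, any, host, network plus dotted mask, optional eq port); ICMP type keywords such as echo-reply are not modelled.

```python
import ipaddress

# Constructed sample: the dmz_access_in lines proposed in the answer, in order.
DMZ_ACCESS_IN = [
    "access-list dmz_access_in permit tcp 192.168.150.0 255.255.255.0 host 192.168.50.100 eq 53",
    "access-list dmz_access_in permit udp 192.168.150.0 255.255.255.0 host 192.168.50.100 eq 53",
    "access-list dmz_access_in deny ip 192.168.150.0 255.255.255.0 192.168.50.0 255.255.255.0",
    "access-list dmz_access_in permit ip any any",
]

def _take_addr(tokens):
    """Consume one address spec (any | host A | A MASK) and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0))  # dotted-decimal mask

def parse_rule(line):
    """Parse one access-list line into (action, proto, src_net, dst_net, dport); ICMP types ignored."""
    tokens = line.split()[2:]  # drop 'access-list <name>'
    if tokens[0] == "extended":
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def evaluate(acl_lines, proto, src, dst, dport=None):
    """ASA semantics: the first matching line decides; no match means implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in map(parse_rule, acl_lines):
        if rproto != "ip" and rproto != proto:
            continue
        if src_ip not in rsrc or dst_ip not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"  # the implicit deny at the end of every ASA access-list

def shadowed_by_permit_any():
    """Move 'permit ip any any' to the top: the deny line is never reached."""
    reordered = [DMZ_ACCESS_IN[3]] + DMZ_ACCESS_IN[:3]
    return evaluate(reordered, "tcp", "192.168.150.20", "192.168.50.240", 80)
```

Run against these rules, an ICMP echo or TCP/80 from the DMZ to 192.168.50.240 (item 1 of the question) still hits the deny line, so that access would need its own permit entries placed above it.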
Author Comment

by:aalbert69
ID: 20325107
Thank you....

I implemented

access-list dmz_access_in deny ip 192.168.150.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-list ADSL_access_in extended permit icmp any any echo-reply

and now I can get out of the DMZ to the real world, but still have the other benefits of the internal/DMZ segregation.


Will post a final config after testing and tweaking over Thanksgiving.

Thanks again for bearing with me ......  Getting my mind into the swing of ASA statements is starting to take hold.

 Andy