cjrcomputers asked:
Setting up DMZ on ASA 5505

I have an ASA 5505 with the security plus package and would like to set up a DMZ for an ISA server and a web server.  Right now I have been able to set up a VLAN for the DMZ, was able to set up an external IP address for one of the DMZ servers, and am able to get out to the internet on both DMZ servers.  The problem I'm having is pinging either DMZ server from the inside network and pinging the inside from the DMZ network.  Of course I am also not able to connect to any of the websites on the web server from the inside.  Your help would be greatly appreciated.
batry_boy

Have you set up a NAT for inside traffic going to the DMZ?  Have you set up an ACL applied to the DMZ interface to allow ICMP inbound so you can ping from the DMZ to inside?

If you post your config, I can give exact commands to make it work (sanitized, please)
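The two things asked about here (an identity NAT for inside traffic toward the DMZ, and an inbound ACL on the dmz interface that lets the ICMP echo-reply back) can be checked mechanically from a saved `show run` before anyone starts pinging. The script below is an added example written for this page, not code from Experts Exchange or from either participant. It assumes the ASA 7.x `interface`/`static`/`access-list`/`access-group` syntax as it appears in the configs posted later in this thread; the `BEFORE` and `AFTER` excerpts inside it are constructed, simplified versions of those two configs (the broad `permit ip any any` of the posted DMZ ACL is left out so the ICMP check has something to report, and the "identity static covers the inside subnet" rule is this example's own heuristic). It only rules out firewall-side causes; a host firewall on the DMZ server, which is what the thread ends up finding, is invisible to a config check.

```python
import re
from ipaddress import ip_network

# Patterns for the ASA 7.x "show run" lines this check reads (assumed syntax)
INTERFACE_RE = re.compile(r"^interface \S+$")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)$")
IPADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")


def parse_interfaces(config):
    """Map each nameif to the subnet configured on that interface."""
    result, name = {}, None
    for line in config.splitlines():
        if INTERFACE_RE.match(line):
            name = None
        elif NAMEIF_RE.match(line):
            name = NAMEIF_RE.match(line).group(1)
        elif name and IPADDR_RE.match(line):
            ip, mask = IPADDR_RE.match(line).groups()
            try:
                result[name] = ip_network(f"{ip}/{mask}", strict=False)
            except ValueError:  # sanitised address such as "xxx"
                pass
    return result


def parse_statics(config):
    """(real_ifc, mapped_ifc, mapped_net, real_net) for each one-to-one static."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            try:
                out.append((real_ifc, mapped_ifc,
                            ip_network(f"{mapped}/{mask}", strict=False),
                            ip_network(f"{real}/{mask}", strict=False)))
            except ValueError:  # sanitised address, skip it
                pass
    return out


def inbound_acl_for(config, ifc):
    """Name of the ACL applied inbound on interface ifc, or None."""
    for line in config.splitlines():
        m = ACCESS_GROUP_RE.match(line)
        if m and m.group(2) == "in" and m.group(3) == ifc:
            return m.group(1)
    return None


def _skip_address(tokens):
    """Drop one ACL address spec: 'any', 'host A', 'object-group G' or 'A MASK'."""
    return tokens[1:] if tokens[0] == "any" else tokens[2:]


def acl_permits_icmp_reply(config, acl_name):
    """Coarse check: does a permit line in the ACL let ICMP echo-reply through?
    Addresses and rule order are ignored; only protocol and ICMP type count."""
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(1) != acl_name or m.group(2) != "permit":
            continue
        proto, tokens = m.group(3), m.group(4).split()
        if proto == "ip":
            return True
        if proto == "icmp":
            icmp_type = _skip_address(_skip_address(tokens))
            if not icmp_type or icmp_type[0] == "echo-reply":
                return True
    return False


def check_inside_to_dmz(config, inside="inside", dmz="dmz"):
    """Report whether the firewall side of an inside -> dmz ping is in place."""
    inside_net = parse_interfaces(config).get(inside)
    # Identity static: inside hosts keep their own addresses toward the dmz,
    # and the static's real range must actually cover the inside subnet
    identity_static = any(
        r == inside and mp == dmz and mapped_net == real_net
        and inside_net is not None and inside_net.subnet_of(real_net)
        for r, mp, mapped_net, real_net in parse_statics(config))
    acl = inbound_acl_for(config, dmz)
    icmp_ok = acl is not None and acl_permits_icmp_reply(config, acl)
    return {"identity_static": identity_static, "dmz_inbound_acl": acl,
            "icmp_reply_permitted": icmp_ok, "ok": identity_static and icmp_ok}


# Constructed excerpts, simplified from the two configs posted in this thread
BEFORE = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan3
 nameif dmz
 ip address 10.10.200.1 255.255.255.0
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq https
static (inside,dmz) 10.10.200.0 10.10.200.0 netmask 255.255.255.0
access-group acl_mdc_DMZ_access in interface dmz
"""
AFTER = BEFORE.replace(
    "static (inside,dmz) 10.10.200.0 10.10.200.0",
    "access-list acl_mdc_DMZ_access extended permit icmp any any echo-reply\n"
    "static (inside,dmz) 192.168.1.0 192.168.1.0")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_inside_to_dmz(cfg))
```

Run it against a full `show run` saved to a file by reading the file into `check_inside_to_dmz`. The `BEFORE` excerpt reports no usable identity static because `static (inside,dmz) 10.10.200.0 10.10.200.0` maps the DMZ range onto itself rather than covering 192.168.1.0/24, and no ICMP permit on the dmz ACL; `AFTER` passes both checks. Note the ACL check is deliberately coarse: it does not evaluate source/destination addresses or the order of entries, so a passing result means "nothing obviously missing", not a proof that the rule matches.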
cjrcomputers (ASKER)

x=outside ip address.  Thanks.


ASA Version 7.2(3)
!
hostname brookpix
domain-name cjrcomputers.domain
enable password xxxxxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxx 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.10.200.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd xxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name cjrcomputers.domain
object-group network CJR_BROOKHILL_LAN
 description network at 9B Brook HIll Lane
 network-object 192.168.1.0 255.255.255.0
object-group network CJR_BROOKHILL_DMZ
 description dmz network at brookhill
 network-object 10.10.200.0 255.255.255.0
object-group network CJR_LEHIGH_LAN
 description network at 1700 lehigh
 network-object 192.168.2.0 255.255.255.0
object-group network LYNN_LAN
 description network at lynns apartment
 network-object 192.168.5.0 255.255.255.0
object-group network CJR_DMZ_ISA
 network-object host 10.10.200.3
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 26
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq citrix-ica
access-list outside_access_in extended permit udp any interface outside eq 1494
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq domain
access-list outside_access_in extended permit udp any interface outside eq domain
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface inside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list inside_access_in extended permit ip any any
access-list acl_mdc_outside_access extended permit tcp any host xxxxx eq smtp
access-list acl_mdc_outside_access extended permit esp any any
access-list acl_mdc_outside_access extended permit udp any any eq 4500
access-list acl_mdc_outside_access extended permit udp any any eq isakmp
access-list inside_nat0_outbound extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list outside_cryptomap_1 extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list inside_outbound_nat0_acl extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list inside_outbound_nat0_acl extended permit ip any 192.168.1.180 255.255.255.252
access-list CJR_VPN_NEW_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list acl_mdc_inside_nat0 extended permit ip any 192.168.1.180 255.255.255.252
access-list acl_mdc_DMZ_access extended permit esp any any
access-list acl_mdc_DMZ_access extended permit udp any any eq 4500
access-list acl_mdc_DMZ_access extended permit udp any any eq isakmp
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq https
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1645
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1646
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1812
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1813
access-list acl_mdc_DMZ_access extended permit ip any any
access-list acl_mdc_DMZ_access extended permit icmp any any
access-list outside_cryptomap_65535.20 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.180 255.255.255.252
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.180 255.255.255.252
access-list splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote 192.168.1.180-192.168.1.182
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-523.bin
asdm location 192.168.1.22 255.255.255.255 inside
asdm group CJR_BROOKHILL_LAN inside
asdm group CJR_LEHIGH_LAN outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.250 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 26 192.168.1.250 26 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.244 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.201 8080 netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.250 domain netmask 255.255.255.255
static (inside,outside) udp interface domain 192.168.1.250 domain netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 192.168.1.201 citrix-ica netmask 255.255.255.255
static (inside,outside) udp interface 1494 192.168.1.201 1494 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.250 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.21 ftp netmask 255.255.255.255
static (inside,outside) xxxxxxxxx 192.168.1.22 netmask 255.255.255.255
static (inside,dmz) 10.10.200.0 10.10.200.0 netmask 255.255.255.0
static (dmz,inside) 10.10.200.3 xxxxxxxx netmask 255.255.255.255
static (dmz,outside) xxxxxxxxx 10.10.200.3 netmask 255.255.255.255
static (dmz,inside) xxxxxxxxxx 10.10.200.3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group acl_mdc_DMZ_access in interface dmz
route outside 0.0.0.0 0.0.0.0 208.125.131.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.244
 timeout 5
 key cjr123
aaa-server SERVER protocol radius
aaa-server SERVER host 192.168.1.244
 timeout 5
 key cjr123
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cryptod_mdc_outside 30 set pfs
crypto dynamic-map cryptod_mdc_outside 30 set transform-set ESP-3DES-SHA
crypto dynamic-map cryptod_mdc_outside 30 set security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer xxxxxxxxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map crypto_mdc_outside 65535 ipsec-isakmp dynamic cryptod_mdc_outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 21
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.45-192.168.1.47 inside
dhcpd dns 192.168.1.244 interface inside
dhcpd domain cjrcomputers.domain interface inside
dhcpd enable inside
!

!
!
group-policy CJR_VPN_NEW internal
group-policy CJR_VPN_NEW attributes
 dns-server value 192.168.1.244
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CJR_VPN_NEW_splitTunnelAcl
 default-domain value cjrcomputers.domain
group-policy cjrvpn internal
group-policy cjrvpn attributes
 vpn-tunnel-protocol IPSec
 default-domain value cjrcomputers.domain
username crice password P78ljucnWDQdEvgV encrypted privilege 15
username crice attributes
 vpn-group-policy CJR_VPN_NEW
 group-lock value CJR_VPN_NEW
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 5
tunnel-group xxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxx ipsec-attributes
 pre-shared-key 7402501
 isakmp keepalive threshold 10 retry 5
tunnel-group CJR_VPN_NEW type ipsec-ra
tunnel-group CJR_VPN_NEW general-attributes
 address-pool remote
 default-group-policy CJR_VPN_NEW
tunnel-group CJR_VPN_NEW ipsec-attributes
 pre-shared-key cjr123
tunnel-group cjrvpn type ipsec-ra
tunnel-group cjrvpn general-attributes
 address-pool remote
 default-group-policy cjrvpn
tunnel-group cjrvpn ipsec-attributes
 pre-shared-key cjr1234
prompt hostname context
Cryptochecksum:aac8ea7b4cfbc201189a1fa00c9606b0
: end
ASKER CERTIFIED SOLUTION
batry_boy
Didn't work...
Please specify what exactly didn't work and what the source and destination IPs are in your connectivity test.  Also, post your current running configuration...
I just found out that I now am able to ping the inside from the dmz but cannot ping the dmz from the inside.  Here is the current configuration:

: Saved
: Written by enable_15 at 19:57:16.989 UTC Sat Feb 9 2008
!
ASA Version 7.2(3)
!
hostname brookpix
domain-name cjrcomputers.domain
enable password 3jrnPxArBAohuBx9 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxx 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.10.200.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 3jrnPxArBAohuBx9 encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name cjrcomputers.domain
object-group network CJR_BROOKHILL_LAN
 description network at 9B Brook HIll Lane
 network-object 192.168.1.0 255.255.255.0
object-group network CJR_BROOKHILL_DMZ
 description dmz network at brookhill
 network-object 10.10.200.0 255.255.255.0
object-group network CJR_LEHIGH_LAN
 description network at 1700 lehigh
 network-object 192.168.2.0 255.255.255.0
object-group network LYNN_LAN
 description network at lynns apartment
 network-object 192.168.5.0 255.255.255.0
object-group network CJR_DMZ_ISA
 network-object host 10.10.200.3
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 26
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq citrix-ica
access-list outside_access_in extended permit udp any interface outside eq 1494
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq domain
access-list outside_access_in extended permit udp any interface outside eq domain
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface inside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list inside_access_in extended permit ip any any
access-list acl_mdc_outside_access extended permit tcp any host xxxx eq smtp
access-list acl_mdc_outside_access extended permit esp any any
access-list acl_mdc_outside_access extended permit udp any any eq 4500
access-list acl_mdc_outside_access extended permit udp any any eq isakmp
access-list inside_nat0_outbound extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list outside_cryptomap_1 extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list inside_outbound_nat0_acl extended permit ip object-group CJR_BROOKHILL_LAN object-group CJR_LEHIGH_LAN
access-list inside_outbound_nat0_acl extended permit ip any 192.168.1.180 255.255.255.252
access-list CJR_VPN_NEW_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list acl_mdc_inside_nat0 extended permit ip any 192.168.1.180 255.255.255.252
access-list acl_mdc_DMZ_access extended permit esp any any
access-list acl_mdc_DMZ_access extended permit udp any any eq 4500
access-list acl_mdc_DMZ_access extended permit udp any any eq isakmp
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq https
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1645
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1646
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1812
access-list acl_mdc_DMZ_access extended permit tcp object-group CJR_DMZ_ISA any eq 1813
access-list acl_mdc_DMZ_access extended permit ip any any
access-list acl_mdc_DMZ_access extended permit icmp any any
access-list acl_mdc_DMZ_access extended permit icmp any any echo-reply
access-list outside_cryptomap_65535.20 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.180 255.255.255.252
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.180 255.255.255.252
access-list splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote 192.168.1.180-192.168.1.182
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-523.bin
asdm location 192.168.1.22 255.255.255.255 inside
asdm group CJR_BROOKHILL_LAN inside
asdm group CJR_LEHIGH_LAN outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.250 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 26 192.168.1.250 26 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.244 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.201 8080 netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.250 domain netmask 255.255.255.255
static (inside,outside) udp interface domain 192.168.1.250 domain netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 192.168.1.201 citrix-ica netmask 255.255.255.255
static (inside,outside) udp interface 1494 192.168.1.201 1494 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.250 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.21 ftp netmask 255.255.255.255
static (inside,outside) xxx 192.168.1.22 netmask 255.255.255.255
static (dmz,outside) xxx 10.10.200.3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group acl_mdc_DMZ_access in interface dmz
route outside 0.0.0.0 0.0.0.0 208.125.131.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.244
 timeout 5
 key cjr123
aaa-server SERVER protocol radius
aaa-server SERVER host 192.168.1.244
 timeout 5
 key cjr123
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cryptod_mdc_outside 30 set pfs
crypto dynamic-map cryptod_mdc_outside 30 set transform-set ESP-3DES-SHA
crypto dynamic-map cryptod_mdc_outside 30 set security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map crypto_mdc_outside 65535 ipsec-isakmp dynamic cryptod_mdc_outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 21
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.45-192.168.1.47 inside
dhcpd dns 192.168.1.244 interface inside
dhcpd domain cjrcomputers.domain interface inside
dhcpd enable inside
!

!
!
group-policy CJR_VPN_NEW internal
group-policy CJR_VPN_NEW attributes
 dns-server value 192.168.1.244
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CJR_VPN_NEW_splitTunnelAcl
 default-domain value cjrcomputers.domain
group-policy cjrvpn internal
group-policy cjrvpn attributes
 vpn-tunnel-protocol IPSec
 default-domain value cjrcomputers.domain
username crice password P78ljucnWDQdEvgV encrypted privilege 15
username crice attributes
 vpn-group-policy CJR_VPN_NEW
 group-lock value CJR_VPN_NEW
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 5
tunnel-group xx type ipsec-l2l
tunnel-group xxx ipsec-attributes
 pre-shared-key 7402501
 isakmp keepalive threshold 10 retry 5
tunnel-group CJR_VPN_NEW type ipsec-ra
tunnel-group CJR_VPN_NEW general-attributes
 address-pool remote
 default-group-policy CJR_VPN_NEW
tunnel-group CJR_VPN_NEW ipsec-attributes
 pre-shared-key cjr123
tunnel-group cjrvpn type ipsec-ra
tunnel-group cjrvpn general-attributes
 address-pool remote
 default-group-policy cjrvpn
tunnel-group cjrvpn ipsec-attributes
 pre-shared-key cjr1234
prompt hostname context
Cryptochecksum:29df6e3eb0925492d37cdfbd7ed28d83
: end
For the dmz host you can't ping from the inside, can you ping that same dmz host from the firewall CLI?  What are the source and destination IP addresses that you are using for this ping test?
I was pinging from 10.10.200.3(Soon to be an ISA server) to one of the servers at 192.168.1.250.  
I am not able to ping 10.10.200.3 from 192.168.1.250.

I am not able to ping 10.10.200.3 from the firewall CLI.
If you can't ping 10.10.200.3 from the firewall, you surely won't be able to ping it from any inside hosts.

If you can't ping 10.10.200.3 from 10.10.200.1 (the firewall's dmz interface), then I would be looking at that dmz host to see if it will respond to pings from other dmz hosts.  Can you get it to respond to pings from another host on the 10.10.200.0/24 network segment (the dmz)?
Geeze I figured out the problem.  The windows firewall was turned on at 10.10.200.3.  I am now able to ping between two dmz hosts and able to ping from the inside as well.  Thank you very much for your help.
Glad to help!