ptcis
Need help with setting up DMZ

I am trying to get a DMZ with a web server up and running.  I've gone through the instructions on ASDM from the Cisco web site, but I still am unable to communicate with the web server.  Can you please let me know what I'm doing wrong?  Thanks.

ASA Version 8.0(3)
!
hostname ciscoasa
domain-name parmatube.com
enable password uwdQIX4kuXiD6gGn encrypted
names
name 192.168.5.0 PTCKZ description PTCKZ
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.178 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.6.3 255.255.255.0
!
interface Ethernet0/2
 nameif guest
 security-level 10
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.254.1 255.255.255.0
 management-only
!
passwd uwdQIX4kuXiD6gGn encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name parmatube.com
access-list outside_in extended permit icmp any any echo-reply
access-list ptcremotevpn standard permit 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.4
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit gre any host x.x.x.179
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit tcp any host x.x.x.180 eq https
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit 80 any host x.x.x.180
access-list outside_access_in extended permit tcp any host x.x.x.180 eq www
access-list outside_access_in extended permit tcp any eq www host x.x.x.178 eq www
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list DMZ_access_in extended permit tcp host 10.10.10.3 any eq www
access-list DMZ_access_in extended permit udp host 10.10.10.3 any eq domain
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list inside_dmz extended permit ip 192.168.6.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_dmz extended permit tcp any host 205.217.85.178 eq www
access-list inside_dmz extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu management 1500
mtu DMZ 1500
ip local pool VPNPool 192.168.8.1-192.168.8.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location x.x.x.179 255.255.255.255 inside
asdm location PTCKZ 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 200 10.10.10.50-10.10.10.60 netmask 255.0.0.0
global (DMZ) 200 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp interface www 10.10.10.3 www netmask 255.255.255.255
static (inside,outside) x.x.x.179 192.168.1.119 netmask 255.255.255.255
static (inside,outside) x.x.x.180 192.168.1.4 netmask 255.255.255.255
static (DMZ,inside) 10.10.10.3 205.217.85.178 netmask 255.255.255.255
static (inside,DMZ) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
route inside 192.168.1.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ptc1208k protocol kerberos
aaa-server ptc1208 protocol kerberos
aaa-server ptc1208 host 192.168.1.10
 kerberos-realm PARMATUBE
aaa-server ptc1208n protocol nt
aaa-server ptc1208n host 192.168.1.10
 nt-auth-domain-controller PTC1208
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.150.45.171
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 97.92.47.199
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31

  quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.100.2-192.168.100.25 guest
dhcpd dns x.x.x.10 x.x.1x.15 interface guest
dhcpd update dns override interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics access-list
webvpn
 enable outside

group-policy ptcremotevpn internal
group-policy ptcremotevpn attributes
 dns-server value 192.168.1.10
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelall
 default-domain value parmatube.com
 webvpn
  url-list value PTC_Workstations
  port-forward enable Parmatube_LAN
username vpnuser password tAtXXvCxpjX0dUEC encrypted privilege 15
username vpnuser attributes
 vpn-group-policy ptcremotevpn
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ptc1208n
 default-group-policy ptcremotevpn
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization PTCWebVPN
tunnel-group ptcremotevpn type remote-access
tunnel-group ptcremotevpn general-attributes
 address-pool VPNPool
 authentication-server-group ptc1208n
 authentication-server-group (inside) ptc1208n
 default-group-policy ptcremotevpn
tunnel-group ptcremotevpn ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.171 type ipsec-l2l
tunnel-group x.x.x.171 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.199 type ipsec-l2l
tunnel-group x.x.x.199 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:084be7d49cf59c613a5e5c3524d1b147
meverest

Hello,

what is happening that is different to what you expect?

Cheers.
ptcis

ASKER

I cannot communicate with the web server at all. It's like all channels of communication are being blocked, but I cannot figure out why.
ptcis

ASKER

Okay, now I think I'm getting closer, but I keep receiving this in my logs when I try to access the web server from outside.

4      Jul 01 2008      07:40:08      106023      12.150.45.171      205.217.85.178       Deny tcp src outside:xx.xx.45.171/3269 dst guest:xx.xx.85.178/80 by access-group "outside_access_in" [0x0, 0x0]

And this is when I try to access from the inside.

3      Jul 01 2008      07:41:30      710003      192.168.1.69      205.217.85.178       TCP access denied by ACL from 192.168.1.69/4762 to inside:x.x.85.178/80

Here is my config:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name parmatube.com
enable password uwdQIX4kuXiD6gGn encrypted
names
name 192.168.5.0 PTCKZ description PTCKZ
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.85.178 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.6.3 255.255.255.0
!
interface Ethernet0/2
 nameif guest
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.254.1 255.255.255.0
 management-only
!
passwd uwdQIX4kuXiD6gGn encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name parmatube.com
access-list outside_in extended permit icmp any any echo-reply
access-list ptcremotevpn standard permit 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.4
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit gre any host x.x.85.179
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit tcp any host x.x.85.180 eq https
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit 80 any host x.x.85.180
access-list outside_access_in extended permit tcp any host x.x.85.180 eq www
access-list outside_access_in extended permit tcp any eq www host x.x.85.178 eq www
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu management 1500
ip local pool VPNPool 192.168.8.1-192.168.8.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location x.x.85.179 255.255.255.255 inside
asdm location PTCKZ 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
static (guest,outside) tcp interface www 192.168.100.10 www netmask 255.255.255.255
static (inside,outside) x.x.85.179 192.168.1.119 netmask 255.255.255.255
static (inside,outside) x.x.85.180 192.168.1.4 netmask 255.255.255.255
static (inside,guest) 192.168.100.0 192.168.1.0 netmask 255.255.255.0
static (guest,inside) 192.168.100.10 x.x.85.178 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.85.177 1
route inside 192.168.1.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ptc1208k protocol kerberos
aaa-server ptc1208 protocol kerberos
aaa-server ptc1208 host 192.168.1.10
 kerberos-realm PARMATUBE
aaa-server ptc1208n protocol nt
aaa-server ptc1208n host 192.168.1.10
 nt-auth-domain-controller PTC1208
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.45.171
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer x.x.47.199
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
x
  quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.100.2-192.168.100.25 guest
dhcpd dns x.x.x.10 x.x.x.15 interface guest
dhcpd update dns override interface guest
dhcpd enable guest
!


Let me know if you can see anything I'm missing!  Thanks!
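The 106023 deny in the post above can be replayed offline with this small ACL evaluator, an added example that is not from the thread or from Cisco: it parses the subset of extended-ACL syntax the posted config uses and applies the ASA's first-match / implicit-deny rule to the flow taken from the log line. The masked x.x.85.x hosts are assumed to be 205.217.85.x, the unmasked address the log shows for .178.

```python
import ipaddress
import re

PROTO_NUMS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}   # 0 acts as a wildcard
PORT_NAMES = {"www": 80, "https": 443}
DENY_RE = re.compile(r'Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+) by access-group "([^"]+)"')

def parse_endpoint(t, i):
    """Parse 'any' | 'host A' | 'A MASK' plus an optional 'eq PORT'; return (net, port, next_i)."""
    if t[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    else:  # 'host A' or 'A MASK'
        spec = t[i + 1] + "/32" if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
        net, i = ipaddress.ip_network(spec), i + 2
    port = (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])) if i < len(t) and t[i] == "eq" else None
    return net, port, (i + 2 if port else i)

def parse_ace(line):
    """One extended permit/deny entry as a dict; None for remarks and standard ACLs."""
    t = line.split()
    if len(t) < 7 or t[2] != "extended":
        return None
    # A bare number is an IP protocol number: 'permit 80' matches protocol 80 (ISO-IP), not TCP/80.
    proto = PROTO_NUMS[t[4]] if t[4] in PROTO_NUMS else int(t[4])
    src, sport, i = parse_endpoint(t, 5)
    dst, dport, _ = parse_endpoint(t, i)
    return dict(name=t[1], action=t[3], proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl, name, proto, src, sport, dst, dport):
    """First match wins, then the ASA's implicit deny; returns (action, matching line or None)."""
    for line in acl:
        a = parse_ace(line)
        if (a and a["name"] == name and a["proto"] in (0, proto)
                and ipaddress.ip_address(src) in a["src"] and ipaddress.ip_address(dst) in a["dst"]
                and a["sport"] in (None, sport) and a["dport"] in (None, dport)):
            return a["action"], line
    return "deny", None

def replay_106023(msg, acl):
    # Pull the 5-tuple and ACL name out of an ASA 106023 deny message and re-evaluate it.
    m = DENY_RE.search(msg)
    return evaluate(acl, m.group(6), PROTO_NUMS[m.group(1)], m.group(2), int(m.group(3)),
                    m.group(4), int(m.group(5)))

# Constructed from the post; masked x.x.85.x hosts are assumed to be 205.217.85.x (the log's unmasked .178).
ACL = [
    "access-list outside_access_in extended permit 80 any host 205.217.85.180",
    "access-list outside_access_in extended permit tcp any host 205.217.85.180 eq www",
    "access-list outside_access_in extended permit tcp any eq www host 205.217.85.178 eq www",
]
LOG = 'Deny tcp src outside:12.150.45.171/3269 dst guest:205.217.85.178/80 by access-group "outside_access_in" [0x0, 0x0]'
```

`replay_106023(LOG, ACL)` comes back as `('deny', None)`: the only entry for .178 also pins the source port to 80, and a client's ephemeral source port (3269 in the log) never matches it, so the implicit deny fires. Dropping the `eq www` after `any` makes the same flow hit a permit.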
ptcis

ASKER

Okay, I got the first part working.  But I am still having problems when accessing the site from inside.  Anyone, please help.  Thanks.
ASKER CERTIFIED SOLUTION
ptcis