Solved

Need help with setting up DMZ

Posted on 2008-06-25
Last Modified: 2012-08-13
I am trying to get a DMZ with a web server up and running. I've gone through the instructions on ASDM from the Cisco web site, but I still am unable to communicate with the web server. Can you please let me know what I'm doing wrong? Thanks.

ASA Version 8.0(3)
!
hostname ciscoasa
domain-name parmatube.com
enable password uwdQIX4kuXiD6gGn encrypted
names
name 192.168.5.0 PTCKZ description PTCKZ
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.178 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.6.3 255.255.255.0
!
interface Ethernet0/2
 nameif guest
 security-level 10
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.254.1 255.255.255.0
 management-only
!
passwd uwdQIX4kuXiD6gGn encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name parmatube.com
access-list outside_in extended permit icmp any any echo-reply
access-list ptcremotevpn standard permit 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.4
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit gre any host x.x.x.179
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit tcp any host x.x.x.180 eq https
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit 80 any host x.x.x.180
access-list outside_access_in extended permit tcp any host x.x.x.180 eq www
access-list outside_access_in extended permit tcp any eq www host x.x.x.178 eq www
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list DMZ_access_in extended permit tcp host 10.10.10.3 any eq www
access-list DMZ_access_in extended permit udp host 10.10.10.3 any eq domain
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list inside_dmz extended permit ip 192.168.6.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_dmz extended permit tcp any host 205.217.85.178 eq www
access-list inside_dmz extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu management 1500
mtu DMZ 1500
ip local pool VPNPool 192.168.8.1-192.168.8.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location x.x.x.179 255.255.255.255 inside
asdm location PTCKZ 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 200 10.10.10.50-10.10.10.60 netmask 255.0.0.0
global (DMZ) 200 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp interface www 10.10.10.3 www netmask 255.255.255.255
static (inside,outside) x.x.x.179 192.168.1.119 netmask 255.255.255.255
static (inside,outside) x.x.x.180 192.168.1.4 netmask 255.255.255.255
static (DMZ,inside) 10.10.10.3 205.217.85.178 netmask 255.255.255.255
static (inside,DMZ) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
route inside 192.168.1.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ptc1208k protocol kerberos
aaa-server ptc1208 protocol kerberos
aaa-server ptc1208 host 192.168.1.10
 kerberos-realm PARMATUBE
aaa-server ptc1208n protocol nt
aaa-server ptc1208n host 192.168.1.10
 nt-auth-domain-controller PTC1208
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.150.45.171
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 97.92.47.199
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31

  quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.100.2-192.168.100.25 guest
dhcpd dns x.x.x.10 x.x.1x.15 interface guest
dhcpd update dns override interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics access-list
webvpn
 enable outside

group-policy ptcremotevpn internal
group-policy ptcremotevpn attributes
 dns-server value 192.168.1.10
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelall
 default-domain value parmatube.com
 webvpn
  url-list value PTC_Workstations
  port-forward enable Parmatube_LAN
username vpnuser password tAtXXvCxpjX0dUEC encrypted privilege 15
username vpnuser attributes
 vpn-group-policy ptcremotevpn
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ptc1208n
 default-group-policy ptcremotevpn
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization PTCWebVPN
tunnel-group ptcremotevpn type remote-access
tunnel-group ptcremotevpn general-attributes
 address-pool VPNPool
 authentication-server-group ptc1208n
 authentication-server-group (inside) ptc1208n
 default-group-policy ptcremotevpn
tunnel-group ptcremotevpn ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.171 type ipsec-l2l
tunnel-group x.x.x.171 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.199 type ipsec-l2l
tunnel-group x.x.x.199 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:084be7d49cf59c613a5e5c3524d1b147
Question by:ptcis
6 Comments
 

Expert Comment

by:meverest
Hello,

what is happening that is different to what you expect?

Cheers.
 

Author Comment

by:ptcis
I cannot communicate with the web server at all. It's like all channels of communication are being blocked, but I cannot figure out why.
 

Author Comment

by:ptcis
Okay, now I think I'm getting closer, but I keep receiving this in my logs when I try to access the web server from outside.

4      Jul 01 2008      07:40:08      106023      12.150.45.171      205.217.85.178       Deny tcp src outside:xx.xx.45.171/3269 dst guest:xx.xx.85.178/80 by access-group "outside_access_in" [0x0, 0x0]

And this is when I try to access from the inside.

3      Jul 01 2008      07:41:30      710003      192.168.1.69      205.217.85.178       TCP access denied by ACL from 192.168.1.69/4762 to inside:x.x.85.178/80

Here is my config:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name parmatube.com
enable password uwdQIX4kuXiD6gGn encrypted
names
name 192.168.5.0 PTCKZ description PTCKZ
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.85.178 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.6.3 255.255.255.0
!
interface Ethernet0/2
 nameif guest
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.254.1 255.255.255.0
 management-only
!
passwd uwdQIX4kuXiD6gGn encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name parmatube.com
access-list outside_in extended permit icmp any any echo-reply
access-list ptcremotevpn standard permit 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.4
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit gre any host x.x.85.179
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit tcp any host x.x.85.180 eq https
access-list outside_access_in remark Enkoo
access-list outside_access_in extended permit 80 any host x.x.85.180
access-list outside_access_in extended permit tcp any host x.x.85.180 eq www
access-list outside_access_in extended permit tcp any eq www host x.x.85.178 eq www
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu management 1500
ip local pool VPNPool 192.168.8.1-192.168.8.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location x.x.85.179 255.255.255.255 inside
asdm location PTCKZ 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
static (guest,outside) tcp interface www 192.168.100.10 www netmask 255.255.255.255
static (inside,outside) x.x.85.179 192.168.1.119 netmask 255.255.255.255
static (inside,outside) x.x.85.180 192.168.1.4 netmask 255.255.255.255
static (inside,guest) 192.168.100.0 192.168.1.0 netmask 255.255.255.0
static (guest,inside) 192.168.100.10 x.x.85.178 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.85.177 1
route inside 192.168.1.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ptc1208k protocol kerberos
aaa-server ptc1208 protocol kerberos
aaa-server ptc1208 host 192.168.1.10
 kerberos-realm PARMATUBE
aaa-server ptc1208n protocol nt
aaa-server ptc1208n host 192.168.1.10
 nt-auth-domain-controller PTC1208
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.45.171
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer x.x.47.199
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
x
  quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.100.2-192.168.100.25 guest
dhcpd dns x.x.x.10 x.x.x.15 interface guest
dhcpd update dns override interface guest
dhcpd enable guest
!


Let me know if you can see anything I'm missing!  Thanks!
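An added example, not from the thread or from Cisco: a small Python parser for the two ASA syslog messages posted above, with a first-match evaluator for the subset of `access-list ... extended` syntax the config uses. It shows why 106023 was logged for the outside client: the only ACE for 205.217.85.178 (`permit tcp any eq www host x.x.85.178 eq www`) restricts the source port to 80 as well, and a client connects from an ephemeral port (3269 in the log), so nothing matches and the implicit deny applies. The 710003 line is treated differently because Cisco documents that message for connections to a service on the ASA itself, not for traffic the ASA forwards. The log text is reconstructed from the posted entries, with the unmasked addresses the log viewer printed.

```python
import re

# Constructed sample input: the two denies posted above, reduced to the syslog message
# text (the ASDM viewer columns around them are dropped).
LOG_LINES = [
    'Deny tcp src outside:12.150.45.171/3269 dst guest:205.217.85.178/80 '
    'by access-group "outside_access_in" [0x0, 0x0]',
    'TCP access denied by ACL from 192.168.1.69/4762 to inside:205.217.85.178/80',
]

RE_106023 = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
RE_710003 = re.compile(
    r'(?P<proto>TCP|UDP) access denied by ACL from (?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'to (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)')


def parse_asa_deny(line):
    """Return the flow and the ASA message id behind a deny line, or None."""
    m = RE_106023.search(line)
    if m:
        ev = m.groupdict()
        ev.update(msg_id='106023', kind='through traffic denied by interface ACL')
    else:
        m = RE_710003.search(line)
        if not m:
            return None
        ev = m.groupdict()
        # 710003 is logged for a connection to a service on the ASA itself, so the
        # destination address was handled as the firewall's own, not translated.
        ev.update(msg_id='710003', kind='to-the-box connection denied', sif=None, acl=None)
    ev['proto'] = ev['proto'].lower()
    ev['sport'], ev['dport'] = int(ev['sport']), int(ev['dport'])
    return ev


PORT_NAMES = {'www': 80, 'http': 80, 'https': 443, 'domain': 53}


def parse_ace(text):
    """Parse the subset of 'access-list NAME extended ...' used in the posted config:
    src and dst are 'any' or 'host A.B.C.D', each optionally followed by 'eq PORT'."""
    toks = text.split()
    if toks[2] == 'remark':
        return None
    ace = {'name': toks[1], 'action': toks[3], 'proto': toks[4]}
    rest = toks[5:]
    for side in ('src', 'dst'):
        if rest[0] == 'any':
            ace[side], rest = 'any', rest[1:]
        elif rest[0] == 'host':
            ace[side], rest = rest[1], rest[2:]
        else:
            raise ValueError('unsupported address form: ' + ' '.join(rest))
        port = None
        if rest and rest[0] == 'eq':
            port, rest = int(PORT_NAMES.get(rest[1], rest[1])), rest[2:]
        ace[side + '_port'] = port
    return ace


def ace_matches(ace, ev):
    def addr_ok(spec, ip):
        return spec == 'any' or spec == ip

    def port_ok(spec, port):
        return spec is None or spec == port

    return (ace['proto'] == ev['proto']
            and addr_ok(ace['src'], ev['sip']) and port_ok(ace['src_port'], ev['sport'])
            and addr_ok(ace['dst'], ev['dip']) and port_ok(ace['dst_port'], ev['dport']))


def first_match(acl_lines, ev):
    """First-match evaluation as the ASA does it; None means the implicit deny applies."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace and ace_matches(ace, ev):
            return ace
    return None


# The ACE from the posted config that should admit web traffic to the server, and the
# same line without the source-port restriction.
POSTED_ACL = [
    'access-list outside_access_in remark Enkoo',
    'access-list outside_access_in extended permit tcp any eq www host 205.217.85.178 eq www',
]
FIXED_ACL = [
    'access-list outside_access_in extended permit tcp any host 205.217.85.178 eq www',
]


def diagnose(line, acl=POSTED_ACL):
    ev = parse_asa_deny(line)
    if ev is None:
        return 'unrecognized line'
    if ev['msg_id'] == '710003':
        return ('710003: %s/%d reached %s as a connection to the ASA itself, not as traffic '
                'to be translated and forwarded' % (ev['sip'], ev['sport'], ev['dip']))
    hit = first_match(acl, ev)
    if hit is None:
        return ('106023: no ACE in %s matched %s/%d -> %s/%d; a client uses an ephemeral '
                'source port, so an ACE with "eq www" on the source never matches'
                % (ev['acl'], ev['sip'], ev['sport'], ev['dip'], ev['dport']))
    return '106023 would not occur: matched %s' % hit


if __name__ == '__main__':
    for line in LOG_LINES:
        print(diagnose(line))
    print(diagnose(LOG_LINES[0], FIXED_ACL))
```

Run it against a fuller ACL by pasting the remaining `outside_access_in` lines into `POSTED_ACL` in order; first-match semantics mean an earlier broad permit would hide a later mistake like this one.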

Author Comment

by:ptcis
Okay, I got the first part working. But I am still having problems when accessing the site from inside. Anyone please help. Thanks.

Accepted Solution

by: ptcis (earned 0 total points)
Anyone?  I cannot get to the DMZ from the Internal network and it is driving me insane.  Can someone please take a look at this?  Thanks!
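An added example, not part of the thread: a lint pass over the pre-8.3 `static` statements from the second posted config, in Python so it can be run offline against a config dump. The pre-8.3 syntax is `static (real_if,mapped_if) mapped_ip real_ip netmask MASK`: the address that hosts on mapped_if send to comes first, the real address behind real_if second. The check flags a real address that is not behind its real interface (which is what a swapped pair looks like), a mapped range that covers the mapped interface's own address or the DHCP pool the ASA serves there, and it shows which real host a packet from inside to 205.217.85.178 would be delivered to. Interface addresses, the static route and the DHCP pool are taken from the posted config, with the outside address unmasked from the log line; the two `(inside,outside)` statics with masked addresses are left out. The corrected line is only the posted statement with its arguments in the documented order; that the outside interface's own address can be borrowed as a mapped address on inside on this release is an assumption the thread does not settle.

```python
from ipaddress import ip_address, ip_network

# Addressing from the posted config. The outside address is the unmasked 205.217.85.178/28
# printed in the log lines; the config itself masks it as x.x.85.178.
IFACES = {
    'outside': ('205.217.85.178', ip_network('205.217.85.176/28')),
    'inside':  ('192.168.6.3',    ip_network('192.168.6.0/24')),
    'guest':   ('192.168.100.1',  ip_network('192.168.100.0/24')),
}
# 'route inside 192.168.1.0 255.255.255.0 192.168.6.2': a second LAN sits behind inside.
ROUTES = {'inside': [ip_network('192.168.1.0/24')]}
# 'dhcpd address 192.168.100.2-192.168.100.25 guest'
DHCP_POOLS = {'guest': (ip_address('192.168.100.2'), ip_address('192.168.100.25'))}


def behind(ifname, net):
    """True if net lies on ifname's connected subnet or on a route pointing out of it."""
    nets = [IFACES[ifname][1]] + ROUTES.get(ifname, [])
    return any(net.subnet_of(n) for n in nets)


def parse_static(line):
    """Parse 'static (real_if,mapped_if) [tcp|udp] mapped [port] real [port] netmask MASK'.
    'interface' as the mapped address stands for the mapped interface's own IP."""
    toks = line.replace('(', ' ').replace(')', ' ').replace(',', ' ').split()
    if toks[0] != 'static':
        raise ValueError('not a static statement: ' + line)
    real_if, mapped_if, rest = toks[1], toks[2], toks[3:]
    proto = None
    if rest[0] in ('tcp', 'udp'):
        proto, rest = rest[0], rest[1:]
    stride = 2 if proto else 1          # with a protocol, each address is followed by a port
    mapped, real = rest[0], rest[stride]
    mask = rest[rest.index('netmask') + 1]
    if mapped == 'interface':
        mapped = IFACES[mapped_if][0]
    return {
        'line': line, 'real_if': real_if, 'mapped_if': mapped_if,
        'port_forward': proto is not None,
        'mapped': ip_network('%s/%s' % (mapped, mask), strict=False),
        'real': ip_network('%s/%s' % (real, mask), strict=False),
    }


def lint_static(s):
    """Problems a reviewer would raise for one static; an empty list means none found."""
    problems = []
    if not behind(s['real_if'], s['real']):
        problems.append('real address %s is not behind %s; the arguments are mapped first, '
                        'then real, so they look swapped' % (s['real'], s['real_if']))
    if_addr = ip_address(IFACES[s['mapped_if']][0])
    # A port-forward on 'interface' deliberately borrows the interface address; a plain
    # host or subnet static covering it would compete with the ASA for that address.
    if if_addr in s['mapped'] and not s['port_forward']:
        problems.append('mapped range %s covers the %s interface address %s'
                        % (s['mapped'], s['mapped_if'], if_addr))
    pool = DHCP_POOLS.get(s['mapped_if'])
    if pool and pool[0] <= s['mapped'].broadcast_address and pool[1] >= s['mapped'].network_address:
        problems.append('mapped range %s overlaps the DHCP pool the ASA serves on %s'
                        % (s['mapped'], s['mapped_if']))
    return problems


def untranslate(statics, arriving_if, dst):
    """(real_if, real_ip) that a packet arriving on arriving_if for dst is delivered to,
    or None when no static claims dst there (the ASA's own address, or plain routing)."""
    dst = ip_address(dst)
    for s in statics:
        if s['mapped_if'] == arriving_if and dst in s['mapped']:
            offset = int(dst) - int(s['mapped'].network_address)
            return s['real_if'], str(ip_address(int(s['real'].network_address) + offset))
    return None


# Statics from the second posted config that concern the web server 192.168.100.10.
POSTED = [
    'static (guest,outside) tcp interface www 192.168.100.10 www netmask 255.255.255.255',
    'static (inside,guest) 192.168.100.0 192.168.1.0 netmask 255.255.255.0',
    'static (guest,inside) 192.168.100.10 205.217.85.178 netmask 255.255.255.255',
]
# The last posted line with mapped and real in the documented order (assumption: the
# outside interface address may serve as a mapped address on inside on this release).
CORRECTED = POSTED[:2] + [
    'static (guest,inside) 205.217.85.178 192.168.100.10 netmask 255.255.255.255',
]


def lint_config(lines):
    return {s['line']: lint_static(s) for s in map(parse_static, lines)}


if __name__ == '__main__':
    for line, problems in lint_config(POSTED).items():
        print(line)
        for p in problems:
            print('   !', p)
    posted, fixed = map(parse_static, POSTED), map(parse_static, CORRECTED)
    print('inside -> 205.217.85.178, posted:   ', untranslate(list(posted), 'inside', '205.217.85.178'))
    print('inside -> 205.217.85.178, corrected:', untranslate(list(fixed), 'inside', '205.217.85.178'))
```

With the posted statics no translation on inside claims 205.217.85.178, which is consistent with the 710003 message: the ASA treats the packet as addressed to itself. The `(inside,guest)` line is flagged twice because its mapped range 192.168.100.0/24 is the guest interface's own subnet, including the ASA's address there and the DHCP pool it hands out.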
Assisted Solution

by: meverest (earned 500 total points)
Hi,

I probably shouldn't have commented on this one to begin with.  Now that there are so many comments in this thread, the chances of anyone else looking in is small.

I suggest that you delete this question then re-post in a cisco networking area.  Being primarily an IIS topic at the moment, you are not likely to get any cisco expert to chime in.

Cheers,  Mike.