ellegaarddk (Denmark) asked:

Cisco ASA 5505 Using DMZ for customer hotspot

I'm trying to set up a Cisco ASA 5505 in the office.
I've configured the inside net and it's working.

Now I want to use the DMZ for a WLAN hotspot for waiting customers. I need to keep them out of our own net, but allow them access to the Internet as well as to a server with some small applications for demonstration use.

I can't really tell from the documentation whether this can be done. I do have the possibility to make a DMZ, but can I do anything in there? Can I configure the ASA for this special use? - and how?

I'm a Cisco newbie, but I do have some experience with other firewalls.
yashinchalad (United Arab Emirates):

Create a new interface and nameif it as dmz, security-level 50~60.
Place a switch (or hub) as the DMZ switch.
Now do static NAT from the inside interface to dmz (specific NAT with the required ports and individual connections), e.g. static (inside,dmz) ......
If you want to expose a DMZ machine to the outside world, then do static (dmz,outside) ...... and permit the necessary ports on the access-list that is applied on the outside interface as access-group.
Note: inside is the nameif of the inside interface, outside that of the outside interface.
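As an added example (not configuration from the original thread or from the accepted solution), here is how the steps above translate into ASA 7.2 configuration for a guest hotspot DMZ, using the interface names and subnets from the configuration the asker posts later in the thread. The demo server address 192.168.123.10 is an assumed value, and the access-list name dmz_in is my own.

```cisco
! Added example, not from the thread: guest-hotspot DMZ on an ASA 5505 running 7.2(4).
! Interface names and subnets follow the asker's config; 192.168.123.10 (demo server)
! and the access-list name dmz_in are assumptions.
!
! Third VLAN on a 5505 base licence: it may not initiate traffic to one other VLAN.
! Pointing that restriction at the inside VLAN is exactly what a guest segment wants.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.123.1 255.255.255.0
!
! Lease guest addresses from the ASA itself; keep the server outside the pool.
dhcpd address 192.168.123.11-192.168.123.200 dmz
dhcpd enable dmz
!
! Outbound PAT to the outside interface address. The asker's config has the inside
! rule only; without a nat (dmz) rule, guest traffic has no translation on outside
! and never gets out.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.123.0 255.255.255.0
!
! Identity NAT for inside -> dmz, so office PCs reach the demo server on its real
! address instead of matching nat (inside) 1, which has no global on dmz.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Guest policy on the dmz interface: explicitly deny anything toward the office
! networks, then allow the Internet. Guests and the demo server share the DMZ subnet,
! so that traffic is switched locally and never crosses the ASA.
access-list dmz_in extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
!
! Management stays reachable from inside only (the asker's http line already does this).
http server enable
http 192.168.1.0 255.255.255.0 inside
```

Two things a guest DMZ needs beyond the interface itself: a nat (dmz) entry so guest traffic is translated on the way out, and a policy that keeps the DMZ from reaching inside. On a 5505 base licence, no forward interface Vlan1 already blocks DMZ-initiated traffic to inside; the access-list makes that policy explicit and shows up in the logs when a guest tries.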
techzter:

It certainly sounds like you should be able to configure the device for that situation. Is the server that you want to allow access to on the DMZ as well? Could you post a copy of the current config so that we have a better idea of what is already in place, and what is needed?
ellegaarddk (asker):

I'm glad to hear that! Now I just need to make it work.

@yashinchalad: I thought I had already done that, but maybe something is wrong.

@techzter: yes, the server will be on the DMZ as well, so I'll have no problem with that. And there's no need for outside access to anything in the DMZ; it's for internal use only.

This is what I've got so far:

: Saved
:
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name xxxxxxx.xx
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 77.xxx.xxx.xxx 255.255.255.128 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.123.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
!
time-range hverdag-aften
 periodic weekdays 17:00 to 22:59
!
time-range hverdag-skoletid
 periodic weekdays 8:00 to 16:59
!
ftp mode passive
clock timezone emt 2
dns server-group DefaultDNS
 domain-name xxxxxxxxx.xx
pager lines 24
logging enable
logging asdm notifications
logging mail emergencies
logging class auth mail emergencies 
logging class config mail emergencies 
logging class ha mail emergencies 
logging class ids mail emergencies 
logging class np mail emergencies 
logging class rm mail emergencies 
logging class sys mail emergencies 
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 
static (dmz,inside) 192.168.123.0 192.168.123.0 netmask 255.255.255.0 
route outside 0.0.0.0 0.0.0.0 77.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 77.xxx.xxx.xxx 77.xxx.xxx.170 interface inside
dhcpd auto_config outside interface inside
dhcpd update dns interface inside
dhcpd enable inside
!
dhcpd address 192.168.123.11-192.168.123.200 dmz
dhcpd dns 77.xxx.xxx.xxx 77.xxx.xxx.170 interface dmz
dhcpd enable dmz
!
 
ntp authenticate
ntp server 67.220.194.133
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:25256aa947b4d09995f5cab2786f4866
: end
asdm image disk0:/asdm-524.bin
asdm history enable


Oh, I forgot.

I need to be able to get from inside to dmz as well.
It's still not working; I can't figure out what is wrong.
Sorry, elle. I am not spotting it either. If you don't get any further responses, perhaps try a second post and relate it back to this issue. Include your config and what you have covered so far in the initial posting.
I've requested attention instead; hopefully somebody will be able to figure out what is wrong with my configuration.
Alan Huseyin Kayahan:
Please elaborate on what exactly is not working (from x interface, x IP, to y interface, y IP).
Is internet ok?
Working:
any valid IP, inside to outside

Not working:
any IP, DMZ to outside

Unknown:
inside to DMZ
(sorry, my focus has been on the above)
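An added example, not part of the thread, of how to pin down which of the three paths listed above fails, using the ASA's own packet-tracer and logging on 7.2(4). The guest, office and Internet test addresses (192.168.123.50, 192.168.1.20, 198.51.100.10) and the demo server address 192.168.123.10 are constructed values; the interface names are the asker's.

```cisco
! Added example, not from the thread: checking each path through the ASA on 7.2(4).
! Test addresses are constructed: 192.168.123.50 = guest laptop, 192.168.1.20 = office PC,
! 192.168.123.10 = demo server, 198.51.100.10 = a public web server.
!
! 1. DMZ -> outside (reported not working). Simulate a guest opening a web page.
!    Each phase prints ALLOW or DROP; a DROP in the NAT phase with the asker's config
!    means no nat/global pair covers traffic entering on dmz and leaving on outside.
ciscoasa# packet-tracer input dmz tcp 192.168.123.50 1025 198.51.100.10 80
!
! 2. inside -> DMZ (unknown). Simulate an office PC browsing the demo server.
!    This should end in ALLOW via the static (inside,dmz) identity translation.
ciscoasa# packet-tracer input inside tcp 192.168.1.20 1025 192.168.123.10 80
!
! 3. DMZ -> inside (must be denied on a guest segment). Expect DROP here;
!    an ALLOW would mean guests can reach the office network.
ciscoasa# packet-tracer input dmz tcp 192.168.123.50 1025 192.168.1.20 445
!
! See which translation rules exist and which translations are actually built.
! In 7.2 there is no "show nat" summary, so read the running config sections.
ciscoasa# show running-config nat
ciscoasa# show running-config global
ciscoasa# show running-config static
ciscoasa# show xlate
!
! Watch a real guest client while it tries the Internet. Translation failures log as
! %ASA-3-305005 / %ASA-3-305006 ("no translation group found"), access-list denies as
! %ASA-4-106023, so filtering the buffer on the client address shows which one it is.
ciscoasa# logging buffered informational
ciscoasa# show logging | include 192.168.123.50
```

Run the three packet-tracer commands after every config change: they exercise the ACL, NAT and routing decisions without needing a client on the DMZ, and the first phase that reports DROP names the part of the configuration to look at.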
ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan (Sweden)

Sorry, haven't been able to try it out yet, will be back as soon as possible.