ellegaarddk
asked on
Cisco ASA 5505 Using DMZ for customer hotspot
I'm trying to set up a Cisco ASA 5505 in the office.
I've configured the inside net and it's working.
Now I want to use the DMZ for a WLAN hotspot for waiting customers. I need to keep them out of our own net, but allow them access to the Internet as well as a server with some small applications for demonstration use.
I can't really tell from the documentation whether this can be done. I do have the possibility to make a DMZ, but can I do anything in there? Can I configure the ASA for this special use? And how?
I'm a Cisco newbie, but I do have some experience with other firewalls.
It certainly sounds like you should be able to configure the device for that situation. Is the server that you want to allow access to on the DMZ as well? Could you post a copy of the current config so that we have a better idea of what is already in place, and what is needed?
ASKER
I'm glad to hear that! Now I just need to make it work.
@yashinchalad: I thought I had already done that, but maybe something is wrong.
@techzter: Yes, the server will be in the DMZ as well, so I'll have no problem with that. And there's no need for outside access to anything in the DMZ; it's for internal use only.
This is what I've got so far:
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name xxxxxxx.xx
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 77.xxx.xxx.xxx 255.255.255.128
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.123.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
!
time-range hverdag-aften
periodic weekdays 17:00 to 22:59
!
time-range hverdag-skoletid
periodic weekdays 8:00 to 16:59
!
ftp mode passive
clock timezone emt 2
dns server-group DefaultDNS
domain-name xxxxxxxxx.xx
pager lines 24
logging enable
logging asdm notifications
logging mail emergencies
logging class auth mail emergencies
logging class config mail emergencies
logging class ha mail emergencies
logging class ids mail emergencies
logging class np mail emergencies
logging class rm mail emergencies
logging class sys mail emergencies
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (dmz,inside) 192.168.123.0 192.168.123.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 77.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 77.xxx.xxx.xxx 77.xxx.xxx.170 interface inside
dhcpd auto_config outside interface inside
dhcpd update dns interface inside
dhcpd enable inside
!
dhcpd address 192.168.123.11-192.168.123.200 dmz
dhcpd dns 77.xxx.xxx.xxx 77.xxx.xxx.170 interface dmz
dhcpd enable dmz
!
ntp authenticate
ntp server 67.220.194.133
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:25256aa947b4d09995f5cab2786f4866
: end
ASKER
Oh, I forgot.
I need to be able to get from inside to dmz as well.
ASKER
It's still not working; I can't figure out what is wrong.
Sorry elle. I am not spotting it either. If you don't get any further responses perhaps try a second post and relate it back to this issue. Include the information of your config and what you have covered so far in the initial posting.
ASKER
I've requested attention instead; hopefully somebody will be able to figure out what is wrong with my configuration.
Please elaborate what exactly is not working (from x interface x ip to y interface on y ip).
Is internet ok?
ASKER
Working: any valid IP, inside to outside
Not working: any IP, DMZ to outside
Unknown: inside to DMZ (sorry, my focus has been on the above)
ASKER CERTIFIED SOLUTION
ASKER
Sorry, haven't been able to try it out yet, will be back as soon as possible.
Place a switch (or hub) as the DMZ switch.
Now do static NAT from the inside interface to the DMZ (specific NAT with the required ports and individual connections), e.g. static (inside,dmz) ......
If you want to expose a DMZ machine to the outside world, then do static (dmz,outside) ...... and permit the necessary ports on the access-list that is applied to the outside interface as an access-group.
Note: inside is the nameif of the inside interface, outside of the outside interface.
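As an added illustration (not something the asker or any of the experts posted), here is what the "DMZ to outside: not working" symptom usually comes down to on a pre-8.3 ASA like the 7.2(4) config above, together with an explicit guest policy. It assumes the addressing from the posted config (inside 192.168.1.0/24 and 192.168.2.0/24, dmz 192.168.123.0/24, "global (outside) 1 interface" already present); the access-list name dmz_in is my own choice.

```cisco
! Added example config for the posted ASA 5505 (7.2, pre-8.3 NAT syntax).
! Addresses are taken from the posted config; the ACL name dmz_in is an assumption.

! 1. PAT the dmz subnet to the outside interface address.
!    The posted config has "global (outside) 1 interface", but only
!    "nat (inside) 1 ..." refers to pool 1, so dmz hosts get no translation
!    and replies to their private 192.168.123.x addresses never come back.
nat (dmz) 1 192.168.123.0 255.255.255.0

! 2. Explicit policy for traffic initiated on the dmz: guests may reach any
!    Internet address but not the inside networks. "no forward interface Vlan1"
!    on Vlan3 (the 5505 Base-license restriction) already stops dmz -> Vlan1,
!    so this is belt and braces that also documents the intent.
access-list dmz_in extended deny ip 192.168.123.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in extended deny ip 192.168.123.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.123.0 255.255.255.0 any
access-group dmz_in in interface dmz

! 3. Nothing extra is needed for inside -> dmz: inside (security-level 100) may
!    initiate to dmz (50) by default, and the identity statics already in the
!    config keep the real addresses on both sides. The demo server and the
!    hotspot clients share the dmz subnet, so they talk over the DMZ switch
!    without the ASA in the path.
```

To check the result from the ASA itself, packet-tracer (available in 7.2) walks a simulated flow through the NAT and ACL phases, for example "packet-tracer input dmz tcp 192.168.123.50 1025 198.51.100.10 80" (the addresses here are placeholders); it should end with a translation to the outside interface address and "Action: allow", and "show xlate" should then list dmz addresses once a guest has browsed. The same tracer from dmz towards 192.168.1.1 should show a drop, confirming guests are kept off the office LAN.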