capcap
asked on
Allow access from inside interface to new (P) DMZ interface on Cisco ASA 5505
Hi all,
Bit of background on what I'm trying to do. I have a Cisco ASA 5505 firewall with a 20, DMZ unrestricted license (Security Plus, unlimited inside hosts).
I've created an interface called PDMZ for what I will be using as a Production DMZ. The idea is that I will have a reverse proxy sitting in here routing requests to the inside network.
I've created the interface, but cannot get it to allow certain traffic (like port 80) or ICMP back into the inside interface.
I've attached my ASA config below.
Any help will be gratefully received - Mike
: Saved
:
ASA Version 7.2(3)
!
hostname blah
domain-name ####
enable password #### encrypted
names
name 172.18.231.0 IPVPN
name 172.18.241.5 CONDIR
name 172.19.0.3 DMZ-SMTP
name 172.19.0.4 DMZ-SFTP
name 172.19.0.5 DMZ-FTP
name 172.18.200.2 RIGEL
name 172.18.200.4 CAPELLA
name 172.19.0.7 GSTAR
name 172.18.200.14 CRM
name 172.18.200.13 Sharepoint
!
interface Vlan1
nameif inside
security-level 100
ip address 172.18.0.2 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 123.456.789.111 255.255.255.240
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.19.0.2 255.255.255.0
!
interface Vlan13
nameif pdmz
security-level 100
ip address 172.10.0.2 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 13
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd #### encrypted
ftp mode passive
dns domain-lookup dmz
dns server-group DefaultDNS
domain-name #####
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service StndInternet tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
access-list outside_access_in
access-list outside_access_in extended deny ip host #### any
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq smtp
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https
access-list outside_access_in
access-list outside_access_in extended permit tcp any host Sharepoint eq https
access-list outside_access_in
access-list outside_access_in
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq 8001
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq ftp
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq ftp-data
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq 2773
access-list outside_access_in extended permit tcp host 123.456.789.111 host 172.18.230.97 range 6000 60063 inactive
access-list outside_access_in
access-list outside_access_in extended deny ip host ##### any
access-list outside_access_in
access-list outside_access_in
access-list inside_nat0_outbound extended permit ip host 123.456.789.111 IPVPN 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 123.456.789.111 IPVPN 255.255.255.0
access-list inside_nat0_outbound extended permit ip any IPVPN 255.255.255.0
access-list inside_nat0_outbound extended permit ip host CONDIR host ####
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list VPNNET_splitTunnelAcl standard permit host 123.456.789.111
access-list VPN_splitTunnelAcl standard permit any
access-list inside_outbound_nat_acl extended permit ip any IPVPN 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any IPVPN 255.255.255.0
access-list outside_1_cryptomap extended permit ip host CONDIR host ####
access-list outside_2_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list dmz_access_in extended permit ip any any
access-list dmz_access_out extended permit ip any any
access-list pdmz_access_out extended permit tcp any host RIGEL
access-list acl_pdmz_to_inside extended permit ip any any
access-list pdmz_in extended permit ip any any
access-list pdmz_access_out_1 extended permit ip any interface inside inactive
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply inactive
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded inactive
access-list OUTSIDE_IN_ACL extended permit icmp any any echo inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu pdmz 1500
ip local pool IPVPN 172.18.231.1-172.18.231.254
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface pdmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.18.0.0 255.255.0.0
nat (dmz) 1 172.19.0.0 255.255.0.0
nat (pdmz) 1 172.10.0.0 255.255.0.0
static (dmz,outside) 123.456.789.111 DMZ-SFTP netmask 255.255.255.255
static (dmz,outside) 123.456.789.111 DMZ-FTP netmask 255.255.255.255
static (inside,outside) 123.456.789.111 RIGEL netmask 255.255.255.255
static (inside,outside) 123.456.789.111 CAPELLA netmask 255.255.255.255
static (inside,dmz) 123.456.789.111 172.18.0.0 netmask 255.255.0.0
static (inside,dmz) 123.456.789.111 DMZ-SMTP netmask 255.255.255.255
static (dmz,outside) 123.456.789.111 GSTAR netmask 255.255.255.255
static (inside,outside) 123.456.789.111 CRM netmask 255.255.255.255
static (inside,outside) 123.456.789.111 Sharepoint netmask 255.255.255.255
static (dmz,outside) 123.456.789.111 172.19.0.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
access-group pdmz_in in interface pdmz
access-group pdmz_access_out out interface pdmz
route outside 0.0.0.0 0.0.0.0 123.456.789.111 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
filter java 81 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 813 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer ####
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer ####
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.18.0.3-172.18.1.2 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect h323 ras
inspect pptp
!
service-policy global_policy global
group-policy NETWORK internal
group-policy NETWORK attributes
wins-server value 172.18.200.1
dns-server value 172.18.200.1
vpn-tunnel-protocol IPSec
vpn-group-policy NETWORK
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group NETWORK type ipsec-ra
tunnel-group NETWORK general-attributes
address-pool IPVPN
default-group-policy NETWORK
tunnel-group NETWORK ipsec-attributes
pre-shared-key *
tunnel-group 123.456.789.111 type ipsec-l2l
tunnel-group 123.456.789.111 ipsec-attributes
pre-shared-key *
tunnel-group 123.456.789.111 type ipsec-l2l
tunnel-group 123.456.789.111 ipsec-attributes
pre-shared-key *
smtp-server 172.18.200.2
prompt hostname context
Cryptochecksum:585c0c1b2348587143153660a223357a
: end
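Editor's note, added to this page; it is not part of Mike's post and not the members-only accepted solution, which is not reproduced here. Reading the config as posted, three things in it work against what he describes. First, pdmz is at security-level 100, the same as inside, so with "same-security-traffic permit inter-interface" it is not a DMZ in any meaningful sense: a compromised reverse proxy has the same standing as any inside host, and the only thing gating pdmz-to-inside traffic is "pdmz_in permit ip any any". Second, pdmz_access_out is applied "out" on pdmz and permits only TCP to RIGEL, which is an inside host (172.18.200.2), so nothing the ASA forwards toward pdmz can match it; that includes inside-initiated traffic and, since global_policy has no "inspect icmp", the echo-replies coming back from inside. Third, "nat (inside) 1" and "nat (pdmz) 1" both match inside/pdmz traffic but there is no "global" on either of those interfaces; the config carries a "static (inside,dmz)" for 172.18.0.0/16 but no equivalent for pdmz. Separately, 172.10.0.0/16 is not RFC 1918 space (the private 172 range is 172.16.0.0 to 172.31.255.255), so if a private range was intended that address should be revisited. The fragment below is one way to restate the pdmz side in ASA 7.2 syntax; the reverse proxy address 172.10.0.10 and Sharepoint as its back end on 80/443 are assumptions for illustration, not taken from the post.

```cisco
! Added example (editor's; not from the original post or its accepted answer).
! Assumes the reverse proxy in pdmz is 172.10.0.10 and fronts Sharepoint
! (172.18.200.13, already a name in the config) on 80/443.
!
! 1. Put pdmz below inside. Inside -> pdmz is then allowed by default and
!    pdmz -> inside needs an explicit permit in pdmz_in.
interface Vlan13
 nameif pdmz
 security-level 60
 ip address 172.10.0.2 255.255.0.0
!
! 2. Remove the egress ACL on pdmz. It only permits TCP to RIGEL, an inside
!    host, so it drops everything the ASA sends toward pdmz, including
!    ICMP echo-replies from inside.
no access-group pdmz_access_out out interface pdmz
clear configure access-list pdmz_access_out
!
! 3. Replace "permit ip any any" on pdmz_in with what the proxy needs.
!    Unapply first so the interface is never left with an empty ACL bound.
no access-group pdmz_in in interface pdmz
clear configure access-list pdmz_in
access-list pdmz_in extended permit tcp host 172.10.0.10 host Sharepoint eq www
access-list pdmz_in extended permit tcp host 172.10.0.10 host Sharepoint eq https
access-list pdmz_in extended permit icmp host 172.10.0.10 172.18.0.0 255.255.0.0 echo
access-group pdmz_in in interface pdmz
!
! 4. NAT exemption in both directions between inside and pdmz, so this
!    traffic no longer matches nat (inside) 1 / nat (pdmz) 1 and then
!    looks for a global that neither interface has. Mirrors the existing
!    static (inside,dmz) for 172.18.0.0/16.
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.0.0 172.10.0.0 255.255.0.0
access-list pdmz_nat0_outbound extended permit ip 172.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0
nat (pdmz) 0 access-list pdmz_nat0_outbound
!
! 5. Make ICMP stateful so echo-replies are matched to the request instead
!    of needing their own permit on the return path.
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying, "show nat" and "show xlate" should show no translation for an inside/pdmz pair, and a pdmz-initiated TCP 80 connection should appear in "show conn" with inside as the egress interface; anything else the proxy tries toward inside or the existing dmz falls to the implicit deny at the end of pdmz_in and shows up in the ASDM syslog at informational level as a 106023 deny.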