
CISCO ASA 5505, Creating a DMZ

I need to set up a DMZ on my ASA 5505.
I have found sketchy tutorials however would like to know from a command line step by step.
Does the DMZ issue an IP address to devices that cannot be issued a static IP?

Cheers
0
Asked by: FlyingFortress
2 Solutions
 
Istvan KalmarHead of IT Security Division Commented:
Hi,


First of all you need the Security Plus license. Did you upgrade it?
0
 
FlyingFortressAuthor Commented:
Hi,
I have not upgraded, but is there any way to check on the firewall?
Will I have to go through a reseller, or can I purchase and download?
0
 
FlyingFortressAuthor Commented:
All purchased, just waiting on the code to come through. Will post once installed. Cheers
0
 
Istvan KalmarHead of IT Security Division Commented:
Please show the config and the topology that you want, and I will make it....
0
 
FlyingFortressAuthor Commented:
Hi,
Security Plus license installed. A couple of questions:
I. Does the DMZ issue IPs as a DHCP server?
II. Will the DMZ use public or private addresses, or both? (I have 7 spare public IPs.)

The device I need to connect cannot be assigned a static IP.
Thanks
0
 
vreinaldoCommented:
Hello,

For the base license you can create up to three interfaces, but some restrictions apply.

1) Configure the VLANs

hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 20.20.20.2 255.255.255.0
hostname(config-if)# no shutdown

hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

hostname(config-if)# interface vlan 300
hostname(config-if)# no forward interface vlan 200
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown

======>> Assign the physical ports to the created VLANs.

hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown

====>>

You just have to create the rules:
route outside 0 0 20.20.20.1          (IP of the default gateway; let's assume it is 20.20.20.1)
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface

With these simple lines, you have connected the inside and the dmz to the internet.
0
 
FlyingFortressAuthor Commented:
Hi, excellent, thanks!
I had to adapt it to my current setup, as my Vlan1 = inside and Vlan2 = outside.
Here is a sanitised version of the running-config for your review. I assigned switch port 0/7 to the dmz.
I am working remotely, so I am not sure if it works yet.


: Saved
:
ASA Version 8.2(1)
!
hostname FORTRESS
enable password L3jXBIU9.f/KXdjK encrypted
passwd oShcltzbRXPPo.hu encrypted
names
name 192.168.51.50 VOIP_server
name 192.168.30.0 SITE-A
name 192.168.40.0 SITE-B
name 192.168.20.0 SITE-C
name 192.168.1.0  SITE-D description SANDI
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group WESTBURY
 ip address pppoe setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server ---.---.--.---
 name-server ---.---.--.---
object-group service VODAFONE_Ports
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-A 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-B 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-C 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-D 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-A 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-B 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-C 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-D 255.255.255.0
access-list ICMPACL extended permit icmp any any
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) ---.--.-.--- 192.168.10.104 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 ---.---.--.- 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http ---.---.--.- 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 82.--.--.--
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 82.--.--.--
crypto map outside_map 2 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 82.--.--.--
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 82.--.--.--
crypto map outside_map 4 set transform-set ESP-3DES-MD5
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 82.--.--.--
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.255 inside
ssh 192.168.51.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.255 outside
ssh ---.---.--.- 255.255.255.255 outside
ssh 192.168.51.0 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access outside
vpdn group WESTBURY request dialout pppoe
vpdn group WESTBURY localname ***
vpdn group WESTBURY ppp authentication chap
vpdn username *** password *********
dhcpd dns ---.--.-.--- ---.--.-.---
dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.150 inside
dhcpd dns ---.--.-.--- ---.--.-.--- interface inside
dhcpd ping_timeout 750 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

priority-queue inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password H1kZZCYIzbxYpUC2 encrypted privilege 15
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
 pre-shared-key *
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
 pre-shared-key *
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:48021baf602541eca5db4787f472157d
: end
asdm location VOIP_server 255.255.255.255 inside
asdm location SITE-A 255.255.255.0 inside
asdm location SITE-B 255.255.255.0 inside
asdm location SITE-C 255.255.255.0 inside
asdm location SITE-D 255.255.255.0 inside
no asdm history enable
0
 
vreinaldoCommented:
Looks good to me!

Good Luck
0
 
FlyingFortressAuthor Commented:
Hi,
The device I have plugged in is a Vodafone Sure Signal. It connects to Vodafone's servers through ports 500 and 4500.
Setting up the DMZ is a result of the connection not establishing after opening the ports, and of many posts and support here.

I was hoping that by sitting this on the DMZ I would be confident the connection is not being blocked. For some reason this is still not connecting.
I have looked in the ARP table and there is no device or record of the DMZ subnet created, or of the MAC address of the device.
Is the DMZ issuing an IP as a DHCP server, as I cannot assign a static IP to the Vodafone device?
Any thoughts...
0
 
vreinaldoCommented:
First of all, you should check your connectivity between the devices (ASA & Vodafone).

From the CLI in the ASA, or by ASDM, try to ping the Vodafone device, or vice versa.

Are the ports 500 and 4500 TCP or UDP?

Try connecting a computer in the DMZ and try to access the internet. When you get it working, it doesn't matter if it is static or dynamic addressing; you should use those settings in your Vodafone device...

If you still can't connect, even with the computer, then probably you have made something wrong, or there's something missing..!

Good luck!

0
 
FlyingFortressAuthor Commented:
Hi,
Both of the ports are UDP.
The dmz is not issuing an IP. I connected a laptop and it resolved a 169 address. I manually configured the card with a 192.168.3.100 address and successfully connected out through the gateway.

So as far as I can see everything is mustard apart from the dmz as a DHCP server. Is it possible to set up a DHCP scope in the dmz so that the vodabox can dynamically be issued an IP?

Thanks again!
0
 
Istvan KalmarHead of IT Security Division Commented:
Hi, there is a problem; please enable the DMZ:

interface Vlan3
 forward interface Vlan1
0
 
Istvan KalmarHead of IT Security Division Commented:
If you don't buy the Security Plus license you are not able to use the DMZ!!
0
 
FlyingFortressAuthor Commented:
I do not understand your last post, sorry.
The ASA has been upgraded and the DMZ is active.....
I need the interface to issue an IP by DHCP to an appliance that can only get an IP through DHCP... Is this possible??
0
 
vreinaldoCommented:
Here's the command:

dhcpd address 192.168.3.10-192.168.3.100 dmz
dhcpd enable dmz

dhcpd dns 200.42.213.11 196.3.81.5   --> Replace these with your own DNS servers.
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain yourdomain.local


Good luck!!
0
 
Istvan KalmarHead of IT Security Division Commented:
Please provide us with the output of:

sh ver
0
 
vreinaldoCommented:
Hello,

Just for the record, you don't need Security Plus in order to create a dmz!
Without Security Plus the dmz interface CAN'T communicate with the inside, but it CAN communicate with the outside...
0
 
FlyingFortressAuthor Commented:
Great, that is working fine and the vodbox is showing in the ARP table now.
Still not connecting...... Do I have to define the UDP ports 4500 and 500? That is the only thing I can think of; however, I thought the DMZ would be letting everything through?... Getting there - learning new stuff if nothing else!
0
 
vreinaldoCommented:
Hello there,

One thing you should know is that those ports belong to ISAKMP (UDP/500) and NAT-Traversal (UDP/4500). Maybe your vodbox is trying to build an IPsec tunnel, but I think it is going to be impossible (as far as I can see), because you are already finishing IPsec tunnels on your firewall, tunnels that are using those ports...

If you want to make a TEST, try this at a non-working time (ensure that nobody is using the tunnels), and do the following:

no crypto map outside_map interface outside
no crypto isakmp enable inside
no crypto isakmp enable outside

Test if your vodbox is working, and when you're done:

crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside

Anything else, let us know!
0
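The checks the answers above walk through (a dmz security-level between outside and inside, a nat/global pair for the dmz, an enabled dhcpd scope inside the dmz subnet, and ISAKMP already bound to the outside interface on UDP/500 and 4500) as an added config-lint script; this is example code written for this page, not the thread's own commands or a Cisco tool. The sample config is constructed in ASA 8.2 style, and the nameifs inside, outside and dmz are assumed.

```python
import ipaddress
import re
# Constructed sample in ASA 8.2 style; it is not the poster's real config.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
dhcpd address 192.168.3.10-192.168.3.100 dmz
dhcpd enable dmz
crypto isakmp enable outside
"""

def parse_interfaces(cfg):
    """Map each nameif to its security-level and statically configured subnet."""
    ifaces = {}
    for block in re.split(r"^(?=interface )", cfg, flags=re.M)[1:]:
        name = re.search(r"^ nameif (\S+)", block, re.M)
        lvl = re.search(r"^ security-level (\d+)", block, re.M)
        ip = re.search(r"^ ip address (\d\S+) (\d\S+)", block, re.M)  # skips pppoe/dhcp
        if name:
            ifaces[name.group(1)] = {"level": int(lvl.group(1)) if lvl else None,
                                     "net": ipaddress.ip_network("/".join(ip.groups()), strict=False) if ip else None}
    return ifaces

def lint_dmz(cfg, dmz="dmz", inside="inside", outside="outside"):
    """Return findings: ERROR for a broken DMZ setup, NOTE for behaviour worth knowing."""
    ifs, out = parse_interfaces(cfg), []
    d = ifs[dmz]
    if not ifs[outside]["level"] < d["level"] < ifs[inside]["level"]:
        out.append("ERROR: dmz security-level must sit between outside and inside")
    nat = re.search(rf"^nat \({dmz}\) (\d+) ", cfg, re.M)
    if not nat or not re.search(rf"^global \({outside}\) {nat.group(1)} ", cfg, re.M):
        out.append("ERROR: dmz has no nat statement matching a global (outside) pool")
    scope = re.search(rf"^dhcpd address (\S+)-(\S+) {dmz}$", cfg, re.M)
    if not scope or not re.search(rf"^dhcpd enable {dmz}$", cfg, re.M):
        out.append("ERROR: no enabled dhcpd scope on dmz, so DHCP-only clients get no address")
    elif not all(ipaddress.ip_address(a) in d["net"] for a in scope.groups()):
        out.append("ERROR: dhcpd scope on dmz lies outside the dmz subnet")
    if re.search(rf"^crypto isakmp enable {outside}$", cfg, re.M):
        out.append("NOTE: ASA terminates ISAKMP on outside, so UDP/500 and 4500 are taken by its own tunnels")
    return out
```

Run it over a `show running-config` capture with `lint_dmz(open("asa.cfg").read())`; the sample above passes every ERROR check and returns only the ISAKMP note.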
 
FlyingFortressAuthor Commented:
That makes perfect sense, because when I called Vodafone they said that the Vodbox would try and create a VPN; however, I thought this would run parallel to the existing defined policies (as I already had multiple VPN tunnels).

I have run the command and my IP phone went dead instantly, but the Vodbox is still not connecting, so maybe the ports?......
Anyway, your support has been excellent and detailed, and you have answered the original post. So I will close this one down and award the points. Many thanks again!
0
 
FlyingFortressAuthor Commented:
Awesome.
0
