Solved

How do I assign public IP's to our cisco ASA 5510 (For MS Direct Access)

Posted on 2010-08-23
8
1,113 Views
Last Modified: 2012-05-10
Hi,

We are about to set up a test lab for Direct Access. As DA requires two public IP adresses, we've purchased a few additional IPs' for this purpose. What is the best course of action? Will DA allow me to NAT it, or do i have to set up a public DMZ?

If so, how do I set up a public DMZ?

Many thanks
0
Comment
Question by:daxa78
  • 3
  • 3
  • 2
8 Comments
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 33502225
The way I read it (http://technet.microsoft.com/en-us/library/dd637797(WS.10).aspx) You need two consecutive public IP addresses, so a public DMZ may be your best bet.

To create:
1. subnet your IP range from the ISP into an outside subnet, and a dmz subnet.
2. change your subnet mask on the outside interface to accomodate your outside subnet.
3. create or enable a DMZ interface (security level 50 is typical) and assign an IP address from the dmz subnet to the interface. You will need to connect to seperate switch or VLAN
4. Add you DA servers to the new DMZ switch/VLAN, assign two consecutive IP addresses to its outside interface, and a default gateway of the ASA DMZ inerface
5. Address the DA server intranet interface for your inside network and add static routes for whatever other internal networks it may need to access or be accessed from

Good Luck
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33502243
Alternatively you could just place the DA server on the outside network and give it the two IPs. Just make sure your Windows 2008 R2 firewall is enabled and locked down and you install a good AV package.
0
 
LVL 10

Expert Comment

by:rscottvan
ID: 33507946
It's a requirement to have the DA server span two networks (with two NICs).  One needs to be accessible on the internet, and the other needs to be on the internal LAN.

While you could technically get away with not using a DMZ, it's a security best practice to protect the devices facing the internet by placing them in a DMZ.  

You should configure the firewall to only allow traffic on the required ports to pass into the DMZ.
0
 
LVL 1

Author Comment

by:daxa78
ID: 33512826
Update:

I've created a public_DMZ interface on ethernet0/3 with the first public IP in our new range. I've also set up a vlan for the DMZ which i've connected to one of the nics on the server.

This is the current situation:

ethernet0/1: internet
ethernet0/2 inside (internal network)
ethernet0/3 DMZ (vlan2)

My problem now is to get the DMZ to connect to the internet with those public ip's. Our ISP supplied us with this info:

Subnet: 85.xx.xx.96/29
Netmask: 255.255.255.248
Recommended GW-address: 85.xx.xx.97
Your IP-addresses in the subnet: 85.xx.xx.98-102
broadcast ip in subnet 85.xx.xx.103

routed by linknet 82.xx.xx.2/30 (which is the ethernet0/1 device)
your address in linknet: 82.xx.xx.4


I've spent as much time as I can on this now, without getting any results, any input would be appreciated :)
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 10

Expert Comment

by:rscottvan
ID: 33516146
It's difficult to tell you all the required items without having the firewall config.  Here are a couple items you'll need for certain:
1.  Access-lists allowing the needed traffic applied to the outside zone, allowing the required ports from "any" to the DA server
2.  Static NAT between the DMZ and other security zones

If you want more specific guidance, we'll need to look at the FW config.  You can scrub out names and IPs.
0
 
LVL 1

Author Comment

by:daxa78
ID: 33518509
Here is my config, thanks for the interest im really lost and i promised my boss that i
would have this fixed yesterday :-)

ASA Version 8.0(4)
!
hostname ciscoasa
domain-name nordicsol.local
enable password TPElrzuRXEajseWy encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif internet
 security-level 0
 ip address 82.xxx.95.2 255.255.255.252
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.5 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 nameif MID
 security-level 100
 ip address 192.168.100.10 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 nameif public_DMZ
 security-level 50
 ip address 85.xxx.225.97 255.255.255.248
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
ftp mode passive
dns domain-lookup internet
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 192.168.50.100
 domain-name nordicsol.local
object-group network DM_INLINE_NETWORK_1
 network-object host 82.xxx.95.2
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp
 service-object tcp eq www
access-list outside_access_in extended permit ip host 194.6.238.85 any
access-list outside_access_in extended permit tcp any interface internet eq sip
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq smtp
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 987
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq https
access-list outside_access_in extended permit udp any interface internet eq sip
access-list outside_access_in extended permit udp any object-group DM_INLINE_NETWORK_1 range 9000 9015
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 3478 log disable
access-list outside_access_in extended permit udp any host 82.xxx.95.2 eq 3478 log disable
access-list outside_access_in extended permit ip host 85.xxx.249.246 any
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq ftp
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 4000
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 4001
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 3389
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 4010
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 2224 log disable
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 2222 log disable
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 2221 log disable
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 4030
access-list outside_access_in extended permit object-group TCPUDP any host 82.xxx.95.2 eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 82.xxx.95.2
access-list outside_access_in extended permit tcp any host 82.xxx.95.2 eq 2121
access-list nsvpn_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.35.192 255.255.255.224
access-list nsvpn_splitTunnelAcl_1 standard permit 192.168.50.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu internet 1500
mtu inside 1500
mtu MID 1500
mtu management 1500
mtu public_DMZ 1500
ip local pool IP_VPN 192.168.35.201-192.168.35.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any internet
icmp permit any public_DMZ
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
nat-control
global (internet) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,internet) tcp interface 2224 192.168.50.100 2224 netmask 255.255.255.255
static (inside,internet) tcp interface 2222 192.168.50.100 2222 netmask 255.255.255.255
static (inside,internet) tcp interface 2221 192.168.50.100 2221 netmask 255.255.255.255
static (inside,internet) tcp interface 987 192.168.50.104 987 netmask 255.255.255.255
static (inside,internet) tcp interface smtp 192.168.50.108 smtp netmask 255.255.255.255
static (inside,internet) tcp interface https 192.168.50.108 https netmask 255.255.255.255
static (inside,internet) tcp interface ftp 192.168.50.100 ftp netmask 255.255.255.255
static (inside,internet) udp interface sip 192.168.50.170 sip netmask 255.255.255.255
static (inside,internet) tcp interface sip 192.168.50.170 sip netmask 255.255.255.255
static (inside,internet) udp interface 9000 192.168.50.170 9000 netmask 255.255.255.255
static (inside,internet) udp interface 9001 192.168.50.170 9001 netmask 255.255.255.255
static (inside,internet) udp interface 9002 192.168.50.170 9002 netmask 255.255.255.255
static (inside,internet) udp interface 9003 192.168.50.170 9003 netmask 255.255.255.255
static (inside,internet) udp interface 9004 192.168.50.170 9004 netmask 255.255.255.255
static (inside,internet) udp interface 9005 192.168.50.170 9005 netmask 255.255.255.255
static (inside,internet) udp interface 9006 192.168.50.170 9006 netmask 255.255.255.255
static (inside,internet) udp interface 9007 192.168.50.170 9007 netmask 255.255.255.255
static (inside,internet) udp interface 9008 192.168.50.170 9008 netmask 255.255.255.255
static (inside,internet) udp interface 9009 192.168.50.170 9009 netmask 255.255.255.255
static (inside,internet) udp interface 9010 192.168.50.170 9010 netmask 255.255.255.255
static (inside,internet) udp interface 9011 192.168.50.170 9011 netmask 255.255.255.255
static (inside,internet) udp interface 9012 192.168.50.170 9012 netmask 255.255.255.255
static (inside,internet) udp interface 9013 192.168.50.170 9013 netmask 255.255.255.255
static (inside,internet) udp interface 9014 192.168.50.170 9014 netmask 255.255.255.255
static (inside,internet) udp interface 9015 192.168.50.170 9015 netmask 255.255.255.255
static (inside,internet) tcp interface 3478 192.168.50.170 3478 netmask 255.255.255.255
static (inside,internet) udp interface 3478 192.168.50.170 3478 netmask 255.255.255.255
static (inside,internet) tcp interface 4000 192.168.50.163 4000 netmask 255.255.255.255
static (inside,internet) tcp interface 4001 192.168.50.163 4001 netmask 255.255.255.255
static (inside,internet) tcp interface 3389 192.168.50.153 3389 netmask 255.255.255.255
static (inside,internet) tcp interface 4010 192.168.50.163 4010 netmask 255.255.255.255
static (inside,internet) tcp interface 4030 192.168.50.163 4030 netmask 255.255.255.255
static (inside,internet) tcp interface www 192.168.50.163 www netmask 255.255.255.255
static (inside,internet) tcp interface 2121 192.168.50.250 2121 netmask 255.255.255.255
access-group outside_access_in in interface internet
route internet 0.0.0.0 0.0.0.0 82.xxx.95.1 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable 488
http 193.213.25.215 255.255.255.255 internet
http 88.88.72.217 255.255.255.255 internet
http 192.168.50.0 255.255.255.0 inside
http 195.18.201.1 255.255.255.255 internet
http 192.9.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 88.88.19.156 255.255.255.255 internet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet_map interface internet
crypto isakmp enable internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.9.2.0 255.255.255.0 inside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 50
console timeout 0
dhcpd address 192.168.50.120-192.168.50.125 inside
dhcpd dns 213.184.xxx.1 213.184.xxx.2 interface inside
!
dhcpd address 192.168.100.150-192.168.100.155 MID
dhcpd dns 213.184.xxx.1 213.184.xxx.2 interface MID
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 port 1045
 enable internet
 svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 1
 svc enable
group-policy sslvpnpol internal
group-policy sslvpnpol attributes
 vpn-tunnel-protocol svc
 webvpn
  url-list none
group-policy nsvpn_1 internal
group-policy nsvpn_1 attributes
 dns-server value 192.168.50.xxx
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nsvpn_splitTunnelAcl_1
 default-domain value nordicsol
group-policy nsvpn internal
group-policy nsvpn attributes
 dns-server value 192.168.50.100
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nsvpn_splitTunnelAcl
username sslvpn password /wqkW1nOKnhluDsi encrypted
username nordicsol password zgmiT./VCzXSBlAW encrypted privilege 0
username nordicsol attributes
 vpn-group-policy nsvpn_1
username trine password yEZR/N9aQxehMtwR encrypted
username rolfm password R1bC0Q4OxNyMP4bt encrypted
username rongarlid password CK5VMH06/kZU1SAw encrypted
tunnel-group nsvpn type remote-access
tunnel-group nsvpn general-attributes
 address-pool IP_VPN
 default-group-policy nsvpn_1
tunnel-group nsvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect sip  
  inspect ftp
!
service-policy global_policy global
mount NS type cifs
 server 192.168.50.100
 share software
 domain nordicsol
 username james
 password ********
 status disable
prompt hostname context
Cryptochecksum:7f819e73fa5f1a1f000a45c3f8f1a97a
: end
0
 
LVL 1

Author Closing Comment

by:daxa78
ID: 33520452
Put me in the right direction.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33520804
Glad you got it going - sorry I didn't get back to you but your config post was 1:30 am my time and I was sleeping!
0

Featured Post

Do email signature updates give you a headache?

Constantly trying to correctly format email signatures? Spending all of your time at every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
SSH logs Cisco switch 4 33
Cisco iWAN 8 46
cisco nexus experiance 2 30
Monitor vmware windows vm status of services 9 34
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now