Cisco ASA5505 DMZ setup with ASDM

Posted on 2011-10-12
Last Modified: 2012-05-12
I am trying to set up a new router with a DMZ interface. How do I set up this interface using ASDM and allow users connected to this interface to reach the internet? I don't want the DMZ to be able to communicate with the inside interface.
Question by:adanser83
5 Comments
 
LVL 12

Expert Comment

by:jjmartineziii
ID: 36957162
Set your interface to be a DMZ:

interface Ethernet0/2
 nameif mirth
 security-level 50
 ip address 172.16.30.1 255.255.255.0

You must NAT your DMZ traffic. You probably have a line like this:
global (outside) 10 interface

This NATs all traffic on set '10' to the IP address of the outside interface. Assuming yours is the same, then you need:
nat (DMZ) 10 172.16.30.0 255.255.255.0

That should be it.
 
LVL 12

Expert Comment

by:jjmartineziii
ID: 36957182
If you insist on using ASDM, try this link:

http://www.cisco.com/en/US/docs/security/pix/pix72/quick/guide/dmz_p.html

It's for the PIX, but it's very similar if you are familiar with the concepts. If you post your full config with passwords and public IP addresses removed, we can post a customized config for you too.
 

Author Comment

by:adanser83
ID: 36957263
Here is my current config:

Result of the command: "show run"

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 6ZoFBEConbp3Z7DJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name XO-Gateway
name 10.23.141.93 SEO1-IN
name SEO1-OUT
name 10.23.141.62 SEO2-IN
name SEO2-OUT
name 10.23.141.94 SEO3-IN
name SEO3-OUT
name 10.23.141.88 SEO4-IN
name SEO4-OUT
name 10.23.141.70 SEO5-IN
name SEO5-OUT
name 10.23.141.51 SEO6-IN
name SEO6-OUT
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.23.140.51 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.5.x.x 255.255.255.224
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.23.136.51 255.255.255.0
!
ftp mode passive
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp echo-reply
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq telnet
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool IP-Remote-VPN 10.23.140.201-10.23.140.204 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 10.23.136.0 255.255.255.0
static (inside,outside) SEO1-OUT SEO1-IN netmask 255.255.255.255
static (inside,outside) SEO2-OUT SEO2-IN netmask 255.255.255.255
static (inside,outside) SEO3-OUT SEO3-IN netmask 255.255.255.255
static (inside,outside) SEO4-OUT SEO4-IN netmask 255.255.255.255
static (inside,outside) SEO5-OUT SEO5-IN netmask 255.255.255.255
static (inside,outside) SEO6-OUT SEO6-IN netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XO-Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PTMS-AD protocol ldap
aaa-server PTMS-AD (inside) host 10.23.140.5
 timeout 5
 server-type auto-detect
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
group-policy PTMS-RemoteVPN internal
group-policy PTMS-RemoteVPN attributes
 vpn-tunnel-protocol svc
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool IP-Remote-VPN
 authentication-server-group PTMS-AD
 default-group-policy PTMS-RemoteVPN
!
!
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:f3047ba03b7bd5760c6fdc99f9c3b515
: end
 
LVL 12

Accepted Solution

by:jjmartineziii (earned 2000 total points)
ID: 36957315
I believe your problem is this line:

nat (DMZ) 0 10.23.136.0 255.255.255.0

You are performing NAT exemption.

Try adding these lines:

no nat (DMZ) 0 10.23.136.0 255.255.255.0
nat (DMZ) 1 10.23.136.0 255.255.255.0
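As an added example (not code from the thread, from Cisco, or from either poster), here is a small Python checker that applies the reasoning of both expert comments above: it parses the nameif/security-level, global and nat lines of a pre-8.3 ASA running-config, flags a "nat (X) 0" exemption or a nat id that has no matching "global (outside)" pool, and emits the "no nat" / "nat" lines the accepted answer proposes. The embedded config is constructed (a trimmed copy of the shape of the posted one, with a documentation-range address on the outside), and the function names and the Finding kinds are my own, not ASA terminology.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed pre-8.3 running-config with the same NAT layout
# the thread discusses. Addresses are made up; 192.0.2.0/24 is documentation space.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.23.140.51 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.224
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.23.136.51 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 10.23.136.0 255.255.255.0
"""

@dataclass(frozen=True)
class NatRule:
    iface: str      # interface name from nameif
    pool_id: int    # 0 means identity NAT / exemption
    network: str
    mask: str

@dataclass(frozen=True)
class Finding:
    kind: str       # "NAT_EXEMPT" or "MISSING_GLOBAL" (names chosen here, not ASA terms)
    rule: NatRule

INTERFACE_RE = re.compile(r"^interface\s+\S+")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
SECLVL_RE = re.compile(r"^\s+security-level\s+(\d+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")

def parse_config(text):
    """Pull security levels, global pools and nat statements out of a running-config."""
    levels = {}     # nameif -> security-level
    pools = {}      # (egress iface, pool id) -> pool spec, e.g. "interface"
    nats = []
    current = None  # nameif of the interface block being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if INTERFACE_RE.match(line):
            current = None
            continue
        if m := NAMEIF_RE.match(line):
            current = m.group(1)
        elif (m := SECLVL_RE.match(line)) and current:
            levels[current] = int(m.group(1))
        elif m := GLOBAL_RE.match(line):
            pools[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := NAT_RE.match(line):
            nats.append(NatRule(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return levels, pools, nats

def audit_nat(levels, pools, nats, egress="outside"):
    """Flag nat statements that cannot give hosts internet access via `egress`."""
    findings = []
    for rule in nats:
        # Only higher-to-lower security translation is checked; anything else is out of scope.
        if levels.get(rule.iface, 0) <= levels.get(egress, 0):
            continue
        if rule.pool_id == 0:
            # nat 0 is exemption/identity NAT: packets leave with their private source
            # address, so replies from the internet have nowhere routable to go.
            findings.append(Finding("NAT_EXEMPT", rule))
        elif (egress, rule.pool_id) not in pools:
            # A nat id with no matching global on the egress interface has no address to use.
            findings.append(Finding("MISSING_GLOBAL", rule))
    return findings

def suggest_fix(findings, pools, egress="outside"):
    """Produce CLI lines that move each flagged rule onto a global pool on `egress`."""
    ids = sorted(pid for iface, pid in pools if iface == egress)
    pool_id = ids[0] if ids else 1
    cmds = []
    if not ids and any(f.kind == "NAT_EXEMPT" for f in findings):
        cmds.append(f"global ({egress}) {pool_id} interface")
    for f in findings:
        r = f.rule
        if f.kind == "NAT_EXEMPT":
            cmds.append(f"no nat ({r.iface}) 0 {r.network} {r.mask}")
            cmds.append(f"nat ({r.iface}) {pool_id} {r.network} {r.mask}")
        else:  # MISSING_GLOBAL: keep the id the rule already references, add its pool
            cmds.append(f"global ({egress}) {r.pool_id} interface")
    return cmds

def apply_commands(text, cmds):
    """Simplified apply: 'no ...' removes the matching line, anything else is appended."""
    lines = text.splitlines()
    for cmd in cmds:
        if cmd.startswith("no "):
            lines = [l for l in lines if l.strip() != cmd[3:]]
        else:
            lines.append(cmd)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    levels, pools, nats = parse_config(SAMPLE_CONFIG)
    findings = audit_nat(levels, pools, nats)
    for f in findings:
        print(f.kind, f.rule)
    print("\n".join(suggest_fix(findings, pools)))
```

Running it against the sample reports NAT_EXEMPT for the DMZ rule and prints exactly the two lines of the accepted answer; re-auditing the patched text comes back clean. The poster's other requirement, DMZ not reaching inside, is untouched by this change: on these releases a connection initiated from a lower security level (DMZ, 50) toward a higher one (inside, 100) is denied unless an access-group applied on the DMZ interface permits it, and the posted config additionally carries "no forward interface Vlan1" on the DMZ VLAN, which blocks traffic from that VLAN toward the inside VLAN (the ASA 5505 Base license requires this restriction on its third VLAN).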
 

Author Comment

by:adanser83
ID: 36957366
Thank you for your help. I will try these changes after hours and let you know tomorrow.
