Question

  Asked: Jul 24 2008   1:45 PM GMT
  Asked by: Bradob


Cisco ASA 5505 setting up a DMZ


DMZ, Cisco ASA 5505, Network connectivity, Firewalls, ASA

I need it to talk to the internal network and for Outside to be able to access the website. We have an external IP's and would like to have two of them become static to two different internal Websites. Externals are 44.44.44.x . Internal is 192.168.x.x. VPN is in there too. I'd like for outside to see websites. Inside access the websites as well. I can't seem to get either to work. Below is a Show Run from the cisco

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname myhomecompany-asa5505
domain-name companyx.local
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.13.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 44.44.44.90 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name companyx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.17.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list MobileUser_splitTunnelAcl standard permit 192.168.13.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 44.44.44.91
access-list outside_access_in extended permit ip any interface dmz
access-list outside_access_in extended permit tcp any eq www host 44.44.44.91 eq www
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_Pool 192.168.17.0-192.168.17.50 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (dmz,outside) 44.44.44.91 10.10.10.30 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 44.44.44.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy MobileUser internal
group-policy MobileUser attributes
banner value Unauthorized access is prohibited.
dns-server value 192.168.13.250 192.168.15.250
vpn-tunnel-protocol IPSec
password-storage disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MobileUser_splitTunnelAcl
default-domain value companyx.local
group-policy DfltGrpPolicy attributes
banner value Unauthorized access is prohibited.
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
http server enable
http 192.168.17.0 255.255.255.0 inside
http 192.168.13.0 255.255.255.0 inside
http 88.88.88.0 255.255.255.248 outside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 88.88.88.134
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group 88.88.88.134 type ipsec-l2l
tunnel-group 88.88.88.134 ipsec-attributes
pre-shared-key *
tunnel-group MobileUser type ipsec-ra
tunnel-group MobileUser general-attributes
address-pool VPN_Pool
default-group-policy MobileUser
tunnel-group MobileUser ipsec-attributes
pre-shared-key *
telnet 192.168.13.0 255.255.255.0 inside
telnet 192.168.15.0 255.255.255.0 inside
telnet 192.168.17.0 255.255.255.0 inside
telnet 88.88.88.0 255.255.255.248 outside
telnet timeout 5
ssh 192.168.13.0 255.255.255.0 inside
ssh 192.168.15.0 255.255.255.0 inside
ssh 192.168.17.0 255.255.255.0 inside
ssh 88.88.88.0 255.255.255.248 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
class-map global-class
match port tcp eq pptp
!
!
policy-map global-policy
description For PPTP access
class global-class
inspect pptp
!
service-policy global-policy global
prompt hostname context
: end

Subscribe to Alerts! Get questions and answers delivered to your Inbox.


E-mail me updates on this question



   SUBSCRIBE

hidden modal window

Answer Wiki (Improve, edit or add to this answer)


 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0



ASA Version 7.2(2)
!
hostname reston-asa5505
domain-name companyx.local
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.13.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 44.44.44.90 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name companyx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.17.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list MobileUser_splitTunnelAcl standard permit 192.168.13.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 44.44.44.91 eq www
access-list outside_access_in extended permit tcp any host 44.44.44.91 eq https
access-list dmz_access_in extended permit tcp any host 10.10.10.30 eq www
access-list dmz_access_in extended permit tcp any host 10.10.10.40 eq smtp
access-list dmz_access_in extended permit tcp any host 10.10.10.30 eq https
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit ip host 192.168.1.110 host 10.10.10.30
access-list dmz_access_out extended permit tcp any host 10.10.10.30 eq www
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_Pool 192.168.17.0-192.168.17.50 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 44.44.44.91 10.10.10.30 netmask 255.255.255.255
static (inside,dmz) 192.168.13.0 192.168.13.0 netmask 255.255.255.0
static (dmz,inside) 192.168.13.110 10.10.10.30 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
route outside 0.0.0.0 0.0.0.0 66.173.205.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy MobileUser internal
group-policy MobileUser attributes
banner value Unauthorized access is prohibited.
dns-server value 192.168.13.250 192.168.15.250
vpn-tunnel-protocol IPSec
password-storage disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MobileUser_splitTunnelAcl
default-domain value companyx.local
group-policy DfltGrpPolicy attributes
banner value Unauthorized access is prohibited.
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
http server enable
http 192.168.17.0 255.255.255.0 inside
http 192.168.13.0 255.255.255.0 inside
http 198.137.232.0 255.255.255.0 outside
http 88.88.88.0 255.255.255.248 outside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 88.88.88.134
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group 88.88.88.134 type ipsec-l2l
tunnel-group 88.88.88.134 ipsec-attributes
pre-shared-key *
tunnel-group MobileUser type ipsec-ra
tunnel-group MobileUser general-attributes
address-pool VPN_Pool
default-group-policy MobileUser
tunnel-group MobileUser ipsec-attributes
pre-shared-key *
telnet 192.168.13.0 255.255.255.0 inside
telnet 192.168.15.0 255.255.255.0 inside
telnet 192.168.17.0 255.255.255.0 inside
telnet 198.137.232.0 255.255.255.0 outside
telnet 88.88.88.0 255.255.255.248 outside
telnet timeout 5
ssh 192.168.13.0 255.255.255.0 inside
ssh 192.168.15.0 255.255.255.0 inside
ssh 192.168.17.0 255.255.255.0 inside
ssh 88.88.88.0 255.255.255.248 outside
ssh 198.137.232.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
class-map global-class
match port tcp eq pptp
!
!
policy-map global-policy
description For PPTP access
class global-class
inspect pptp
!
service-policy global-policy global
prompt hostname context


Became a working solution
  • AddThis Social Bookmark Button

Browse more Questions and Answers on Security and Networking.

Looking for relevant Security Whitepapers? Visit the SearchSecurity.com Research Library.


Discuss This Answer


You must be logged-in to discuss a question. Log-in/Register