
Help with DMZ on ASA 5510

Dec 1, 2011
I'm a total newb at this, and I need help with configuring a DMZ on an ASA 5510 running 8.2(4).

So let's say my ASA has the following ports configured:

LAN: 10.0.0.3 Security 100
TWT_Internet: 15.192.45.138 Security 0
DMZ: 192.168.10.1 Security 50

And I have two web servers, 192.168.10.2 and 192.168.10.3, in the DMZ.

How do I configure it to:

1. allow outside traffic to the web servers, port 80 or 443 only
2. allow inside traffic to ping them, and access all of the services (website, ssh, etc)
3. allow the web servers to communicate with servers on the inside?

I've tried several approaches with no success; the only thing I can do is ping the DMZ interface on the ASA from the web server, and vice versa. So I have removed everything involving the DMZ, except the interface itself, from my config and want to start over again.

Thanks,

Allen
 
Here is a scrubbed version of my config as it stands.

hostname SCO-ASA-01

interface Ethernet0/0
nameif TWT_Internet
security-level 0
ip address xxx.xxx.xxx.43 255.255.255.248
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif LAN
security-level 100
ip address 10.0.0.3 255.255.0.0
!
ftp mode passive
dns domain-lookup LAN
dns server-group DefaultDNS
name-server 10.0.0.85
name-server 10.0.0.100
domain-name xxxx.net
access-list from_outside extended permit icmp 10.0.0.0 255.255.0.0 xxx.xxx.245.40 255.255.255.248 echo
access-list from_LAN extended permit icmp any any echo
access-list My_IPSEC_TG_splitTunnelAcl standard permit 10.0.0.0 255.255.0.0
access-list TWT_Internet_access_in extended permit ip any any
access-list LAN_access_in extended permit ip any any
access-list LAN_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.255.253.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.255.252.0 255.255.255.0
access-list My_IPSEC_TG_splitTunnelAcl_1 standard permit 10.0.0.0 255.0.0.0
access-list out extended permit icmp any any
access-list out-in extended permit tcp any interface DMZ eq pptp
access-list out-in extended permit icmp any any
access-list cap extended permit ip host 10.0.0.90 host 10.0.8.3
access-list cap extended permit ip host 10.0.8.3 host 10.0.0.90
access-list Medicare-DDE_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
logging host LAN 10.0.0.151 17/1514
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export delay flow-create 60
mtu TWT_Internet 1500
mtu LAN 1500
mtu DMZ 1500
ip local pool My_IPSEC_AP_1 10.255.253.2-10.255.253.250 mask 255.255.255.0
ip local pool My_SSL_AP_1 10.255.252.2-10.255.252.250
icmp unreachable rate-limit 1 burst-size 1
icmp permit any LAN
asdm history enable
arp timeout 14400
nat-control
global (TWT_Internet) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
access-group out in interface TWT_Internet
access-group LAN_access_in in interface LAN
route TWT_Internet 0.0.0.0 0.0.0.0 xxx.xxx.245.41 1
route LAN 10.0.0.0 255.0.0.0 10.0.0.1 1
route LAN 32.77.242.3 255.255.255.255 10.0.0.6 1
route LAN 32.90.100.7 255.255.255.255 10.0.0.6 1
route LAN 32.91.198.116 255.255.255.255 10.0.0.6 1
route LAN 32.91.198.117 255.255.255.255 10.0.0.6 1
route LAN 69.222.73.69 255.255.255.255 10.0.0.6 1
route LAN 158.73.0.0 255.255.0.0 10.0.0.6 1
route LAN 164.120.156.14 255.255.255.255 10.0.0.6 1
route LAN 172.20.192.119 255.255.255.255 10.0.0.6 1
route LAN 204.146.91.0 255.255.255.0 10.0.0.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

http server enable
http 192.168.1.0 255.255.255.0 LAN
http 0.0.0.0 0.0.0.0 LAN
snmp-server host LAN 10.0.0.114 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 0.0.0.0 0.0.0.0 LAN
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 LAN
ssh timeout 5
console timeout 0
management-access LAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
!
service-policy global_policy global
prompt hostname context
: end
 
Try starting with this:
Code:
no nat-control

access-list LAN_nat0_outbound extended permit 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list dmz_nat0 extended permit 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any interface TWT_Internet eq 80
access-list outside_access_in extended permit tcp any interface TWT_Internet eq 443
access-list outside_access_in extended permit tcp any host x.x.x.44 eq 80
access-list outside_access_in extended permit tcp any host x.x.x.44 eq 443

static (DMZ,TWT_Internet) tcp interface 80 192.168.10.2 80
static (DMZ,TWT_Internet) tcp interface 443 192.168.10.2 443
static (DMZ,TWT_Internet) tcp x.x.x.x 80 192.168.10.3 80
static (DMZ,TWT_Internet) tcp x.x.x.x 443 192.168.10.3 443

nat (DMZ) 0 access-list dmz_nat0
nat (DMZ) 1 192.168.10.0 255.255.255.0
access-group outside_access_in in interface TWT_Internet

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico,

Thanks for helping me with this.

But I'm getting an error on the following two lines:

access-list LAN_nat0_outbound extended permit 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list dmz_nat0 extended permit 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0

It states invalid input; see below:

SCO-ASA-01(config)# access-list HPCCR_LAN_nat0_outbound extended permit 10.0.0$

access-list HPCCR_LAN_nat0_outbound extended permit 10.0.0.0 255.255.0.0 192.168 ^.10.0 255.255.255.0

ERROR: % Invalid input detected at '^' marker.
SCO-ASA-01(config)# exit
SCO-ASA-01# conf t
SCO-ASA-01(config)# access-list dmz_nat0 extended permit 192.168.10.0 255.255.$

access-list dmz_nat0 extended permit 192.168.10.0 255.255.255.0 10.0.0.0 255.255 ^.0.0
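A corrected version of the reply's snippet, as an added example and not a post from the thread. It keeps the interface names, subnets and security levels from the original post and the poster's x.x.x.44 placeholder; the DMZ access-list at the end is an assumption about what the web servers need, with 10.0.0.50 and TCP 1433 as constructed placeholders.

```cisco
! Added example (not from the thread). Interface names, subnets and security
! levels are those in the original post; x.x.x.44 is the poster's placeholder
! for the second public address; 10.0.0.50 and TCP 1433 are constructed here.
no nat-control
!
! NAT exemption LAN<->DMZ. The protocol keyword "ip" is what was missing in
! the reply's two lines and what produced the "Invalid input" error.
access-list LAN_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list dmz_nat0 extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (LAN) 0 access-list LAN_nat0_outbound
nat (DMZ) 0 access-list dmz_nat0
nat (DMZ) 1 192.168.10.0 255.255.255.0
!
! Static PAT publishes only 80 and 443 (requirement 1).
static (DMZ,TWT_Internet) tcp interface 80 192.168.10.2 80
static (DMZ,TWT_Internet) tcp interface 443 192.168.10.2 443
static (DMZ,TWT_Internet) tcp x.x.x.44 80 192.168.10.3 80
static (DMZ,TWT_Internet) tcp x.x.x.44 443 192.168.10.3 443
!
! Inbound ACL: on 8.2 the "interface" keyword takes the interface name and a
! single address needs "host". Binding this replaces the "out" ACL, so the
! old "permit icmp any any" from the Internet goes away.
access-list outside_access_in extended permit tcp any interface TWT_Internet eq 80
access-list outside_access_in extended permit tcp any interface TWT_Internet eq 443
access-list outside_access_in extended permit tcp any host x.x.x.44 eq 80
access-list outside_access_in extended permit tcp any host x.x.x.44 eq 443
access-group outside_access_in in interface TWT_Internet
!
! Requirement 2 (LAN -> DMZ ping/ssh/web) is high-to-low and already passes
! under LAN_access_in once the NAT exemption above is in place; echo replies
! return because global_policy has "inspect icmp".
!
! Requirement 3 (DMZ -> LAN) is low-to-high and is denied until an ACL on DMZ
! permits it. Allow only what the web servers need, deny the rest of the LAN
! with logging, then let them reach the Internet.
access-list dmz_access_in extended permit tcp host 192.168.10.2 host 10.0.0.50 eq 1433
access-list dmz_access_in extended permit tcp host 192.168.10.3 host 10.0.0.50 eq 1433
access-list dmz_access_in extended permit udp 192.168.10.0 255.255.255.0 host 10.0.0.85 eq 53
access-list dmz_access_in extended permit udp 192.168.10.0 255.255.255.0 host 10.0.0.100 eq 53
access-list dmz_access_in extended deny ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0 log
access-list dmz_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list dmz_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-group dmz_access_in in interface DMZ
```

The logged deny on dmz_access_in is the line to watch in the syslog host (10.0.0.151) after cut-over: it shows exactly which DMZ-to-LAN flows the web servers attempt that the narrow permits do not cover.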