topic ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration in Network Security

ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration - Only one Public IP

patrick.hurley — Tue, 12 Mar 2019 01:42:06 GMT

I am using a Cisco E4200 router today but I am moving to a ASA5505. I have a device that sets up a VPN tunnel that I want to put in my DMZ. It's called the ATT Gateway. I have attached the diagram. When I use a Cisco E4200 all I do is put the outside private ip address of 192.168.0.99 of the ATT Gateway into the DMZ of the E4200 and the VPN tunnel of the ATT Gateway comes right up. I cannot configure the DMZ to do the same with the ASA. I also need to have the laptop behind the gateway access the printers in the inside network. Any document or advice that anyone has that addresses similar situations?

DMZ Configuration Question ASA5505

Jouni Forss — Sun, 12 May 2013 11:02:36 GMT

Hi,

I am not completely sure about the setup and the configurations of the ASA5505.

Generally if you have setting up some VPN connection from a device behind ASA I would configure a dedicated public IP address for the VPN device through the use of Static NAT on the ASA5505. Ofcourse if the public address space gives the chance then even better choice is to have the public subnet directly configured between the ASA DMZ and the actual VPN device.

One thing that concerns me is that fact that we are using an ASA5505. What license do you have on it? Because the Base License only allows for 3 Vlan interfaces and one of those interfaces has to be limited to be able to initiate connections to ONLY ONE of the other 2 interfaces. (This by itself might make the above setup impossible, depending what kind of VPN setup you are doing and how the public IP addresses is done on the ASA)

- Jouni

Re: DMZ Configuration Question ASA5505

patrick.hurley — Sun, 12 May 2013 17:30:18 GMT

I only have one public IP address. I have security plus license. This is a small home office. I am just trying to recreate the DMZ capability I have with my Cisco E4200 on the ASA 5505. Were you able to review the diagram? Are you familar with Cisco Linksys DMZ configurations?

ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration

Jouni Forss — Sun, 12 May 2013 18:06:49 GMT

Hi,

I have not used the Linksys devices. I guess they are Ciscos devices aimed at consumers.

I am assuming that the ATT Gateway automatically forms a VPN connection to the some device on the Internet as soon as it has connectivity to the Internet.

It would probably be best to check your ASA configuration for any possible problems with the basic configurations. Can you share the ASA configurations?

- Jouni

ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration

patrick.hurley — Sun, 12 May 2013 18:41:16 GMT

I am not configured yet. I played around with it and it would not come up. I know it's a different paradigm but I was hoping for someone to show me a configuration they had done which allows the device in the diagram to build it's VPN connectivity using the ASA with only a single outside IP address.

Re: ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration

Ionut.Hristea — Sun, 12 May 2013 18:51:30 GMT

Hi,
Can you please paste the configuration on the ASA?

ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration - O

Jouni Forss — Sun, 12 May 2013 18:58:17 GMT

Well,

The very basic configurations to get Internet connections working for all users would for example be

Interfaces / Routing

interface Vlan1

description LAN

nameif inside

security-level 100

ip add 192.168.0.1 255.255.255.0

interface Ethernet0/1

description LAN

interface Vlan10

description WAN

nameif outside

security-level 0

ip address (with static ip)

ip address dhcp setroute (with dhcp)

interface Ethernet0/0

description WAN

switchport access vlan 10

interface Vlan5

description DMZ

nameif dmz

security-level 50

ip add 192.168.5.1 255.255.255.0

interface Ethernet0/2

description DMZ - ATT Gateway

switchport access vlan 5

route outside 0.0.0.0 0.0.0.0 (if static ip on interface "outside")

route dmz 172.20.20.20.0 255.255.255.0 192.168.5.2 (if the network behind ATT should be visible to the rest of the network)

NAT Rules

If using software 8.2 or below

no nat-ctonrol

global (outside) 1 interface

nat (inside) 1 192.168.0.0 255.255.255.0

nat (dmz) 1 192.168.5.0 255.255.255.0

nat (dmz) 1 172.20.20.0 255.255.255.0

access-list INSIDE-NAT0 remark NAT0 between local networks

access-list INSIDE-NAT0 permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list INSIDE-NAT0 permit ip 192.168.0.0 255.255.255.0 172.20.20.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

If using software 8.3 or above

object-group network DEFAULT-PAT-SOURCE

network-object 192.168.0.0 255.255.255.0

network-object 192.168.5.0 255.255.255.0

network-object 172.20.20.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

ICMP Inspection

fixup protocol icmp

fixup protocol icmp error

Those are some very basic configurations.

- Jouni

ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration - O

patrick.hurley — Sun, 12 May 2013 19:35:39 GMT

Thanks Jouni. That's what I need to get me started for sure. How do I expose 192.168.5.2 ports (all of them as that is the configuration they recommend) as if it was the public IP address of the ASA?

Re: ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration

Jouni Forss — Sun, 12 May 2013 19:40:45 GMT

Hi,

To be honest if we configured the public IP address on the "outside" interface of the ASA to be used only by the ATT device (Static NAT) then we would not have anything to NAT/PAT the LAN devices to.

On the 8.2 or below software as an alternative we would have to forward port by port to my understanding

On the 8.3 or above software as an alternative we could forward ranges of ports to the DMZ device.

The above NAT configuration only enable the ATT device to open connections to the Internet. It doesnt enable any connections from the Internet towards that device.

- Jouni

Re: ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration

patrick.hurley — Sun, 12 May 2013 19:55:04 GMT

here is the configuration now. I can't get the tunnel to come up. will my other device that I have the outside interface pulled into ignore the vlan tag for vlan 2? I think I might have an issue there too.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.05.12 12:52:32 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.99 255.255.255.0
!
interface Vlan5
nameif dmz
security-level 0
ip address 192.168.5.1 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Netgate
host 192.168.5.2
object network A_192.168.0.1
host 192.168.0.1
access-list outside_access_in extended permit ip any object Netgate
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip any interface inside
access-list dmz_access_in extended permit ip any interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network Netgate
nat (dmz,outside) static A_192.168.0.1
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route dmz 172.20.20.0 255.255.255.0 192.168.5.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 dmz
http 172.20.20.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 dmz
ssh 172.20.20.0 255.255.255.0 dmz
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
!
tls-proxy maximum-session 12
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ph1819 password Jw8sD68tfrYmonI4 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ed8c7f20fb793c3500a71d442812e377
: end

ciscoasa#

ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration - O

Jouni Forss — Sun, 12 May 2013 20:05:22 GMT

Hi,

The DMZ ACL doesnt really allow traffic through the ASA at all.

Also the current configuration doesnt seem to match the PDF document. There to my understanding the network 192.168.0.0/24 was the "inside" network and the ASA "outside" had the public IP address directly.

- Jouni

Re: ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration

patrick.hurley — Sun, 12 May 2013 20:08:37 GMT

you are right on the 2nd paragraph. I was afraid to tear apart my network to install the ASA only to find out it couldn't do the DMZ piece correctly. I am trying to get the ATT Gateway to work before I tear it a part.

How do I fix the DMZ ACL that you mention in the first paragraph?

ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration - O

Jouni Forss — Sun, 12 May 2013 20:12:35 GMT

Hi,

To have the ASA allow traffic from behind the DMZ interface you would need something like this

access-list dmz_access_in extended permit ip 192.168.5.0 255.255.255.0 any

access-list dmz_access_in extended permit ip 172.20.20.0 255.255.255.0 any

Provided you want to allow all TCP/UDP traffic from the DMZ networks to anywhere.

- Jouni

Re: ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration

patrick.hurley — Sun, 12 May 2013 20:21:17 GMT

is there a brief book that you'd recommend that explains basic operations of the asa? I have two from 2005 and 2006 and they are both old and 800 pages long. LOL.

Here is the new configuration.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.05.12 13:17:48 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa

names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.99 255.255.255.0
!
interface Vlan5
nameif dmz
security-level 0
ip address 192.168.5.1 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Netgate
host 192.168.5.2
object network A_192.168.0.1
host 192.168.0.1
access-list outside_access_in extended permit ip any object Netgate
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip any interface inside
access-list dmz_access_in extended permit ip any interface outside
access-list dmz_access_in extended permit ip 192.168.5.0 255.255.255.0 any
access-list dmz_access_in extended permit ip 172.20.20.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network Netgate
nat (dmz,outside) static A_192.168.0.1
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route dmz 172.20.20.0 255.255.255.0 192.168.5.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 dmz
http 172.20.20.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 dmz
ssh 172.20.20.0 255.255.255.0 dmz
ssh timeout 5
console timeout 0

ciscoasa#

ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration - O

Jouni Forss — Sun, 12 May 2013 21:59:56 GMT

Hi,

To be honest I started with Cisco firewalls without knowing anything about them and without having as much as a single course about them.

I did my final work at school about a small business network with Cisco PIX firewall.

I used the graphical configuration tool to configure the basic settings and then used the CLI to change the configurations.

When I finally got my current job I basically had to start going through existing configurations and eventually learn how everything works. Every problem that I faced always teached my something new. Eventually I started regularly using the Configuration Guide and Command Reference documents found for every software level of the firewalls. These are a great supporting document when configuring the firewall. But to be honest I wish sometimes that they went more into the subject that they currently do OR that Cisco would release some thorough documents which I am sure they must have.

So I cant really suggest a book for you since I have never read one related to firewalls. Currently I am reading myself a couple of 700 pages books related to routing for my certification exams that I decided to start. Though they arent really required from my employers perspective but though I might as well get some of them now that I have several years of expirience.

If you want to check the different Configuration Guides and Command References, check these links

Configuration Guide

http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

Command Reference

http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

There is also a wealth of information online that can be found just Googling around.

Naturally this forum is also a good place. But related to this situation we would really need to know exactly what the configuration should do.

Problem for me is that I am not sure how your Linksys is actually handling the traffic and with 1 public IP address. By the things you say it would almost seem that there should be some Port Forward / Static PAT configurations but that would also be something that you should remember configuring and I dont know how the device would automate that simple configuration.

Do you have some screen captures of the Linksys configurations? I imagine its configured through some graphical interface?

- Jouni

Re: ASA5505 DMZ Configuration vs Linksys E4200 DMZ Configuration

patrick.hurley — Mon, 13 May 2013 01:16:01 GMT

Let me put some screen shots together but basically I have been using Linksys for home networking forever and you can put one private IP address in what is called the DMZ but it's not really. They then allow all ports open from the public side to that private IP address without blocking anything.