topic Re: Configure Dmz on ASA5505 in Network Security

Configure Dmz on ASA5505

Thomas_Madsen — Mon, 11 Mar 2019 22:04:42 GMT

I've been doing a quick search without finding the correct answere to my problem, might be that i should done some more searching but here it goes.

I have a asa 5505 Sec plus with 3vlan, inside, outside and dmz.

On the outside i have 5 ip's for my use, and in the dmz i have a webserver that need to communicate with one sql server on the inside.

The "sql" also needs to be accessible from outside and thus has a static nat with a dynamic nat so it replies from same ip as on nat ie 72.72.72.5

webserver is natted with 72.72.72.6

sql inside ip is 192.168.1.2, gw 192.168.1.1

webserver ip is 192.168.2.100 gw 192.168.2.1

sec lvl on inside is 100 and on dmz 50

with a dynamic policy running inside-net/24 to dmz-network/24 translagt to dmz 192.168.2.2 i can get it to ping 1 way from inside to dmz, but not the other way around...

All i need is to open 1 port ie 6677 both ways for this communication to work.

I'm not very familiar with the CLI and do most stuf in GUI (know i should learn CLI, but time doesnt let me)...

any tips on what i need to do ???

on access rules i have just added everything from any to any using , ip, icmp, tcp and udp just to be sure... 🙂

Happy for any pointers...

Configure Dmz on ASA5505

Julio Carvajal — Wed, 21 Dec 2011 16:17:03 GMT

Hello Thomas,

You want to mantain communication between the DMZ an inside right?

You will need an ACL on the DMZ permitting the traffic to the Inside

Also you will need a static (inside,dmz).

Can you post your configuration, also the IP address of the host on the dmz that needs to talk with a host on the Inside( Host IP)

Regards

Julio

Configure Dmz on ASA5505

Thomas_Madsen — Wed, 21 Dec 2011 20:34:00 GMT

Result of the command: "show conf"

: Saved
: Written by hm-k at 12:21:10.213 UTC Mon Dec 19 2011
!
ASA Version 8.2(1)
!
hostname cisco
domain-name friends.local
enable password ********* encrypted
passwd ********** encrypted
names
name 10.40.96.250 SQL-Server_Innside
name 217.111.111.108 Utside-Ekte_IP_108
name 217.111.111.242 Utside-Ekte-IP-242
name 217.111.111.243 Utside-Ekte-IP-243
name 217.111.111.244 Utside-Ekte-IP-244
name 217.111.111.245 Utside-Ekte-IP-245
name 217.111.111.246 Utside-Ekte-IP-246
name 10.40.97.254 Inside-Webserver
!
interface Vlan1
nameif inside
security-level 100
ip address 10.40.96.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Utside-Ekte-IP-242 255.255.255.248
!
interface Vlan12
nameif DMZ
security-level 50
ip address 10.40.97.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name friends.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Giant-Leap tcp
port-object eq 2077
port-object eq 2020
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq https
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq 2040
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-244 eq www
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 object-group Giant-Leap
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq www
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-244 eq https
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-246 eq www
access-list inside_nat0_outbound extended permit ip any 10.40.96.128 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool IP-VPN-Pool 10.40.96.150-10.40.96.175 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 Utside-Ekte-IP-246 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp Utside-Ekte-IP-246 www Inside-Webserver www netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 2040 10.40.96.27 2040 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 https 10.40.96.252 https netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 2077 SQL-Server_Innside 2077 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 2020 SQL-Server_Innside 2020 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 www SQL-Server_Innside www netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 217.111.111.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN-Friends protocol radius
aaa-server VPN-Friends (inside) host 10.40.96.254
timeout 5
key xxxxxxxxx
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_Friends internal
group-policy VPN_Friends attributes
dns-server value 10.40.96.254
default-domain value friends.local
address-pools value IP-VPN-Pool
username hm-k password xxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group VPN_Friends type remote-access
tunnel-group VPN_Friends general-attributes
address-pool (outside) IP-VPN-Pool
authentication-server-group VPN-Friends LOCAL
authentication-server-group (outside) VPN-Friends LOCAL
default-group-policy VPN_Friends
tunnel-group VPN_Friends ipsec-attributes
pre-shared-key *
tunnel-group VPN_Friends ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I've changed the outside ip's just in case, and removed i think all passwords and stuff 🙂

Configure Dmz on ASA5505

Julio Carvajal — Wed, 21 Dec 2011 20:45:06 GMT

Hello Thomas,

Ok lets say the IP address of the host on the inside ( SQL server) is 10.40.97.2 and the Web server on the DMZ is 10.40.96.2.

You need to have communication between those two servers on port 6677.

So here is the commands you need:

static(dmz,inside) 10.40.96.2 10.46.96.2

static (inside, dmz) tcp 72.72.72.6 6677 10.40.97.2 6677

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

Please rate helpful posts,

Give it a try and let me know the result!!

Julio

Configure Dmz on ASA5505

Thomas_Madsen — Wed, 21 Dec 2011 20:52:02 GMT

if sql uses 10.40.96.100 and webserver uses 10.40.97.200

should i then use

static(dmz,inside) 10.40.97.200 10.40.96.100

static (inside, dmz) tcp 10.40.96.100 6677 10.40.97.200 6677

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

Configure Dmz on ASA5505

Julio Carvajal — Wed, 21 Dec 2011 21:25:44 GMT

Hello Thomas,

No, They got to be natted to different ip address ( available ip addresses not the ones for the servers on each interface)

You got to know this first?

When the web-server wants to go to the SQL server what IP address do you want as destination (SQL server)

When the SQL server wants to go to the Inside Web-server what ip address do you want as the destination (Web-server)?

Then create the Static translation based on that.

Do you understand my point here?

Regards,

Julio

Re: Configure Dmz on ASA5505

Thomas_Madsen — Wed, 21 Dec 2011 21:30:37 GMT

yeah that was what i was thinking but not fully understanding 🙂 so what i need then is this ??

If webserver runs on 10.40.97.200 and sqlserver runs on 10.40.96.250

static(dmz,inside) 10.40.97.200 10.40.96.2

static (inside, dmz) tcp 10.40.96.250 6677 10.40.97.2 6677

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

would this solve it ?

Should static(dmz,inside) 10.40.97.200 10.40.96.2

be static(dmz,inside) tcp 10.40.97.200 6677 10.40.96.2 6677

Re: Configure Dmz on ASA5505

Julio Carvajal — Wed, 21 Dec 2011 21:46:37 GMT

Hello Thomas,

Yes, that should do it.

Now regarding the second question:Should static(dmz,inside) 10.40.97.200 10.40.96.2

be static(dmz,inside) tcp 10.40.97.200 6677 10.40.96.2 6677?

R/ You can use both of them, I think you will go for the Port forwarding, because that is what you are looking for.

So (dmz,inside) tcp 10.40.97.200 6677 10.40.96.2 6677 will work as well.

Please rate helpful posts.

Julio

Re: Configure Dmz on ASA5505

Thomas_Madsen — Wed, 21 Dec 2011 22:55:53 GMT

if i need them to reach eachoter on the actual ip adr of the servers, can i do this by setting same securitylvl ?

Re: Configure Dmz on ASA5505

Julio Carvajal — Wed, 21 Dec 2011 23:54:28 GMT

Hello Thomas,

No that cannot be done with the command same-security command.

You can have connectivity between them using the same ip address just by configuring identity nat:

static(dmz,inside) tcp 10.40.96.2 6677 10.40.96.2 6677

Regards,

Do please rate helpful posts.

Julio

Re: Configure Dmz on ASA5505

Thomas_Madsen — Thu, 22 Dec 2011 07:16:09 GMT

So if I want the webserver to use the sql internal ip adress and same with webserver to be reached from webserver using the webservers dmz ip i have to do this ??

static(dmz,inside) 10.40.97.200 6677 10.40.97.200 6677

static (inside, dmz) tcp 10.40.96.250 6677 10.40.97.250 6677

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

Is this command correct if the webserver ip in dmz is 10.40.97.200 and sql server on inside is 10.40.96.250 ?

Will the ASA do the subnet or does the subnet has to be changed from /29 to /28 ?

Will this affect any other NAT settings ??

Can i still have inside on lvl 100 and dmz on lvl50 or do i have to have them on lvl 100 ??

Re: Configure Dmz on ASA5505

Julio Carvajal — Thu, 22 Dec 2011 17:38:39 GMT

Hello Thomas,

That is the exact nat statement you need to acomplish a identity nat, witch seems like what you are looking for, it will not affect something else, just that if a host on the other interface wants to access one of those servers will need to to go the real ip address instead of one natted as usual.

Do not worry for the security level, you configured the ACLs to allow the communication with them.

Please do rate helpful posts.

Regards,

Julio

Re: Configure Dmz on ASA5505

Thomas_Madsen — Thu, 22 Dec 2011 18:01:32 GMT

might be me beeing stupid here but i did the following

static (inside, dmz) 10.40.96.250 10.40.97.250

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

skipped the protocol and port to be sure to get it up'n running, then i can add the ports later 🙂

I can ping from both sides now, but the program i'm trying to use doesnt work so i have to go to the customer tomorrow and set the servers on same network to be sure it's not the firewall messing with my head...

But if i got it right thoose settings should do what i need it to do..

all other machines are on inside vlan and can access the server as usual, and the webserver are only to be reached from outside or from sql server. The webserver on dmz vlan are aslo only to be able to reach the sql server on the inside vlan on given ports when i've got the communication up'n running 🙂

Thnks for all help....

Re: Configure Dmz on ASA5505

Julio Carvajal — Thu, 22 Dec 2011 18:11:24 GMT

Hello Thomas,

My pleasure, glad to hear that you can ping from both sides now.

If you have any other problem just let me know.

Regards,

Julio

Re: Configure Dmz on ASA5505

Thomas_Madsen — Fri, 23 Dec 2011 13:14:28 GMT

Is there any other things that can stop the communication between the dmz and inside ?

I've done the following

static (inside, dmz) 10.40.96.250 10.40.96.250

static (dmz, inside) 10.40.97.254 10.40.97.254

access-list dmz_to_in permit ip any any

access-group dmz_to_in in interface dmz

If i try unc it works, i can type \\ip and get shares, i can ping, i can access the webservice on both sides but the program i need working does not communicate.

I changed the ip of the "webserver" and tried the webservice once more and then it connects to 10.40.96.250 without problem. Move the webserver back to dmz and nothing.....

Any idea ?????

Would the identity nat work just as well if i just did

static (inside, dmz) 10.40.96.250 10.40.96.250

if i got this right i can then access the 96.250 ip from all ip's on the dmz, but only 96.250 can access ip's from the dmz ??

And if i just did

static (dmz, inside) 10.40.97.254 10.40.97.254

then i can access all ip's in the inside lan can access 97.254 but only 97.254 can access ip's in the insizde vlan ?

Re: Configure Dmz on ASA5505

Julio Carvajal — Fri, 23 Dec 2011 17:30:54 GMT

Hello Thomas,

Can you do a packet tracer,

packet-tracer input inside icmp 10.40.96.249 8 0 10.40.97.254

Regards,

Julio

Re: Configure Dmz on ASA5505

Thomas_Madsen — Fri, 23 Dec 2011 19:08:48 GMT

Result of the command: "packet-tracer input inside icmp 10.40.96.250 8 0 10.40.97.254"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.40.97.0 255.255.255.0 DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any log disable
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
service-policy global-policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,DMZ) SQL-Server_Innside SQL-Server_Innside netmask 255.255.255.255
match ip inside host SQL-Server_Innside DMZ any
static translation to SQL-Server_Innside
translate_hits = 5, untranslate_hits = 59
Additional Information:
Static translate SQL-Server_Innside/0 to SQL-Server_Innside/0 using netmask 255.255.255.255

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp Utside-Ekte-IP-243 2077 SQL-Server_Innside 2077 netmask 255.255.255.255
match tcp inside host SQL-Server_Innside eq 2077 outside any
static translation to Utside-Ekte-IP-243/2077
translate_hits = 4, untranslate_hits = 168
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 2 10.40.97.0 255.255.255.0
match ip DMZ 10.40.97.0 255.255.255.0 outside any
dynamic translation to pool 2 (Utside-Ekte-IP-246)
translate_hits = 279, untranslate_hits = 14
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1238768, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

Re: Configure Dmz on ASA5505

Thomas_Madsen — Fri, 23 Dec 2011 20:29:27 GMT

Result of the command: "packet-tracer input dmz icmp 10.40.97.254 8 0 10.40.96.250"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,DMZ) SQL-Server_Innside SQL-Server_Innside netmask 255.255.255.255
match ip inside host SQL-Server_Innside DMZ any
static translation to SQL-Server_Innside
translate_hits = 5, untranslate_hits = 60
Additional Information:
NAT divert to egress interface inside
Untranslate SQL-Server_Innside/0 to SQL-Server_Innside/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_to_in in interface DMZ
access-list dmz_to_in extended permit ip any any log debugging
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
service-policy global-policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 2 10.40.97.0 255.255.255.0
match ip DMZ 10.40.97.0 255.255.255.0 outside any
dynamic translation to pool 2 (Utside-Ekte-IP-246)
translate_hits = 279, untranslate_hits = 14
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,DMZ) SQL-Server_Innside SQL-Server_Innside netmask 255.255.255.255
match ip inside host SQL-Server_Innside DMZ any
static translation to SQL-Server_Innside
translate_hits = 5, untranslate_hits = 60
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp Utside-Ekte-IP-243 2077 SQL-Server_Innside 2077 netmask 255.255.255.255
match tcp inside host SQL-Server_Innside eq 2077 outside any
static translation to Utside-Ekte-IP-243/2077
translate_hits = 4, untranslate_hits = 168
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1249622, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Re: Configure Dmz on ASA5505

Julio Carvajal — Fri, 23 Dec 2011 20:57:01 GMT

Hello Thomas,

Ok so lets focus on this,

You need to be able to access the DMZ server 10.40.97.254 from all the inside users.

For that all you will need is

nat (inside) 1

Global (dmz) 1 interface

Please remove the following statement

no static (dmz, inside) 10.40.97.254 10.40.97.254

Now can you give it a try please?

After this changes please post the running-config.

Regards,

Julio

Re: Configure Dmz on ASA5505

Thomas_Madsen — Fri, 23 Dec 2011 21:17:10 GMT

Most important i believe is that the zspider program on the webserver in dmz can communicate with the sql server on the inside 🙂

Gone remove the VPN before next post...

Result of the command: "show config"

: Saved
: Written by hm-kontor at 03:08:40.846 UTC Fri Dec 23 2011
!
ASA Version 8.2(1)
!
hostname cisco
domain-name xxx.local
enable password xxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxx
names
name 10.40.96.250 SQL-Server_Innside
name xxxxxxxxxxx.242 Utside-Ekte-IP-242
name xxxxxxxxxxx.243 Utside-Ekte-IP-243
name xxxxxxxxxxx.244 Utside-Ekte-IP-244
name xxxxxxxxxxx.245 Utside-Ekte-IP-245
name xxxxxxxxxxx.246 Utside-Ekte-IP-246
name 10.40.97.249 Inside-Webserver
!
interface Vlan1
nameif inside
security-level 100
ip address 10.40.96.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Utside-Ekte-IP-242 255.255.255.248
!
interface Vlan12
nameif DMZ
security-level 50
ip address 10.40.97.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Giant-Leap tcp
port-object eq 2077
port-object eq 2020
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq https log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq 2040 log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-244 eq www log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 object-group Giant-Leap log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-243 eq www log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-244 eq https log disable
access-list outside_access_in extended permit tcp any host Utside-Ekte-IP-246 eq www log disable
access-list dmz_to_in extended permit ip any any log debugging
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm alerts
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool IP-VPN-Pool 10.40.96.150-10.40.96.175 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (inside) 3 10.40.96.2 netmask 255.0.0.0
global (outside) 1 interface
global (outside) 2 Utside-Ekte-IP-246 netmask 255.0.0.0
global (DMZ) 4 10.40.97.2 netmask 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 10.40.97.0 255.255.255.0
static (inside,outside) tcp Utside-Ekte-IP-243 2040 10.40.96.27 2040 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 https 10.40.96.252 https netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 2077 SQL-Server_Innside 2077 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 2020 SQL-Server_Innside 2020 netmask 255.255.255.255
static (inside,outside) tcp Utside-Ekte-IP-243 www SQL-Server_Innside www netmask 255.255.255.255
static (inside,DMZ) SQL-Server_Innside SQL-Server_Innside netmask 255.255.255.255
static (DMZ,inside) Inside-Webserver Inside-Webserver netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_to_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 Router-IP
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN-nds protocol radius
aaa-server VPN-nds (inside) host 10.40.96.254
timeout 5
key xxxxxxxxxx

http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_nds internal
group-policy VPN_nds attributes
dns-server value 10.40.96.254
default-domain value nds.local
address-pools value IP-VPN-Pool
username hmk password xxxxxxxxxxxxxxxencrypted privilege 15
tunnel-group VPN_nds type remote-access
tunnel-group VPN_nds general-attributes
address-pool (outside) IP-VPN-Pool
authentication-server-group VPN-nds LOCAL
authentication-server-group (outside) VPN-nds LOCAL
default-group-policy VPN_Friends
tunnel-group VPN_nds ipsec-attributes
pre-shared-key *
tunnel-group VPN_nds ppp-attributes
authentication ms-chap-v2
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect icmp
!
service-policy global-policy global