topic Re: ASA 5510 DMZ configuration in Network Security

ASA 5510 DMZ configuration

Amarsanaa_a — Mon, 11 Mar 2019 19:45:43 GMT

Dear all,

I'm in newbie in CISCO firewalls. I have a problem with DMZ configuration. Our web server is using inside IP address and DMZ ip address also port is using 83. When i type from inside interface http://192.168.14:83 i can access to web server. Now i want it to enable access from internet using firewall public ip address(for example http://202.165.200.225:83). Please check below schema.

Any help would be appreciated

Re: ASA 5510 DMZ configuration

Jennifer Halim — Mon, 07 Feb 2011 08:23:09 GMT

Which version of ASA are you using? and also is there typo in the ip address (web server dmz ip address you have 10.10.30.14), however, dmz interface ip address of the ASA is 10.30.30.1 (they are not in the same subnet), please kindly advise which is the correct subnet.

Also, assuming that you would like to access the web server from the Internet via its DMZ interface instead of the inside interface, right? You have default gateway on the web server pointing towards the ASA dmz interface ip address?

Re: ASA 5510 DMZ configuration

Amarsanaa_a — Mon, 07 Feb 2011 09:27:35 GMT

Asa version is

"ASA5510> show version

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51"

DMZ Web server IP address is 10.30.30.14. I draw it wrong.

I want to access web server from Inside and Internet. On the web server i manually configured 2 IP addresses and 2 gateways.

Re: ASA 5510 DMZ configuration

Jennifer Halim — Mon, 07 Feb 2011 09:36:09 GMT

so i assume that you would like to use the DMZ ip address for access from the Internet?

If so, then here is the configuration:

static (dmz,outside) tcp interface 83 10.30.30.14 83 netmask 255.255.255.255

Also, on the access-list applied to your outside interface, you will have to add the following:

access-list permit tcp any interface outside eq 83

BTW, would applying 2 default gateways on the web server work? Does it detect automatically where the traffic is coming from and send the traffic towards the correct default gateway? Because if traffic is routed from ASA DMZ towards the web server DMZ interface, and if the reply goes outbound from web server inside interface towards ASA inside interface, ASA will drop the packet because of assymetric routing. Traffic needs to come in and out of the same interface pair as ASA keeps track of the connection state.

Hope that helps.

Re: ASA 5510 DMZ configuration

Amarsanaa_a — Mon, 07 Feb 2011 09:54:43 GMT

Sometimes our inside network is down. When i restart web server. network is come back. I suspect this problem related using 2 gateways on web server.

My current situation is: all salesmen come to office and synchronize their data via wireless using http://192.168.14:83. Now when they are out of office they want to synchronize data via internet http://202.165.200.225:83

I will test your configration and let you know.

Appriciate your help

Many Thanks

Amaraa

Re: ASA 5510 DMZ configuration

Jennifer Halim — Mon, 07 Feb 2011 10:03:26 GMT

From my experience, having 2 default gateways might not work.

I would recommend that you configure default gateway towards the ASA DMZ interface ip address as this will be for inbound access from the Internet.

For the inside NIC of the web server, if the wireless ip subnet is also in 192.168.1.0/24 then you don't need to configure default gateway for that inside NIC because they are in the same subnet, so it will arp for the ip address. Otherwise, if your wireless is in different subnet, then you can configure static route for routing towards the inside NIC.

Re: ASA 5510 DMZ configuration

Amarsanaa_a — Wed, 09 Feb 2011 10:06:16 GMT

Our web server is also sending data over VPN via 192.168.1.14. If i remove gateway it cannot send data over VPN.

That's mean:

1st. I need to remove default gateway of 192.168.1.0/24 range

2n I need to write static route on 192.168.1.0/24 range. Is that correct.

"route add -p 192.168.1.14 mask 255.255.255.255 192.168.1.1"

Re: ASA 5510 DMZ configuration

Jennifer Halim — Wed, 09 Feb 2011 10:11:42 GMT

1st/ yes, you are correct. You have to removed the default gateway for the 192.168.1.0/24 (inside subnet).

2nd/ no, you don't configure static route for 192.168.1.0/24 because that is directly connected subnet. What is your vpn ip pool? you will need to add route for your vpn ip pool subnet to point to 192.168.1.1

Re: ASA 5510 DMZ configuration

Amarsanaa_a — Thu, 10 Feb 2011 07:27:59 GMT

How to configure IP Pools and route on the firewall. Please kindly advice for me.

Thanks

Amaraa

Re: ASA 5510 DMZ configuration

Jennifer Halim — Thu, 10 Feb 2011 07:30:20 GMT

No, you mentioned that it's also sending traffic towards the VPN, so you would need to find out what is the VPN remote LAN subnets, and configure route on the web server itself for the VPN remote LAN subnet to point towards the firewall inside interface.

Re: ASA 5510 DMZ configuration

Amarsanaa_a — Thu, 10 Feb 2011 07:47:37 GMT

I think this is remote VPN address. Now how to configure route on web server.

Thanks

Amaraa

Re: ASA 5510 DMZ configuration

Jennifer Halim — Thu, 10 Feb 2011 07:50:58 GMT

route add -p 10.2.16.0 mask 255.255.254.0 192.168.1.1

route add -p 10.2.2.0 mask 255.255.255.0 192.168.1.1

route add -p 10.2.5.0 mask 255.255.255.0 192.168.1.1

route add -p 166.166.0.0 mask 255.255.0.0 192.168.1.1