07-26-2011 08:50 PM - edited 03-11-2019 02:04 PM
hi, I'm trying to configure an asa 5510 8.2(1)
I have a range of pub ips 3*.108.234.145-150
>>> E0/0 3*.108.234.146 outside public
>>> E0/1 192.168.1.1 inside
>>> E0/2 192.168.3.1 dmz
would like to map dmz host 192.168.3.107 to external 3*.108.234.147 on port 5000 and 50001
LOCAL LAN should also be able to get to dmz host ports.
I've tried a few configs and also followed this example:
without any luck; any help or a path towards a solution would be greatly appreciated.
Here is my config. I also posted the output of show arp, which is able to see and ping the host on dmz, and the output of
show access-list, which shows hits to it.
prophase-pix(config-if)# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname prophase-pix
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
description Outside Interface
nameif outside
security-level 0
ip address 3*.108.234.146 255.255.255.248
!
interface Ethernet0/1
description Inside Interface
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
description DMZ interface
nameif dmz
security-level 10
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
ftp mode passive
access-list outside_int extended permit tcp any host 3*.108.234.147 eq 5001
access-list outside_int extended permit icmp any any
access-list outside_int extended permit tcp any host 3*.108.234.147 eq www
access-list dmz_int extended permit tcp host 192.168.3.107 any eq 5001
access-list dmz_int extended permit tcp host 192.168.3.107 any eq www
pager lines 24
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 3*.108.234.147-3*.108.234.150 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 3*.108.234.147 192.168.3.107 netmask 255.255.255.255
access-group outside_int in interface outside
access-group dmz_int in interface dmz
route outside 0.0.0.0 0.0.0.0 3*.108.234.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh ********** 255.255.255.252 outside
ssh ********** 255.255.255.248 outside
ssh timeout 15
console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:86987d08c6e1e5cd81b4efb76d4b6e38
: end
prophase-pix(config-if)#
prophase-pix(config-if)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_int; 3 elements; name hash: 0x34f64c30
access-list outside_int line 1 extended permit tcp any host 3*.108.234.147 eq 5001 (hitcnt=5) 0xcddc1e66
access-list outside_int line 2 extended permit icmp any any (hitcnt=9) 0x39b835fb
access-list outside_int line 3 extended permit tcp any host 3*.108.234.147 eq www (hitcnt=1) 0x0827117a
access-list dmz_int; 2 elements; name hash: 0xacaf12cc
access-list dmz_int line 1 extended permit tcp host 192.168.3.107 any eq 5001 (hitcnt=0) 0xc9a3db55
access-list dmz_int line 2 extended permit tcp host 192.168.3.107 any eq www (hitcnt=0) 0xd3a5ac1e
prophase-pix(config-if)#
arp output:
dmz 192.168.3.107 0a0b.0c0d.0e0f 11748
regards,
-LC
07-26-2011 09:27 PM
Hi Luis,
First of all you have a couple of conflicting nat statements, you would not require this global statement:
global (outside) 1 3*.108.234.147-3*.108.234.150 netmask 255.255.255.248
since the ip address 3*.108.234.147 is already used in the static statement.
Now the config that you would require for access from outside to dmz:
static (dmz,outside) tcp 3*.108.234.147 5000 192.168.3.107 5000
static (dmz,outside) tcp 3*.108.234.147 5001 192.168.3.107 5001
access-list outside_int extended permit tcp any host 3*.108.234.147
access-group outside_int in interface outside
The config for access from inside to dmz:
static (dmz,inside) tcp 3*.108.234.147 5000 192.168.3.107 5000
static (dmz,inside) tcp 3*.108.234.147 5001 192.168.3.107 5001
since you are going from higher security to lower security, you would not need an access-list.
Could you please try it and let me know.
Hope this helps,
Thanks,
Varun
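As an added check, not part of the thread, the following Python script parses ASA 8.2 "global" and "static" lines and flags a mapped address that is both statically translated and inside a dynamic global pool on the same interface, which is the overlap Varun points out. It uses 203.0.113.x as a constructed stand-in for the masked public range in the original post.

```python
import ipaddress

# Constructed sample: the NAT lines from the original post, with the masked
# first octet replaced by the 203.0.113.0/24 documentation prefix (assumption).
ORIGINAL_NAT = """
global (outside) 1 203.0.113.147-203.0.113.150 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 203.0.113.147 192.168.3.107 netmask 255.255.255.255
"""

# Constructed sample: the corrected layout (range pool removed, port statics).
FIXED_NAT = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp 203.0.113.147 5000 192.168.3.107 5000
static (dmz,outside) tcp 203.0.113.147 5001 192.168.3.107 5001
static (dmz,inside) tcp 203.0.113.147 5000 192.168.3.107 5000
"""


def parse_global_pools(config):
    """Return (mapped_iface, low_ip, high_ip) for each address-based global pool."""
    pools = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "global" and parts[3] != "interface":
            iface = parts[1].strip("()")
            lo, _, hi = parts[3].partition("-")  # single IP or "lo-hi" range
            pools.append((iface, ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
    return pools


def parse_static_mapped(config):
    """Return (mapped_iface, mapped_ip) for each 'static (real,mapped)' line."""
    statics = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "static":
            _real_iface, _, mapped_iface = parts[1].strip("()").partition(",")
            idx = 3 if parts[2] in ("tcp", "udp") else 2  # skip protocol keyword
            statics.append((mapped_iface, ipaddress.ip_address(parts[idx])))
    return statics


def find_pool_conflicts(config):
    """List (mapped_ip, iface, pool) where a static's mapped IP also sits in a dynamic pool."""
    conflicts = []
    for s_iface, s_ip in parse_static_mapped(config):
        for g_iface, lo, hi in parse_global_pools(config):
            if s_iface == g_iface and lo <= s_ip <= hi:
                conflicts.append((str(s_ip), g_iface, f"{lo}-{hi}"))
    return conflicts
```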
07-27-2011 05:50 PM
thanks Varun,
the config is 1) much cleaner and 2) worked like a charm,
much obliged.
-LC