12-02-2012 07:53 PM - edited 03-11-2019 05:31 PM
Evening all!
So I have tried configuring this a few times now, and I have not had much success!
I am trying to do two things:
- first, have the DMZ be completely transparent to the inside network (icmp, https, and a few other TCP ports).
- secondly, I want to NAT my DMZ network to external.
Think anyone can give me a hand with this?
Below is a base config of my ASA.
~~~~~~~~~~~~~~~~~
ASA Version 8.0(4)
!
hostname igniteCSGfw
enable password awUSpLuFs5wdhqJE encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 inside-network
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 208.118.125.130 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz_inside
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object tcp
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any inside-network 255.0.0.0
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz_inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 inside-network 255.0.0.0
static (dmz_inside,outside) 208.118.125.131 172.16.10.10 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 208.118.125.129 1
route inside inside-network 255.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http inside-network 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside-network 255.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 management
telnet timeout 5
ssh inside-network 255.0.0.0 inside
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ignitecsg password 028ZcrY5F/cbezVk encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:626845dd33f8aeaa909dcbda9b04af05
: end
12-02-2012 09:17 PM
Hello Darren,
Okay... I will start with the DMZ being transparent to the DMZ
static (inside,dmz_inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dmz_inside,inside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
Now let's talk about being able to talk from DMZ to inside. If this is required you need this:
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz_inside
OUTSIDE to DMZ
You have the following in place already:
static (dmz_inside,outside) 208.118.125.131 172.16.10.10 netmask 255.255.255.255
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any
Does the access from outside to the DMZ server work?
Remember to rate all of the CSC answers (the stars at the bottom of each reply).
Julio
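The block below is an added example, not part of Darren's posted config or Julio's reply. It puts the whole procedure from this thread into one 8.0(4) NAT and ACL set for the inside/dmz_inside/outside topology above: identity statics so inside and DMZ see each other untranslated, the DMZ PAT to outside that the question asked for but the reply did not cover (it reuses the existing global (outside) 1 interface), and DMZ and outside ACLs that only open the ports the question mentions instead of permit ip any any. Interface names, addresses, the inside-network name and the 172.16.10.10 host come from the posted config; the ACL and object-group names (dmz_access_in, outside_to_dmz, DMZ_TO_INSIDE_TCP), the extra TCP ports (ssh, 3389, www) and the 10.1.1.50 test host are assumptions standing in for "a few other TCP ports". Note that on 8.0 the ACL bound to the outside interface matches the mapped (global) address, not the real DMZ address; that changed in 8.3.

```cisco
! ---- Added example for ASA 8.0(4); not from the original thread ----
! Names, ports and the test host marked "assumed" are placeholders.

! 1. Inside <-> DMZ without translation (identity statics, same address both sides).
!    The existing "nat (inside) 1" matches inside hosts but pool 1 only has a
!    global on outside, so inside->DMZ would fail with "no translation group
!    found"; the statics exempt this pair of interfaces from the dynamic rule.
static (inside,dmz_inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dmz_inside,inside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

! 2. DMZ -> outside: PAT the whole DMZ behind the outside interface address,
!    reusing "global (outside) 1 interface" from the posted config.
!    Static NAT takes precedence over nat/global, so 172.16.10.10 still
!    appears as 208.118.125.131 through its existing static.
nat (dmz_inside) 1 172.16.10.0 255.255.255.0

! 3. DMZ -> inside: only icmp plus the TCP ports the inside actually needs.
!    (https from the question; ssh and 3389 are assumed placeholders.)
object-group service DMZ_TO_INSIDE_TCP tcp
 port-object eq https
 port-object eq ssh
 port-object eq 3389
access-list dmz_access_in extended permit icmp 172.16.10.0 255.255.255.0 inside-network 255.0.0.0
access-list dmz_access_in extended permit tcp 172.16.10.0 255.255.255.0 inside-network 255.0.0.0 object-group DMZ_TO_INSIDE_TCP
! Block everything else toward inside before allowing the DMZ out to the internet;
! order matters because the ACL is evaluated top down, first match wins.
access-list dmz_access_in extended deny ip any inside-network 255.0.0.0
access-list dmz_access_in extended permit ip 172.16.10.0 255.255.255.0 any
access-group dmz_access_in in interface dmz_inside

! 4. Outside -> published DMZ host. The posted outside_access_in_1 permits
!    "ip any any", which leaves every port of 172.16.10.10 reachable; this
!    ACL opens only the published services. On 8.0 the destination is the
!    MAPPED address. Binding it replaces the outside_access_in_1 binding.
access-list outside_to_dmz extended permit tcp any host 208.118.125.131 eq https
access-list outside_to_dmz extended permit tcp any host 208.118.125.131 eq www
access-group outside_to_dmz in interface outside

! 5. Let echo replies return statefully instead of relying on ACL holes.
policy-map global_policy
 class inspection_default
  inspect icmp

! 6. Verify each path before trusting it (10.1.1.50 is an assumed inside host).
!    Each run should end with "Action: allow" and show the expected xlate.
packet-tracer input inside tcp 10.1.1.50 12345 172.16.10.10 443
packet-tracer input dmz_inside tcp 172.16.10.10 12345 10.1.1.50 443
packet-tracer input dmz_inside tcp 172.16.10.20 12345 8.8.8.8 80
packet-tracer input outside tcp 198.51.100.7 12345 208.118.125.131 443
show xlate
```

Step 6 is the check to run after applying the rest: the first trace confirms the identity static is used (the xlate should keep 10.1.1.50 unchanged), the third confirms a non-published DMZ host is PATed behind the outside interface address, and the fourth should be allowed only on 443 and 80; repeating it with another port should end in "Action: drop" on the outside_to_dmz ACL.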
12-03-2012 10:22 AM
Julio, Thank you so much. Worked perfectly!
Darren