Hello everybody,

i have to replace our zywall with an 5520 asa.

the following configuration:

outside-ip: 82.218.6.10/255.255.255.255

default route 82.218.6.254

inside-ip: 10.0.1.201/255.255.0.0  dhcp 10.0.5.1-10.0.5.100

wlan-ip: 192.168.0.1/255.255.255.0    dhcp 192.168.0.2-100

dmz: 82.218.135.6/255.255.255.248

our mailserver(dmz-network) 82.218.135.3 is connected to the dmz.

an rdp-server(inside-network) 10.0.1.200:3389 should be reached from 82.218.6.10:3389

connections from inside out outside, inside to dmz and inside to wlan.

connections from wlan to outside, wlan to dmz

connections from dmz to outside

should be possible.

connection from outside to dmz only for port 25,110,143,80,443,22 on ip 82.218.135.3

connections from outside 82.218.6.10:3389 to ip 10.1.0.200:3389

i have problems to implement the connection to dmz and rdp-server

can anyone help me ?

mike

my asa 5520 vers 8.3(1) configuration looks like below.

: Saved

:

ASA Version 8.3(1)

!

hostname ciscoasa

enable password BAAHMFij1MQkOyaD encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 100

ip address 82.218.6.10 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.1.201 255.255.0.0

!

interface GigabitEthernet0/2

description WLAN

nameif wlan

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface GigabitEthernet0/3

nameif dmz

security-level 100

ip address 82.218.135.6 255.255.255.248

!

interface Management0/0

nameif management

security-level 50

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

same-security-traffic permit inter-interface

object network mailserver

host 82.218.135.3

object service RDP

service tcp source eq 3389 destination eq 3389

object network rdpserver

host 10.0.1.200

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq ssh

port-object eq https

port-object eq imap4

port-object eq pop3

port-object eq smtp

access-list outside_access_in extended permit object RDP any host 10.0.1.200

access-list outside_access_in extended permit tcp any object mailserver object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit object RDP any object rdpserver

access-list outside_access_in extended permit ip any any

access-list inside_access_in extended permit ip any any

access-list dmz_access_in extended permit ip any any

access-list dmz_access_in extended permit ip 10.0.0.0 255.255.0.0 82.218.135.0 255.255.255.248

access-list dmz_access_in extended permit ip 192.168.0.0 255.255.255.0 82.218.135.0 255.255.255.248

access-list wlan_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu outside 1500

mtu inside 1500

mtu wlan 1500

mtu dmz 1500 

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

nat (wlan,outside) source dynamic any interface

nat (dmz,outside) source dynamic any interface

!

object network mailserver

nat (dmz,outside) static mailserver service tcp www www

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group wlan_access_in in interface wlan

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 82.218.6.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.0.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

dhcpd address 10.0.5.1-10.0.5.100 inside

dhcpd dns 10.1.1.254 interface inside

dhcpd option 3 ip 10.0.1.201 interface inside

dhcpd enable inside

!

dhcpd address 192.168.0.2-192.168.0.100 wlan

dhcpd dns 10.1.1.254 interface wlan

dhcpd option 3 ip 192.168.0.1 interface wlan

dhcpd enable wlan

!           

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 91.118.20.250 source outside prefer

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:d249b8f11ad9acf55f444b9f4f3ee7bb

: end

ciscoasa(config)#