ASA5505 DMZ and Internet access

rsydor
Level 1

Hi all,

I need help with an ASA 5505 with a Base License that uses 3 VLANs.

My VLAN 1 is used for my home network.

VLAN 2 is connected to the public Internet and my IP gets assigned by the ISP dynamically.

VLAN 3 is the DMZ, where I will have a few VMs that need access to and from the Internet.

I am looking for help with the following:

1) 172.16.0.2, which sits on the DMZ, will need to access the public Internet over port 80

2) Permit access from the Internet over port 3389 to 172.16.0.2

3) Permit any host on the private VLAN (192.168.0.0 network) to access 172.16.0.2 over port 3389

4) Permit a second VM on the DMZ VLAN, let's say 172.16.0.3, to access the public Internet on all ports. Access into this host is not permitted.

5) For some reason DHCP hosts are NOT getting the DNS (8.8.8.8) entry when an IP gets assigned or renewed. I have the statements below but it is not working.

Also, if someone can tell me if the ACL rules for VoIP are written correctly. The goal is to permit these ports (SIP related) to access the VoIP router.

Thanks in advance!!!

ASA Version 8.4(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password fXFg7fEDliCVstT. encrypted
passwd fXFt7fEDliCVsbT. encrypted
names
name 192.168.0.6 VoIP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 mac-address 0013.7207.9a04
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name default.domain.invalid
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network VoIP
 host 192.168.0.6
 description Created during name migration
object network DMZ_host
 subnet 172.16.0.0 255.255.255.0
object-group network obj_any
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside extended permit udp any object VoIP range 5001 5004
access-list inside extended permit udp any object VoIP range sip 5069
access-list inside extended permit udp any object VoIP range 16000 16500
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network obj_any-01
 nat (inside,outside) dynamic interface
object network DMZ_host
 nat (DMZ,outside) dynamic interface
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.0.3 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.40-192.168.0.50 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd update dns interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Peter password 0/Io/9lZF4JaI8Ki encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3b6d157a80a8a2870641ee236614873e
: end
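Before changing anything, an added set of checks (not part of the post) that show what the posted config actually does on the ASA itself; the two public addresses are placeholders for the DHCP-assigned outside address and for some Internet host.

```text
! Added example, not from the post. Placeholders: 203.0.113.10 = current outside (DHCP)
! address, 198.51.100.7 = an Internet host. All commands run from privileged EXEC.
!
! 1. Which ACLs are bound? Only a bound ACL filters traffic. In the posted config the VoIP
!    rules sit in an ACL named "inside", but the only access-group binds "inside_access_in",
!    so those VoIP lines can never match anything.
show running-config access-group
show running-config access-list
!
! 2. Per-rule hit counters (hitcnt=N) tell you whether a rule has ever matched.
show access-list inside_access_in
!
! 3. NAT table: DMZ_host should appear as a (DMZ,outside) dynamic PAT. There is no static
!    entry for 172.16.0.2, so inbound 3389 has nothing to translate to yet.
show nat detail
!
! 4. packet-tracer simulates a flow through NAT, ACL and routing without sending a packet.
!    Requirement 2, Internet -> DMZ VM on 3389 (expect drop: no static PAT, no outside ACL):
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 3389
!    Requirement 1, DMZ VM -> Internet on 80 (expect allow: DMZ has no ACL, so the
!    security-level rule 50 -> 0 applies and DMZ_host supplies the PAT):
packet-tracer input DMZ tcp 172.16.0.2 40000 198.51.100.7 80
!    Requirement 4 negative check, DMZ -> inside (expect drop: 50 -> 100 without an ACL):
packet-tracer input DMZ tcp 172.16.0.3 40000 192.168.0.3 445
!
! 5. DHCP: see what the server is configured to hand out and which clients hold leases.
show running-config dhcpd
show dhcpd binding
show dhcpd statistics
```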


Hi Bro

Could you remove all your present configuration, and paste this instead. Let me know what works and what doesn't :-)

!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!

interface Vlan3
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0

nat-control

object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0

object network obj-172.16.0.0
subnet 172.16.0.0 255.255.255.0

nat (inside,outside) dynamic interface
nat (DMZ,outside) dynamic interface


object network obj-172.16.0.2
  host 172.16.0.2


nat (inside,outside) source static obj-172.16.0.2 3389 interface 3389

nat (inside,DMZ) source static obj-172.16.0.0 obj-192.168.0.0

access-list inside permit tcp any host 172.16.0.2 eq 3389
access-list inside permit udp host 192.168.0.6 any range 5060 5061
access-list inside permit icmp any any
access-list inside deny ip any any log

access-list dmz permit icmp any any
access-list dmz permit tcp host 172.16.0.2 any eq 80
access-list dmz permit tcp host 172.16.0.2 any eq 443
access-list dmz permit tcp host 172.16.0.2 any eq 53
access-list dmz permit udp host 172.16.0.2 any eq 53
access-list dmz permit ip host 172.16.0.3 any
access-list dmz deny ip any any log

access-list outside permit icmp any any
access-list outside deny ip any any log

access-group inside in interface inside
access-group outside in interface outside
access-group dmz in interface DMZ


dhcpd address 192.168.0.40-192.168.0.50 inside
dhcpd dns 8.8.8.8
dhcpd enable inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcprelay timeout 60

Warm regards,
Ramraj Sivagnanam Sivajanam
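Added here as a worked example (neither the reply's nor the poster's config): one way to express requirements 1 to 4 in the object-NAT syntax that the 8.4 software on this box expects. The object and ACL names are my own, and the inside-to-DMZ deny is my assumption about how tight the inside rule should be.

```text
! Added example (not from the thread): ASA 8.4 object-NAT version of the DMZ policy.
! Assumes the interfaces/VLANs from the posted config; object and ACL names are mine.
!
! Base license: the third VLAN must be restricted from initiating traffic to one other VLAN.
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! Outbound PAT for both internal networks to the DHCP-assigned outside address.
object network INSIDE_NET
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ_NET
 subnet 172.16.0.0 255.255.255.0
 nat (DMZ,outside) dynamic interface
!
! Requirement 2: static PAT, outside tcp/3389 -> 172.16.0.2:3389 (object NAT, 8.3+ syntax).
object network DMZ_VM_RDP
 host 172.16.0.2
 nat (DMZ,outside) static interface service tcp 3389 3389
!
! Since 8.3 ACLs match the real (untranslated) address, so the outside ACL names 172.16.0.2.
access-list OUTSIDE_IN extended permit tcp any host 172.16.0.2 eq 3389
access-list OUTSIDE_IN extended deny ip any any log
!
! Requirement 3: inside may RDP to the DMZ VM; other inside->DMZ traffic is denied (my
! tightening, an assumption); everything else from inside, i.e. Internet access, stays allowed.
access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.2 eq 3389
access-list INSIDE_IN extended deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 192.168.0.0 255.255.255.0 any
!
! Requirements 1 and 4: DMZ hosts never initiate to inside; .2 gets HTTP (plus DNS so names
! resolve), .3 gets everything outbound. No inbound rule exists for .3, so nothing reaches it.
access-list DMZ_IN extended deny ip any 192.168.0.0 255.255.255.0 log
access-list DMZ_IN extended permit tcp host 172.16.0.2 any eq www
access-list DMZ_IN extended permit udp host 172.16.0.2 any eq domain
access-list DMZ_IN extended permit ip host 172.16.0.3 any
access-list DMZ_IN extended deny ip any any log
!
! An ACL only takes effect once bound with access-group (the posted VoIP ACL "inside" never was).
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
access-group DMZ_IN in interface DMZ
```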