05-11-2013 10:36 PM - edited 03-11-2019 06:42 PM
I am using a Cisco E4200 router today but I am moving to an ASA5505. I have a device that sets up a VPN tunnel that I want to put in my DMZ. It's called the ATT Gateway. I have attached the diagram. When I use a Cisco E4200, all I do is put the outside private IP address of 192.168.0.99 of the ATT Gateway into the DMZ of the E4200 and the VPN tunnel of the ATT Gateway comes right up. I cannot configure the DMZ to do the same with the ASA. I also need to have the laptop behind the gateway access the printers in the inside network. Does anyone have any document or advice that addresses similar situations?
05-12-2013 04:02 AM
Hi,
I am not completely sure about the setup and the configurations of the ASA5505.
Generally, if you are setting up some VPN connection from a device behind the ASA, I would configure a dedicated public IP address for the VPN device through the use of Static NAT on the ASA5505. Of course, if the public address space gives the chance, then an even better choice is to have the public subnet directly configured between the ASA DMZ and the actual VPN device.
One thing that concerns me is the fact that we are using an ASA5505. What license do you have on it? Because the Base License only allows for 3 VLAN interfaces, and one of those interfaces has to be limited to be able to initiate connections to ONLY ONE of the other 2 interfaces. (This by itself might make the above setup impossible, depending on what kind of VPN setup you are doing and how the public IP addresses are done on the ASA.)
- Jouni
05-12-2013 10:30 AM
I only have one public IP address. I have the Security Plus license. This is a small home office. I am just trying to recreate the DMZ capability I have with my Cisco E4200 on the ASA 5505. Were you able to review the diagram? Are you familiar with Cisco Linksys DMZ configurations?
05-12-2013 11:06 AM
Hi,
I have not used the Linksys devices. I guess they are Cisco's devices aimed at consumers.
I am assuming that the ATT Gateway automatically forms a VPN connection to some device on the Internet as soon as it has connectivity to the Internet.
It would probably be best to check your ASA configuration for any possible problems with the basic configurations. Can you share the ASA configurations?
- Jouni
05-12-2013 11:41 AM
I am not configured yet. I played around with it and it would not come up. I know it's a different paradigm, but I was hoping for someone to show me a configuration they had done which allows the device in the diagram to build its VPN connectivity using the ASA with only a single outside IP address.
05-12-2013 11:51 AM
Hi,
Can you please paste the configuration on the ASA?
05-12-2013 11:58 AM
Well,
The very basic configurations to get Internet connections working for all users would for example be
Interfaces / Routing
interface Vlan1
description LAN
nameif inside
security-level 100
ip add 192.168.0.1 255.255.255.0
interface Ethernet0/1
description LAN
interface Vlan10
description WAN
nameif outside
security-level 0
ip address
ip address dhcp setroute (with dhcp)
interface Ethernet0/0
description WAN
switchport access vlan 10
interface Vlan5
description DMZ
nameif dmz
security-level 50
ip add 192.168.5.1 255.255.255.0
interface Ethernet0/2
description DMZ - ATT Gateway
switchport access vlan 5
route outside 0.0.0.0 0.0.0.0
route dmz 172.20.20.0 255.255.255.0 192.168.5.2 (if the network behind ATT should be visible to the rest of the network)
NAT Rules
If using software 8.2 or below
no nat-control
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.5.0 255.255.255.0
nat (dmz) 1 172.20.20.0 255.255.255.0
access-list INSIDE-NAT0 remark NAT0 between local networks
access-list INSIDE-NAT0 permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 192.168.0.0 255.255.255.0 172.20.20.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
If using software 8.3 or above
object-group network DEFAULT-PAT-SOURCE
network-object 192.168.0.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 172.20.20.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
ICMP Inspection
fixup protocol icmp
fixup protocol icmp error
Those are some very basic configurations.
- Jouni
05-12-2013 12:35 PM
Thanks Jouni. That's what I need to get me started for sure. How do I expose 192.168.5.2 ports (all of them as that is the configuration they recommend) as if it was the public IP address of the ASA?
05-12-2013 12:40 PM
Hi,
To be honest if we configured the public IP address on the "outside" interface of the ASA to be used only by the ATT device (Static NAT) then we would not have anything to NAT/PAT the LAN devices to.
On the 8.2 or below software, as an alternative, we would have to forward port by port, to my understanding.
On the 8.3 or above software, as an alternative, we could forward ranges of ports to the DMZ device.
The above NAT configuration only enables the ATT device to open connections to the Internet. It doesn't enable any connections from the Internet towards that device.
- Jouni
05-12-2013 12:55 PM
Here is the configuration now. I can't get the tunnel to come up. Will my other device, that I have the outside interface pulled into, ignore the VLAN tag for VLAN 2? I think I might have an issue there too.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.05.12 12:52:32 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.99 255.255.255.0
!
interface Vlan5
nameif dmz
security-level 0
ip address 192.168.5.1 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Netgate
host 192.168.5.2
object network A_192.168.0.1
host 192.168.0.1
access-list outside_access_in extended permit ip any object Netgate
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip any interface inside
access-list dmz_access_in extended permit ip any interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network Netgate
nat (dmz,outside) static A_192.168.0.1
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route dmz 172.20.20.0 255.255.255.0 192.168.5.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 dmz
http 172.20.20.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 dmz
ssh 172.20.20.0 255.255.255.0 dmz
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
tls-proxy maximum-session 12
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ph1819 password Jw8sD68tfrYmonI4 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ed8c7f20fb793c3500a71d442812e377
: end
ciscoasa#
05-12-2013 01:05 PM
Hi,
The DMZ ACL doesn't really allow traffic through the ASA at all.
Also, the current configuration doesn't seem to match the PDF document. There, to my understanding, the network 192.168.0.0/24 was the "inside" network and the ASA "outside" had the public IP address directly.
- Jouni
05-12-2013 01:08 PM
You are right on the 2nd paragraph. I was afraid to tear apart my network to install the ASA only to find out it couldn't do the DMZ piece correctly. I am trying to get the ATT Gateway to work before I tear it apart.
How do I fix the DMZ ACL that you mention in the first paragraph?
05-12-2013 01:12 PM
Hi,
To have the ASA allow traffic from behind the DMZ interface you would need something like this
access-list dmz_access_in extended permit ip 192.168.5.0 255.255.255.0 any
access-list dmz_access_in extended permit ip 172.20.20.0 255.255.255.0 any
Provided you want to allow all TCP/UDP traffic from the DMZ networks to anywhere.
- Jouni
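The check Jouni describes above, as an added example that is not part of the thread and is not Cisco's tooling. On the ASA, an ACE whose destination is `interface inside` or `interface outside` matches only traffic addressed to the ASA's own address on that interface, so an inbound ACL consisting only of such entries permits nothing through the firewall; the two ACEs Jouni suggests (source DMZ networks, destination `any`) are what actually opens the path. The parser below covers only the slice of 8.3+ running-config syntax that appears in the pastes (interface blocks, extended ACEs, `access-group`, `route`); it does not resolve `object` names or model NAT. The two sample configs are constructed from the relevant lines of the first paste, before and after Jouni's two ACEs.

```python
import ipaddress

# Tokens that keep the parser inside an "interface" block (the pastes show no indentation).
IFACE_SUBCMDS = {"nameif", "security-level", "ip", "description", "switchport",
                 "speed", "duplex", "shutdown", "no"}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}

def _take_address(t, i):
    """Consume one ACE address spec at t[i]; return ((kind, value), next index)."""
    if t[i] in ("any", "any4", "any6"):
        return ("any", None), i + 1
    if t[i] == "host":
        return ("net", ipaddress.IPv4Network(t[i + 1] + "/32")), i + 2
    if t[i] in ("object", "object-group"):  # not resolved by this small parser
        return ("object", t[i + 1]), i + 2
    if t[i] == "interface":  # the ASA's own address on that interface (to-the-box)
        return ("interface", t[i + 1]), i + 2
    return ("net", ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False)), i + 2

def parse_asa_config(text):
    """Parse interface subnets, extended ACEs, access-group bindings and static routes."""
    cfg = {"interfaces": {}, "acls": {}, "access_groups": {}, "routes": []}
    iface = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if iface is not None and t[0] not in IFACE_SUBCMDS:
            iface = None  # left the interface block
        if t[0] == "interface":
            iface = {"subnet": None}
        elif iface is not None and t[0] == "nameif":
            cfg["interfaces"][t[1]] = iface
        elif iface is not None and t[:2] == ["ip", "address"] and len(t) > 3 and t[2] != "dhcp":
            iface["subnet"] = ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and t[2] != "remark":
            i = 3 if t[2] == "extended" else 2
            action, proto = t[i], t[i + 1]
            i += 3 if proto == "object-group" else 2  # a protocol object-group carries a name
            src, i = _take_address(t, i)
            if t[i] in PORT_OPS:  # optional source-port qualifier, e.g. "eq 80"
                i += 3 if t[i] == "range" else 2
            dst, i = _take_address(t, i)
            cfg["acls"].setdefault(t[1], []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "line": raw.strip()})
        elif t[0] == "access-group" and t[2] == "in":
            cfg["access_groups"][t[4]] = t[1]  # access-group ACL in interface NAME
        elif t[0] == "route":
            cfg["routes"].append((t[1], ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False)))
    return cfg

def through_permits(cfg, ifname):
    """Permit ACEs on ifname's inbound ACL that pass traffic *through* the ASA: source behind
    ifname (its subnet or a route via it), destination not an "interface X" address. None if no ACL."""
    acl = cfg["access_groups"].get(ifname)
    if acl is None:
        return None
    nets = [net for name, net in cfg["routes"] if name == ifname]
    subnet = cfg["interfaces"].get(ifname, {}).get("subnet")
    if subnet is not None:
        nets.append(subnet)
    hits = []
    for ace in cfg["acls"].get(acl, []):
        kind, val = ace["src"]
        behind = kind == "any" or (kind == "net" and any(val.overlaps(n) for n in nets))
        if ace["action"] == "permit" and ace["dst"][0] != "interface" and behind:
            hits.append(ace["line"])
    return hits

# Constructed input: the relevant lines of the thread's first paste, before Jouni's fix.
CONFIG_BEFORE = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.99 255.255.255.0
interface Vlan5
 nameif dmz
 security-level 0
 ip address 192.168.5.1 255.255.255.0
access-list outside_access_in extended permit ip any object Netgate
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip any interface inside
access-list dmz_access_in extended permit ip any interface outside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route dmz 172.20.20.0 255.255.255.0 192.168.5.2 1
"""

# The same config with the two ACEs Jouni suggested appended.
CONFIG_AFTER = CONFIG_BEFORE + """\
access-list dmz_access_in extended permit ip 192.168.5.0 255.255.255.0 any
access-list dmz_access_in extended permit ip 172.20.20.0 255.255.255.0 any
"""
```

Running `through_permits(parse_asa_config(CONFIG_BEFORE), "dmz")` returns an empty list, which is Jouni's finding; with `CONFIG_AFTER` it returns the two new ACEs. The `outside` ACL already has two through-permits, and `inside` returns `None` because no ACL is bound there, so the security-level default decides. Treating a `permit ip ... any` from the DMZ as the "open path" is what the thread asks for; on a real deployment the same check is a good place to confirm the destinations are no wider than the ATT device needs.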
05-12-2013 01:21 PM
Is there a brief book that you'd recommend that explains basic operations of the ASA? I have two from 2005 and 2006 and they are both old and 800 pages long. LOL.
Here is the new configuration.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.05.12 13:17:48 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.99 255.255.255.0
!
interface Vlan5
nameif dmz
security-level 0
ip address 192.168.5.1 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Netgate
host 192.168.5.2
object network A_192.168.0.1
host 192.168.0.1
access-list outside_access_in extended permit ip any object Netgate
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip any interface inside
access-list dmz_access_in extended permit ip any interface outside
access-list dmz_access_in extended permit ip 192.168.5.0 255.255.255.0 any
access-list dmz_access_in extended permit ip 172.20.20.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network Netgate
nat (dmz,outside) static A_192.168.0.1
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route dmz 172.20.20.0 255.255.255.0 192.168.5.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 dmz
http 172.20.20.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 dmz
ssh 172.20.20.0 255.255.255.0 dmz
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
tls-proxy maximum-session 12
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ph1819 password Jw8sD68tfrYmonI4 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:095d696ddb6c7913583dfc0f0534b16f
: end
ciscoasa#
05-12-2013 02:59 PM
Hi,
To be honest I started with Cisco firewalls without knowing anything about them and without having as much as a single course about them.
I did my final work at school about a small business network with Cisco PIX firewall.
I used the graphical configuration tool to configure the basic settings and then used the CLI to change the configurations.
When I finally got my current job I basically had to start going through existing configurations and eventually learn how everything works. Every problem that I faced always taught me something new. Eventually I started regularly using the Configuration Guide and Command Reference documents found for every software level of the firewalls. These are great supporting documents when configuring the firewall. But to be honest, I sometimes wish that they went more into the subject than they currently do, OR that Cisco would release some thorough documents, which I am sure they must have.
So I can't really suggest a book for you since I have never read one related to firewalls. Currently I am reading a couple of 700-page books related to routing for the certification exams that I decided to start. They aren't really required from my employer's perspective, but I thought I might as well get some of them now that I have several years of experience.
If you want to check the different Configuration Guides and Command References, check these links
Configuration Guide
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html
Command Reference
http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html
There is also a wealth of information online that can be found just Googling around.
Naturally this forum is also a good place. But related to this situation we would really need to know exactly what the configuration should do.
The problem for me is that I am not sure how your Linksys is actually handling the traffic with 1 public IP address. By the things you say, it would almost seem that there should be some Port Forward / Static PAT configurations, but that would also be something that you should remember configuring, and I don't know how the device would automate that simple configuration.
Do you have some screen captures of the Linksys configurations? I imagine it's configured through some graphical interface?
- Jouni