01-23-2009 07:48 AM - edited 03-11-2019 07:41 AM
I've come to the conclusion that Cisco should rename their "Cisco ASA 5505 Getting Started Guide" to "Cisco ASA 550 A Guide To Spending A Lot Of Money And Receive Utter Frustration In Return". Nothing in this manual is consistent. On one page they use one set of IP addresses and on another they use something totally different. I'm not sure what IP addresses to place where anymore... I'm beginning to wonder about Cisco's ability to provide quality documentation. Anyway, I didn't mean to vent here but I am totally frustrated...
On with the problem at hand...
I have three PCs. Two are on the inside network and one is in the DMZ, which acts as a web/e-mail server. I use an ISP which provides a public internet address of, let's say, 216.130.17.10 via DHCP. I also have a base license for the ASA 5505, so I realize the DMZ cannot initiate any contact with the inside VLAN but the inside VLAN can talk to the DMZ VLAN. Oh, also I'm using the ASDM interface.
Question 1: Does the DMZ have to have a separate public IP address provided by the ISP?
Question 2: How do you do port forwarding on this thing? I'd like to forward the web and mail server ports to the DMZ.
Any help with this would be greatly appreciated...
Best Regards
01-23-2009 12:27 PM
Okay, I'm a bit confused here. If you want to access from outside then you need to use the public IP address in your access-list.
If you want to access from inside to DMZ then use the 192.168.5.2 address. You will also need a static statement, e.g. let's say your inside network is 192.168.1.0/24:
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Jon
01-23-2009 12:50 PM
Jon,
The static statement you wrote has the same addresses in it?
Best Regards
01-23-2009 01:00 PM
Yes, I know. This is how you tell the ASA that the inside addresses will appear as the same IP addresses on the DMZ.
Jon
01-23-2009 01:19 PM
Why would I want to do this?
01-23-2009 01:22 PM
With the greatest respect, if you don't want to read the manuals you should perhaps take the advice of people who have :-)
It's a PIX/ASA idiosyncrasy that is basically telling the device not to NAT. On other vendors' firewalls you don't have to do this. On a PIX/ASA you do, unless you want to disable nat-control.
Jon
01-23-2009 01:24 PM
Thanks for the clarification, that makes sense...
01-23-2009 02:39 PM
Jon,
I do appreciate what you are trying to do here, but I think working in the blind is just going to frustrate you... So, with deep appreciation, below is a copy of my configuration as it stands right now...
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name my.domain.com
enable password ***** Taken out by me ***** encrypted
passwd ***** Taken out by me ***** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name my.domain.com
access-list outside_access_in extended permit tcp any host 98.122.121.101 eq smtp
access-list outside_access_in extended permit tcp any host 98.122.121.101 eq pop3
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,dmz) tcp 192.168.8.10 www 98.122.121.101 www netmask 255.255.255.255
static (outside,dmz) tcp 192.168.8.10 smtp 98.122.121.101 smtp netmask 255.255.255.255
static (outside,dmz) tcp 192.168.8.10 pop3 98.122.121.101 pop3 netmask 255.255.255.255
static (dmz,inside) interface 192.168.1.0 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 98.122.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum: ***** Taken out by me *****
: end
01-23-2009 02:51 PM
Okay, few things.
1) What is IP address 98.122.121.101 - is that the outside interface address? If so, change the static statements from
static (outside,dmz) tcp 192.168.8.10 www 98.122.121.101 www netmask 255.255.255.255
to
static (dmz,outside) tcp interface www 192.168.8.10 www netmask 255.255.255.255
etc.. for all statics.
If it isn't the outside address then let me know.
2) remove this line
static (dmz,inside) interface 192.168.1.0 netmask 255.255.255.255
3) add in to your config
global (dmz) 1 interface
this is instead of the previous static statement i gave you.
4) Your default route on the ASA points to 98.122.112.1.
Again, what is 98.122.121.101?
Can you do all this config on the command line? I don't use ASDM, but it looks like it has put things the wrong way round - certainly in terms of the statics.
Jon
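The points Jon makes in this post and in his earlier explanation of the identity static (that under nat-control the ASA must be told explicitly how inside addresses appear on the DMZ, and that a `static` is written real-interface first) are pulled together below as an added example. It is not configuration from the thread or from Cisco's guide; it assumes ASA 7.2(4) with nat-control left on, inside 192.168.1.0/24, dmz 192.168.8.0/24, a DMZ web/mail host at 192.168.8.2, and the outside interface addressed by DHCP (the public address is written as the thread's placeholder xx.yyy.121.101). The outbound DMZ policy at the end is an assumed hardening, not something the thread asks for.

```text
! Added example, not from the thread. Assumes ASA 7.2(4), nat-control on,
! inside 192.168.1.0/24, dmz 192.168.8.0/24, DMZ web/mail host 192.168.8.2,
! outside address via DHCP (public address shown as xx.yyy.121.101).

! --- Inbound port forwards: static (real_ifc,mapped_ifc), real side first ---
! "interface" binds the mapping to whatever address DHCP gives the outside
! interface, so it survives a lease change.
static (dmz,outside) tcp interface www  192.168.8.2 www  netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 192.168.8.2 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 192.168.8.2 pop3 netmask 255.255.255.255

! --- Inside -> DMZ under nat-control: either line satisfies the requirement ---
! (a) identity static: inside hosts keep their own addresses on the DMZ
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! (b) or PAT inside hosts to the DMZ interface address instead
! global (dmz) 1 interface

! --- Inbound ACL: only the three forwarded ports, not all of TCP ---
! Weak: permits every TCP port to the public address
!   access-list outside_access_in extended permit tcp any host xx.yyy.121.101
! Corrected: one entry per forwarded service
access-list outside_access_in extended permit tcp any host xx.yyy.121.101 eq www
access-list outside_access_in extended permit tcp any host xx.yyy.121.101 eq smtp
access-list outside_access_in extended permit tcp any host xx.yyy.121.101 eq pop3
! The ACL does nothing until it is bound to the interface
access-group outside_access_in in interface outside

! --- Assumed hardening: limit what the DMZ host may start outbound ---
! Applying an inbound ACL on dmz replaces the default allow-to-lower-security
! behaviour, so list every service the host legitimately needs.
access-list dmz_access_in extended permit tcp host 192.168.8.2 any eq smtp
access-list dmz_access_in extended permit udp host 192.168.8.2 any eq domain
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
```

Two caveats a practitioner will want. First, the `interface` keyword on the statics tracks the DHCP lease, but the ACL entries above still name the literal public address and have to be edited if the ISP hands out a different one. Second, the inbound path can be checked from the CLI before touching a client: `packet-tracer input outside tcp 203.0.113.5 12345 xx.yyy.121.101 80` (203.0.113.5 is a made-up source from the documentation range) walks the packet through the ACL, the static and the route and reports which phase drops it; `show xlate` then confirms the translation slot once real traffic arrives. An inside-to-DMZ test uses the DMZ host's real address (192.168.8.2), not the public one: nothing in this configuration translates the public address on the inside interface, so a browser pointed at the DynDNS name from an inside PC will not reach the DMZ server.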
01-23-2009 04:13 PM
If I hook my PC straight to the cable modem and do an ipconfig /all this is what I get:
ip address 98.122.126.212
subnet mask 255.255.240.0
default gateway 98.122.112.1
I had placed a previous call to Cisco and was told to use 98.122.121.101 by their technician. It seems to work; I can get from the inside network to the outside internet.
Hope this helps...
01-24-2009 04:58 PM
O.K. Jon,
I created the above configuration.
A few problems though:
I can access my web page from outside but not from the inside VLAN.
I can send e-mail from outside and the DMZ e-mail server receives it, but I cannot send or receive e-mail from the inside VLAN.
I cannot Remote Desktop from inside to the DMZ server...
Below is the config:
ciscoasa> ena
Password:
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name my.domain.com
enable password :*** Commented Out *** encrypted
passwd :*** Commented Out *** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name my.domain.com
access-list outside_access_in extended permit tcp any host xx.yyy.121.101
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www 192.168.8.2 www netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 192.168.8.2 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 192.168.8.2 pop3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 192.168.8.2 xx.yyy.121.101 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.yyy.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*** Commented Out ***
: end
01-24-2009 06:11 PM
Well at least we are making some progress :-)
You have this statement -
static (dmz,inside) 192.168.8.2 xx.yyy.121.101 netmask 255.255.255.255
When you try to access from inside - what IP address are you using as the destination IP address ?
Jon
01-24-2009 06:35 PM
It's a good thing :)
I use www."domain name".com, which is translated by DynDns.org to xx.yyy.121.101.
I also tried typing 192.168.8.2 into the IE browser with the same results...
What I think may be happening is I don't have the "interface" keyword on the static statement? Just guessing?
Jose
01-25-2009 05:02 AM
Fixed it... But when I try to send or receive e-mail from the inside VLAN I get:
6 Jan 25 2009 07:54:16 106015 75.180.132.77 98.122.121.101 Deny TCP (no connection) from 75.180.132.77/110 to xx.yyy.121.101/1805 flags RST ACK on interface outside.
75.180.132.77 is RoadRunner cable, my ISP.
Do I need a NAT rule or an access rule? Not sure...
Best Regards
Jose
01-23-2009 01:18 PM
Jon,
I placed the static statement in my configuration. Can't send an e-mail from inside and receive an e-mail from the DMZ. Not sure what's going on. I have followed your instructions.
01-23-2009 10:29 AM
Have you considered maybe using a managed firewall service like that of http://www.firewalloptions.com or http://www.viawest.net instead of doing it yourself? This may be a lot less stressful for you and you wouldn't have to read those manuals you dislike.