Cisco ASA 5505 8.0(2) DMZ Server issues

drexthe01
Level 1

I am having some issues getting the DMZ server up and running.

I have internet access from inside.

I would like internet access from the DMZ.

Also outside to the DMZ.

I have tried adding static routes and configuring the ACL, to no avail. I know this is pre-8.3, so I couldn't find any NAT examples from before the change.

Here is my current config:

: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password -------- encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 100.200.301.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.200.300.18 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd -------- encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 100.200.301.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 100.200.300.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 100.200.301.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 100.200.300.18 255.255.255.255 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
username admin password xxxxxencrypted privilege 15
prompt hostname context
Cryptochecksum----------
: end

fb_webuser
Level 6

You need NAT. By default, internet access from inside and DMZ will work (higher security level). Inside to DMZ as well.

In CLI: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/ime/8_0_2/config/asa.html

Google is your friend.

And also upgrade to 8.2(5). 8.0(2) is very buggy...

---

Posted by WebUser Erik Boss from Cisco Support Community App
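For reference, this is the pre-8.3 NAT the reply is pointing at, written against the interface names and subnets in the posted config. It is an added example, not part of the original post or the reply, and it assumes the DMZ host is 10.10.10.10 and publishes TCP/80; both are placeholders. The posted config already has `global (outside) 1 interface` and `nat (inside) 1`, so what is missing is a `nat` line for the dmz interface, an identity static so inside can still reach the DMZ by its real addresses (with `nat (inside) 1` in place, inside traffic leaving via dmz would otherwise look for a `global (dmz)` that does not exist), a static for the published service, and an inbound ACL on outside, which at security-level 0 permits nothing inbound by default. Note that the posted `no forward interface Vlan1` on Vlan3 (the ASA 5505 Base license restriction) means the DMZ still cannot initiate connections to inside; inside can initiate to the DMZ and the return traffic is allowed, which is the usual DMZ behaviour.

```cisco
! Added example for the posted 8.0(2) config (not from the original post).
! Placeholders: DMZ server 10.10.10.10, published service TCP/80.

! 1. DMZ -> Internet: PAT the DMZ subnet behind the outside interface address.
!    Reuses the existing "global (outside) 1 interface"; only the dmz-side
!    nat statement is missing from the posted config.
nat (dmz) 1 10.10.10.0 255.255.255.0

! 2. Inside -> DMZ: identity translation so inside hosts keep their real
!    addresses toward the DMZ instead of needing a global on dmz.
static (inside,dmz) 100.200.301.0 100.200.301.0 netmask 255.255.255.0

! 3. Internet -> DMZ: publish one port of the DMZ host on the outside interface
!    address (port forwarding), not the whole host.
static (dmz,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255

! 4. Inbound ACL on outside. Pre-8.3 ACLs match the mapped (translated)
!    address, which here is the outside interface itself, so use the
!    "interface outside" keyword rather than the DMZ host's real address.
access-list outside_in extended permit tcp any interface outside eq 80
access-group outside_in in interface outside

! 5. Optional hardening: once an ACL is applied to dmz, the implicit
!    permit-to-lower-security behaviour is replaced by the ACL, so list
!    everything the DMZ host legitimately needs and nothing else.
access-list dmz_out extended permit udp host 10.10.10.10 any eq 53
access-list dmz_out extended permit tcp host 10.10.10.10 any eq 80
access-list dmz_out extended permit tcp host 10.10.10.10 any eq 443
access-list dmz_out extended deny ip any any log
access-group dmz_out in interface dmz

! Verification (198.51.100.1 is a documentation address standing in for a
! random Internet host; replace <outside-ip> with the outside interface IP):
!   packet-tracer input dmz tcp 10.10.10.10 1025 198.51.100.1 80
!   packet-tracer input outside tcp 198.51.100.1 1025 <outside-ip> 80
!   show xlate
!   show nat
```

The two `packet-tracer` runs should end with an ALLOW result and show the NAT phase picking up the `nat (dmz) 1` and `static (dmz,outside)` entries respectively; a DROP in the NAT phase with "no translation group found" is the usual sign that a `nat` statement matched but no `global` or identity `static` exists for the egress interface. Step 5 is what turns the DMZ into an actual containment zone: without it, a compromised DMZ host can reach any Internet destination on any port.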