Cisco Asa 5510 configuration for dmz and web server

ksuber0758
Level 1

Hello all, I'm very new to Cisco and am looking for some advice on the following setup.

Here is our network setup:

Internet <-----  ASA5510 <---> Cisco 300 switch (2) <----> LAN clients
                    |
               DMZ network (Webserver)

outside interface (38.101.64.x /24)

inside interface (192.168.1.1)

dmz interface (10.10.10.1)

Webserver ( real IP 10.10.10.2)

I need to accomplish the following.

1. All internal devices in the LAN and DMZ need to access the internet.

2. All internal devices in the LAN can access any device in the DMZ (by its real IP address).

Once I can get that working, I would like to configure outside access to the web server. I have a block of 200 public IP addresses I will be dividing among several web servers. How can I

1. Have the ASA listen for the block of IP addresses we have reserved

2. Have traffic routed to the correct server inside the DMZ

3. Allow only HTTP and FTP to servers in the DMZ from the outside

I haven't started yet, just looking for advice on the best setup, and figured it would be easier to ask before starting than to have someone looking at a jacked-up config file. Open to all suggestions, thanks in advance.

Accepted Solution

Maykol Rojas
Cisco Employee

Hi,

Well, it is not that hard. Basically, the DMZ and the LAN (depending on the security levels) will be able to access the internet if proper NAT is configured, for example:

Inside, security level 100

DMZ, security level 50

Outside security level 0

So that means that traffic flowing from any higher security level to a lower security level is going to be permitted. Now, in order for the DMZ and the LAN to be able to go to the internet, they need to be NATted to a public IP. You can get as creative as you want, since you have 200 IP addresses. The most common practice is to PAT the LAN and DMZ to the outside, but you can use one of those 200 IPs to do PAT as well.

In order to access the servers from the outside, what you need is a static NAT and an access list; that would do it.

If you want to get deeper into any of the topics you mentioned, just let me know, I will be glad to help.

Example for allowing access to an RDP server

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml

ASA/PIX/FWSM NAT statements
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

If using ASA version 8.3, the NAT statements would be a bit different, but it is the same concept.

Cheers

Mike

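As an added illustration of the NAT-plus-access-list design described in the reply (an example configuration written for this page, not Cisco's or the poster's), in the pre-8.3 syntax the answer assumes and with the addresses from the original question. The interface names, the ASA's own outside address 38.101.64.2 and the public address 38.101.64.10 chosen for the first web server are assumptions.

```cisco
! Interfaces with the security levels suggested in the reply.
! Interface names and the ASA's outside address are assumptions.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 38.101.64.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0

! Requirement 1: PAT both the LAN and the DMZ behind the outside interface address.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.10.10.0 255.255.255.0

! Requirement 2: the single inside-to-DMZ NAT rule the reply mentions.
! Once inside hosts match "nat (inside) 1", the ASA also expects a
! translation for them towards the dmz interface; this identity static
! supplies one while keeping their real addresses, so LAN clients reach
! DMZ hosts by real IP.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Outside access: one static NAT per web server, mapping one public
! address from the block to the server's real DMZ address
! (38.101.64.10 is a placeholder taken from the poster's /24).
static (dmz,outside) 38.101.64.10 10.10.10.2 netmask 255.255.255.255

! Only HTTP and FTP, and only to the published address. Before 8.3 the
! ACL applied on the outside interface matches the mapped (public) address;
! the implicit deny at the end of the list blocks everything else.
access-list outside_in extended permit tcp any host 38.101.64.10 eq www
access-list outside_in extended permit tcp any host 38.101.64.10 eq ftp
access-group outside_in in interface outside
```

The FTP data channel is opened dynamically by `inspect ftp`, which is part of the ASA's default global_policy; `show run policy-map` confirms it is still present before relying on it. Each additional server gets its own `static (dmz,outside)` line and its own pair of ACL entries.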

8 Replies


Thanks for your quick reply. I want to make sure I understand you.

1. If I set up the interfaces with the security levels you show, then my inside should be able to talk to the DMZ?

2. To give machines (inside, DMZ) internet, I just use PAT and point to the outside interface IP address?

As far as adding outside-to-DMZ access:

1. Just add a NAT rule for 38.101.64.x /24 (any IP address in my range) and point to 10.10.10.x (whichever web server I assign that IP to)?

2. Add an access rule allowing HTTP from any to 38.101.64.x /24? From there my NAT rule should ensure it reaches the correct web server.

Sorry for the novice questions, I just want to do this quickly and without issues. Thanks again for your help.

Hi,

Hey, don't worry, that is what this community is about.

1. If I set up the interfaces with the security levels you show, then my inside should be able to talk to the DMZ?

Adding just one NAT rule from the inside to the DMZ. Correct.

2. To give machines (inside, DMZ) internet, I just use PAT and point to the outside interface IP address?

Correct

1. Just add a NAT rule for 38.101.64.x /24 (any IP address in my range) and point to 10.10.10.x (whichever web server I assign that IP to)?

Correct

2. Add an access rule allowing HTTP from any to 38.101.64.x /24? From there my NAT rule should ensure it reaches the correct web server.

And apply it on the outside interface. Correct.

If you have any questions let me know.

Mike
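The same four confirmed steps in the 8.3-and-later object NAT syntax that the earlier reply says differs, extended to two web servers to show how the public block is divided among them. This is an added example, not from Cisco or the poster; the interfaces are assumed to be named and security-levelled as in the thread, and 38.101.64.10, 38.101.64.11 and the second server 10.10.10.3 are placeholders.

```cisco
! Step 2 (internet for inside and DMZ): dynamic PAT of both networks
! to the outside interface address.
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network dmz-net
 subnet 10.10.10.0 255.255.255.0
 nat (dmz,outside) dynamic interface

! Step 1 (inside talks to DMZ): with object NAT no rule matches the
! (inside,dmz) interface pair, so LAN-to-DMZ traffic is forwarded
! untranslated and DMZ hosts are reached by their real addresses.

! Step 3 (one public address per server): each object carries the real
! host and its static mapping to one address from the 38.101.64.0/24 block.
object network web1
 host 10.10.10.2
 nat (dmz,outside) static 38.101.64.10
object network web2
 host 10.10.10.3
 nat (dmz,outside) static 38.101.64.11

! Step 4 (access rule on the outside interface): from 8.3 the ACL names
! the real, untranslated address, here through the object, not the public
! address as before 8.3. Only HTTP and FTP are permitted; everything else
! from the outside hits the implicit deny.
access-list outside_in extended permit tcp any object web1 eq www
access-list outside_in extended permit tcp any object web1 eq ftp
access-list outside_in extended permit tcp any object web2 eq www
access-list outside_in extended permit tcp any object web2 eq ftp
access-group outside_in in interface outside
```

The practical difference from the older syntax is the ACL: an 8.3+ rule written against the public address 38.101.64.10 would never match, because translation now happens before the access list is evaluated. `show nat` lists the object rules in order with their hit counts, which is the quickest way to see whether a server's static mapping is being used.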

Thanks Mike I'm going to give this a try in a little while and I will let you know how it goes

No worries, if you need help let me know.

Cheers

Mike


I should point out I have been trying to configure this using ASDM. I set up the interfaces as you suggested and had both the inside and DMZ interfaces with internet access. However, it died about 5 min later and now neither interface can reach the internet. Using the packet analyzer, it checks everything as good until it gets to the ACL and then the packet is dropped.

It says the packet is dropped due to a rule and points to one of the implicit rules I cannot edit. I thought that it shouldn't even check the ACL when going from a higher to a lower security zone?

Also, I wanted to be able to administer the device remotely. I went to manage device, selected ASDM/HTTP and set the IP address as any (0.0.0.0, 0.0.0.0), then applied it to the outside interface. However, I still cannot get access when I go to https://(ip for outside interface). Did I miss a step?

I also don't seem to be able to restore the box to default from ASDM; it comes back with the same settings. Should I just use the CLI, and will I get better results?

This is really bugging me. I didn't think it would be hard to set up, and I can get it to work for a few minutes and then nothing. I have to be missing something. I only have one static route showing, and under NAT 2 rules, one for DMZ and another for inside.

Any help is greatly appreciated.
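Added CLI checks for the kind of drop described in the post above, plus a restricted form of the remote-management setting it mentions. These commands are an example for this page, not part of the thread; 192.168.1.50 is an assumed LAN client, 198.51.100.20 an assumed internet host, 203.0.113.7 an assumed outside client, 38.101.64.10 an assumed published server address and 203.0.113.5 an assumed administrator address.

```cisco
! Trace a LAN client's HTTP request to an internet host through the ASA.
! Each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) reports ALLOW or DROP,
! and the first DROP names the rule responsible, which is the CLI form of
! what the ASDM packet tracer shows.
packet-tracer input inside tcp 192.168.1.50 40000 198.51.100.20 80

! Trace an outside client reaching the published web server. From outside
! the destination is the public address, because that is what arrives on
! the wire before any translation.
packet-tracer input outside tcp 203.0.113.7 40000 38.101.64.10 80

! Confirm what the trace should be using: the NAT rules (pre-8.3 keeps
! them in nat/global/static lines), active translations, ACL hit counts
! and the single default route.
show run nat
show run static
show run global
show xlate
show access-list outside_in
show route

! Record the denials themselves rather than inferring them from the GUI.
! Syslog 106023 is the "denied by access-group" message.
logging enable
logging buffered informational
show logging | include 106023

! ASDM/HTTPS on the outside interface, limited to one administrator
! address instead of 0.0.0.0 0.0.0.0 (any), which would expose the
! management plane to the whole internet.
http server enable
http 203.0.113.5 255.255.255.255 outside
```

If `show xlate` stays empty after the inside trace, the problem is on the NAT side; if the translation exists but the outside trace drops in the ACCESS-LIST phase, compare the address the ACL names with the one the packet carries at that point (public before 8.3, real from 8.3 onward).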

Thanks for all your help, I now have it all working. I think I just did not understand how ASDM was inputting the rules and routes. So I just did it from the CLI and now it's working as needed. Thanks again!!

Hi,

Sorry I did not see the previous post. I am very glad that everything is working.

Cheers!

Mike
