08-23-2009 12:06 PM - edited 03-11-2019 09:08 AM
Guys, I'm stuck and need as much help as possible, please. I'm from Guyana, South America. I have my ISP connected to one Cisco 2800 series router, connected to a Cisco ASA 5520 firewall, then to a Dell PowerConnect switch, then 9 small networks on Cisco 881 routers. Also from the ASA 5520 I have my servers connected as a DMZ. Now what I want to accomplish is for my DMZ to have outbound and inbound access to the internet, and for my small networks to reach the DMZ and also the internet. Also VPN from remote networks to access the DMZ. Below is my current running-config on the ASA 5520.
ASA Version 7.2(4)
!
hostname POLICEWALL
domain-name GPF.LOCAL
enable password encrypted
passwd encrypted
names
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 100.100.100.1 255.255.255.252
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 172.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name GPF.LOCAL
same-security-traffic permit intra-interface
object-group protocol ip-allow
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list OUTSIDE_access_in extended permit object-group ip-allow any 192.168.1.0 255.255.255.0
access-list OUTSIDE_access_in extended permit tcp any 192.168.1.0 255.255.255.0
access-list INSIDE_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list OUTSIDE_1_cryptomap extended permit ip 100.100.100.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 100.100.100.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list allow_outside_connections extended permit icmp any any echo-reply
access-list allow_outside_connections extended permit icmp any any source-quench
access-list allow_outside_connections extended permit icmp any any unreachable
access-list allow_outside_connections extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu management 1500
no failover
monitor-interface OUTSIDE
monitor-interface INSIDE
monitor-interface DMZ
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 101 100.100.100.3-100.100.100.4 netmask 255.255.255.252
global (OUTSIDE) 200 interface
global (INSIDE) 1 10.10.10.2 netmask 255.0.0.0
global (DMZ) 1 192.168.1.2 netmask 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 10.10.10.0 255.255.255.0
nat (INSIDE) 101 0.0.0.0 0.0.0.0
nat (DMZ) 1 192.168.1.0 255.255.255.0 outside
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_out out interface INSIDE
access-group DMZ_access_out out interface DMZ
route OUTSIDE 100.100.100.3 255.255.255.255 100.100.100.1 1
route INSIDE 10.10.10.2 255.255.255.255 192.168.1.0 1
route DMZ 192.168.1.32 255.255.255.255 100.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
NOTE: MISSING THE REST OF THE CONFIG
08-23-2009 03:01 PM
Hello Mark,
I will be glad to help you.
Please message me via MSN Messenger: joshwalton@msn.com.
I will also post the solution (config) to your questions here for everyone to see.
08-24-2009 08:30 AM
Hey Josh! Thanks so far, I'm off to a running start. However, I still have some issues.
08-25-2009 06:08 AM
No fix as yet......... I'm lost.
08-27-2009 03:50 PM
I might be able to help you with part of your problem. I had a similar situation on my network the other day.
If you check your logs after one of your small networks tries to access the DMZ, you might see an error about not having a translation group. I am not sure if this is the correct way of doing it, but it worked for me.
You need a STATIC statement for the ASA to pass traffic from the LAN > DMZ and vice versa without it trying to NAT. So your statement would look something like this:
STATIC (inside,DMZ) xxx.xxx.xxx.0 xxx.xxx.xxx.0 netmask 255.255.255.0
If your ACLs are correct, then this should work. Like I said before, though, I am not sure if this is the correct and secure way of doing it, but I know this worked for me.
08-28-2009 08:59 AM
I'll try that and get back to you.