Configure ASA 5505 for DMZ

eholz1
Level 1

I think I have configured an ASA 5505 for DMZ.

There is an outside IP 96.229.98.123, which should allow remote access (3389) to a computer which should be a DMZ, 10.1.1.99.

I am unable to get to this computer (Windows XP) using the outside IP and MS RDP connection.

I can ping the 10.1.1.99 box from the ASA.

I will assume that my config for the DMZ and network, etc. is "almost" correct, as a first-time configurer.

Here is a copy of my running config - where did I go wrong??? Thanks for any help.

ASA Version 7.2(3)
!
hostname BrahmaASA
domain-name brahma.local
enable password OLwrzN2..uVF.NHM encrypted
names
!
interface Vlan1
description Internal Network to Brahma Design
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description Outside Public Internet
nameif outside
security-level 0
ip address 96.229.98.122 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 0
ip address 10.1.1.99 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd OLwrzN2..uVF.NHM encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
timeout 3
name-server 192.168.1.10
domain-name brahma.local
object-group service Remote_Access tcp
port-object eq 5900
port-object eq 3389
object-group service Mail_Ports tcp
port-object eq smtp
port-object eq imap4
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside extended permit tcp any host 96.229.98.124 object-group Remote_Access
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host 96.229.98.125 object-group Mail_Ports
access-list outside extended permit tcp any host 96.229.98.125 eq https
access-list outside extended permit tcp any host 96.229.98.125 eq www
access-list outside extended permit tcp any host 96.229.98.125 object-group Remote_Access
access-list outside extended permit tcp any host 96.229.98.123 eq 3389
access-list VPNSPLIT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list DMZ_in extended deny ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_in extended permit tcp any host 96.229.98.123 eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Brahma 172.16.1.1-172.16.1.50 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp 96.229.98.123 3389 10.1.1.99 3389 netmask 255.255.255.255
static (inside,outside) 96.229.98.124 192.168.1.30 netmask 255.255.255.255
static (inside,outside) 96.229.98.125 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 96.229.98.123 10.1.1.99 netmask 255.255.255.255
access-group outside in interface outside
access-group DMZ_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 96.229.98.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Brahma protocol radius
aaa-server Brahma host 192.168.1.10
timeout 5
key il2btwac
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 800 set transform-set ESP-3DES-MD5
crypto map VPNmap 40 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.10
dhcpd wins 192.168.1.10
dhcpd lease 604800
dhcpd ping_timeout 500
dhcpd domain brahma.local
!
dhcpd address 192.168.1.50-192.168.1.177 inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
group-policy Brahma internal
group-policy Brahma attributes
wins-server value 192.168.1.10
dns-server value 192.168.1.10
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNSPLIT
default-domain value brahma.local
split-dns value brahma.local
tunnel-group BRAHMA type ipsec-ra
tunnel-group BRAHMA general-attributes
address-pool Brahma
authentication-server-group Brahma
default-group-policy Brahma
tunnel-group BRAHMA ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:9e4a384b5ab53c8bea2366c7f4a0bd5d
: end
Thanks so much,

Eric

2 Replies

Jouni Forss
VIP Alumni

Hi,

Your server's/host's IP address can't be 10.1.1.99 since that is already configured as the interface IP address on the ASA:

interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 0
ip address 10.1.1.99 255.255.255.0

You should change the host IP address to something else and reconfigure the NAT configurations using that IP address.

Or change the IP address of the Vlan3 interface to something else, but that would mean that all hosts on the Vlan3 would need to have their default gateway changed.

Also, you have static PAT and static NAT configured with that local IP address, and using two different source interfaces:

static (DMZ,outside) tcp 96.229.98.123 3389 10.1.1.99 3389 netmask 255.255.255.255
static (inside,outside) 96.229.98.123 10.1.1.99 netmask 255.255.255.255

So you should remove the Static NAT between "inside" and "outside" interfaces.

no static (inside,outside) 96.229.98.123 10.1.1.99 netmask 255.255.255.255

- Jouni

A problem is that your DMZ has the same security-level as the outside interface. Typically the DMZ gets a level between inside and outside:

interface Vlan3
  security-level 50

Alternatively, if you see any benefit in using the same security-level (I doubt that), then you could enable communication between these two interfaces with the following command:

same-security-traffic permit inter-interface

And Jouni's points are of course also relevant. After all these changes, your connection should work, which can also be tested with packet-tracer.

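Putting both replies together, here is an added example (written for this page; it is not code from the thread, from Cisco or from either responder) that parses a pre-8.3 ASA running config and flags the three mistakes named above: a static whose real (local) address is one of the ASA's own interface addresses, the same global address claimed by statics on two different real interfaces (the inside one is named for removal because 10.1.1.99 is not on the inside subnet), and two interfaces at the same security level without "same-security-traffic permit inter-interface", for which it proposes a level midway to the next higher one (50 here). It assumes the flat "static (real,mapped) ..." syntax of ASA 7.x/8.2, both sample configs are constructed from the lines posted above, and 10.1.1.10 in the corrected sample is an assumed free DMZ address.

```python
import ipaddress
import re

# Constructed sample: the interface and translation lines from the config posted
# above, trimmed to what the checks below need.
BROKEN_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 96.229.98.122 255.255.255.0
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 0
ip address 10.1.1.99 255.255.255.0
!
static (DMZ,outside) tcp 96.229.98.123 3389 10.1.1.99 3389 netmask 255.255.255.255
static (inside,outside) 96.229.98.124 192.168.1.30 netmask 255.255.255.255
static (inside,outside) 96.229.98.123 10.1.1.99 netmask 255.255.255.255
"""
# The same config with the replies' fixes applied: server moved to 10.1.1.10 (an
# assumed free DMZ address), DMZ raised to level 50, the inside static removed.
FIXED_CONFIG = (BROKEN_CONFIG
                .replace("security-level 0\nip address 10.1.1.99", "security-level 50\nip address 10.1.1.99")
                .replace("10.1.1.99 3389", "10.1.1.10 3389")
                .replace("static (inside,outside) 96.229.98.123 10.1.1.99 netmask 255.255.255.255\n", ""))

# Interface sub-commands as "show running-config" prints them (unindented on 7.2).
_IF_SUBCMDS = ("nameif ", "security-level ", "ip address ", "description ",
               "no forward ", "shutdown", "switchport ")
# static (real,mapped) [tcp|udp] MAPPED-IP [port] REAL-IP [port] netmask ...
_STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) "
                        r"(?:(tcp|udp) (\S+) \S+ (\S+) \S+|(\S+) (\S+)) netmask")

def parse_config(text):
    """Return (interfaces by name, static translations, same-security-traffic flag)."""
    ifaces, statics, same_sec, cur = {}, [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            cur = ifaces[m.group(1)] = {"name": m.group(1), "nameif": "", "level": None,
                                        "ip": None, "net": None}
        elif cur is not None and line.startswith(_IF_SUBCMDS):   # still in the interface block
            w = line.split()
            if w[0] == "nameif":
                cur["nameif"] = w[1]
            elif w[0] == "security-level":
                cur["level"] = int(w[1])
            elif w[:2] == ["ip", "address"]:
                cur["ip"] = ipaddress.IPv4Address(w[2])
                cur["net"] = ipaddress.IPv4Network(f"{w[2]}/{w[3]}", strict=False)
        else:
            cur = None
            same_sec = same_sec or line == "same-security-traffic permit inter-interface"
            m = _STATIC_RE.match(line)
            if m:
                real_if, mapped_if, proto, pm, pr, nm, nr = m.groups()
                statics.append({"real_if": real_if, "mapped_if": mapped_if, "proto": proto or "",
                                "mapped": pm or nm, "real": ipaddress.IPv4Address(pr or nr), "line": line})
    return ifaces, statics, same_sec

def audit(text):
    """Return findings as {'check', 'detail', 'fix'}; 'fix' is a list of ASA CLI lines."""
    ifaces, statics, same_sec = parse_config(text)
    by_nameif = {i["nameif"]: i for i in ifaces.values() if i["nameif"]}
    if_ips = {i["ip"]: i for i in ifaces.values() if i["ip"]}
    findings, owners = [], {}
    def note(check, detail, *fix):
        findings.append({"check": check, "detail": detail, "fix": list(fix)})
    for s in statics:
        if s["real"] in if_ips:   # server address collides with an ASA interface address
            note("host-ip-is-interface-ip", f"{s['real']} is the {if_ips[s['real']]['nameif']} interface "
                 "address; give the server its own address and re-enter the static")
        i = by_nameif.get(s["real_if"])
        if i and i["net"] and s["real"] not in i["net"]:   # real side names the wrong interface
            note("static-wrong-real-interface", f"{s['real']} is not in {i['net']} ({s['real_if']})", f"no {s['line']}")
        owners.setdefault(s["mapped"], set()).add(s["real_if"])
    for ip, real_ifs in owners.items():   # one global IP claimed from two real interfaces
        if len(real_ifs) > 1:
            note("mapped-ip-shared-across-interfaces", f"{ip} is translated from both {sorted(real_ifs)}")
    if not same_sec:   # equal levels drop inter-interface traffic unless same-security-traffic is on
        seen, levels = {}, sorted({i["level"] for i in ifaces.values() if i["level"] is not None})
        for i in (x for x in ifaces.values() if x["level"] is not None):
            if i["level"] in seen:
                higher = [l for l in levels if l > i["level"]]
                target = (i["level"] + (higher[0] if higher else 100)) // 2   # midway to the next level up
                note("equal-security-levels", f"{i['nameif']} and {seen[i['level']]['nameif']} are both level {i['level']}",
                     f"interface {i['name']}", f" security-level {target}")
            else:
                seen[i["level"]] = i
    return findings

if __name__ == "__main__":
    for f in audit(BROKEN_CONFIG):
        print(f"[{f['check']}] {f['detail']}", *f["fix"], sep="\n    ")
    print("findings after fixes:", audit(FIXED_CONFIG))
```

Run as a script it prints the findings for the posted config and an empty list for the corrected one. The wrong-real-interface check is what tells you which of the two 96.229.98.123 statics to drop; it does not replace packet-tracer, which also exercises the interface ACLs and NAT order that this parser ignores.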