05-03-2012 07:25 PM - edited 03-11-2019 04:01 PM
I would like to add a Meraki MR16 AP to our DMZ, which is on our ASA 5510. I use a switch connected to the DMZ port of the ASA, and that is where my web server is plugged in. I want to keep the traffic completely separate from our internal LAN. What is the best and most secure way to do this? I will connect the AP to the DMZ switch. Below is the config:
ASA Version 8.2(1)
!
hostname fw
domain-name xxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.75.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif DMZ
security-level 50
ip address 192.168.75.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxxxxxxxxxxxxxxxxxx
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.xx eq 1433
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (management) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx www 192.168.75.5 www netmask 255.255.255.255
static (DMZ,outside) tcp xxx.xxx.xxx.xxx https 192.168.75.5 https netmask 255.255.255.255
static (inside,DMZ) 192.168.5.xx 192.168.5.xx netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZtoInside in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.5.xx 255.255.255.255 172.16.75.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e6f986d4427504d675bb1ca51a815345
: end
Thank you
05-03-2012 09:15 PM
Hi,
What's configured right now seems about right:
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.xx eq 1433
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside extended permit ip any any
That would allow traffic to go to the outside but not to the inside.
This NAT statement
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
Would allow them to go to the internet.
Plug and play.
Mike
05-04-2012 05:25 AM
Thank you for your reply. The lines:
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.xx eq 1433
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside extended permit ip any any
are for my IIS web server that accesses a SQL box on the internal lan.
If I wanted to add an access point to this config, how can I add it in and ensure no users could jump over to the internal LAN?
Thanks
05-04-2012 09:20 AM
Basically they won't access the internal LAN with that config. Right now, if you plug in the access point, they will be able to access the internet with no problem (assuming that the access point will NAT the users to one of the addresses on the DMZ).
Mike
05-04-2012 09:47 AM
What should the IP address of the AP be then? Suppose I give the AP an IP address of 192.168.75.80; how should the ACL look? Meraki has the following; would I need to allow these? How should the config look? Thanks
Meraki APs must be allowed outgoing connections to the following ports and IP addresses. Make sure a web filter or firewall is not blocking these OUTBOUND connections. For simplicity, the IP network is provided (e.g. 64.x.x.x/24) where several IPs in that range are used by Meraki. If this is a highly secured network, using the individual IPs will provide more security but could require adjustments as we expand our datacenters and utilize more IPs in these ranges.
Ports
UDP 7351
UDP 9350 (if using a Meraki VPN product)
TCP 80
TCP 443
TCP 7734
TCP 7752
With Meraki hosted RADIUS server authentication
UDP 1812 or UDP 1645, depending on the UDP port your RADIUS server is listening on.
Only for Systems Manager's Remote Desktop:
TCP 60000-60100 on any of the IPs below
IPs
64.62.142.0/24
64.62.142.25
64.62.142.12
64.62.142.3
64.156.192.0/24
64.156.192.244
64.156.192.243
64.156.192.240
64.156.192.239
64.156.192.238
64.156.192.237
64.156.192.233
64.156.192.232
64.156.192.152
64.156.192.151
64.156.192.110
64.156.192.109
64.156.192.108
64.156.192.107
64.156.192.106
64.156.192.105
64.156.192.103
64.156.192.102
74.50.51.0/24
74.50.51.93
74.50.51.16
74.50.51.15
74.50.52.0/24
74.50.52.159
74.50.52.141
74.50.52.136
74.50.52.243
74.50.52.244
74.50.53.0/24
74.50.53.123
74.50.53.101
74.50.56.0/24
74.50.56.140
74.50.56.121
74.50.58.0/24
74.50.58.3
74.50.58.2
74.50.63.0/24
74.50.63.12
74.50.63.7
74.50.63.6
74.50.63.5
74.50.63.4
74.50.63.3
74.50.63.2
213.229.98.133
213.229.98.134
208.72.143.27
208.72.143.26
208.72.143.25
208.72.143.24
05-04-2012 10:08 AM
Yes, but this configuration already provides it by using the permit IP any any at the end of the statement. Bottom line, current configuration is not going to block anything outbound besides going to the internal network.
Mike
05-04-2012 10:39 AM
Okay, now I've got it. I will try it and let you know. Thanks for all your help on this.
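The whole thread turns on what the three DMZtoInside lines actually match. The script below is an added example, not code from the thread or from Cisco: it models ASA first-match evaluation for the subset of `access-list ... extended` syntax those lines use and runs the posted ACL and a tightened one against the addresses in the posted config (web server 192.168.75.5, proposed AP address 192.168.75.80, inside subnet 172.16.75.0/24, a Meraki range 64.62.142.0/24). Two values are assumptions: 192.168.5.20 is a placeholder for the redacted SQL host shown as 192.168.5.xx, and 172.16.75.10 is an arbitrary inside host. The tightened ACL denies all three RFC 1918 ranges rather than only the single 192.168.0.0/24 the thread uses; that is a generalisation made here, and it is what actually covers the inside 172.16.75.0/24 subnet.

```python
import ipaddress

# Added example, not code from the thread. Models ASA first-match ACL
# evaluation for 'access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]'
# where SRC/DST is 'any', 'host X' or 'NET MASK'.
# Assumed values: 192.168.5.20 stands in for the redacted "192.168.5.xx" SQL
# host; 172.16.75.10 is an arbitrary host on the inside 172.16.75.0/24 subnet.

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


def _addr_spec(tokens, i):
    """Parse one ASA address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs take a normal subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return a list of (permit, proto, src_net, dst_net, dst_port_or_None)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        permit, proto = t[3] == "permit", t[4]
        src, i = _addr_spec(t, 5)
        dst, i = _addr_spec(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append((permit, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation. Returns (permitted, index of the matching rule);
    index -1 is the implicit deny that ends every ASA ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, (permit, rproto, rsrc, rdst, rport) in enumerate(rules):
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return permit, idx
    return False, -1


# The ACL as posted in the thread (SQL host placeholder substituted).
POSTED_ACL = """
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.20 eq 1433
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside extended permit ip any any
"""

# Tightened version: the web server's SQL exception stays first, then every
# RFC 1918 range is denied (covers the inside 172.16.75.0/24 and the 192.168.x
# networks), then the AP and anything it NATs behind 192.168.75.80 get the
# Internet. Rule order matters: the SQL permit must precede the 192.168/16 deny.
HARDENED_ACL = """
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.20 eq 1433
access-list DMZtoInside extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZtoInside extended deny ip any 172.16.0.0 255.240.0.0
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZtoInside extended permit ip any any
"""


def inside_reachable_from_ap(acl_text, ap_ip="192.168.75.80", inside_host="172.16.75.10"):
    """True if the AP's DMZ address can open tcp/445 to a host on the inside subnet."""
    return evaluate(parse_acl(acl_text), "tcp", ap_ip, inside_host, 445)[0]


if __name__ == "__main__":
    flows = (("tcp", "192.168.75.80", "172.16.75.10", 445),   # AP -> inside LAN
             ("tcp", "192.168.75.80", "192.168.0.10", 445),   # AP -> the /24 the thread denies
             ("udp", "192.168.75.80", "64.62.142.25", 7351),  # AP -> Meraki cloud
             ("tcp", "192.168.75.5", "192.168.5.20", 1433),   # web server -> SQL
             ("tcp", "192.168.75.5", "192.168.5.20", 445))    # web server -> SQL host, other port
    for name, acl in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        rules = parse_acl(acl)
        print(name)
        for flow in flows:
            print("   ", flow, "->", evaluate(rules, *flow))
```

Run it and the posted ACL returns (True, 2) for 192.168.75.80 to 172.16.75.10: the deny line only covers 192.168.0.0/24, and the inside interface in the posted config is 172.16.75.0/24, so the final `permit ip any any` matches. The posted config also has no `nat-control` line, so on 8.2 the firewall does not require a translation for that flow; the ACL is the control that decides it. The Meraki port list from the thread only becomes enforceable per host if the AP's own management traffic can be told apart from client traffic; if the AP NATs clients behind 192.168.75.80, both arrive at the ASA from the same address and a per-host Meraki-only rule would break client Internet access.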