
Need some help with my ASA 5510 setup

a.grussner
Level 1

I could really use some help getting this ASA 5510 configuration done. I'm by no means a firewall guru but since I'm the only network engineer at my company I've been asked to make the new Firewall/VPN work. I'm trying to set up the network to have a DMZ for our web servers and OWA so everything in the DMZ will have an IP of 192.168.2.0. My Internal network will have an IP of 192.168.0.0 and the people coming in on the VPN will get an IP of 192.168.3.0. Is this the best way to do it or can someone give me some tips on what's the best way to do it? The servers in the DMZ and Inside network need to be able to communicate with each other for Active Directory and DNS traffic, plus my users on the VPN and Internal networks need to be able to Remote Desktop into the servers in the DMZ and Internal network. I'll paste my config below, so any help would be greatly appreciated. Thanks. I guess it's too much data so I'll put the other half in the next post and I'll attach it as a doc to the original post.

ASA Version 7.2(2)
!
hostname asa5510
domain-name test.com
enable password XXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif External
 security-level 0
 ip address 209.x.x.10 255.255.255.248
!
interface Ethernet0/1
 nameif Internal
 security-level 90
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 80
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd XXXXXXXXXX encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns server-group DefaultDNS
 domain-name test.com
access-list External_access_in extended permit tcp any host 209.254.99.65 eq www
access-list External_access_in extended permit tcp any host 209.254.99.66 eq ftp
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Internal_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any
access-list test_splitTunnelAcl standard permit any
access-list External_access_out extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN 192.168.3.1-192.168.3.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (External) 1 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (Internal) 1 0.0.0.0 0.0.0.0
static (DMZ,External) 209.254.99.65 192.168.2.2 netmask 255.255.255.255
static (DMZ,External) 209.254.99.66 192.168.2.3 netmask 255.255.255.255
access-group External_access_in in interface External
access-group External_access_out out interface External
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy NOS internal
group-policy NOS attributes
 dns-server value 192.168.0.15
 vpn-tunnel-protocol IPSec
username rabbit password XXXXXXXX encrypted privilege 0
username rabbit attributes
 vpn-group-policy NOS
http server enable
http 192.168.0.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact

****SEE BELOW FOR THE REST****
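Added example, not part of the original post or its attached config: an ASA 7.2-style fragment covering the two things the posted config does not yet do for the DMZ/Internal/VPN design. First, on pre-8.3 code, traffic that matches a nat (interface) 1 rule needs a global with the same ID on the egress interface; the only global is on External, so Internal-to-DMZ and DMZ-to-Internal traffic have no translation to use and are dropped with "No translation group found". A nat 0 exemption (which is bidirectional) fixes that. Second, DMZ (level 80) to Internal (level 90) is lower-to-higher and is denied unless an ACL on the DMZ interface permits it, so the AD and DNS ports need explicit entries. It assumes the domain controller and DNS server is 192.168.0.15 (the dns-server value in group-policy NOS), the DMZ hosts are 192.168.2.2 and 192.168.2.3 as in the statics, and the VPN pool stays 192.168.3.0/24; the ACL names are chosen here.

```cisco
! Added example, not from the original post. Assumptions: DC/DNS at
! 192.168.0.15, DMZ hosts 192.168.2.2-3, VPN pool 192.168.3.0/24.

! 1. NAT exemption for zone-to-zone traffic. nat 0 with an access-list is
!    bidirectional, so one line per pair of networks is enough.
access-list DMZ_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
!
! Replace the posted "permit ip any 192.168.0.0" entry (Internal to itself never
! transits the firewall in this design) with Internal-to-DMZ.
no access-list Internal_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! 2. DMZ (80) -> Internal (90) is denied by default. Permit only the AD/DNS
!    ports the DMZ servers need, and only to the DC. eq ldap is tcp/389;
!    Kerberos is given numerically because the ASA literal "kerberos" is 750.
access-list DMZ_access_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq domain
access-list DMZ_access_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq domain
access-list DMZ_access_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq ldap
access-list DMZ_access_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq 389
access-list DMZ_access_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq 3268
access-list DMZ_access_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq 88
access-list DMZ_access_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq 88
access-list DMZ_access_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq 445
access-list DMZ_access_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.15 eq 123
! Domain-joined servers also use RPC (tcp/135 plus the dynamic RPC range);
! either pin that range on the DC and add it here, or allow the specific
! DMZ host to the DC by IP, which is what the poster ended up doing for Exchange.
!
! Everything else from the DMZ toward Internal or the VPN pool is blocked;
! the DMZ may still reach the Internet for updates.
access-list DMZ_access_in extended deny ip any 192.168.0.0 255.255.255.0
access-list DMZ_access_in extended deny ip any 192.168.3.0 255.255.255.0
access-list DMZ_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group DMZ_access_in in interface DMZ
!
! 3. Internal (90) -> DMZ (80) and VPN clients -> DMZ are higher-to-lower and
!    allowed without an ACL, so RDP to the DMZ needs nothing more; the stateful
!    connection handles the reply traffic. Verify each path with packet-tracer:
! packet-tracer input DMZ tcp 192.168.2.2 1025 192.168.0.15 389
! packet-tracer input Internal tcp 192.168.0.50 1025 192.168.2.2 3389
```

The deny lines before the final permit are what keep a compromised DMZ web server from reaching the inside network or VPN clients on anything but the listed ports; the interface security level alone does not give that once a permit-any ACL is attached to the DMZ.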

22 Replies

hows it now?

It's working much better now. I'm going to try and schedule some time over the weekend to put it in place for some testing. I opened up communication between the 2 email servers by IP address instead of dealing with all the ports between them. What do I need to do so it'll communicate with my Active Directory for user authentication? Thanks for all the help so far.

"Active Directory Communication

To communicate with Active Directory, the Exchange front-end server requires LDAP ports to be open. Both TCP and UDP are required: Windows 2000 on the front-end server will send a 389/UDP LDAP request to a domain controller to check if it is available for use; the LDAP traffic after that uses TCP. Windows 2000 Kerberos authentication is also used; therefore, the Kerberos ports must also be open. Both TCP and UDP are required for Kerberos as well: Windows uses UDP/88 by default, but when the data is larger than the maximum packet size for UDP, it uses TCP. Table 3 lists the ports required for communicating with Active Directory."

Taken from the following article...

http://www.microsoft.com/technet/prodtechnol/exchange/2000/maintain/e2kfront.mspx

Then I should be OK for the Exchange server sitting in my DMZ since I opened up all communication between that server and my back-end server on the Internal network. What I need to know is how I can setup my VPN users to authenticate to Active Directory when they login on the VPN instead of having to create accounts on the 5510.

In the ASA you will define an aaa-server and assign that to the VPN group. You can then set up IAS (Internet Authentication Service) on your domain controller. Here you will define a RADIUS client (the ASA) and a remote access policy. You must then register the service with Active Directory. You will then be able to authenticate your VPN clients with your AD.

Is this setup any different than setting it up on a 3005 concentrator? I watched a fellow engineer set one up and he pointed the concentrator to the domain controller and specified port 139 on the server. I don't remember him setting anything else up on the server for authentication. Did I miss something in his setup maybe? There was nothing setup on the 3005 for Radius and nothing under AAA.
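Added example, not code from any post in the thread: the ASA 7.2 lines for the RADIUS/IAS approach described two replies up, plus the NT domain variant, which is what a concentrator pointed at a domain controller on port 139 is doing (the ASA supports the same method as aaa-server protocol nt). It assumes the DC and IAS server is 192.168.0.15, that the IPsec remote-access tunnel group is DefaultRAGroup (the split-tunnel ACL names in the posted config suggest it), and that the shared secret, the DC NetBIOS name and the test credentials are placeholders.

```cisco
! Added example, not from the thread. Assumptions: DC/IAS at 192.168.0.15,
! tunnel-group DefaultRAGroup, placeholder secret, DC name and credentials.

! --- Option A: RADIUS to IAS on the domain controller ---
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (Internal) host 192.168.0.15
 key SharedSecretPlaceholder
 authentication-port 1812
 accounting-port 1813
 timeout 5
 retry-interval 3
!
! --- Option B: NT domain authentication over tcp/139 (the 3005 method) ---
aaa-server AD-NT protocol nt
aaa-server AD-NT (Internal) host 192.168.0.15
 nt-auth-domain-controller DCNAME
!
! Bind one server group to the remote-access tunnel group. Keeping LOCAL as
! the fallback means the local "rabbit" account still works if the DC is down.
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group AD-RADIUS LOCAL
 default-group-policy NOS
!
! Prove the server works from the ASA before handing the VPN to users
! (use a real domain account in place of the placeholder):
! test aaa-server authentication AD-RADIUS host 192.168.0.15 username jdoe password Secret123
```

On the IAS side the ASA is added as a RADIUS client with the same shared secret, and the remote access policy has to grant access to the VPN users' group and permit PAP, since the ASA sends the IPsec client's username and password to RADIUS with PAP by default. RADIUS is the better of the two options here: IAS logs every attempt and can return attributes per user group, whereas the NT domain method only answers yes or no and transports an NTLM exchange over NetBIOS.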

Thanks for all the help. I have another issue but I'll post a new topic.
