Setting up DMZ on ASA 5505 With Basic License

it
Level 1

I am trying to find out if anyone has had luck with setting up a DMZ on an ASA 5505 with a basic license. I believe it should be possible to do, but I have not been able to get an outside connection to work when connecting it through a Linksys router acting as an access point. Any help would be appreciated.

Bryan

4 Replies

praprama
Cisco Employee

Hi Bryan,

With BASE license on ASA 5505, we can have a maximum of 3 VLANs configured but the 3rd VLAN can communicate only with one of the other 2 VLANs that you have.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1051819

Quoting from the above link: "For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network."

If you already have this cleared up but are still facing issues, please post your sanitized config here with the problems you are facing and we will have a look into it.

Thanks and Regards,

Prapanch

it
Level 1

Hi Prapanch,

Thanks for the response. We have 3 VLANs set up: one for inside, one for outside and one for the DMZ. We do not want the DMZ to access the inside network, only to access outside for clients or vendors coming in that need internet access. We have set the DMZ to restrict traffic to VLAN 1, which is our inside business network, but cannot get access. My other question is that we have the DMZ connecting to a Linksys router acting as an access point. It is set up for DHCP and has an IP address assigned to it, but when it tries to connect all we get is DNS errors. Will post the ASA config file.

Thanks,

Bryan

ASA Version 8.3(1) 
!
hostname ASA
domain-name default.domain.invalid
enable password encrypted
passwd encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xxx.131 255.255.255.192 
!
interface Vlan12
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.30.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 2
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name default.domain.invalid
object network NETWORK_OBJ_192.168.10.0_24 
 subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.120.0_26 
 subnet 192.168.120.0 255.255.255.192
object network host.10 
 host 192.168.10.10
object network host.108 
 host 192.168.10.108
object network host.114 
 host 192.168.10.114
object network host.133 
 host 192.168.10.133
object network host.19 
 host 192.168.10.19
object network host.5 
 host 192.168.10.5
object network host.4 
 host 192.168.10.4
object network host.6 
 host 192.168.10.6
object network host.74 
 host 192.168.10.74
object network host.36 
 host 192.168.10.36
 description xxxxxxxxxxx 
object network 192.168.10.179 
 host 192.168.10.179
object network FOCR 
 host 192.168.10.147
object network xxxxxxxxxxx 
 host 192.168.10.19
object network NETWORK_OBJ_192.168.30.0_24 
 subnet 192.168.30.0 255.255.255.0
object-group network net192_10
object-group network DM_INLINE_NETWORK_1
 network-object host 192.168.10.114
 network-object host 192.168.10.133
 network-object host 192.168.10.19
 network-object host 192.168.10.36
 network-object host 192.168.10.4
 network-object host 192.168.10.6
 network-object host 192.168.10.74
object-group service rdp tcp
 port-object eq 3389
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
object-group service FTP tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service Adobe tcp
 description Adobe Pro Connect
 port-object eq 1935
object-group service Gmail_SMTP tcp
 port-object eq 465
object-group service FTP_to_IDS tcp
 port-object eq 1180
 port-object eq 1181
 port-object range 1200 1299
object-group service Gmail_imap tcp
 port-object eq 993
access-list xxxxxxxxxx_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 
access-list outside_access_in remark xxxxxxxxxxx
access-list outside_access_in extended permit tcp any host 192.168.10.5 object-group DM_INLINE_TCP_1 log errors 
access-list outside_access_in remark RDP for desktops and terminal servers
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389 
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list DMZ_access_out extended permit ip 192.168.30.0 255.255.255.0 xx.xx.xxx.128 255.255.255.192 
pager lines 24
logging enable
logging buffer-size 40960
logging asdm-buffer-size 512
logging asdm warnings
logging from-address Firewall@xxxxxxxxxx.com
logging recipient-address xxxxxxxxxxxxxxxxxxxx.com level errors
logging flash-maximum-allocation 102400
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool ipsec_pool 192.168.120.1-192.168.120.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.120.0_26 NETWORK_OBJ_192.168.120.0_26
nat (inside,outside) source dynamic any interface
nat (outside,DMZ) source dynamic NETWORK_OBJ_192.168.30.0_24 interface destination static interface any
!
object network host.133
 nat (any,any) static xx.xx.xxx.158 dns
object network host.19
 nat (any,any) static xx.xx.xxx.152 dns
object network host.5
 nat (any,any) static xx.xx.xxx.153 dns
object network host.4
 nat (any,any) static xx.xx.xxx.156 dns
object network host.6
 nat (any,any) static xx.xx.xxx.159
object network host.74
 nat (any,any) static xx.xx.xxx.150 dns
object network host.36
 nat (any,any) static xx.xx.xxx.160 dns
access-group outside_access_in in interface outside
access-group DMZ_access_out out interface DMZ
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WINad protocol ldap
aaa-server WINad (inside) host 192.168.10.174
 ldap-base-dn DC=mxxxxxxxxxxxx,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password xxxxxxx
 ldap-login-dn CN=xxxxxxxxxxxx,CN=users,DC=xxxxxxxxxxxx,DC=com
 server-type microsoft
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy xxxxxxxxxxxxx internal
group-policy xxxxxxxxxxxxx attributes
 wins-server value 192.168.10.176
 dns-server value 192.168.10.176 192.168.10.174
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxxxxxxxxxx_splitTunnelAcl
 default-domain value xxxxxxxxxxx.com
 split-dns value xxxxxxxxxxxxxxx.com 
username xxxxx password xxxxxxxxxxxxxx encrypted privilege 0
username xxxxx attributes
 vpn-group-policy xxxxxxxxxxxxx
tunnel-group xxxxxxxxxxxxx type remote-access
tunnel-group xxxxxxxxxxxxx general-attributes
 address-pool ipsec_pool
 authentication-server-group WINad
 default-group-policy xxxxxxxGroup
tunnel-group xxxxxxxxxxxx ipsec-attributes
 pre-shared-key xxxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect ip-options 
  inspect ftp strict 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
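The following is an added configuration check, not code from the thread, that parses the interface, object and twice-NAT lines of an ASA 8.3 config such as the one posted above and reports any nat statement whose real (first) interface does not own the source object's subnet; in 8.3 twice NAT the first interface in `nat (real,mapped)` is where the real source lives, so a DMZ subnet listed under `(outside,...)` never matches DMZ-originated traffic. The embedded config is a constructed excerpt of the post, with 203.0.113.131 standing in for the redacted outside address; run against it, the check flags the `(outside,DMZ)` rule because 192.168.30.0/24 sits on the DMZ interface.

```python
import ipaddress
import re
# Constructed excerpt of the ASA 8.3 config posted above (interface, object and
# nat lines only); 203.0.113.131 is a placeholder for the redacted outside IP.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.131 255.255.255.192
interface Vlan12
 nameif DMZ
 ip address 192.168.30.1 255.255.255.0
object network NETWORK_OBJ_192.168.30.0_24
 subnet 192.168.30.0 255.255.255.0
nat (inside,outside) source dynamic any interface
nat (outside,DMZ) source dynamic NETWORK_OBJ_192.168.30.0_24 interface destination static interface any
"""

def parse_config(text):
    """Collect nameif -> interface subnet, object -> subnet, and the twice-NAT lines."""
    ifaces, objects, nats, nameif, obj = {}, {}, [], None, None
    for line in text.splitlines():
        words = line.split()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith(" nameif "):
            nameif = words[1]
        elif line.startswith(" ip address ") and nameif:
            ifaces[nameif] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif line.startswith("object network "):
            obj = words[2]
        elif line.startswith(" subnet ") and obj:
            objects[obj] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif line.startswith("nat ("):
            m = re.match(r"nat \((\S+),(\S+)\) source (?:static|dynamic) (\S+)", line)
            nats.append((m.group(1), m.group(2), m.group(3), line))
    return ifaces, objects, nats

def check_nat_rules(text):
    """Flag twice-NAT lines whose real (first) interface does not own the source object."""
    ifaces, objects, nats = parse_config(text)
    findings = []
    for real_ifc, _mapped_ifc, src, line in nats:
        net = objects.get(src)  # 'any' and unparsed names are skipped
        owner = next((n for n, i in ifaces.items() if net and net.subnet_of(i)), None)
        if owner and owner != real_ifc:
            findings.append(f"{line}: {src} lives on '{owner}', not '{real_ifc}'")
    return findings
```

Call `check_nat_rules(SAMPLE_CONFIG)` to get the list of offending lines; an empty list means every twice-NAT rule names the interface that actually owns its source network.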

praprama
Cisco Employee

Hi,


When you say you "cannot get access", what are you trying to access, how, and from where? Also, what is the DNS error that you are getting? If possible, please draw a corresponding line topology.

Thanks and Regards,

Prapanch

Thanks again for the quick response. Okay, the DMZ is connecting into a Linksys router serving as an access point. This way vendors can come in and hook up their laptops through a wireless connection. There is not a specific error or code; it just cannot resolve a DNS host. The router is set up to use Google DNS servers @ 8.8.8.8. I will include a topology diagram. Maybe this will explain better.
