DMZ config! How to do? Easy question for experts! (ASA 5510)

MARIO PAIVA
Level 1

Dear All

I would like to add a DMZ and VPN to inside network to my ASA5510 configuration, but I'm not sure about the correct way to achieve my goal (I'm a newbie).

I'll rate your post and promise to send to the best answer a traditional Christmas gift from my country, I'm sure that you will be pleased with it!:)

Goal:

1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.

2- VPN access to inside network.

1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:

- Access to EDGESRV from Internet (SMTP)
- Access from EDGESRV to Internet (SMTP)
- Access from internal network to EDGESRV ports: 25 (SMTP), 50389 (LDAP), 50636 (Secure LDAP) and port 3389 (TCP for terminal services)

ROUTER :

Interface Serial IP: 195.22.12.46/30

IP route 0.0.0.0 0.0.0.0 195.22.12.45

Interface Ethernet f0/0: IP 195.22.26.17/29 (connect to router)

ASA NETWORK

Interface External e0/0 :IP 195.22.26.18/29 (connect to router)

Interface internal: e0/1: IP 10.10.100.1 mask 255.255.252.0

Interface DMZ: e0/2 : IP 10.10.150.1 mask 255.255.255.0 (not implemented yet)

ASA Configuration (actual)

ASA Version 8.0(2)
!
interface Ethernet0/0
 nameif Interface_to_cisco_router
 security-level 0
 ip address 195.22.26.18 255.255.255.248
!
interface Ethernet0/1
 nameif Int_Internal_domain
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone WEST 0
clock summer-time WEDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Interface_to_cisco_router
dns domain-lookup Int_Internal_domain.com
dns server-group DefaultDNS
 name-server 195.22.0.136
 name-server 195.22.0.33
 domain-name domain.com
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list Interface_to_router_Cisco_access_in extended permit object-group TCPUDP any any eq domain
access-list Interface_to_router_Cisco_access_in extended permit tcp any any eq www
pager lines 24
logging list Registo_eventos_william level emergencies
logging list Registo_eventos_william level emergencies class vpn
logging asdm informational
logging recipient-address william@domain.com level critical
mtu management 1500
mtu Interface_to_router_Cisco 1500
mtu Int_Internal_domain 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Interface_to_router_Cisco) 101 interface
nat (Int_Internal) 101 10.10.100.0 255.255.255.0
nat (Int_Internal) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
access-group Interface_to_router_Cisco_access_in in interface Interface_to_router_Cisco
route Interface_to_router_Cisco 0.0.0.0 0.0.0.0 195.22.26.17 1
access-list Int_Internal_access_in extended permit tcp any any
access-list Int_Internal_access_in extended permit udp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.100.0 255.255.255.0 Int_Internal_domain
http 10.10.10.0 255.255.255.0 management
http 195.22.26.16 255.255.255.248 Interface_to_router_Cisco
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
....

Kind Regards

MP

3 Replies

JORGE RODRIGUEZ
Level 10

Mario,

I think you have much more to go, but this is a start; I don't think I have covered everything. Others in netpro may add to this.

1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.

Use this example, Configuring Mail server on DMZ http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

2- VPN access to inside network.

You can configure RA VPN server using/creating in ASA5510 Local user database

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

or configure RA VPN server using IAS RADIUS-Windows AD for authentication

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:

- Access to EDGESRV from Internet (SMTP)
- Access from EDGESRV to Internet (SMTP)
- Access from internal network to EDGESRV ports: 25 (SMTP), 50389 (LDAP), 50636 (Secure LDAP) and port 3389 (TCP for terminal services)

- Access to EDGESRV from the Internet on port SMTP: if you have a spare public IP you can create a one-to-one NAT for this server and create inbound access rules to allow access on SMTP from the outside Internet.

If you do not have spare public IPs for a one-to-one NAT on this server you can use ASA outside interface static PAT.

Example (with <dmz-server-ip> standing in for the server's DMZ address):

static (dmz,outside) tcp interface smtp <dmz-server-ip> smtp netmask 255.255.255.255

- Access from EDGESRV to Internet (SMTP)

You need to PAT the DMZ network if EDGESRV does not have a one-to-one static NAT. Typical scenario:

global (outside) 101 interface
nat (dmz) 101 0 0

or

nat (dmz) 101 <dmz-network> <netmask>

Also, for the mail server: if you are using a DNS server from your inside network, you need an ACL to allow traffic from the mail server in the DMZ to the DNS in the inside network.

- Access from internal network to EDGESRV ports: 25 (SMTP), 50389 (LDAP), 50636 (Secure LDAP) and port 3389 (TCP for terminal services)

From low sec level 0 to high sec level access is permitted by default; you do however need to create a static NAT to allow communication between inside and DMZ.

In your scenario, if you have 192.168.1.0/24 for the inside interface network, you would then create something like this:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Observation:

I see you have interface Ethernet0/2 free; I assume you will probably be using this interface for your DMZ. I would advise using subinterfaces and dot1q in order to scale your DMZs in the future.

Look at this link for reference on working with subinterfaces:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html

Rgds

Jorge

Jorge Rodriguez

Hi Jorge

Thanks for your detailed answer.

So here are my issues:

Access to EDGESRV from the Internet on port SMTP: if you have a spare public IP you can create a one-to-one NAT for this server and create inbound access rules to allow access on SMTP from the outside Internet.

Yes I do have spare public IP, so which is the correct config for this scenario:

Spare IP Address: 195.22.26.19 mask - 255.255.255.248.

So the Interface DMZ: e0/2 will be : xxx.xxx.xxx.xxx ?

And the IP address for the Server?

Thanks in advance for your cooperation.

Kind Regards

MP

You need to create dot1q trunking between ASA ethernet0/2 and your DMZ switch in order to create subinterfaces on the ASA and the respective VLANs in the switch.

For example: say you call the DMZ network DMZ1 and give it VLAN 100 in the switch.

1 - In the DMZ switch create a VLAN for DMZ1.

First allocate a port on the DMZ switch to connect to the ASA E0/2 interface; say you have a 3550 switch and picked port 48 for the trunk port.

switch#vlan database
switch(vlan)#vlan 100 name DMZ1_10.10.150.0/24
switch(vlan)#exit
switch#configure terminal
switch(config)#interface fastethernet0/48
switch(config-if)#description Connection to ASA E0/2
switch(config-if)#switchport trunk encapsulation dot1q
switch(config-if)#switchport mode trunk
switch(config-if)#switchport trunk allowed vlan 100,200,300 etc...
switch(config-if)#speed 100
switch(config-if)#duplex full
switch(config-if)#exit

Then allocate a port on the switch for your mail server and put it in VLAN 100, etc.

On the ASA:

asa(config)#interface ethernet0/2
asa(config-if)#speed 100
asa(config-if)#duplex full
asa(config-if)#no shutdown
asa(config-if)#exit
asa(config)#interface ethernet0/2.100
asa(config-subif)#vlan 100
asa(config-subif)#description DMZ1_NETwork
asa(config-subif)#nameif DMZ1
asa(config-subif)#security-level 50
asa(config-subif)#ip address 10.10.150.1 255.255.255.0

If in future you need to create another DMZ network, simply repeat the above process with a different VLAN number and allow the new VLAN on the switch trunk port.

Yes I do have spare public IP, so which is the correct config for this scenario:

Spare IP Address: 195.22.26.19 mask - 255.255.255.248.

So the Interface DMZ: e0/2 will be : xxx.xxx.xxx.xxx ?

And the IP address for the Server?

For your mail server the static will look like this, assuming 10.10.150.100/24 is your mail server IP:

static (DMZ1,outside) 195.22.26.19 10.10.150.100 netmask 255.255.255.255

Then create inbound access rules with the appropriate TCP ports.

HTH

Jorge

PLS rate any helpful post

Jorge Rodriguez
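Pulling the three replies together, here is an added example (not from the thread, and not a Cisco document) of a complete ASA 8.0(2) configuration for the DMZ mail server, including the access lists the replies mention but do not spell out. It assumes the nameifs outside, inside and DMZ1 (the posted running config uses other names; substitute them), the mail server at 10.10.150.100 and the spare public address 195.22.26.19 from the thread, the inside network 10.10.100.0/24 and the two name-servers from the posted config.

```cisco
! Added example, not from the thread: ASA 8.0(2), pre-8.3 NAT syntax.
! Assumed nameifs: outside, inside, DMZ1. Mail server 10.10.150.100 (from the reply),
! spare public IP 195.22.26.19 (from the question), inside network 10.10.100.0/24.
!
! DMZ on a dot1q subinterface of Ethernet0/2, as the last reply describes
interface Ethernet0/2
 no shutdown
!
interface Ethernet0/2.100
 vlan 100
 nameif DMZ1
 security-level 50
 ip address 10.10.150.1 255.255.255.0
!
! One-to-one static NAT for EDGESRV. The same entry translates the server's
! outbound SMTP, so no extra PAT entry is needed for it.
static (DMZ1,outside) 195.22.26.19 10.10.150.100 netmask 255.255.255.255
!
! Identity NAT so inside hosts reach the DMZ untranslated (inside -> DMZ1 is
! higher -> lower security, so it is allowed without an ACL entry)
static (inside,DMZ1) 10.10.100.0 10.10.100.0 netmask 255.255.255.0
!
! Inbound from the Internet: SMTP only, to the mapped (public) address, which is
! what pre-8.3 outside ACLs must reference
access-list outside_access_in extended permit tcp any host 195.22.26.19 eq smtp
access-group outside_access_in in interface outside
!
! What EDGESRV may initiate. Applying an ACL on DMZ1 replaces the default
! (lower -> higher denied, higher -> lower allowed) with an explicit policy:
! SMTP out, DNS to the resolvers in the posted config, nothing toward inside.
access-list DMZ1_access_in extended permit tcp host 10.10.150.100 any eq smtp
access-list DMZ1_access_in extended permit udp host 10.10.150.100 host 195.22.0.136 eq domain
access-list DMZ1_access_in extended permit udp host 10.10.150.100 host 195.22.0.33 eq domain
access-list DMZ1_access_in extended deny ip any any log
access-group DMZ1_access_in in interface DMZ1
!
! The thread's inside ACL permits tcp any any; a tighter version limited to the
! four ports the question lists for EDGESRV (add the inside -> Internet permits
! you need to the same list, since the ACL ends in an implicit deny)
object-group service EDGESRV_ports tcp
 port-object eq smtp
 port-object eq 50389
 port-object eq 50636
 port-object eq 3389
access-list inside_access_in extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.150.100 object-group EDGESRV_ports
access-group inside_access_in in interface inside
```

The logged deny on DMZ1 is the line to watch: any hit on it from 10.10.150.100 toward the inside network means the DMZ host is trying to reach something it should not, which is exactly the behaviour a DMZ exists to contain.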