Setting up DMZ with Site to Site

jchristopher1
Level 1

Hello,

This is my first time posting on here and I am very new to Cisco and still very much a networking newbie. My company has 2 Cisco ASA 5510s, one located at each site. I am trying to set up a DMZ so that our badge system located at Site A can talk to the node at Site B. I have set up the Site to Site VPN. The badge company that we hired states that we will need to set up a DMZ for them to talk to each other. Do I need to set up a DMZ on both sites or just one? I will paste what I have so far. I am not sure what to do. The badge system is on the inside network. Their devices broadcast multicast traffic and use port 7262 to talk to each other.


interface Ethernet0/0
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 1.2.3.4 255.255.255.240
!
interface Ethernet0/1
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 192.168.201.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.1.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-amzn
 subnet 10.200.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.201.0_24
 subnet 192.168.201.0 255.255.255.0
object network Site-Plano-Internal
 subnet 192.168.223.0 255.255.255.0
object network Plano-External
 host 1.2.3.6
object network Site-Austin-Internal
 subnet 192.168.201.0 255.255.255.0
object network DMZ-subnet
 subnet 172.16.1.0 255.255.255.0
object network DMZ-Host-EXT
 host 1.2.3.5
object network DMZ-Host-INT
 host 172.16.1.1
object-group network obj-SrcNet
 network-object 0.0.0.0 0.0.0.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp information-reply
 service-object icmp information-request
 service-object icmp time-exceeded
 service-object icmp traceroute
 service-object icmp unreachable
 service-object tcp-udp destination eq echo
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp information-reply
 service-object icmp information-request
 service-object icmp time-exceeded
 service-object icmp traceroute
 service-object icmp unreachable
 service-object tcp destination eq echo
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service s2node tcp-udp
 description s2node
 port-object eq 7262
object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp time-exceeded
access-list 100 extended permit icmp any4 any4 echo-reply
access-list 100 extended permit icmp any4 any4 source-quench
access-list 100 extended permit icmp any4 any4 unreachable
access-list 100 extended permit icmp any4 any4 time-exceeded
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit ip host 2.1.2.1 host 1.2.3.4
access-list 100 extended permit ip host 2.1.2.0 host 1.2.3.4
access-list acl-amzn extended permit ip any4 10.200.0.0 255.255.0.0
access-list amzn-filter extended permit ip 10.200.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list amzn-filter extended deny ip any4 any4
access-list outside_access_in remark ICMP type 11 for Windows Traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_acl extended permit icmp any any
access-list Outside_cryptomap extended permit ip object Site-Austin-Internal object Site-Plano-Internal
access-list Outside_cryptomap extended permit icmp any any
access-list Outside_cryptomap extended permit icmp object Site-Austin-Internal object Site-Plano-Internal
access-list Outside_cryptomap extended permit icmp object Site-Plano-Internal object Site-Austin-Internal
access-list Outside_cryptomap extended permit icmp any4 any4 echo-reply
access-list Outside_cryptomap extended permit icmp any4 any4 source-quench
access-list Outside_cryptomap extended permit icmp any4 any4 unreachable
access-list Outside_cryptomap extended permit icmp any4 any4 time-exceeded
access-list Outside_cryptomap extended permit icmp any any echo-reply
access-list Outside_cryptomap extended permit icmp any any source-quench
access-list Outside_cryptomap extended permit icmp any any unreachable
access-list Outside_cryptomap extended permit icmp any any time-exceeded
access-list Outside_cryptomap extended permit icmp any4 any4
access-list Outside_cryptomap extended permit object-group DM_INLINE_SERVICE_1 any4 object Site-Austin-Internal
access-list Outside_cryptomap extended permit object-group DM_INLINE_SERVICE_2 object Site-Austin-Internal any4
access-list Outside_cryptomap extended permit object-group TCPUDP any any object-group s2node
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit object-group TCPUDP any any object-group s2node
access-list global_access extended permit object-group TCPUDP any any object-group s2node
access-list global_access extended permit object-group DM_INLINE_SERVICE_3 any any
pager lines 24
logging enable
logging asdm-buffer-size 200
logging trap emergencies
logging asdm notifications
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-714.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
nat (Inside,Outside) source static Site-Austin-Internal Site-Austin-Internal destination static Site-Plano-Internal Site-Plano-Internal no-proxy-arp route-lookup
!
object network obj_any
 nat (Inside,Outside) dynamic interface
object network DMZ-subnet
 nat (DMZ,Outside) dynamic interface
access-group outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 1.2.3.4 1

dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.201.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 587
sla monitor 1
 type echo protocol ipIcmpEcho 10.200.0.1 interface Outside
 frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df Outside
crypto map journeyed_austin 1 match address acl-amzn
crypto map journeyed_austin 1 set pfs
crypto map journeyed_austin 1 set peer 2.1.2.0 2.1.2.1
crypto map journeyed_austin 1 set ikev1 transform-set transform-amzn
crypto map journeyed_austin interface Outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
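The configuration above binds one crypto map (journeyed_austin) to the Outside interface, and its single entry matches interesting traffic with acl-amzn, while the ACL named Outside_cryptomap is defined but never referenced by a crypto-map entry. Before adding a DMZ it is worth knowing which flows the firewall will actually send through the tunnel and which it will pass unencrypted to the default route. The script below is an added example, not the poster's code or anything from Cisco: it parses a small subset of ASA syntax (network objects, extended ACL entries, crypto-map entries), then answers "would this src/dst pair hit a crypto-map ACL on this interface?" by first-match evaluation. The embedded sample is an excerpt of the posted configuration; the function names, the hypothetical flow addresses 192.168.201.10, 192.168.223.10 and 10.200.0.5, and the assumption that crypto ACLs follow the ASDM naming suffix `_cryptomap` are mine.

```python
"""Static check of which flows a Cisco ASA crypto map will actually encrypt.

Added example for this thread (not the poster's code). Parses a subset of ASA
syntax: network objects, extended ACL entries and crypto-map entries.
Object-groups and port operands are recognised but not evaluated.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
SUPPORTED_PROTOS = ("ip", "tcp", "udp", "icmp")

# Constructed sample: an excerpt of the configuration posted above, trimmed to
# the objects, ACLs and crypto-map lines this checker understands.
SAMPLE_CONFIG = """\
object network obj-amzn
 subnet 10.200.0.0 255.255.0.0
object network Site-Plano-Internal
 subnet 192.168.223.0 255.255.255.0
object network Site-Austin-Internal
 subnet 192.168.201.0 255.255.255.0
object network Plano-External
 host 1.2.3.6
access-list acl-amzn extended permit ip any4 10.200.0.0 255.255.0.0
access-list Outside_cryptomap extended permit ip object Site-Austin-Internal object Site-Plano-Internal
access-list Outside_cryptomap extended permit object-group TCPUDP any any object-group s2node
crypto map journeyed_austin 1 match address acl-amzn
crypto map journeyed_austin 1 set pfs
crypto map journeyed_austin 1 set peer 2.1.2.0 2.1.2.1
crypto map journeyed_austin 1 set ikev1 transform-set transform-amzn
crypto map journeyed_austin interface Outside
"""


def _operand(tokens, objects):
    """Resolve one ACL address operand; returns (network or None, tokens used)."""
    kind = tokens[0]
    if kind in ("any", "any4"):
        return ANY, 1
    if kind == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    if kind == "object":
        return objects.get(tokens[1]), 2
    if kind == "object-group" or len(tokens) < 2:
        return None, 2            # groups are out of scope for this checker
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), 2


def _map_entry(cfg, name, seq):
    """Get or create the crypto-map entry record for (map name, sequence)."""
    return cfg["maps"].setdefault(name, {}).setdefault(int(seq), {"acl": None, "peers": []})


def parse_asa(text):
    """Collect network objects, ACL entries (in order) and crypto-map entries."""
    cfg = {"objects": {}, "acls": {}, "maps": {}, "bound": {}}
    obj = None                    # name of the 'object network' block being read
    for line in text.splitlines():
        t = line.split()
        if not t or line.startswith("!"):
            continue
        if line.startswith(" "):  # indented sub-command of the current block
            if obj and t[0] == "subnet":
                cfg["objects"][obj] = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            elif obj and t[0] == "host":
                cfg["objects"][obj] = ipaddress.ip_network(t[1] + "/32")
            continue
        obj = t[2] if t[:2] == ["object", "network"] else None
        if t[0] == "access-list" and t[2] == "extended" and t[4] in SUPPORTED_PROTOS:
            src, used = _operand(t[5:], cfg["objects"])
            dst, _ = _operand(t[5 + used:], cfg["objects"])
            cfg["acls"].setdefault(t[1], []).append((t[3], t[4], src, dst))
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["bound"].setdefault(t[4], []).append(t[2])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            _map_entry(cfg, t[2], t[3])["acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            _map_entry(cfg, t[2], t[3])["peers"] = t[6:]
    return cfg


def acl_permits(cfg, acl_name, src_ip, dst_ip, proto="ip"):
    """First-match evaluation of an extended ACL for one src/dst pair.

    Entries with unsupported operands (object-groups) never match, so the
    result is conservative: 'permit' is only reported when it is certain.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, entry_proto, s, d in cfg["acls"].get(acl_name, []):
        if s is None or d is None or entry_proto not in ("ip", proto):
            continue
        if src in s and dst in d:
            return action == "permit"
    return False


def encrypting_entry(cfg, interface, src_ip, dst_ip, proto="udp"):
    """Crypto-map entry (map, seq, acl, peers) that would encrypt the flow, or None."""
    for map_name in cfg["bound"].get(interface, []):
        for seq, entry in sorted(cfg["maps"].get(map_name, {}).items()):
            if entry["acl"] and acl_permits(cfg, entry["acl"], src_ip, dst_ip, proto):
                return map_name, seq, entry["acl"], entry["peers"]
    return None


def unbound_crypto_acls(cfg, suffix="_cryptomap"):
    """ACLs named like ASDM crypto ACLs (assumed suffix) that no crypto map references."""
    referenced = {e["acl"] for m in cfg["maps"].values() for e in m.values()}
    return sorted(n for n in cfg["acls"] if n.endswith(suffix) and n not in referenced)


if __name__ == "__main__":
    cfg = parse_asa(SAMPLE_CONFIG)
    for dst in ("10.200.0.5", "192.168.223.10"):          # hypothetical flows
        hit = encrypting_entry(cfg, "Outside", "192.168.201.10", dst)
        print(f"192.168.201.10 -> {dst}: {'tunnel via ' + str(hit) if hit else 'NOT encrypted'}")
    print("crypto ACLs not bound to any crypto map:", unbound_crypto_acls(cfg))
```

Run against the excerpt it reports that Austin to 10.200.0.0/16 is encrypted toward peers 2.1.2.0 and 2.1.2.1, that Austin to Plano (192.168.223.0/24) hits no crypto-map entry and therefore leaves the Outside interface in the clear, and that Outside_cryptomap is unbound; whether that is intended is for the site owner to decide, and the thread's own follow-up says the badge problem turned out to be on the vendor's equipment. The checker is deliberately conservative: object-group operands are treated as non-matching, and NAT is not modelled. Note also that an ASA LAN-to-LAN IPsec tunnel carries unicast only, so the multicast the badge devices send between sites would need a GRE tunnel on routers behind the firewalls, which this script does not model either.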

1 Reply

jchristopher1
Level 1

The issue with the badge system was not the network but misconfigured equipment on their end.