Cisco ASA 5510: DMZ allowed Inside help


    I'm looking for a bit of help on our Cisco ASA 5510. I've done my best by learning on my own, and posted below is the resulting config. I'm normally a voyeur on the forums, but after 4 days of trying to wrap my head around this, I'm lost.

    The ASA has redundant Internet connections, does IPSEC/L2TP & SSL VPN, acts as a DMZ, and allows trusted visiting users Internet access via the DMZ segment. The problem I'm running into is that I want the WWW server to access the internal MySQL database. I also want to allow WWW traffic into the server from all the interfaces (outside, dmz, and inside). I've tried a variety of different ways to allow the traffic in but I fail each time. I've posted the config I have without any opening of traffic in hopes of a bit of help.

    In my previous attempts, I could get port 3306 opened to the inside, but Wireshark showed other ports involved. I think I'm not doing "STATIC" correctly. Could someone give me a clue? If somebody wouldn't mind critiquing my newbie config for things I'm doing incorrectly, that would be a huge help too.

    (Here is a pictorial of what I've got: Click Here!)


    : Saved
    : Written by enable_15 at 12:03:38.169 UTC Mon Feb 16 2009
    !
    ASA Version 8.0(4)
    !
    terminal width 132
    hostname inet-asa
    names
    !
    interface Ethernet0/0
    description "Comcast"
    nameif outside
    security-level 0
    ip address aa.bb.cc.65 255.255.255.248
    !
    interface Ethernet0/1
    description "I2K DSL"
    nameif i2kdsl
    security-level 0
    ip address dd.ee.ff.240 255.255.255.0
    !
    interface Ethernet0/2
    description "DMZ/Publc Wireless"
    nameif dmz
    security-level 50
    ip address 172.40.50.1 255.255.255.0
    !
    interface Ethernet0/3
    description "Inside Network"
    nameif inside
    security-level 100
    ip address 172.20.253.2 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    object-group network DM_INLINE_NETWORK_1
    network-object 172.20.0.0 255.255.0.0
    network-object 192.168.0.0 255.255.255.0
    access-list allow_icmp extended permit icmp any any echo-reply
    access-list allow_icmp extended permit icmp any any unreachable
    access-list allow_icmp extended permit icmp any any time-exceeded
    access-list allow_icmp extended permit icmp any any source-quench
    access-list VPN-USERS_splitTunnelAcl standard permit 172.20.0.0 255.255.0.0
    access-list VPN-USERS_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 10.10.10.0 255.255.255.224
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any source-quench
    pager lines 40
    logging enable
    logging asdm warnings
    mtu outside 1500
    mtu i2kdsl 1500
    mtu dmz 1500
    mtu inside 1500
    mtu management 1500
    ip local pool VPNPOOL 10.10.10.2-10.10.10.19 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-615.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (i2kdsl) 1 interface
    nat (dmz) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    access-group allow_icmp in interface i2kdsl
    route outside 0.0.0.0 0.0.0.0 aa.bb.cc.70 1 track 101
    route i2kdsl 0.0.0.0 0.0.0.0 dd.ee.ff.1 2
    route inside 172.20.0.0 255.255.0.0 172.20.253.1 1
    route inside 192.168.0.0 255.255.0.0 172.20.253.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server radius_servers protocol radius
    aaa-server radius_servers (inside) host 172.20.1.201
    timeout 5
    key mysuperdupersecretkey
    radius-common-pw mysuperdupersecretkey
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 172.20.0.0 255.255.0.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 1
    type echo protocol ipIcmpEcho xx.xx.xx.xx interface outside
    frequency 30
    sla monitor schedule 1 life forever start-time now
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map outside_map interface i2kdsl
    crypto isakmp enable outside
    crypto isakmp enable i2kdsl
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    !
    track 101 rtr 1 reachability
    telnet timeout 5
    ssh xx.xx.xx.xx 255.255.255.255 outside
    ssh xx.xx.xx.xx 255.255.255.255 i2kdsl
    ssh 172.20.0.0 255.255.0.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd address 172.40.50.20-172.40.50.40 dmz
    dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface dmz
    dhcpd enable dmz
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    enable i2kdsl
    svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy SSL-VPN-USERS internal
    group-policy SSL-VPN-USERS attributes
    banner value You are now connected to the XXXX VPN!
    wins-server value 172.20.1.201
    dns-server value 172.20.1.201
    vpn-tunnel-protocol l2tp-ipsec svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN-USERS_splitTunnelAcl
    default-domain value xxxx.org
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol svc webvpn
    group-policy VPN-USERS internal
    group-policy VPN-USERS attributes
    banner value You are now connected to the XXXX VPN!
    wins-server value 172.20.1.201
    dns-server value 172.20.1.201
    vpn-tunnel-protocol IPSec l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN-USERS_splitTunnelAcl
    default-domain value xxxx.org
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group radius_servers
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool VPNPOOL
    authentication-server-group radius_servers
    default-group-policy SSL-VPN-USERS
    tunnel-group VPN-USERS type remote-access
    tunnel-group VPN-USERS general-attributes
    address-pool VPNPOOL
    authentication-server-group radius_servers
    default-group-policy VPN-USERS
    tunnel-group VPN-USERS ipsec-attributes
    pre-shared-key mysuperdupersecretkey
    tunnel-group VPN-USERS ppp-attributes
    authentication ms-chap-v2
    tunnel-group SSL-VPN type remote-access
    tunnel-group SSL-VPN general-attributes
    address-pool VPNPOOL
    authentication-server-group radius_servers
    default-group-policy SSL-VPN-USERS
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    : end

  • #2
    Re: Cisco ASA 5510: DMZ allowed Inside help

    I couldn't find any static entries in that config at all!
    If you are allowing inbound traffic from a low- to a high-security interface then you generally need to set up a static and an ACL.
    So from outside to inside you would have something like
    Code:
    static (inside,outside) 1.1.1.1 10.0.0.2
    or for a specific port only
    Code:
    static (inside,outside) tcp 1.1.1.1 80 10.0.0.2 80
    then you have your acl of
    Code:
    access-list inbound_on_outside permit tcp any host 1.1.1.1 eq 80
    access-group inbound_on_outside in interface outside
    My understanding is that you can't set up more than one static to the same port/IP from different interfaces though, so you couldn't set up

    Code:
    static (inside,outside) tcp 1.1.1.1 80 10.0.0.2 80
    and
    Code:
    static (inside,dmz) tcp 192.168.0.1 80 10.0.0.2 80
    Maybe you can setup the same site on different ports and work that way?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: Cisco ASA 5510: DMZ allowed Inside help

      I got the config working. I'll post my solution next week. Basically, my problem was NAT and globals.

      Your tips pointed me in the right direction. Exactly what I needed. Thanks!
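      The solution itself was never posted, so here is an added configuration example (not from the original thread or either poster) that puts Andy's static + ACL pattern from #2, and the "NAT and globals" fix the OP alludes to in #3, against the posted config. It covers the three paths the first post asks for: DMZ web server to inside MySQL, Internet to the web server on both ISP links, and inside users to the web server. The interface names, ACL names and networks are the ones in the posted config; the two host addresses (web server 172.40.50.10 in the DMZ, MySQL 172.20.1.50 on the inside) are assumptions. The syntax is the pre-8.3 static/nat/global form that matches ASA 8.0(4).

```cisco
! Added example for the posted 8.0(4) config (not the original poster's solution).
! Assumed hosts: DMZ web server 172.40.50.10, inside MySQL server 172.20.1.50.
!
! 1) DMZ web server -> inside MySQL (low to high security).
!    The ASA needs a translation for dmz->inside before it will even consult
!    an ACL; an identity static for the DB host provides one without
!    changing the address. The dmz ACL then permits only that one flow.
!    Once an ACL is applied to dmz the implicit "permit to lower security"
!    is gone, so the guest-Internet path has to be permitted explicitly,
!    after denying everything else toward inside and management.
static (inside,dmz) 172.20.1.50 172.20.1.50 netmask 255.255.255.255
access-list dmz_access_in extended permit tcp host 172.40.50.10 host 172.20.1.50 eq 3306
access-list dmz_access_in extended deny ip any 172.20.0.0 255.255.0.0
access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
!
! 2) Internet -> DMZ web server on both ISP links.
!    One port static per outside-facing interface, using that interface's
!    own address, plus a permit in the ACL already applied to that interface
!    (outside_access_in on outside; the i2kdsl interface has allow_icmp
!    applied, so the permit has to go there despite the name).
static (dmz,outside) tcp interface 80 172.40.50.10 80 netmask 255.255.255.255
static (dmz,i2kdsl) tcp interface 80 172.40.50.10 80 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 80
access-list allow_icmp extended permit tcp any interface i2kdsl eq 80
!
! 3) Inside -> DMZ web server (high to low).
!    Allowed by security level, but "nat (inside) 1 0.0.0.0 0.0.0.0" matches
!    the traffic and the posted config has no "global" on dmz, so the ASA
!    drops it with "no translation group found". Give nat id 1 a global on
!    dmz (PAT to the dmz interface address).
global (dmz) 1 interface
```

      After adding or changing statics on this release, run `clear xlate` so stale translations do not mask the new ones, then confirm each path with packet-tracer before touching the hosts, e.g. `packet-tracer input dmz tcp 172.40.50.10 40000 172.20.1.50 3306` and `packet-tracer input outside tcp 203.0.113.9 40000 aa.bb.cc.65 80`; `show xlate` should then list the identity and port statics. The inside router at 172.20.253.1 must send 172.40.50.0/24 back to the ASA's inside address (a default route to the ASA is enough) or the DB server's replies never reach the DMZ. Two caveats worth stating because the DMZ doubles as public wireless: the 3306 permit is keyed on a source address on an open segment, so anyone who assigns themselves 172.40.50.10 gets the same path to the database (keep the server outside the DHCP range and consider a separate DMZ VLAN for it), and the web server becomes the single bridge from the guest segment to the inside, so it should expose nothing but port 80 and the DB account it uses should be limited to the one schema it needs.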



      • #4
        Re: Cisco ASA 5510: DMZ allowed Inside help

        Sounds good, thanks
        cheers
        Andy

