Add interfaces to DMZ
Hello Everyone
I have a new ASA 5512 which does not allow me to use VLANs like I did with the previous version. I have 3 interfaces: inside, outside and dmz. I want to add another unused interface to my DMZ network instead of uplinking my dmz interface to a switch. Before, I could create a VLAN for DMZ and then add the interfaces to that. How can I have multiple interfaces on the same network? I essentially want to make int gi0/3 into an access port on the dmz network.
Thanks in advance
Hi,
To my understanding you won't be able to have 2 interfaces be part of the same subnet since all the ports are router/routed ports instead of switch ports.
You can configure a physical interface as a Trunk and configure the required Vlans on that Trunk. You can also configure an Etherchannel/Port-channel of multiple interfaces and use it as a Trunk (which would be the more logical choice with the new ASA5500-X series as they have better performance/throughput than the original ASA series).
We have actually run out of allocated Vlan interfaces on an FWSM once. The device had so many virtual firewalls (Security Contexts) that we reached the 1000 interface cap on the device.
- Jouni
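One way to give the DMZ more than one physical port along the lines Jouni describes, as an added example that is not from the original thread: bundle two free ports into an EtherChannel, carry the DMZ VLAN over it as an 802.1Q trunk, and put the routed configuration on a subinterface. This is ASA 9.x syntax for a 5512-X; the member ports (Gi0/2 and Gi0/3), VLAN 50 and the 172.16.50.0/24 addressing are assumptions.

```cisco
! Added example (not from the thread). Assumed: Gi0/2 and Gi0/3 are the two ports
! that should both serve the DMZ, and the DMZ is VLAN 50 on the connected switch.
! A member of a channel-group may carry no nameif/IP of its own, so any existing
! dmz configuration is removed from the physical port first.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 channel-group 1 mode active
 no shutdown
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
 channel-group 1 mode active
 no shutdown
!
! The Port-channel itself stays unnamed; it is only the 802.1Q trunk parent.
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
! The routed DMZ lives on the subinterface tagged with VLAN 50 (assumed).
interface Port-channel1.50
 vlan 50
 nameif dmz
 security-level 50
 ip address 172.16.50.1 255.255.255.0
```

The switch side has to present the same two ports as an LACP port-channel in trunk mode allowing VLAN 50; DMZ hosts then attach to switch ports in VLAN 50 rather than directly to the ASA, because the bundle behaves as one link, not as two independent access ports. `show port-channel summary` and `show interface Port-channel1.50` confirm that the bundle is up and the subinterface has its address.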
Similar Messages
-
Add Interface mapping to Receiver Determination is not possible
Hello,
I create some scenarios from R\3 to BW and R\3 to File.
When I want to add Interface mapping to Receiver Determination is not possible.
Neither by choosing from the list nor with copy and paste.
Any ideas?
Regards
Elad
Hi Elad,
Just check whether your interface mapping that you defined in IR is activated properly or not. It will be present in the hit list as soon as you click the help button of the interface mapping of the interface determination in the ID.
Regards,
Prasanthi.
How to add an interface to a customized MXML Component when using Flex Builder 3?
David,
I don't believe you can add the interface via the creation
dialog in FlexBuilder 3. You can always manually add the
"implements" property to your MXML Component root tag. Something
like this: <mx:VBox implements="com.mycorp.IMyInterface">
If you want autogeneration of the interface, then create an
ActionScript class with that interface and then copy the generated
functions and setter/getters into the script block of your MXML
component.
Add interfaces to page items.
Hi,
We have many documents already, and need to "tag" or add attributes to items, which will be written to the IDML. The idea is for us to be able to select items on a page, and then convert them later to interactive fields in PDF. I am trying to figure out how to select an item on a page, like a TextFrame, and add a custom interface to it. I suppose once I have added a custom interface to the object, I should be able to control how it prints IDML, and add an attribute to the IDML that is printed for that item.
Thanks,
Dave.
OK, I have been working with the BPI sample for a little while, but I am stuck, and am really new to this SDK. I am trying to add another attribute which will be printed next to BPIData in the IDML. I am stuck trying to set the value of the new attribute.
Here is how I am attempting to add the attribute (mine is the second Property below):
BPI.fr:
// BPIData - a string label
Property
{
    kBPIDataPropertyScriptElement,                  // this property's script element ID
    p_BPIData,                                      // ScriptID
    "bpi data",                                     // name
    "BasicPersistInterface label for a page item ", // description
    StringType,                                     // type
    {}                                              // alternate types
    kNoAttributeClass,                              // attribute class ID
}
// JMAName - a second string label (the new attribute)
Property
{
    kJMANamePropertyScriptElement,                  // this property's script element ID
    p_JMAName,                                      // ScriptID
    "JMA Name",                                     // name
    "BasicPersistInterface label for a page item ", // description
    StringType,                                     // type
    {}                                              // alternate types
    kNoAttributeClass,                              // attribute class ID
}
THEN I WAS looking at
ErrorCode BPIHelper::ProcessBPISetDataCmd(const UIDList& itemList, const WideString& value)
to attempt to set the attribute, but this is where I get lost.
What do you think, am I on the right track? How would you set the new attribute listed above?
How can I add interface languages to my Android yoga 2?
Hi,
I just bought a new Yoga 2 830F 8" Android tablet. To my surprise, the Hebrew language that has existed natively in Android for a few years now was omitted from Lenovo's build, so I am left with using only English as the interface language. I would be OK with that but this tablet is for my son who doesn't know English.
Is there any way to re-add the lost language?
Thanks,
Oren
Open dictionary.app in Applications and go to its preferences and check the boxes for the dictionaries you want.
-
Hi All,
I'm adding an extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify an interface name instead of object, host/network, but can't find it documented anywhere. What is the behavior of that?
access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
Is it matching the egress interface or what?
Use the interface name rather than IP address to match traffic based
on which interface is the source or destination of the traffic. You must
specify the interface keyword instead of specifying the actual IP
address in the ACL when the traffic source is a device interface. For
example, you can use this option to block certain remote IP addresses
from initiating a VPN session to the ASA by blocking ISAKMP. Any
traffic originated from or destined to the ASA, itself, requires that you
use the access-group command with the control-plane keyword.
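A constructed control-plane ACL that shows the two points the quoted documentation makes: the interface keyword standing in for the ASA's own interface address, and the control-plane keyword for traffic to the box itself. This is an added example, not part of the answer; the remote range 203.0.113.0/24 is an RFC 5737 documentation prefix chosen for illustration, and the ACL name is made up.

```cisco
! Added example (not from the thread). Packets addressed to the ASA's own outside
! address are to-the-box traffic and are filtered with a control-plane ACL; the
! "interface outside" operand names that address without hard-coding it.
! 203.0.113.0/24 is a documentation prefix used here as a constructed remote range.
access-list OUTSIDE-CP extended deny udp 203.0.113.0 255.255.255.0 interface outside eq isakmp
access-list OUTSIDE-CP extended deny udp 203.0.113.0 255.255.255.0 interface outside eq 4500
! A control-plane ACL ends in an implicit deny like any other ACL, so keep a
! permit for everything else that may legitimately reach the box (VPN, management).
access-list OUTSIDE-CP extended permit ip any interface outside
access-group OUTSIDE-CP in interface outside control-plane
```

Read against the VOICE_IN line above: `interface OUTSIDE` as the destination matches packets whose destination is the outside interface's own address, not traffic leaving through that interface; per the quoted documentation such to-the-box traffic is only governed by an ACL attached with control-plane, so a through-the-box access-group does not give that line the effect of an egress-interface match. `show access-list OUTSIDE-CP` shows the hit counts per entry.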
Castable to any class or dynamically add interface to Dynamic Proxy
I have your typical creation of a DynamicProxy:
MyInterface handler = (MyInterface) Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(), new Class<?>[] { MyInterface.class }, handler);
After this, now I want handler to be castable to a different interface, let's say Iface2.
If I try to do so:
Iface2 iface2 = (Iface2) handler;
it will throw a class cast exception. I know I could create a new proxy, but that won't work for me because I may already have places in the code that have a reference to this specific instance.
So, either I want to be able to magically make the handler instance castable to a new type, or... is there some way in the initial creation of handler that I could make it castable to anything to begin with?
Ideally, I want a proxy that is castable to anything--any calls to it go to InvocationHandler.invoke and I handle appropriately.
Thanks!
mentics wrote:
Dynamically at runtime is the key thing here. The interfaces all already exist.
The interfaces that you are using you are not creating at runtime. My suggestion is just another interface.
mentics wrote:
But I want to be able to have it castable to an arbitrary interface at runtime.
Can't do that any more than you can arbitrarily cast a random object to a specific interface.
-
Cisco Prime Infrastructure is a damned nightmare of browser bugs (some features work in IE8, some in IE9, and some only in Firefox). And I am not sure if what I am experiencing is a browser bug - or a real bug - or something that I was able to do before and can't any more? I would love for someone to either explain why this is happening to me, or reproduce the bug!
I'm running Prime 2.1.1. I am doing this ...
Configure > Controller Template Launchpad
System > Dynamic Interface
Select a command > Add interface (GO)
Enter all the properties - roll to the bottom of the page, and click Apply to Controllers
I have four controllers. And normally I would add an interface for each controller. But I can only create two out of the four. It doesn't matter which two I choose. When I click Add under Manage Interfaces for the third controller, I cannot click the Done button to apply it (see screenshot, attached). I have found that if I change the VLAN to something else, it will let me save it. But ... why? I went back and reviewed all of my existing interface templates and I am not doing anything different. Although, they were all created a long while ago using WCS 7.x.
Any help, guidance, or confirmation of insanity would be appreciated.
-Steve Ballantyne
I doubt I will get any hits on this here but I always try. I opened a TAC case. I will come back and comment on whatever they find.
-
Hello,
I am new to Cisco firewalls and am attempting to set up a DMZ on the firewall.
I have managed to create the interface and VLAN and IP address settings etc. But I'm a bit lost with the NAT settings and rules I need to create for it.
I need to be able to do the following:
- RDP access from inside network to the DMZ servers
- Internet access for the DMZ
I am also setting up Active Directory Federation and require HTTPS traffic from the following:
- DMZ HTTPS to outside (Office 365 Services)
- Outside HTTPS to DMZ (ADFS Servers on DMZ only)
- DMZ HTTPS to inside (ADFS Servers Only)
- Inside HTTPS to DMZ (ADFS Servers Only)
Running Config:
interface Vlan1
nameif inside
security-level 100
ip address ccl-sua-asa 255.255.255.0
ospf cost 10
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.0.1 255.255.255.0
interface Vlan100
nameif outside
security-level 0
ip address 77.107.90.202 255.255.255.248
ospf cost 10
interface Ethernet0/0
switchport access vlan 100
speed 100
duplex full
interface Ethernet0/1
description Connected to CCL-SUA-SW1 port 16
interface Ethernet0/2
switchport access vlan 3
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp host 87.86.204.100 host 77.107.90.203 eq smtp
access-list inbound remark Inbound ACT for Ruth Edmonds Only
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 5022 inactive
access-list inbound remark Inbound rules for OWA 30/06/09 MD
access-list inbound extended permit tcp any host 77.107.90.203 eq https log
access-list inbound remark Inbound access for LDAP and SMTP from mimecast 02/07/09 MD
access-list inbound extended permit tcp object-group mimecast interface outside eq ldap
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq smtp
access-list inbound remark change request MET 56030 inbound POP3 for mimecast
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq pop3
access-list inbound remark Inbound rule for helpdesk 10/07/2012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq https
access-list inbound remark Inbound rule for survey 011012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq www
access-list inbound extended deny ip any any
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list vpn-met-bir extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list outbound extended permit ip object-group servers 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 192.168.255.0 255.255.255.0
access-list outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outbound extended deny udp any 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 10.0.0.0 255.0.0.0
access-list outbound extended deny ip any 192.168.0.0 255.255.0.0
access-list outbound extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.40.0 255.255.255.0
nat (inside) 1 192.168.41.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (inside,outside) tcp interface 5022 192.168.41.1 ssh netmask 255.255.255.255
static (outside,outside) tcp interface ssh 192.168.41.1 ssh netmask 255.255.255.255
static (inside,outside) tcp interface www WEB www netmask 255.255.255.255
static (inside,outside) tcp interface ldap FILESERVER ldap netmask 255.255.255.255
static (inside,outside) 77.107.90.203 MAILSERVER netmask 255.255.255.255
static (inside,outside) 77.107.90.205 helpdesk netmask 255.255.255.255
static (dmz,outside) 77.107.90.206 172.16.0.7 netmask 255.255.255.255
access-group outbound in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 77.107.90.201 1
route inside 192.168.41.0 255.255.255.0 ccl-sua-sw1 1
Like I mentioned, I have already set up the DMZ itself, but it's just the NAT and rules I'm struggling to get working.
Many Thanks
James
Hi,
If you have only a ASA5505 Base License then you can initiate/open connections from the DMZ to INSIDE
You can confirm the License level with "show version" command. It should read at the end of the output.
In the Base License you only have a restricted DMZ/3rd interface on the ASA. You can connect to it from anywhere BUT you have to limit it from connecting towards one of the other 2 interfaces. You have already done this with the command
no forward interface Vlan1
Which to my understanding is required to get the 3rd interface active when you only have Base License on ASA5505.
OUTSIDE -> DMZ
INSIDE -> DMZ
Connection initiating should be possible.
So it seems to me that you already have one problem that will limit connectivity and not just the NAT.
You already seem to have the Default PAT configuration for DMZ Internet traffic.
You don't have the NAT for DMZ <-> INSIDE traffic but as mentioned above it might already be limited by something else even though your configurations were fine.
The correct NAT configuration to enable that traffic would be to use
static (inside,dmz) netmask
Repeat for all
EDIT: Naturally you would also need an ACL on the DMZ interface for DMZ -> INSIDE traffic since the INSIDE is of higher "security-level". But as soon as you add the ACL to the DMZ interface you would also have to use it to allow Internet bound traffic since the "security-level" loses its meaning after an ACL is attached to the interface.
- Jouni
ASA 5505 Site-to-Site VPN to remote dmz access
I don't have a ton of experience with ASA firewalls, but I've searched everywhere and I can't seem to find a solution to this.
I have 2 sites connected by a Site-to-Site VPN with ASAs (5540 on Site 1, 5505 on Site 2). I'm using ASDM.
Lets call:
Site 1 LAN: 192.168.1.0
Site 2 LAN: 192.168.2.0
Site 2 DMZ: 172.16.2.0
Traffic from Site 1 to Site 2 is perfect moving across the LANs. My workstation (192.168.1.10) can ping anything in Site 2's LAN (192.168.2.0/24).
Recently, I added a UniFi WAP device to Site 2 DMZ. Since I want to be able to manage this DMZ WAP from the LAN with a management server, I created a network object in Site 2's ASA. I called this object DMZ_WAP, IP address 172.16.2.2. I checked the box for "Add Automatic Address Translation Rules" and configured Type to "Static" and Translated Addr to "192.168.2.8", source interface DMZ to Any destination interface. This of course created 2 "Network Object" NAT rules.
I then created a DMZ incoming rule that says Source: DMZ_WAP, Destination: net_site1_lan (this object was of course created for the site to site vpn), allow all IP traffic. I created an Outside incoming rule that says net_site1_lan can access DMZ_WAP.
Awesome, I can now ping 192.168.2.8 from anywhere within Site 2. The problem is... I can't ping 192.168.2.8 from my workstation in site 1 (192.168.1.10). If I run Packet Tracer (interface dmz, packet type TCP, source 172.16.2.2 port "echo", destination 192.168.1.10 port "echo") everything turns up green checkmark, the packet is allowed. So why do I have no contact?
I apologize, as I realize ASDM isn't what most of you probably use. But anyone have any ideas? Been researching this for about 4 hours now, perhaps I'm barking up the wrong tree.
Thanks,
Garrick
Here's my sanitized config. Any help would be greatly appreciated. Again, the point is simply to make the object SITE2_DMZ_WAP that is off of the "dmz" interface talk with SITE1 over the site-to-site VPN. I can't let any other traffic through except this one IP. I currently have it NATed.
ASA Version 8.4(1)
no names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.21.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address -OMITTED- 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.21.1 255.255.255.0
interface Ethernet0/0
description Outside WAN1 port
switchport access vlan 2
interface Ethernet0/1
description Inside LAN port
interface Ethernet0/2
description Inside LAN port
interface Ethernet0/3
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/4
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/5
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/6
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/7
description Outside DMZ port
switchport access vlan 3
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name -OMITTED-
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network net_SITE1_lan
subnet 192.168.1.0 255.255.255.0
object network net_SITE2_lan
subnet 192.168.21.0 255.255.255.0
object network net_SITE1_dmz
subnet 172.16.1.0 255.255.255.0
object network net_SITE2_dmz
subnet 172.16.21.0 255.255.255.0
object network SITE2_DMZ_WAP
host 172.16.21.2
object network 192.168.21.8
host 192.168.21.8
description FOR SITE2 WAP
access-list inside_access_in extended permit ip object net_SITE2_lan any
access-list inside_access_in extended deny tcp any any eq smtp
access-list outside_cryptomap extended permit ip object net_SITE2_lan object net_SITE1_lan
pager lines 24
logging enable
logging buffer-size 16384
logging buffered notifications
logging asdm notifications
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.1.35 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static net_SITE2_lan net_SITE2_lan destination static net_SITE1_lan net_SITE1_lan
object network obj_any
nat (inside,outside) dynamic interface
object network SITE2_DMZ_WAP
nat (dmz,any) static 192.168.21.8
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 162.227.34.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authorization exec LOCAL
http server enable
http server idle-timeout 60
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 192.168.1.35 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map CMAP_OUTSIDE 1 match address outside_cryptomap
crypto map CMAP_OUTSIDE 1 set peer -PEER OMITTED-
crypto map CMAP_OUTSIDE 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map CMAP_OUTSIDE 1 set reverse-route
crypto map CMAP_OUTSIDE interface outside
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 60
management-access inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd dns 192.168.2.2 192.168.1.6 interface inside
dhcpd lease 34000 interface inside
dhcpd domain -DOMAIN OMITTED- interface inside
dhcpd update dns both interface inside
dhcpd address 172.16.21.100-172.16.21.200 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd lease 34000 interface dmz
dhcpd enable dmz
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server -NTP SERVERS OMITTED-
ntp server -NTP SERVERS OMITTED-
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username -OMITTED- password -OMITTED- encrypted privilege 15
tunnel-group -IP OMITTED- type ipsec-l2l
tunnel-group -IP OMITTED- general-attributes
default-group-policy GroupPolicy1
tunnel-group -IP OMITTED- ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 5
class-map netflow-export-class
match any
class-map inspection_default
match default-inspection-traffic
class-map QoS_RDP
match access-list QoS_RDP_Server_Branch
class-map QoS_EA
match port tcp eq 2000
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns
inspect ftp
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect ip-options
inspect ipsec-pass-thru
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect xdmcp
class netflow-export-class
flow-export event-type all destination 192.168.1.35
class QoS_RDP
priority
class QoS_EA
priority
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Logoff
DMZ config! How to do? Easy question for experts! (ASA 5510)
Dear All
I would like to add a DMZ and VPN to inside network to my ASA5510 configuration, but I'm not sure about the correct way to achieve my goal (I'm a newbie).
I'll rate your post and promise to send to the best answer a traditional Christmas gift from my country, I'm sure that you will be pleased with it!:)
Goal:
1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.
2- VPN access to inside network.
1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:
- Access to EDGESRV from Internet (SMTP)
- Access from EDGESRV to internet (SMTP)
- Access from internal network to EDGESRV ports: 25 (SMTP), 50389 (LDAP), 50636 (Secure LDAP) and port 3389 (TCP for terminal services)
ROUTER :
Interface Serial IP: 195.22.12.46/30
IP route 0.0.0.0 0.0.0.0 195.22.12.45
Interface Ethernet f0/0: IP 195.22.26.17/29 (connect to router)
ASA NETWORK
Interface External e0/0 :IP 195.22.26.18/29 (connect to router)
Interface internal: e0/1: IP 10.10.100.1 mask 255.255.252.0
Interface DMZ: e0/2 : IP 10.10.150.1 mask 255.255.255.0 (not implemented yet)
ASA Configuration (actual)
ASA Version 8.0(2)
interface Ethernet0/0
nameif Interface_to_cisco_router
security-level 0
ip address 195.22.26.18 255.255.255.248
interface Ethernet0/1
nameif Int_Internal_domain
security-level 100
ip address 10.10.100.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
passwd xxxxxxxxxxxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone WEST 0
clock summer-time WEDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Interface_to_cisco_router
dns domain-lookup Int_Internal_domain.com
dns server-group DefaultDNS
name-server 195.22.0.136
name-server 195.22.0.33
domain-name domain.com
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Interface_to_router_Cisco_access_in extended permit object-group TCPUDP any any eq domain
access-list Interface_to_router_Cisco_access_in extended permit tcp any any eq www
pager lines 24
logging list Registo_eventos_william level emergencies
logging list Registo_eventos_william level emergencies class vpn
logging asdm informational
logging recipient-address [email protected] level critical
mtu management 1500
mtu Interface_to_router_Cisco 1500
mtu Int_Internal_domain 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Interface_to_router_Cisco) 101 interface
nat (Int_Internal) 101 10.10.100.0 255.255.255.0
nat (Int_Internal) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
access-group Interface_to_router_Cisco_access_in in interface Interface_to_router_Cisco
route Interface_to_router_Cisco 0.0.0.0 0.0.0.0 195.22.26.17 1
access-list Int_Internal_access_in extended permit tcp any any
access-list Int_Internal_access_in extended permit udp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.100.0 255.255.255.0 Int_Internal_domain
http 10.10.10.0 255.255.255.0 management
http 195.22.26.16 255.255.255.248 Interface_to_router_Cisco
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
Kind Regards
MP
Mario,
I think you have much more to go but this is a start. I don't think I have covered everything; others in NetPro may add to this.
1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.
Use this example, Configuring Mail server on DMZ http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml
2- VPN access to inside network.
You can configure RA VPN server using/creating in ASA5510 Local user database
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
or configure RA VPN server using IAS RADIUS-Windows AD for authentication
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:
- Access to EDGESRV from Internet (SMTP)
- Access from EDGESRV to internet (SMTP)
- Access from internal network to EDGESRV ports: 25 (SMTP), 50389 (LDAP), 50636 (Secure LDAP) and port 3389 (TCP for terminal services)
-Access to EDGESRV from internet on port smtp if you have spare public IP you can create a one-to-one NAT for this server and create
inbound access rules to allow access on SMTP from the outside internet.
If you do not have spare public IPs for a one-to-one nat on this server you can use ASA outside interface static PAT.
Example : static (dmz,outside) tcp interface smtp netmask 255.255.255.255
-Access from EDGESRV to internet (SMTP)
You need to PAT DMZ network, if EDGESRV does not have one-to-one static NAT
typical scenario
global (outside ) 101 interface
nat (dmz ) 101 0 0
or
nat (dmz) 101 <255.255.255.255>
also for the MAIL Server, if you are using DNS server from your inside network you need acl to allow traffic from MAILserver DMZ to DNS in inside network.
-Access from internal network to EDGSRV ports: 25(SMTP), 50389 (Ldap), 50636(Secure Ldap) and port 3389 (TCP for terminal services)
From low sec level 0 to high sec level, access is permitted by default; you do however need to create a static NAT to allow communication between inside and dmz.
in your scenario if you have 192.168.1.0/24 for inside interface network you would then create something like this.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Observation -
I see you have interface Ethernet0/2 free. I assume you will probably be using this interface for your DMZ; I would advise using subinterfaces and dot1q in order to scale your DMZs in the future.
Look this link for reference on working with subinterfaces
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html
Rgds
Jorge
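The pieces Jorge lists (outside static PAT for SMTP, outbound PAT for the DMZ, an identity static between inside and dmz, and an ACL on the dmz interface), written out as one added example in pre-8.3 global/nat/static syntax. It is not from the thread, and it is the same pattern (identity static (inside,dmz) plus a dmz ACL that must then also permit the Internet-bound traffic) that Jouni describes in the ASA 5505/ADFS thread above, where the Base License restriction additionally applies. It uses the short names outside/inside/dmz as Jorge does, follows his subinterface advice for Ethernet0/2, reuses Mario's existing `global (outside) 101 interface`, and assumes VLAN 150, EDGESRV at 10.10.150.10, the inside network 10.10.100.0/24 and an internal DNS server at 10.10.100.10; the ACL names are made up.

```cisco
! Added example in pre-8.3 syntax; names and addresses are assumptions noted in the lead-in.
! 1. DMZ as a dot1q subinterface of the free Ethernet0/2 (VLAN 150 assumed)
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/2.150
 vlan 150
 nameif dmz
 security-level 50
 ip address 10.10.150.1 255.255.255.0
!
! 2. Outbound PAT for the whole DMZ behind the outside interface address
!    (binds to the already existing "global (outside) 101 interface")
nat (dmz) 101 10.10.150.0 255.255.255.0
!
! 3. Inbound SMTP: static PAT of the outside interface's TCP/25 to EDGESRV (assumed 10.10.150.10)
static (dmz,outside) tcp interface smtp 10.10.150.10 smtp netmask 255.255.255.255
!
! 4. Identity static so inside hosts reach DMZ hosts by their real addresses
!    (inside -> dmz on 25, 50389, 50636, 3389 is then allowed by security-level
!    unless an ACL is attached to the inside interface)
static (inside,dmz) 10.10.100.0 10.10.100.0 netmask 255.255.255.0
!
! 5. Outside ACL: only SMTP to the forwarded port (matched on the interface address)
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-group outside_access_in in interface outside
!
! 6. DMZ ACL: once attached, security-level no longer permits anything on its own,
!    so Internet-bound SMTP must be listed; toward inside only DNS is allowed.
!    The DNS permits come before the deny because 10.10.100.10 is inside that range.
access-list dmz_access_in extended permit udp host 10.10.150.10 host 10.10.100.10 eq domain
access-list dmz_access_in extended permit tcp host 10.10.150.10 host 10.10.100.10 eq domain
access-list dmz_access_in extended deny ip any 10.10.100.0 255.255.255.0
access-list dmz_access_in extended permit tcp host 10.10.150.10 any eq smtp
access-group dmz_access_in in interface dmz
```

Two checks worth running after pasting this in: `packet-tracer input outside tcp 198.51.100.5 12345 195.22.26.18 25` (198.51.100.5 is a constructed Internet source, 195.22.26.18 the outside address from the posted config) should end in ALLOW with the xlate to 10.10.150.10 shown, and `packet-tracer input dmz tcp 10.10.150.10 12345 10.10.100.50 3389` should end in DROP on the dmz_access_in deny, confirming that the server cannot reach anything inside except the DNS server. The deny lines in the dmz ACL also give you a per-entry hit count in `show access-list dmz_access_in` if the DMZ host ever starts probing the inside network.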
Public,pvt and dmz nodes
Hi..
I would like to know the difference between Public, Private and DMZ nodes. By logging into the server, how can we find out which of the above three it is?
My understanding is Public node is accessible to all, private and dmz are limited to a particular set of people or a geography.
How many public,pvt and dmz nodes can we have in E-Business suite ( i guess number is not defined, and we can have as many as we want)
Thx
Hi,
You would be better off configuring the public IP address on the "outside" interface of the ASA5505.
By default you will have some Vlan interface which has all the IP address configurations under it. That Vlan is then attached to some interface. In your case it seems to be Ethernet0 Port.
With the public IP address configured on the "outside" interface you could then use port forward to forward the Web service to the DMZ server
Here's an example configuration
interface Vlan2
description OUTSIDE
nameif outside
security-level 0
ip add 1.1.1.1 255.255.255.252
interface Vlan1
description INSIDE
nameif inside
security-level 100
ip add 10.10.10.1 255.255.255.0
interface Vlan10
no forward interface Vlan1
description DMZ
nameif dmz
security-level 50
ip add 192.168.10.1 255.255.255.0
object network WEB-SERVER
host 192.168.10.10
nat (dmz,outside) static interface service tcp 80 80
access-list OUTSIDE-IN permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE-IN in interface outside
The above configuration is meant to illustrate
"outside" , "inside" and "dmz" interface
The "dmz" interface is configured with the "no forward interface Vlan1" configuration as that is the only way to activate a third Vlan interface on an ASA5505 with only Base License. This will prevent "dmz" hosts from opening a connection to "inside". Notice though that "inside" hosts can still open connections towards the "dmz".
Static PAT or Port Forward configuration between "outside" and "dmz" which provides the DMZ server 192.168.10.10 visibility to Internet using the "outside" interface public IP address. The only service forwarded to the "dmz" server is TCP/80/www
OUTSIDE-IN is the access-list attached to the "outside" interface to allow Web traffic from any source address to the DMZ server.
Interface Mapping not supported in the JPA specification?
Are there any plans to add Interface support in the JPA specification? It is not supported by JPA annotations, which seems quite disruptive to proper object oriented design. However, individual implementations of JPA seem to support this:
http://docs.jboss.org/hibernate/stable/core/reference/en/html_single/#inheritance-tableperclass
http://wiki.eclipse.org/Using_EclipseLink_JPA_Extensions_%28ELUG%29#How_to_Use_the_.40VariableOneToOne_Annotation
There is visible interest in getting this implemented at an Annotation level for Hibernate also but the developers for Hibernate point out that this isn't even in the JPA specifications.
http://opensource.atlassian.com/projects/hibernate/browse/ANN-9
https://forum.hibernate.org/viewtopic.php?f=9&t=941363&sid=4abdbc72cbf04380f4a8e2cadd7dfada&start=15
Is this being talked about/in the works for JPA? Why not include @VariableOneToOne in the spec? It would seem to be quite an essential feature for wide adoption.
Hi,
You can only choose the Interface mapping for the Enhanced receiver determination in the extended tab of Receiver determination, and I don't see the Interface mapping in the select list.
Where do I have to check for the proper outbound message???
Regards -
EPMA very slow to import large dimension from interface tables
I am attempting to import a dimension into the master library from the EPMA interface tables. The dimension is roughly 255,000 members. The import from the interface tables into an empty dimension member is taking close to 3 hours. CPU utilization on the EPMA server is a steady 6% (epma_server.exe) for the entire time. We are on 11.1.2.1.001 of EPMA. The rest of the suite is at 11.1.2.1. The dimension generic type. I have had the same result when importing into a local dimension. The performance degrades after about 6000 members.
Your thoughts would be much appreciated.
I have found my answer in the EPMA guide:
In addition to the dimension interface tables created by the template script, you can add interface tables for additional dimensions. For example, the template script contains one set of tables for the Entity dimension. You can add more Entity dimensions as needed. For each dimension added to the interface tables, you must also include the dimension in the IM_Dimension system table so that the dimension is available during profile creation. -
ASA5515 v8.6(1)2 NAT dmz public server
Could I get a validation that this config is correct in that it allows inbound access to the web server
and that I should be able to ping it from my inside interface.
I tried to use the example code from Cisco DocID: 115904 for DMZ WebServer, but I found the
object NAT parts did not work with my 8.6 IOS so I modified them as shown in my config.
Example from 115904 doc.
object network WebServerPublic
host 24.25.26.80
object network WebServerPrivate
host 192.168.1.80
nat(dmz,outside) static WebServerPublic service tcp www www ---> this does not code
With the below code I do not get a ping reply sourcing from a 10.1.0.X host to 192.168.1.80 web server.
And I cannot browse in from the outside to it either.
I do see the MAC for 192.168.1.80 in the ASA's arp cache for the dmz interface.
The web server is on a VMware ESX environment and I'm not sure it is set up correctly.
ASA Version 8.6(1)2
hostname A5515
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 24.25.26.254 255.255.255.240
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.0.252 255.255.240.0
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.1.254 255.255.255.0
object network N_OBJ_10.1.0.0_20
subnet 10.1.0.0 255.255.240.0
object network N_OBJ_10.24.0.0_18
subnet 10.24.0.0 255.255.192.0
object network DNSServer
host 10.24.0.86
object network WebServerPrivate
host 192.168.1.80
object network WebServerPublic
host 24.25.26.246
object network N_OBJ_DMZ_24
subnet 192.168.1.0 255.255.255.0
object-group network CampusNetworks
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
access-list outside_access_in extended permit tcp any object WebServerPrivate eq https
access-list outside_access_in extended permit tcp any object WebServerPrivate eq www
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks echo-reply
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks unreachable
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks time-exceeded
access-list dmz_access_in extended permit udp any object DNSServer eq domain
access-list dmz_access_in extended deny ip any object-group CampusNetworks
access-list dmz_access_in extended permit ip any any
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
nat (dmz,outside) source static WebServerPrivate WebServerPublic
nat (inside,dmz) source static CampusNetworks CampusNetworks
nat (inside,outside) after-auto source dynamic CampusNetworks interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 24.25.26.241 1
route inside 10.24.0.0 255.255.192.0 10.1.0.254 1
Thanks
Hi,
You have some conflicting NAT configurations.
For example you have this
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
This overrides your Static PAT configuration that you are trying to achieve
Also one note regarding one of your NAT configurations
nat (inside,dmz) source static CampusNetworks CampusNetworks
You don't need NAT between local interfaces. No NAT is done by default. So the traffic between "dmz" and "inside" should go through untranslated without any need for NAT configurations.
If you want, you could change your current configurations to the following. Note that you would have to remove your existing NAT configurations.
object-group network DEFAULT-PAT-SOURCE
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
network-object 192.168.1.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The above configuration handles the Default PAT for all your networks. Both "dmz" and "inside".
object network WEB-SERVER
host 192.168.1.80
nat (dmz,outside) static interface service tcp 80 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 443
The above does the Static PAT (or Port Forward) for your DMZ server and allows the traffic on the ACL.
- Jouni
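Jouni's point about the dynamic rule overriding the static PAT comes down to the ASA's NAT lookup order, and it can be checked mechanically before a change is pushed. The script below is an added example, not code from the thread or from Cisco: it models the documented precedence (section 1 manual NAT in configuration order, section 2 object NAT, section 3 manual NAT marked after-auto) and reports which rule the web server 192.168.1.80 hits on its way to "outside", first for the poster's original lines and then for the replacement; the same object-NAT form is what the ASA5505 port-forward example earlier in the thread relies on. The OBJECTS table and both configuration excerpts are constructed from the thread, and ordering inside section 2 is simplified to static-before-dynamic.

```python
import ipaddress
import re

# ASA NAT lookup order (Cisco documented): section 1 = manual NAT in config order,
# section 2 = object (auto) NAT, section 3 = manual NAT marked after-auto.
MANUAL = re.compile(r"nat \((\w+),(\w+)\) (after-auto )?source (static|dynamic) (\S+) \S+")
OBJECT = re.compile(r"nat \((\w+),(\w+)\) (static|dynamic) ")
# Object and object-group names -> real networks, constructed from the thread's config.
OBJECTS = {"N_OBJ_DMZ_24": ["192.168.1.0/24"], "WebServerPrivate": ["192.168.1.80/32"],
           "WEB-SERVER": ["192.168.1.80/32"],
           "DEFAULT-PAT-SOURCE": ["10.1.0.0/20", "10.24.0.0/18", "192.168.1.0/24"]}

def parse_nat_rules(config, objects=OBJECTS):
    """Collect nat statements and sort them into ASA lookup order."""
    rules, obj = [], None
    for n, raw in enumerate(config.splitlines()):
        line = raw.strip()
        if not raw.startswith(" "):  # a new top-level command ends any object block
            obj = line.split()[2] if line.startswith("object network ") else None
        if m := MANUAL.match(line):
            src, dst, after, kind, real = m.groups()
            rules.append((3 if after else 1, n, src, dst, kind, real, line))
        elif obj and (m := OBJECT.match(line)):
            src, dst, kind = m.groups()
            # within section 2, static object NAT precedes dynamic (finer tie-breaks ignored)
            rules.append((2, 0 if kind == "static" else 1, src, dst, kind, obj, line))
    return [dict(src_if=s, dst_if=d, kind=k, line=l,
                 real=[ipaddress.ip_network(p) for p in objects[o]])
            for _, _, s, d, k, o, l in sorted(rules, key=lambda r: r[:2])]

def winning_rule(rules, real_ip, src_if, dst_if):
    """First rule that translates real_ip leaving src_if toward dst_if, or None."""
    ip = ipaddress.ip_address(real_ip)
    for r in rules:
        if (r["src_if"] in (src_if, "any") and r["dst_if"] in (dst_if, "any")
                and any(ip in net for net in r["real"])):
            return r["line"]
    return None

# Constructed excerpts: the poster's original NAT lines and Jouni's replacement.
ORIGINAL = """object network WebServerPrivate
 host 192.168.1.80
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
nat (dmz,outside) source static WebServerPrivate WebServerPublic"""
CORRECTED = """nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
object network WEB-SERVER
 host 192.168.1.80
 nat (dmz,outside) static interface service tcp 80 80"""
```

With the original lines the section 1 dynamic rule wins for 192.168.1.80; with the replacement the object NAT wins and the after-auto PAT only catches the rest of the DMZ and inside networks, while inside-to-dmz traffic matches nothing and stays untranslated.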