DMZ config! How to do? Easy question for experts! (ASA 5510)

Dear All,
I would like to add a DMZ and VPN access to the inside network to my ASA 5510 configuration, but I'm not sure about the correct way to achieve my goal (I'm a newbie).
I'll rate your post and promise to send the best answer a traditional Christmas gift from my country; I'm sure that you will be pleased with it! :)
Goal:
1- I want to put a Microsoft Exchange Server 2007 (EDGE role - front-side e-mail server) on a new DMZ.
2- VPN access to the inside network.
1.1 This e-mail server (named EDGESRV) in the DMZ needs the following configurations:
- Access to EDGESRV from the Internet (SMTP)
- Access from EDGESRV to the Internet (SMTP)
- Access from the internal network to EDGESRV on ports 25 (SMTP), 50389 (LDAP), 50636 (secure LDAP) and 3389 (TCP, for Terminal Services)
ROUTER :
Interface Serial IP: 195.22.12.46/30
IP route 0.0.0.0 0.0.0.0 195.22.12.45
Interface Ethernet f0/0: IP 195.22.26.17/29 (connect to router)
ASA NETWORK
Interface External e0/0 :IP 195.22.26.18/29 (connect to router)
Interface internal: e0/1: IP 10.10.100.1 mask 255.255.252.0
Interface DMZ: e0/2 : IP 10.10.150.1 mask 255.255.255.0 (not implemented yet)
ASA configuration (current; interface names made consistent, the paste used Interface_to_cisco_router / Int_Internal in a few places):
ASA Version 8.0(2)
!
interface Ethernet0/0
 nameif Interface_to_router_Cisco
 security-level 0
 ip address 195.22.26.18 255.255.255.248
!
interface Ethernet0/1
 nameif Int_Internal_domain
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
! Ethernet0/2 is unused so far; this is the interface intended for the DMZ
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone WEST 0
clock summer-time WEDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Interface_to_router_Cisco
dns domain-lookup Int_Internal_domain
dns server-group DefaultDNS
 name-server 195.22.0.136
 name-server 195.22.0.33
 domain-name domain.com
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
! Inbound ACL on the outside interface: only DNS and HTTP are admitted today
access-list Interface_to_router_Cisco_access_in extended permit object-group TCPUDP any any eq domain
access-list Interface_to_router_Cisco_access_in extended permit tcp any any eq www
! Inside ACL is defined but not applied to any interface (no access-group for it below)
access-list Int_Internal_access_in extended permit tcp any any
access-list Int_Internal_access_in extended permit udp any any
pager lines 24
logging list Registo_eventos_william level emergencies
logging list Registo_eventos_william level emergencies class vpn
logging asdm informational
logging recipient-address [email protected] level critical
mtu management 1500
mtu Interface_to_router_Cisco 1500
mtu Int_Internal_domain 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
! Pre-8.3 NAT: everything from inside and management is PATted behind the outside interface address
global (Interface_to_router_Cisco) 101 interface
nat (Int_Internal_domain) 101 10.10.100.0 255.255.255.0
nat (Int_Internal_domain) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
access-group Interface_to_router_Cisco_access_in in interface Interface_to_router_Cisco
route Interface_to_router_Cisco 0.0.0.0 0.0.0.0 195.22.26.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.100.0 255.255.255.0 Int_Internal_domain
http 10.10.10.0 255.255.255.0 management
http 195.22.26.16 255.255.255.248 Interface_to_router_Cisco
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
Kind Regards
MP

Mario,
I think you have much more to go, but this is a start; I don't think I have covered everything .. others in netpro may add to this.
1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.
Use this example, Configuring Mail Server on DMZ: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml
2- VPN access to inside network.
You can configure a RA VPN server using/creating the ASA5510 local user database
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
or configure a RA VPN server using IAS RADIUS (Windows AD) for authentication
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:
Access to EDGESRV from Internet (SMTP)
Access from EDGESRV to internet (SMTP)
Access from internal network to EDGESRV ports: 25 (SMTP), 50389 (LDAP), 50636 (Secure LDAP) and port 3389 (TCP for terminal services)
- Access to EDGESRV from the Internet on port SMTP: if you have a spare public IP you can create a one-to-one NAT for this server and create
inbound access rules to allow access on SMTP from the outside Internet.
If you do not have spare public IPs for a one-to-one NAT on this server you can use ASA outside interface static PAT.
Example (<EDGESRV_IP> is the server's DMZ address, which you have not posted yet):
static (dmz,outside) tcp interface smtp <EDGESRV_IP> smtp netmask 255.255.255.255
- Access from EDGESRV to the Internet (SMTP)
You need to PAT the DMZ network if EDGESRV does not have a one-to-one static NAT.
Typical scenario:
global (outside) 101 interface
nat (dmz) 101 0 0
or
nat (dmz) 101 <EDGESRV_IP> 255.255.255.255
Also for the mail server, if you are using a DNS server from your inside network you need an ACL to allow traffic from the mail server in the DMZ to the DNS in the inside network.
- Access from the internal network to EDGESRV ports: 25 (SMTP), 50389 (LDAP), 50636 (Secure LDAP) and port 3389 (TCP for terminal services)
From low security level 0 to high security level, access is permitted by default; you do however need to create a static NAT to allow communication between inside and DMZ.
In your scenario, if you have 192.168.1.0/24 for the inside interface network, you would then create something like this:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Observation -
I see you have interface Ethernet0/2 free; I assume you will probably be using this interface for your DMZ. I would advise using subinterfaces with dot1q in order to scale your DMZs in the future.
Look at this link for reference on working with subinterfaces:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html
Rgds
Jorge
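Putting Jorge's pieces together for MP's actual addressing, as an added example that is neither MP's posted config nor Jorge's own commands: pre-8.3 (ASA 8.0(2)) commands for the DMZ part of goals 1 and 1.1, using the interface names from MP's config, dmz at security level 50, and EDGESRV at 10.10.150.10 (a constructed address; only the DMZ interface address 10.10.150.1 is on the page). It goes one step beyond the reply by adding the DMZ-side and inside-side ACLs that limit each direction to the listed ports instead of relying on the security-level defaults.

```cisco
! Added example, not the poster's running config nor Jorge's commands.
! Assumes ASA 8.0(2) (pre-8.3 NAT syntax), MP's interface names, EDGESRV = 10.10.150.10 (constructed).
!
! 1. Bring up Ethernet0/2 as the DMZ at an intermediate security level.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.150.1 255.255.255.0
 no shutdown
!
! 2. Internet -> EDGESRV on SMTP: static PAT of the outside interface's port 25 to the server, plus
!    an ACE on the existing outside ACL. Pre-8.3 ACLs match the translated (outside) address, hence
!    "interface Interface_to_router_Cisco" rather than the DMZ address of the server.
static (dmz,Interface_to_router_Cisco) tcp interface smtp 10.10.150.10 smtp netmask 255.255.255.255
access-list Interface_to_router_Cisco_access_in extended permit tcp any interface Interface_to_router_Cisco eq smtp
!
! 3. EDGESRV -> Internet: PAT the DMZ subnet behind the outside interface (global 101 already exists).
nat (dmz) 101 10.10.150.0 255.255.255.0
!
! 4. Inside <-> DMZ: identity NAT so both private ranges are seen unchanged across the ASA.
!    MP's "nat (Int_Internal_domain) 101 0.0.0.0 0.0.0.0" also matches inside-to-DMZ flows, and with
!    no global 101 on dmz those flows would fail for lack of a translation; a static takes precedence.
static (Int_Internal_domain,dmz) 10.10.100.0 10.10.100.0 netmask 255.255.255.0
!
! 5. Least privilege on the DMZ side. Once an ACL is applied to dmz it replaces the security-level
!    defaults, so everything EDGESRV may originate must be listed: SMTP to any destination (Internet,
!    or an inside host reached through the identity NAT) and DNS to the two resolvers already in MP's
!    dns server-group. Everything else EDGESRV starts, inside-bound traffic included, is dropped and
!    logged, which is the signal to watch if the edge server is ever compromised.
access-list dmz_access_in extended permit tcp host 10.10.150.10 any eq smtp
access-list dmz_access_in extended permit udp host 10.10.150.10 host 195.22.0.136 eq domain
access-list dmz_access_in extended permit udp host 10.10.150.10 host 195.22.0.33 eq domain
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! 6. Inside -> EDGESRV only on the four requested ports. MP's Int_Internal_access_in already ends in
!    "permit tcp any any" / "permit udp any any", so the specific entries are inserted ahead of them
!    with "line N"; the deny at line 5 then stops any other inside -> DMZ traffic before the catch-all
!    permits are reached. Applying the ACL replaces the default "permit all from inside" for every
!    destination, so note that ICMP from inside is not in the list and would now be dropped.
access-list Int_Internal_access_in line 1 extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.150.10 eq smtp
access-list Int_Internal_access_in line 2 extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.150.10 eq 50389
access-list Int_Internal_access_in line 3 extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.150.10 eq 50636
access-list Int_Internal_access_in line 4 extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.150.10 eq 3389
access-list Int_Internal_access_in line 5 extended deny ip any 10.10.150.0 255.255.255.0 log
access-group Int_Internal_access_in in interface Int_Internal_domain
!
! 7. Verify from the CLI before trusting it. 203.0.113.5 is a documentation address standing in for
!    an Internet sender and 10.10.100.50 is a constructed inside host.
!    packet-tracer input Interface_to_router_Cisco tcp 203.0.113.5 1025 195.22.26.18 25   <- expect ALLOW
!    packet-tracer input dmz tcp 10.10.150.10 1025 10.10.100.50 445                        <- expect DROP (dmz_access_in)
!    show xlate | include 10.10.150.10
```

The subinterface/dot1q layout Jorge recommends changes only step 1 (interface Ethernet0/2.N with vlan N); steps 2 to 7 are unchanged.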
