DMZ Sub interfaces into sub interface
Hi,
We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's like
DMZ-1 = 172.20.1.x - VLAN 1000
DMZ-2 = 172.20.2.x - VLAN 1200
DMZ-3 = 172.20.3.x - VLAN 1300
DMZ-4 = 172.20.4.x - VLAN 1400
My question is:
Can we break sub interface (DMZ-4) into again another sub interface and assign another IP address like
DMZ-4 = 172.20.4.x
---------= 172.20.5.x
Means one VLAN has two IP addresses for gateway.
One thing more how many times we can break one interface into subinterfaces.
I hope my question is enough for understanding.
Regards,
Saeed
> Can we break this feature on catalyst switches 2960 or 3560?
You just want to have two IP-networks in one VLAN? If yes, that is possible on Routers and Switches with secondary IP-addresses. But the ASA doesn't support that.
Similar Messages
-
ASA 5505 Unable to assign ip to DMZ vlan interface
hi all,
I have ASA 5505 with base license.
I created 3rd vlan on it.it was created.
but i am unable to assign IP to it.
i assign ip address it takes it.
But when i do sh int ip brief it does not show any ip.
ciscoasa# sh int ip brief
Interface IP-Address OK? Method Status Prot
ocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES CONFIG up up
Vlan2 192.168.11.2 YES CONFIG up up
Vlan3 unassigned YES manual up up*************************************************************
Virtual0 127.0.0.1 YES unset up up
ciscoasa# config t
ciscoasa(config)# int vlan 3
ciscoasa(config-if)# ip ad
ciscoasa(config-if)# ip address 192.168.12.2 255.255.255.0
ciscoasa(config-if)# end
ciscoasa# wr mem
Building configuration...
Cryptochecksum: 808baaba ced2a226 07cfb41f 9f6ec4f8
4608 bytes copied in 1.630 secs (4608 bytes/sec)
[OK]
ciscoasa# sh int ip brief
Interface IP-Address OK? Method Status Prot
ocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES CONFIG up up
Vlan2 192.168.11.2 YES CONFIG up up
Vlan3 unassigned YES manual up up
Virtual0 127.0.0.1 YES unset up up
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(9)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 3 days 17 hours
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 001d.a24d.ed0e, irq 11
1: Ext: Ethernet0/0 : address is 001d.a24d.ed06, irq 255
2: Ext: Ethernet0/1 : address is 001d.a24d.ed07, irq 255
3: Ext: Ethernet0/2 : address is 001d.a24d.ed08, irq 255
4: Ext: Ethernet0/3 : address is 001d.a24d.ed09, irq 255
5: Ext: Ethernet0/4 : address is 001d.a24d.ed0a, irq 255
6: Ext: Ethernet0/5 : address is 001d.a24d.ed0b, irq 255
7: Ext: Ethernet0/6 : address is 001d.a24d.ed0c, irq 255
8: Ext: Ethernet0/7 : address is 001d.a24d.ed0d, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
<--- More --->
Need to know does this License support IP to 3rd vlan ?
Thanks
MaheshHi Julio,
I tried to config namef if but here is result
ciscoasa# sh run int vlan 3
interface Vlan3
description DMZ to 3550 New Switch
no nameif
security-level 50
ip address 192.168.12.2 255.255.255.0
ciscoasa# config t
ciscoasa(config)# int vlan 3
ciscoasa(config-if)# name
ciscoasa(config-if)# namei
ciscoasa(config-if)# nameif DMZ
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured. -
NAT, DMZ single interface two firewalls... Create Edge topology
Hello,
I have a two firewall DMZ so I'm strugging to understand why the toplogy builder is asking me for the "Internal" IP of the edge server... the edge server is not internal (by design) it's in the perimeter network (DMZ) it does not
have an internal interface nor am I interested in giving it one (that's why I have firewalls).... Its NAT'd..
Is this explained somewhere ? How do I setup the topology wizard to understand my firewall configuration.. I see the NAT'd external IP.. obviously that's on the public side...
Thanks for help,
Steve LithgowAnthony's two posts win the PRIZE ! Ben get's runner-up !
It still baffles me why it is necessary to have an additional network in my DMZ. You are not increasing your level of security by increasing the complexity (security by obfuscation). The internal network can have persistent routes to the
DMZ IP of the Edge Server as well as firewall rules governing traffic by source IP to the internal network from the DMZ. A host with two interfaces that becomes compromised is no more secure than one with a single interface. Our firewall rules
are not based on "networks" to from DMZ.. they are based on source/destination IP's.
So basically.. my point is MS should not ASSume a particular firewall configuration and force this via the Topology builder... just my .02
Can anyone tell me if MS is doing some memory level protection in the Edge server to that masks the external facing process from internal ones or something really special? My guess is that the edge server is NOT ISA/TMG so......
To someone else's point.. that stated "You don't want the edge server to be your firewall" my response is you dang right ! But... in essence that is what you are doing by placing an internal interface on the edge server , firewall rules/routes
or not. That is what you are doing is creating a firewall leg on the edge server.
Thanks for all then FAST help ! Though I 'm still shaking my head a bit....
Steve Lithgow -
IDS 4215, right place for a sniffing interface (DMZ or LAN)
I have got at work this sensor with two interfaces only, I have been asked to check that
IDSWORK# show version
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47
OS Version 2.4.18-5smpbigphys-4215
Platform: IDS-4215
one interface which is Ethernet 0 connected to switch in DMZ , and Ethernet 1 connected to switch 4005,,,,logically I have to monitor DMZ zone not switch 4005 (since I have got only two interfaces, my case),,,Am I right ?
That means Ethernet 0 should be for sniffing (monitoring)since it is connected to DMZ,and interface 1 for command and control since it is connected to 4005 switch, but according to cisco specification
http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1051279
Table 5-2
FastEthernet0/0: Interfaces Supporting Inline VLAN Pairs (Sensing Ports)
FastEthernet0/1: Interfaces Not Supporting Inline (Command and Control Port)
Note: Cisco has mentioned FastEthernet, the one that I have got Ethernet ,,,,does make any difference ?
Since I have not done that configuration , it has been done by some one else, do I need to change that ?Looks like your IDS come with basic ports (2 x Ethernet) with E0 as C&C port, while E1 is monitoring port.
BTW, Ethernet/FastEthernet ports are actually the same.
To monitor your DMZ segment, place the E1 in that segment, while E0 on inside segment where besides direct managing the box from its web management GUI or CLI, you can probably can use basic VMS that is bundled free with it.
And since you have dedicated switch to host the whole DMZ segment, you can easily monitor (SPAN) the whole box and send all traffic to IDS.
Whether or not you need to change the config, you probably need to check it out, at least to verify which signature(s) is enabled/disabled, and pc/mgt host is allowed to access the box and so on. But it's a good practise to check and review the config/setup again as this is a security box that you need to trust to monitor and tell you about any possible threats, attacks or violations.
HTH
AK -
My ASA5540 8.2.4(4) can not monitor and failover on certain interfaces
the story is
we configure the
monitor interface inside
monitor interface outside
monitor interface partner
and save configue
but when i show run monitor-interface
the configure do not show the 3 montitor interfaces, it only show other monitor interfaces,which can failover , but not the above 3 interfaces, however they are all showed interface monitor in the ASDM configure
here is the show version
==================================
Cisco Adaptive Security Appliance Software Version 8.2(4)4
Device Manager Version 6.4(5)
Compiled on Thu 03-Mar-11 17:18 by builders
System image file is "disk0:/asa824-4-k8.bin"
Config file at boot was "startup-config"
dcm-lidc-fw1 up 9 days 18 hours
failover cluster up 16 days 20 hours
Hardware: ASA5540, 2048 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 30e4.db7b.6f82, irq 9
1: Ext: GigabitEthernet0/1 : address is 30e4.db7b.6f83, irq 9
2: Ext: GigabitEthernet0/2 : address is 30e4.db7b.6f84, irq 9
3: Ext: GigabitEthernet0/3 : address is 30e4.db7b.6f85, irq 9
4: Ext: Management0/0 : address is 30e4.db7b.6f86, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not used : irq 5
7: Ext: GigabitEthernet1/0 : address is 30e4.db02.1f96, irq 255
8: Ext: GigabitEthernet1/1 : address is 30e4.db02.1f97, irq 255
9: Ext: GigabitEthernet1/2 : address is 30e4.db02.1f98, irq 255
10: Ext: GigabitEthernet1/3 : address is 30e4.db02.1f99, irq 255
11: Int: Internal-Data1/0 : address is 0000.0003.0002, irq 255
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 5000
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5540 VPN Premium license.
==========here is the show monitor interface, it does not show outside/inside/partner====================
-fw1# sh run monitor-interface
monitor-interface app
monitor-interface dmz
monitor-interface data
monitor-interface dev-app
monitor-interface dev-data
no monitor-interface management
-fw1#
-fw1(config)# sh run all | in monitor
banner motd * This is a private and monitored system. *
monitor-interface app
monitor-interface dmz
monitor-interface data
monitor-interface dev-app
monitor-interface dev-data
no monitor-interface management
===============failover test =============
- unplug the outside interface cable on primary , led go off, but failover does not happen-
- upplug the cable on inside, or parner , it still do not failover
- only unplug the cable on other monitor interface , it failover.
=======clear config monitor-interface, and enter monitor-interface command for all the interface, re test, again, same result=======fw1# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 210 maximum
Version: Ours 8.2(4)4, Mate 8.2(4)4
Last Failover at: 15:44:00 EST Nov 24 2011
This host: Secondary - Standby Ready
Active time: 767625 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(4)4) status (Up Sys)
Interface outside (209.202.65.132): Normal
Interface inside (10.100.161.2): Normal
Interface app (10.100.171.2): Normal
Interface dmz (10.100.172.2): Normal
Interface data (10.100.173.2): Normal
Interface dev-app (10.100.174.2): Normal
Interface dev-data (10.100.175.2): Normal
Interface management (10.7.4.9): Failed (Not-Monitored)
Interface partner (10.100.160.14): Normal
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Primary - Active
Active time: 77823 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(4)4) status (Up Sys)
Interface outside (209.202.65.131): Normal
Interface inside (10.100.161.1): Normal
Interface app (10.100.171.1): Normal
Interface dmz (10.100.172.1): Normal
Interface data (10.100.173.1): Normal
Interface dev-app (10.100.174.1): Normal
Interface dev-data (10.100.175.1): Normal
Interface management (10.7.4.8): Normal (Not-Monitored)
Interface partner (10.100.160.13): Normal
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet1/3 (up)
Stateful Obj xmit xerr rcv rerr
General 1001073 0 443701 25
sys cmd 194284 0 194283 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 262196 0 45389 2
UDP conn 342196 0 47480 3
ARP tbl 202397 0 156529 20
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 0 0 10 0 -
Tunnel comes up the syn packets denied on inbound interface
Hi all,
I have a issue with a ASA site to site VPN.
The Phase 1 and 2 negotiate fine but then when i see a syn initiated for the SFTP i see the syn denied in the logs even though it is allowed through.
I have changed the addresses in the config as a example the src is 1.1.1.1 and the dest 2.2.2.2. Config below:
access-list inside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 222
access-list SFTP extended permit tcp host 1.1.1.1 host 2.2.2.2
crypto map outside_map 50 match address SFTP
crypto map outside_map 50 set pfs group5
crypto map outside_map 50 set peer VPN_GW
crypto map outside_map 50 set transform-set ESP-AES-256-SHA
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set nat-t-disable
The phase 1 and phase 2 seem to negotiate fine.
But i get no encryption/decryption on a sh crypto ipsec sa.
Also i see the syn on the inside interface being denied from source 1.1.1.1.
So what appears to be happening is the initial packets are allowed through to setup the tunnel but then the additional packets appear to be denied.
Any help appreciated.
Thanks
KevMorning Jennifer,
Thanks for your continued assistance with this.
Going through the config i see vpn-filter 10 applied under:
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter value 10
This is tied to ACL 10 which doesnt appear to have the public ip for this in.
This looks like a likey candidate to me.
Config below:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.31 12:56:34 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
ASA Version 7.0(8)
hostname FW
domain-name default.domain.invalid
enable password Wh3rCbG41fzpd0M. encrypted
passwd YYrn5ri6t.SCggWC encrypted
names
name 195.11.205.145 EXT_IP1
name 80.169.148.99 EXT_IP3
name 80.169.148.98 EXT_IP2
name 155.136.89.20 Coutts_Gateway_VPN
name 80.169.148.112 S21_Test_VPN
name 155.136.150.115 Coutts_Host_VPN
name 80.169.148.114 EXT_IP5
name 80.168.148.96 S21_Range
name 80.169.148.100 EXT_IP6
name 59.154.30.158 EXT_IP7
name 195.166.102.62 EXT_IP4
name 193.8.50.231 Coutts_Gateway_VPN_Switz
dns-guard
interface Ethernet0/0
description Outside interface 0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 80.169.124.4 255.255.255.224
interface Ethernet0/1
description Inside interface 0/1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.0.0
interface Ethernet0/2
description DMZ interface 0/2
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
interface Ethernet0/3
description LAN/STATE Failover Interface
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object-group service TCP_Port_Group tcp
port-object eq smtp
port-object range ftp-data ftp
port-object eq 123
port-object eq www
port-object eq https
port-object eq domain
port-object eq ftp-data
port-object eq ftp
port-object eq 3389
port-object eq ssh
object-group service UDP_Port_Group udp
port-object eq ntp
port-object eq 21
port-object eq 20
port-object eq domain
object-group network Trusted_Ext_Hosts
network-object EXT_IP1 255.255.255.255
network-object EXT_IP2 255.255.255.255
network-object EXT_IP3 255.255.255.255
network-object EXT_IP4 255.255.255.255
network-object EXT_IP5 255.255.255.255
network-object EXT_IP6 255.255.255.255
network-object EXT_IP7 255.255.255.255
object-group service www_services tcp
port-object eq www
port-object eq https
object-group service TCP_CSG tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq 1080
port-object eq citrix-ica
object-group network Trusted_Ext_Hosts_ref
network-object EXT_IP1 255.255.255.255
network-object EXT_IP2 255.255.255.255
network-object EXT_IP3 255.255.255.255
network-object EXT_IP4 255.255.255.255
network-object EXT_IP5 255.255.255.255
network-object EXT_IP6 255.255.255.255
object-group network S21_Range
network-object S21_Range 255.255.255.224
access-list inside_access_in extended permit tcp 192.168.100.0 255.255.255.0 any object-group TCP_Port_Group
access-list inside_access_in extended permit udp 192.168.100.0 255.255.255.0 any object-group UDP_Port_Group
access-list inside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list dmz_access_in extended permit tcp host 10.10.10.5 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list dmz_access_in extended permit tcp host 10.10.10.5 any object-group TCP_Port_Group
access-list dmz_access_in extended permit udp host 10.10.10.5 any object-group UDP_Port_Group
access-list dmz_access_in extended permit tcp host 10.10.10.7 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list dmz_access_in extended permit tcp host 10.10.10.7 any object-group TCP_Port_Group
access-list dmz_access_in extended permit udp host 10.10.10.7 any object-group UDP_Port_Group
access-list dmz_access_in extended deny ip 10.10.10.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host 80.169.124.36 eq www
access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.35 object-group www_services
access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.37 object-group www_services
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host 193.8.50.180
access-list inside_access_out extended permit tcp object-group Trusted_Ext_Hosts_ref 192.168.0.0 255.255.0.0 eq 3389
access-list inside_access_out extended permit tcp any host 192.168.100.24 eq www
access-list inside_access_out extended permit tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list inside_access_out extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_cryptomap_30 extended permit ip host 80.169.124.35 155.136.30.0 255.255.254.0
access-list outside_cryptomap_30 extended permit ip host 80.169.124.37 155.136.30.0 255.255.254.0
access-list 10 extended permit tcp any host 80.169.124.35 object-group www_services
access-list 10 extended permit tcp any host 10.10.10.5 object-group www_services
access-list 10 extended permit tcp any host 80.169.124.37 object-group www_services
access-list 10 extended permit tcp any host 10.10.10.7 object-group www_services
access-list COUTTS_SWITZ_SFTP extended permit tcp 192.168.100.0 255.255.255.0 host 193.8.50.180 eq ssh
access-list outside_cryptomap_40 extended permit ip host 80.169.124.35 155.136.0.0 255.255.0.0
access-list outside_cryptomap_40 extended permit ip host 80.169.124.37 155.136.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface Failover Ethernet0/3
failover polltime interface 10
failover key *****
failover link Failover Ethernet0/3
failover interface ip Failover 172.16.31.249 255.255.255.248 standby 172.16.31.250
no monitor-interface management
icmp permit any outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside) 20 80.169.124.32
global (dmz) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 20 192.168.0.0 255.255.0.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 20 10.10.10.0 255.255.255.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 80.169.124.33 192.168.100.11 netmask 255.255.255.255
static (inside,outside) 80.169.124.34 192.168.100.21 netmask 255.255.255.255
static (dmz,outside) 80.169.124.35 10.10.10.5 netmask 255.255.255.255
static (inside,outside) 80.169.124.36 192.168.100.24 netmask 255.255.255.255
static (dmz,outside) 80.169.124.37 10.10.10.7 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 80.169.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter value 10
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions none
port-forward-name value Application Access
username Admin password 5VZ2yiLE0W2kEsod encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 155.136.17.70
crypto map outside_map 30 set transform-set ESP-AES-256-SHA
crypto map outside_map 30 set security-association lifetime seconds 28800
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
crypto map outside_map 30 set nat-t-disable
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer Coutts_Gateway_VPN
crypto map outside_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 40 set security-association lifetime seconds 3600
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 set nat-t-disable
crypto map outside_map 50 match address COUTTS_SWITZ_SFTP
crypto map outside_map 50 set pfs group5
crypto map outside_map 50 set peer Coutts_Gateway_VPN_Switz
crypto map outside_map 50 set transform-set ESP-AES-256-SHA
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set nat-t-disable
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
tunnel-group 155.136.17.70 type ipsec-l2l
tunnel-group 155.136.17.70 ipsec-attributes
pre-shared-key *
tunnel-group 155.136.89.20 type ipsec-l2l
tunnel-group 155.136.89.20 ipsec-attributes
pre-shared-key *
tunnel-group 193.8.50.231 type ipsec-l2l
tunnel-group 193.8.50.231 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 10
dhcpd lease 3600
dhcpd ping_timeout 50
ntp server 193.228.143.13 source outside
Cryptochecksum:87a0c89dced7eb36d9a9b2854eea3b95
: end
FW#
Cheers -
ZBFW - dmz-zone to in-zone access
Hi IOSers,
I have a Cisco 2901 which terminates a Class C address pool.
I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
Within the:
dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS
in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server
private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone
My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.
However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
I have Policy:
POLICY-DMZ-IN (dmz-zone to in-zone) which has:
any any udp/tcp inspect
any any icmp inspect
unmatched traffic DROP/LOG
But I still cannot get anything from dmz-zone to in-zone...
Can anyone please advise...
Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
I think I am making a basically incorrect assumption somewhere ...
NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.
Thank for any expertise you can bring to help resolve this.
Regards,
Zebity.Hi Karthikeyan,
thank you for offering to look at this, I do all my configuration using CCP, which is a lot easier than pawing over IOS commands.
I have dumped out the config, but as it is hard to pull out the partiular part of the config, so find following screen snap & config:
The areas where I think there are problems are with "self" zone items (can I get rid of self zone case completely, with exception of blocking any external (DSL) access to self?)
and the dmz-zone to in-zone and in-zone to dmz-zone configs.
Building configuration...
Current configuration : 32292 bytes
! Last configuration change at 00:16:54 UTC Mon Jun 11 2012 by admin
! NVRAM config last updated at 07:37:35 UTC Sun Jun 10 2012 by admin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname big
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
no aaa new-model
no ipv6 cef
no ip source-route
ip cef
ip dhcp excluded-address 168.192.200.1 168.192.200.99
ip dhcp excluded-address 168.192.200.126 168.192.200.254
ip dhcp excluded-address 200.200.200.1 200.200.200.79
ip dhcp excluded-address 200.200.200.91 200.200.200.126
ip dhcp pool PRIVATE-POOL-1
import all
network 168.192.200.0 255.255.255.0
domain-name in.froghop.com
dns-server 200.200.200.20 200.200.200.4
default-router 168.192.200.1
ip dhcp pool FROGHOP-POOL-2
import all
network 200.200.200.0 255.255.255.128
domain-name froghop.com
dns-server 200.200.200.20 200.200.200.4
default-router 200.200.200.1
no ip bootp server
ip domain name froghop.com
ip name-server 200.200.200.4
ip name-server 200.200.200.20
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM pop3 reset
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM esmtp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM tcp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
appfw policy-name CCP_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
multilink bundle-name authenticated
parameter-map type inspect global
log dropped-packets enable
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-2085601892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2085601892
revocation-check none
crypto pki certificate chain TP-self-signed-2085601892
certificate self-signed 01
XXXXXXXX 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
4A6B4C93 CEE0C972 CEA5A38E 3C041EAD 803F43B2 DD121173 4302DC1E XXXXXXXX
4F5E79FE 8C76B0EC BC5DD668 69BE1A
quit
license udi pid CISCO2901/K9 sn FTXXXXXXXXXX
hw-module pvdm 0/0
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
redundancy
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect match-any OPEN-TRAFFIC-OUT-190
match access-group name OPEN-TRAFFIC-OUT-190
class-map type inspect match-any SMTPS-TRAFFIC-IN
match access-group name SMTPS-IN
class-map type inspect match-all NAT-POOL-TCP-TRAFFIC-OUT
match access-group name NAT-POOL-TRAFFIC-OUT
match protocol tcp
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all NAT-POOL-UDP-TRAFFIC-OUT
match access-group name NAT-POOL-TRAFFIC-OUT
match protocol udp
class-map type inspect match-all SELF-DNS-OUT
match access-group name SELF-DNS-OUT
match protocol dns
class-map type inspect match-any SMTP-PROTOCOL
match protocol smtp
class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-1
match class-map SMTP-PROTOCOL
match access-group name DMZ-MAIL-OUT
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SIP-PROTOCOLS
match protocol sip
match protocol sip-tls
class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-2
match class-map SIP-PROTOCOLS
match access-group name DMS-SIP-TRAFFIC
class-map type inspect match-any OPEN-TRAFFIC-OUT-140
match access-group name OPEN-TRAFFIC-OUT-140
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any OPENDIR-PROTOCOLS
match protocol kerberos
match protocol ldap
match protocol ldaps
match protocol ldap-admin
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
match service text-chat
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any SYSLOG-PROTOCOL
match protocol syslog
class-map type inspect match-any ICMP-PROTOCOLS
match protocol icmp
class-map type inspect match-all SELF-ICMP
match access-group name SELF-ICMP-TRAFFIC
match class-map ICMP-PROTOCOLS
class-map type inspect match-any DMZ-DNS
match protocol dns
class-map type inspect match-all OPENDIR-OUT
match class-map OPENDIR-PROTOCOLS
match access-group name OPENDIR-TRAFFIC
class-map type inspect match-all SMTPS-TRAFFIC
match class-map SMTPS-TRAFFIC-IN
match protocol tcp
class-map type inspect match-any TRUSTED-HOSTS
match access-group name TRUSTED-HOSTS
match protocol udp
match protocol tcp
match protocol icmp
class-map type inspect match-any TRANSPORT-PROTOCOLS
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map type inspect match-any WEB-PROTOCOLS
match protocol http
match protocol https
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map type inspect match-any SELF-DNS-IN
match access-group name SELF-DNS-IN
match protocol dns
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any OPEN-TRAFFIC-IN-140
match access-group name OPEN-TRAFFIC-IN-140
class-map type inspect match-all SYSLOG-IN-DMZ
match access-group name SYSLOG-TRAFFIC
match class-map SYSLOG-PROTOCOL
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
match service any
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map SMTP-PROTOCOL
match access-group name SMTP-TRAFFIC
class-map type inspect match-any DNS-PROTOCOL
match protocol dns
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
match class-map ICMP-PROTOCOLS
match access-group name IN-ZONE-ICMP
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ACCESS-PROTOCOLS
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-3
match class-map ACCESS-PROTOCOLS
match access-group name DMZ-ZONE-TRAFFIC
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all PUSH-NOTIFICATIONS
match access-group name PUSH-NOTIFICATIONS
match protocol tcp
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all DEST-DNS
match access-group name DEST-DNS
match class-map DNS-PROTOCOL
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map SYSLOG-PROTOCOL
match access-group name DMZ-SYSLOG
class-map type inspect match-any FTP-PROTOCOL
match protocol ftp
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
match class-map ICMP-PROTOCOLS
match access-group name DMZ-ICMP
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-3
match class-map WEB-PROTOCOLS
match access-group name DMZ-WEB
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-4
match class-map SIP-PROTOCOLS
match access-group name DMZ-SIP
class-map type inspect match-any TIME-PROTOCOLS
match protocol ntp
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-5
match class-map DMZ-DNS
match access-group name DMZ-DNS-TRAFFIC
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-6
match class-map ACCESS-PROTOCOLS
match access-group name IN-ZONE-TRAFFIC
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect POLICY-PRIVATE-TRANSIT
class type inspect ACCESS-PROTOCOLS
pass log
class class-default
drop
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect POLICY-IN-SELF
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-SELF-IN
class type inspect OPEN-TRAFFIC-OUT-190
pass
class type inspect ccp-icmp-access
inspect
class class-default
drop
policy-map type inspect POLICY-DMZ-OUT
class type inspect TIME-PROTOCOLS
inspect
class type inspect WEB-PROTOCOLS
inspect
class type inspect FTP-PROTOCOL
inspect
class type inspect ccp-cls-POLICY-DMZ-OUT-2
inspect
class type inspect ccp-cls-POLICY-DMZ-OUT-1
inspect
class type inspect PUSH-NOTIFICATIONS
inspect
class type inspect DEST-DNS
inspect
class class-default
drop log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
allow
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ICMP-PROTOCOLS
inspect
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop log
policy-map type inspect POLICY-PRIVATE-IN-DMZ
class type inspect TRANSPORT-PROTOCOLS
inspect
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-IN-OUT
class type inspect OPEN-TRAFFIC-OUT-140
pass log
class type inspect WEB-PROTOCOLS
inspect
class type inspect OPENDIR-OUT
inspect
class type inspect DEST-DNS
inspect
class type inspect PUSH-NOTIFICATIONS
inspect
class class-default
drop log
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect POLICY-DMZ-SELF
class type inspect ICMP-PROTOCOLS
inspect
class type inspect TRANSPORT-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-SELF-OUT
class type inspect SELF-DNS-OUT
pass
class type inspect TIME-PROTOCOLS
pass
class type inspect NAT-POOL-UDP-TRAFFIC-OUT
inspect
class type inspect NAT-POOL-TCP-TRAFFIC-OUT
inspect
class class-default
drop log
policy-map type inspect POLICY-OUT-SELF
class type inspect SELF-DNS-IN
pass
class type inspect TIME-PROTOCOLS
pass
class type inspect SELF-ICMP
inspect
class class-default
drop log
policy-map type inspect POLICY-IN-DMZ
class type inspect SYSLOG-IN-DMZ
pass
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-DMZ-IN
class type inspect TRANSPORT-PROTOCOLS
inspect
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-4
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-1
pass
class type inspect ccp-cls-ccp-permit-dmzservice-3
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-5
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-2
inspect
class class-default
drop log
policy-map type inspect ccp-pol-outToIn
class type inspect OPEN-TRAFFIC-IN-140
pass
class type inspect ccp-cls-ccp-pol-outToIn-1
inspect
class type inspect ccp-cls-ccp-pol-outToIn-2
inspect
class type inspect SMTPS-TRAFFIC
inspect
class type inspect SMTPS-TRAFFIC-IN
pass log
class class-default
drop log
policy-map sdmappfwp2p_CCP_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security PRIVATE-ZONE
zone security PRIVATE-IN
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect POLICY-IN-OUT
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ZP-DMZ-IN source dmz-zone destination in-zone
service-policy type inspect POLICY-DMZ-IN
zone-pair security ZP-DMZ-OUT source dmz-zone destination out-zone
service-policy type inspect POLICY-DMZ-OUT
zone-pair security ZP-IN-DMZ source in-zone destination dmz-zone
service-policy type inspect POLICY-IN-DMZ
zone-pair security ZP-OUT-SELF source out-zone destination self
service-policy type inspect POLICY-OUT-SELF
zone-pair security ZP-SELF-OUT source self destination out-zone
service-policy type inspect POLICY-SELF-OUT
zone-pair security ZP-PRIVATE-OUT source PRIVATE-ZONE destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ZP-PRIVATE-IN source PRIVATE-ZONE destination in-zone
service-policy type inspect POLICY-PRIVATE-IN-DMZ
zone-pair security ZP-PRIVATE-DMZ source PRIVATE-ZONE destination dmz-zone
service-policy type inspect POLICY-PRIVATE-IN-DMZ
zone-pair security ZP-IN-SELF source in-zone destination self
service-policy type inspect POLICY-IN-SELF
zone-pair security ZP-SELF-IN source self destination in-zone
service-policy type inspect POLICY-SELF-IN
zone-pair security ZP-DMZ-SELF source dmz-zone destination self
service-policy type inspect POLICY-DMZ-SELF
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
interface Loopback0
ip address 200.200.200.190 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security in-zone
interface Null0
no ip unreachables
interface GigabitEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 200.200.200.130 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 168.192.200.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
no mop enabled
interface FastEthernet0/2/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.1.160 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
no mop enabled
interface FastEthernet0/2/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
interface ATM0/3/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0/3/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/3
interface Virtual-Template1 type serial
description $FW_INSIDE$
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
interface Vlan1
description $ETH-4ESG$$INTF-INFO-10/100/1000 Ethernet$$ETH-LAN$FW-DMZ$$FW_INSIDE$
ip address 200.200.200.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security dmz-zone
interface Dialer0
description $FW_OUTSIDE$
ip address 210.210.210.154 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username [email protected] password 7 XXXXXXXXXXXX
service-policy input sdmappfwp2p_CCP_MEDIUM
service-policy output sdmappfwp2p_CCP_MEDIUM
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip flow-top-talkers
top 200
sort-by bytes
cache-timeout 500
ip dns server
ip nat pool NAT-POOL1 200.200.200.161 200.200.200.189 netmask 255.255.255.224
ip nat inside source route-map SDM_RMAP_1 pool NAT-POOL1
ip route 0.0.0.0 0.0.0.0 210.210.210.1
ip route 10.210.210.0 255.255.255.0 192.168.1.1 permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet0/2/0 permanent
ip route 168.192.200.0 255.255.255.0 GigabitEthernet0/1 permanent
ip route 200.200.200.0 255.255.255.128 Vlan1 permanent
ip route 200.200.200.128 255.255.255.224 GigabitEthernet0/0 permanent
ip route 200.200.200.160 255.255.255.224 Loopback0 permanent
ip access-list extended DEST-DNS
remark CCP_ACL Category=1
permit udp any any eq domain
ip access-list extended DMS-SIP-TRAFFIC
remark CCP_ACL Category=128
permit ip host 200.200.200.30 any
permit ip host 200.200.200.40 any
ip access-list extended DMZ-DNS-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.20
ip access-list extended DMZ-ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended DMZ-MAIL-OUT
remark CCP_ACL Category=128
permit ip any host 230.211.70.60
permit ip any host 230.250.90.137
ip access-list extended DMZ-SIP
remark CCP_ACL Category=128
permit ip any host 200.200.200.40
permit ip any host 200.200.200.30
ip access-list extended DMZ-SYSLOG
remark CCP_ACL Category=128
permit ip 230.211.70.0 0.0.0.255 host 200.200.200.32
permit ip 200.200.200.128 0.0.0.127 host 200.200.200.32
ip access-list extended DMZ-WEB
remark CCP_ACL Category=128
permit ip any host 200.200.200.35
permit ip any host 200.200.200.20
ip access-list extended DMZ-ZONE-TRAFFIC
remark CCP_ACL Category=128
permit ip 200.200.200.0 0.0.0.128 any
ip access-list extended ESP-TRAFFIC
remark CCP_ACL Category=1
permit esp any any
ip access-list extended IN-ZONE-ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended IN-ZONE-TRAFFIC
remark CCP_ACL Category=128
permit ip host 200.200.200.140 any
ip access-list extended NAT-POOL-TRAFFIC-IN
remark CCP_ACL Category=128
permit ip any 0.0.0.0 255.255.255.224
ip access-list extended NAT-POOL-TRAFFIC-OUT
remark CCP_ACL Category=128
permit ip 0.0.0.30 255.255.255.224 any
ip access-list extended OPEN-TRAFFIC-IN-140
remark CCP_ACL Category=1
permit udp host 230.211.70.60 host 200.200.200.140 eq isakmp
permit esp host 230.211.70.60 host 200.200.200.140
permit ip host 230.211.70.10 host 200.200.200.140
permit tcp host 230.211.70.35 host 200.200.200.140
deny ip host 230.211.70.60 host 200.200.200.140
ip access-list extended OPEN-TRAFFIC-OUT-140
remark CCP_ACL Category=1
permit udp host 200.200.200.140 host 230.211.70.60 eq isakmp
permit esp host 200.200.200.140 host 230.211.70.60
permit ip host 200.200.200.140 host 230.211.70.10
permit tcp host 200.200.200.140 host 230.211.70.35
deny ip host 200.200.200.140 host 230.211.70.60
ip access-list extended OPENDIR-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 230.211.70.10
ip access-list extended PUSH-NOTIFICATIONS
remark CCP_ACL Category=1
permit tcp any any eq 5223
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SELF-DNS-IN
remark CCP_ACL Category=1
permit udp any eq domain any
ip access-list extended SELF-DNS-OUT
remark CCP_ACL Category=128
permit ip any host 200.200.200.20
permit ip any host 200.200.200.4
ip access-list extended SELF-ICMP-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.190
ip access-list extended SMTP-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.140
ip access-list extended SMTPS-IN
remark CCP_ACL Category=1
permit tcp any any eq 465
permit tcp any any eq 587
ip access-list extended SMTPS-OUT
remark CCP_ACL Category=1
permit tcp any eq 465 any
permit tcp any eq 587 any
ip access-list extended SYSLOG-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.32
ip access-list extended TRUSTED-HOSTS
remark CCP_ACL Category=128
permit ip host 230.211.70.35 any
permit ip host 230.211.70.60 any
logging 200.200.200.32
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 168.192.200.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 210.210.210.0 0.0.0.255 any
access-list 100 permit ip 200.200.200.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 permit ip 168.192.200.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
control-plane
banner login ^CThis device is propoerty of FROGHOP and all activity is logged.^C
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.189.54.17
ntp server 192.189.54.33
ntp server 203.161.12.165
ntp server 130.102.2.123
end
Thanks in advance for any tips.
Regards,
John. -
ASA 5505 (8.3.1) DMZ to Outside access problem
We have a hub and spoke VPN setup and at one location used the DMZ port/vlan subnet to access the hub. We have since changed and want the DMZ to only access the outside interface (have base license that can only access one interface). We have taken out all the configs that allow access to inside/VPN but can not get the DMZ to access Outside/internet. I also do not see any debug info in the logs. We have read a ton but it seems that there are changes in 8.3 that are not documented well enough for us to get this going. Does anybody see what we are missing?
Full Config:
ASA Version 8.3(1)
hostname Rye5505
domain-name thedavid
enable password encrypted
passwd encrypted
names
name 192.168.72.0 Sixpines description VPN
interface Vlan1
nameif inside
security-level 100
ip address 192.168.73.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.15.200.138 255.255.255.252
interface Vlan5
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 5
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name thedavid
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 192.168.72.0
subnet 192.168.72.0 255.255.255.0
description Sixpines
object network NETWORK_OBJ_192.168.73.0_24
subnet 192.168.73.0 255.255.255.0
object network obj-192.168.73.0
subnet 192.168.73.0 255.255.255.0
object network Sixpines
subnet 192.168.72.0 255.255.255.0
object network DMZ
subnet 192.168.1.0 255.255.255.0
object-group network SixpinesInternalNetwork
network-object Sixpines 255.255.255.0
access-list DMZ_access_in extended permit ip any any inactive
access-list DMZ_access_in extended permit ip object DMZ object obj_any inactive
access-list outside_1_cryptomap extended permit ip object obj-192.168.73.0 object Sixpines
access-list dmz extended permit ip object obj_any object DMZ
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (dmz,outside) source static DMZ DMZ
object network obj_any
nat (inside,outside) dynamic interface
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 69.15.200.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.73.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 dmz
http Sixpines 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 72.54.197.28
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.73.101-192.168.73.132 inside
dhcpd dns 192.168.72.14 8.8.8.8 interface inside
dhcpd domain thedavidlawfirm interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 72.54.197.28 type ipsec-l2l
tunnel-group 72.54.197.28 ipsec-attributes
pre-shared-key
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
OUTPUT of log.....
6 Sep 29 2008 19:31:32 302015 8.8.8.8 53 192.168.1.110 59468 Built outbound UDP connection 2298 for outside:8.8.8.8/53 (8.8.8.8/53) to dmz:192.168.1.110/59468 (192.168.1.110/59468)
6 Sep 29 2008 19:31:30 302016 8.8.8.8 53 192.168.1.110 62740 Teardown UDP connection 2234 for outside:8.8.8.8/53 to dmz:192.168.1.110/62740 duration 0:02:08 bytes 110
THANKS!!!!Hello –
I know that it has been a while since you’ve posted this question. I just recently ran into the very same situation; trying to get my DMZ to access the internet.
You think that because the internet in a lower security interface, that traffic automatically flows downhill. If you have ANY ACL’s in your DMZ, then this default feature disappears.
If you want to secure your inside from the DMZ, and still get internet, you must do the following:
Second to last ACL :
Action: Deny
Source: any
Destination: inside
Service: IP
Last ACL:
Action: Permit
Source: any
Destination: any
Service: IP
ACL’s read from top to bottom, so in this case, traffic would try to find a match. If traffic was not trying to go into the inside interface, the only other available would be outside.
Thanks,
Michael -
Hello,
I am new to Cisco firewalls and am attempting to setup a DMZ on the firewall.
I have managed to create the interface and vlan and ip address settings etc. But im a bit lost with the NAT settings and rules i need to create for it.
I need to be able to do the following:
- RDP access from inside network to the DMZ servers
- Internet access for the DMZ
I am also setting up Active Directory Federation and requirre HTTPS traffic from the following:
- DMZ HTTPS to outside (Office 365 Services)
- Outside HTTPS to DMZ (ADFS Servers on DMZ only)
- DMZ HTTPS to inside (ADFS Servers Only)
- Inside HTTPS to DMZ (ADFS Servers Only)
Running Config:
interface Vlan1
nameif inside
security-level 100
ip address ccl-sua-asa 255.255.255.0
ospf cost 10
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.0.1 255.255.255.0
interface Vlan100
nameif outside
security-level 0
ip address 77.107.90.202 255.255.255.248
ospf cost 10
interface Ethernet0/0
switchport access vlan 100
speed 100
duplex full
interface Ethernet0/1
description Connected to CCL-SUA-SW1 port 16
interface Ethernet0/2
switchport access vlan 3
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp host 87.86.204.100 host 77.107.90.203 eq smtp
access-list inbound remark Inbound ACT for Ruth Edmonds Only
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 5022 inactive
access-list inbound remark Inbound rules for OWA 30/06/09 MD
access-list inbound extended permit tcp any host 77.107.90.203 eq https log
access-list inbound remark Inbound access for LDAP and SMTP from mimecast 02/07/09 MD
access-list inbound extended permit tcp object-group mimecast interface outside eq ldap
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq smtp
access-list inbound remark change request MET 56030 inbound POP3 for mimecast
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq pop3
access-list inbound remark Inbound rule for helpdesk 10/07/2012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq https
access-list inbound remark Inbound rule for survey 011012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq www
access-list inbound extended deny ip any any
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list vpn-met-bir extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list outbound extended permit ip object-group servers 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 192.168.255.0 255.255.255.0
access-list outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outbound extended deny udp any 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 10.0.0.0 255.0.0.0
access-list outbound extended deny ip any 192.168.0.0 255.255.0.0
access-list outbound extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.40.0 255.255.255.0
nat (inside) 1 192.168.41.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (inside,outside) tcp interface 5022 192.168.41.1 ssh netmask 255.255.255.255
static (outside,outside) tcp interface ssh 192.168.41.1 ssh netmask 255.255.255.255
static (inside,outside) tcp interface www WEB www netmask 255.255.255.255
static (inside,outside) tcp interface ldap FILESERVER ldap netmask 255.255.255.255
static (inside,outside) 77.107.90.203 MAILSERVER netmask 255.255.255.255
static (inside,outside) 77.107.90.205 helpdesk netmask 255.255.255.255
static (dmz,outside) 77.107.90.206 172.16.0.7 netmask 255.255.255.255
access-group outbound in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 77.107.90.201 1
route inside 192.168.41.0 255.255.255.0 ccl-sua-sw1 1
Like i mentioned I have already setup the DMZ itself but its just the NAT and rules im struggling to get working
Many Thanks
JamesHi,
If you have only a ASA5505 Base License then you can initiate/open connections from the DMZ to INSIDE
You can confirm the License level with "show version" command. It should read at the end of the output.
In the Base License you only have a restricted DMZ/3rd interface on the ASA. You can connect to it from anywhere BUT you have to limit it from connecting towards one of the other 2 intefaces. You have already done this with the command
no forward interface Vlan1
Which to my understanding is required to get the 3rd interface active when you only have Base License on ASA5505.
OUTSIDE -> DMZ
INSIDE -> DMZ
Connection initiating should be possible.
So it seems to me that you already have one problem that will limit connectivity and not just the NAT.
You already seem to have the Default PAT configuration for DMZ Internet traffic.
You dont have the NAT for DMZ <-> INSIDE traffic but as mentioned above it might already be limited by something else even though your configurations were fine.
The corrent NAT configuration to enable that traffic would be to use
static (inside,dmz) netmask
Repeat for all
EDIT: Naturally you would also need an ACL on the DMZ interface for DMZ -> INSIDE traffic since the INSIDE is of higher "security-level". But as soon as you add the ACL to the DMZ interface you would also have to use it to allow Internet bound traffic since the "security-level" looses its meaning after an ACL is attached to the interface.
- Jouni -
Using DMZ to connect to internet
I am having problems accessing the internet when changing route from using outside to DMZ to access the internet. Reason for this change is because I have a FTP-server in DMZ that also needs access to the internet through DMZ.
The main server has two NICs and so I am routing default gw through the inside. I have tried to change default gateway to the DMZ-nic, but then I loose connection to the internet...
The ftp-server is a virtual maching running on the main server.
I have attached two nics to the FTP-server, but I can remove the last one.
I have a base license.
The configuration is as following:
# show run
: Saved
ASA Version 8.4(2)
hostname ciscoasa
domain-name inside-sport.no
enable password XXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp
interface Vlan12
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 193.75.75.75
name-server 192.168.1.11
name-server 192.168.1.12
name-server 193.75.75.193
domain-name inside-sport.no
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_192.168.1.128_27
subnet 192.168.1.128 255.255.255.224
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.254.0_28
subnet 192.168.254.0 255.255.255.240
object network dmz-ftpserver
host 192.168.2.101
description FTP server Host Object
object network dmz-webserver
host 192.168.2.100
description Web Server Host Object
object network ftp-server
object service FTP
service tcp source eq ftp
object service WWW
service tcp source eq www
object network DMZ.net
subnet 192.168.2.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network NET-VPNPOOL
network-object 173.194.32.34 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.2.101 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq www
access-list VPN-INSIDE-SPORT_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_access_dmz extended permit tcp any object DMZ.net range 1 65535
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN-Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (DMZ,outside) source static dmz-webserver interface service WWW WWW
nat (DMZ,outside) source static dmz-ftpserver interface service FTP FTP
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.128_27 NETWORK_OBJ_192.168.1.128_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.254.0_28 NETWORK_OBJ_192.168.254.0_28 no-proxy-arp route-lookup
nat (outside,outside) source dynamic NET-VPNPOOL interface
object network obj_any
nat (inside,outside) dynamic interface
object network inside-net
nat (inside,outside) dynamic interface
object network DMZ.net
nat (DMZ,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 173.194.32.34 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
management-access inside
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd domain inside-sport.no
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.49 inside
dhcpd dns 192.168.1.11 192.168.1.12 interface inside
dhcpd domain inside-sport.no interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN-INSIDE-SPORT internal
group-policy VPN-INSIDE-SPORT attributes
dns-server value 192.168.1.11 193.75.75.193
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-INSIDE-SPORT_splitTunnelAcl
default-domain value inside-sport.no
username foo password XXXXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group VPN-INSIDE-SPORT type remote-access
tunnel-group VPN-INSIDE-SPORT general-attributes
address-pool VPN-Pool
default-group-policy VPN-INSIDE-SPORT
tunnel-group VPN-INSIDE-SPORT ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d0c94dce38e18ab6599ca05d641e8932
: end
ciscoasa(config)#
When running:
packet-tracer input DMZ icmp 172.16.4.51 8 0 4.2.2.2
I get this output:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Route table on server connected to the inside:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.254.0 192.168.1.1 255.255.255.0 UG 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.254.0 U 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1
Route table for FTP-server in DMZ:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth01) Changed the IP address (what a Noob I am) to 192.168.2.101:
packet-tracer input DMZ icmp 192.168.2.101 8 0 4.2.2.2
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
2) OK - I'll consider that
3) All virtual servers (I believe there are 5 virtual linux servers or so in inside zone) need internet access + any laptops (currently three) that are in the network as well. So all machines in inside + dmz shall have outside access. In DMZ I have an FTP and a Web-server.
The www and the ftp would need to send in and out, right?
4) OK. I'll remove that one and report back. -
Hi Expert.
How I can allow dmz zone server to resolve only dns query through nslookup on ASA 5540 ?
What is the configuration required on ASA 5540 ?
ThanksHi Samir,
By IP address will be very simple, depending on the security level that it has (higher than 0 for DMZ and 0 for the outside) it will be allowed by default.
If there is an access-list alreay applied denying all the http traffic what you need to do is simply allowed that specific host on the ACL and then deny the rest.
Access-list DMZ permit tcp host host eq 80
Access-list DMZ deny ip any any
access-group DMZ in interface DMZ
Then you can add a host entry on the hostfile for the server on the DMZ to translate the IP address to a hostname and you will be able to access it using the web browser (not really scalable, but it works)
WARNING: This will only allow traffic from the DMZ server going to specific host on the internet on port 80, any other traffic going to any other interface will be dropped.
Mike -
I have two internet ISP's links, currently dmz and inside interfaces are using one ISP (route outside 0.0.0.0 0.0.0.0 “ISP1_IP”), I need to use one ISP for inside and the other ISP for dmz.
appreciate your help.
AliHi,
I am assuming ISP1 for Internal zone and ISP2 for DMZ.
Internal zone is allowed to access all protocols
access-list inside_access_in extended permit ip Internal-IP 255.255.255.0 any
Allow access from internet to DMZ server
access-list outside1_access_in extended permit tcp any host DMZ-Server'sPulic IP
Pat on the outside and DMZ interface for internal hosts
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 internal-IP netmask
Static NAT mapping for our DMZ server
static (dmz,outside1) DMZ-Server'sGlobal-IP DMZ-Server's-PrivateIP netmask 255.255.255.255
access-group outside1_access_in in interface outside1
access-group inside_access_in in interface inside
Default Routes
route outside 0.0.0.0 0.0.0.0 ISP1-Gateway 1
route outside1 0.0.0.0 0.0.0.0 ISP2-Gateway 2
hera, outside = ASA port that is connected to ISP1
outside1=ASA port that is connected to ISP2 -
Need help with ASA config to set up proxy on DMZ
Hello guys,
I have a problem, I´m trying to configure an ASA as shown in the attached scenario.
I need that all inside users to go to the proxy server on DMZ and from there they will go out to the internet.
Right now i have:
INSIDE INTERFACE
Access-list inside permit ip 10.1.1.0 255.255.255.0 host 11.1.1.6
DMZ INTERFACE
Access-list dmz permit ip host 11.1.1.6 any
OUTSIDE INTERFACE
Access-list outside permit ip any host <proxy server public ip>
REGARDING NAT I HAVE THE FOLLOWING:
Static (dmz,outside) <proxy server public> 11.1.1.6 netmask 255.255.255.255
My question would be if it would work with this configuration? Do i need to apply Nat on my inside hosts? Would all my inside hosts when reached the ASA will be send to the proxy and then through the proxy it will send them back to the ASA and then to the internet??
Thanks,
TonyHello Jennifer,
Thanks for your response. So basically i will need to add a static to allow trafic from inside to dmz without being natted. I don't know what proxy server it will be, the server would be managed by another party, but in my inside hosts i will need to set all the parameters to point to the proxy, once this done trafic will go out through the proxy server to the dmz interface of the ASA and then to the outside world, is that correct?
Do you think this configuration would work???
Outside = security 0
Inside = security 100
DMZ = security 50
static (dmz,outside) 11.1.1.6 netmask 255.255.255.255
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list inside permit tcp 10.1.1.0 255.255.255.0 any
access-list dmz permit ip host 11.1.1.6 any
access-group inside in interface inside
access-group dmz in interface dmz
Basically with this configuration my web request will go to the proxy on the DMZ and then from there it will go out to the internet??
Thanks -
Dear Team,
There is no information on the number of DMZ's that can be created on the Cisco NGN Firewalls. By default, there are 6GE Ports on the Firewall and I need to know how many DMZ's can be made on them.
Another question is what if I purchase ASA-IC-6GE-CU-A= module, how many DMZ's can I made additionally.
If there is a comparison chart on the Cisco Website, please provide me that link supporting number of DMZ's.
Regards,
Farhan.Hi,
I don't think the ASA really has a concept of DMZ ports/interfaces other than on ASA5505 and maybe some special model of ASA. Maybe it was ASA V1000.
In the normal ASA5500 Series and ASA5500-X Series the only limitation you have is either the amount of physical ports of if you use Trunk interface then the maximum supported Vlan ID amount. The amount of DMZs you configure is only limited by those.
There is no configuration on the ASA that would define the port as some sort of DMZ port. Generally you would just configure the interfaces ACL so that connections could not be initiated from behind this interface to the internal network.
If you want to check the supported Vlan ID amount of the ASA you have you can check this document
http://www.cisco.com/c/dam/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/at_a_glance_c45-701635.pdf
Seems your ASA model supports 50 Vlan IDs. As an extreme example it would seem to me that you could configure a single Trunk interface with 50 subinterfaces and also use the remaining 5 physical interfaces for some purpose. Though that probably would not be the ideal setup but just an example.
- Jouni -
We are deploying a new OVM environment and I would like to get the feedback on what the community thinks about putting the pool manager in the DMZ with the pool members....
Better yet what does the community think about putting any of the OVM compondents in the DMZ?
Thanks!!
Doug
Here is the Logical Flow...
DUAL ISP RUNNING BGP
------->
Cisco 5540 ASA HA (FOT NAT)
----------->
DMZ NETWORK SWITCH (FOR DMZ LB INTERFACE)
---------------->
F5 BIGIP LOAD BALANCER (FOR PAT and LB)
------------------------>
BACKEND LOAD BALANCER SWITCH (FOR HOST TRUNKING)
------------------------------>
PHYSICAL SERVERS OVM POOL MEMBERS / POOL MANAGER / OVM MANAGER
-------------------------------------->
BACKEND NETAPP NFS STORAGE OVER PRIMARY INTERFACE
Edited by: user12470398 on Jan 18, 2010 8:11 PMuser9010393 wrote:
We are deploying a new OVM environment and I would like to get the feedback on what the community thinks about putting the pool manager in the DMZ with the pool members....
Better yet what does the community think about putting any of the OVM compondents in the DMZ?Several of my clients run Oracle VM Servers in their DMZ. In that scenario, I recommand that Dom0 not be connected to the DMZ, i.e. it has no IP address on that network. Rather, the Dom0 and Oracle VM Manager are on a dedicated management network that has no access inbound from the Internet. The DomU's should be connected to DMZ-facing bridges. I would not run Oracle VM Manager in the DMZ. All communication from the Manager to the OVS servers is initiated by the Manager itself, so that can be inside your network.
Maybe you are looking for
-
Issue in GR55 report painter report not able to pass Exclusive values (E)
Hi all, According to client requirement we have added selection values in P&L Report Painter report. We have an issue we can only select data/range of data that we want to include(sign = I -inclusive) in the report. I cannot exclude values(sign = E -
-
Why is my computer freezing and restarting itself?
This is the error message I got last time! Please help. This is really messing me up with trying to do work on my computer. Anonymous UUID: 1A6C03A4-83F8-D71F-2C8D-1BBDEFA77554 Wed Mar 26 11:08:27 2014 panic(cpu 2 caller 0xffffff8024edbe2e): Kernel
-
TS3694 my phone keeps coming up with unknowm errow 1015
help
-
"Mail has stopped responding" error
When I log in to icloud.com and choose Mail > Preferences > Accounts, I get the message pasted below. This has been happening for about a week and has become a nuisance. Any one else have this problem or has any info about a fix? Thanks. Mail has sto
-
Trouble playing music from server after moving house
the music i play in itunes is stored on a different pc, we have a 'music server'. so when i first installed itunes, i imported them and had no trouble whatsoever. a month ago we moved to a new house, and last week we finally had our pc's ready to use