pally @dslextreme.com
reply to aryoba Re: [Config] cisco 5520
Hi Aryoba,
Below is the new configuration, thanks for helping!
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name helpme.org
enable password ************ encrypted
names
name 10.30.30.30 WebServer
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 76.*.*.40 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.30.30.1 255.255.0.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd ************** encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name helpme.org
object-group icmp-type ICMP-INBOUND
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo
object-group network INSIDE
 network-object 10.1.0.0 255.255.0.0
 network-object 172.20.0.0 255.255.0.0
object-group network DMZ
 network-object 10.30.0.0 255.255.0.0
object-group network DENY_LIST
 network-object host *.*.*.*
 network-object host *.*.*.*
 network-object host *.*.*.*
 network-object host *.*.*.*
access-list DMZACL extended permit ip host WebServer 10.30.0.0 255.255.0.0 inactive
access-list DMZACL remark allow WebServer to be pinged / also need rule from outside interface to be set to work.
access-list DMZACL extended permit icmp any any
access-list DMZACL extended permit ip host WebServer object-group INSIDE
access-list sec1 extended permit tcp any host 76.*.*.41 eq www
access-list sec1 extended permit icmp any host 76.*.*.41 object-group ICMP-INBOUND
access-list sec1 extended deny ip object-group DENY_LIST any
access-list nonat remark No NAT from Inside To DMZ
access-list nonat extended permit ip object-group INSIDE object-group DMZ
access-list nonat remark No NAT from Inside to DMZ
pager lines 30
logging enable
logging asdm informational
logging host inside 10.1.1.2
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 76.*.*.34-76.*.*.38 netmask 255.0.0.0
global (outside) 1 76.*.*.39 netmask 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 76.*.*.41 WebServer netmask 255.255.255.255
access-group sec1 in interface outside
access-group DMZACL in interface DMZ
route outside 0.0.0.0 0.0.0.0 76.*.*.33 1
route inside 172.20.0.0 255.255.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.20.0.5 255.255.255.255 inside
telnet 172.20.0.4 255.255.255.255 inside
telnet 172.20.1.200 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map IPS_Traffic
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class IPS_Traffic
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:71cac0fc2c6bbf19dc13eed1810c348c
: end
 aryoba Premium,MVM join:2002-08-22
1. ospf cost 10 under interface Management0/0
You missed one.
2. access-list DMZACL
access-list DMZACL extended permit ip host WebServer 10.30.0.0 255.255.0.0 inactive
access-list DMZACL remark allow WebServer to be pinged / also need rule from outside interface to be set to work.
access-list DMZACL extended permit icmp any any
access-list DMZACL extended permit ip host WebServer object-group INSIDE
You don't really need those lines, especially the one permitting any IP traffic from the web server to any machine in the Inside network. There is no point in having the server on the DMZ if you permit any IP traffic to Inside. Just open the necessary holes.
For instance, if the web server only needs to access the DNS server within the Inside network at 10.1.0.125 and the FTP server within the Inside network at 10.1.0.126, in addition to some ICMP traffic, then the access-list DMZACL should look something like this:
object-group network Inside_DNS
 network-object host 10.1.0.125
object-group network Inside_FTP
 network-object host 10.1.0.126
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service DNS tcp-udp
 port-object eq 53
object-group service FTP tcp
 port-object range 20 21
access-list DMZACL remark allow WebServer to be pinged / also need rule from outside interface to be set to work.
access-list DMZACL extended permit icmp object-group DMZ any
access-list DMZACL extended permit object-group TCP-UDP host WebServer object-group Inside_DNS object-group DNS
access-list DMZACL extended permit tcp host WebServer object-group Inside_FTP object-group FTP
3. access-list sec1
The order is reversed. It should be like this:
access-list sec1 extended deny ip object-group DENY_LIST any
access-list sec1 extended permit tcp any host 76.*.*.41 eq www
access-list sec1 extended permit icmp any host 76.*.*.41 object-group ICMP-INBOUND
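As an added illustration of the two points above (it is not code from the thread or from Cisco), the script below is a minimal first-match evaluator for ASA-style extended ACLs. It shows that with the sec1 entries in their posted order a DENY_LIST host still reaches the web server on port 80, because the `permit tcp any ... eq www` entry matches first and the later deny is never consulted, and it contrasts the broad `permit ip host WebServer object-group INSIDE` DMZ rule with the DNS/FTP-only version. The thread masks the public address and the DENY_LIST hosts, so `WEB_PUBLIC` (198.51.100.41) and the 203.0.113.x entries are constructed RFC 5737 placeholders; the object-group and name tables are transcribed from the posted config, and only the syntax forms that appear in this thread are parsed.

```python
"""First-match evaluation of ASA-style extended ACLs (added example, not from the thread)."""
import ipaddress

# Object-groups as posted, plus placeholders for the addresses the thread masks.
NETWORK_GROUPS = {
    "INSIDE": ["10.1.0.0/16", "172.20.0.0/16"],
    "DMZ": ["10.30.0.0/16"],
    "DENY_LIST": ["203.0.113.7/32", "203.0.113.8/32"],  # constructed placeholders
    "Inside_DNS": ["10.1.0.125/32"],
    "Inside_FTP": ["10.1.0.126/32"],
}
SERVICE_GROUPS = {"DNS": [(53, 53)], "FTP": [(20, 21)]}   # (low, high) port ranges
PROTOCOL_GROUPS = {"TCP-UDP": ["tcp", "udp"]}
NAMES = {"WebServer": "10.30.30.30", "WEB_PUBLIC": "198.51.100.41"}  # WEB_PUBLIC stands in for 76.*.*.41
PORT_NAMES = {"www": 80, "domain": 53}

def _nets(tokens):
    """Consume one address spec (any | host X | object-group G | NET MASK); return (networks, rest)."""
    t = tokens[0]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if t == "host":
        return [ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]) + "/32")], tokens[2:]
    if t == "object-group":
        return [ipaddress.ip_network(n) for n in NETWORK_GROUPS[tokens[1]]], tokens[2:]
    return [ipaddress.ip_network(f"{NAMES.get(t, t)}/{tokens[1]}", strict=False)], tokens[2:]

def _ports(tokens):
    """Consume an optional destination port spec; return (list of (low, high), rest)."""
    if tokens and tokens[0] == "eq":
        p = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return [(p, p)], tokens[2:]
    if tokens and tokens[0] == "range":
        return [(int(tokens[1]), int(tokens[2]))], tokens[3:]
    if tokens and tokens[0] == "object-group":
        return SERVICE_GROUPS[tokens[1]], tokens[2:]
    return [(0, 65535)], tokens  # no port qualifier: any port

def parse_acl(text, name):
    """Return the active ACEs of access-list `name` in configured order; remarks are skipped."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", name] or tok[2] != "extended":
            continue
        action = tok[3]
        if tok[4] == "object-group":          # protocol object-group, e.g. TCP-UDP
            protos, rest = PROTOCOL_GROUPS[tok[5]], tok[6:]
        else:
            protos, rest = [tok[4]], tok[5:]
        src, rest = _nets(rest)
        dst, rest = _nets(rest)
        if "icmp" in protos:                  # trailing tokens are an icmp-type group; ignored here
            dports = [(0, 65535)]
        else:
            dports, rest = _ports(rest)
        if "inactive" in rest:                # an inactive ACE is never consulted
            continue
        aces.append({"action": action, "protos": protos, "src": src,
                     "dst": dst, "dports": dports, "text": line})
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dport=0):
    """ASA semantics: the first matching ACE decides; no match means implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if "ip" not in ace["protos"] and proto not in ace["protos"]:
            continue
        if not any(s in n for n in ace["src"]) or not any(d in n for n in ace["dst"]):
            continue
        if proto in ("tcp", "udp") and not any(lo <= dport <= hi for lo, hi in ace["dports"]):
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"

# Constructed ACL texts mirroring the thread (placeholders substituted for masked values).
SEC1_AS_POSTED = """\
access-list sec1 extended permit tcp any host WEB_PUBLIC eq www
access-list sec1 extended permit icmp any host WEB_PUBLIC object-group ICMP-INBOUND
access-list sec1 extended deny ip object-group DENY_LIST any
"""
SEC1_CORRECTED = """\
access-list sec1 extended deny ip object-group DENY_LIST any
access-list sec1 extended permit tcp any host WEB_PUBLIC eq www
access-list sec1 extended permit icmp any host WEB_PUBLIC object-group ICMP-INBOUND
"""
DMZACL_AS_POSTED = """\
access-list DMZACL extended permit ip host WebServer 10.30.0.0 255.255.0.0 inactive
access-list DMZACL remark allow WebServer to be pinged
access-list DMZACL extended permit icmp any any
access-list DMZACL extended permit ip host WebServer object-group INSIDE
"""
DMZACL_TIGHT = """\
access-list DMZACL extended permit icmp object-group DMZ any
access-list DMZACL extended permit object-group TCP-UDP host WebServer object-group Inside_DNS object-group DNS
access-list DMZACL extended permit tcp host WebServer object-group Inside_FTP object-group FTP
"""

def blocked_host_can_reach_web(acl_text):
    """True if a DENY_LIST host (placeholder 203.0.113.7) is permitted HTTP to the public web address."""
    action, _ = evaluate(parse_acl(acl_text, "sec1"), "tcp", "203.0.113.7", NAMES["WEB_PUBLIC"], 80)
    return action == "permit"

def webserver_reach(acl_text, proto, dst_ip, dport=0):
    """Verdict for traffic from WebServer toward an Inside host under the given DMZACL text."""
    return evaluate(parse_acl(acl_text, "DMZACL"), proto, NAMES["WebServer"], dst_ip, dport)[0]

if __name__ == "__main__":
    print("sec1 as posted, DENY_LIST host -> web:80 :", blocked_host_can_reach_web(SEC1_AS_POSTED))
    print("sec1 corrected, DENY_LIST host -> web:80 :", blocked_host_can_reach_web(SEC1_CORRECTED))
    print("DMZACL as posted, WebServer -> 10.1.0.200:3389 :", webserver_reach(DMZACL_AS_POSTED, "tcp", "10.1.0.200", 3389))
    print("DMZACL tight,     WebServer -> 10.1.0.200:3389 :", webserver_reach(DMZACL_TIGHT, "tcp", "10.1.0.200", 3389))
```

Running it shows the posted sec1 order answering `True` for the blocked host and the corrected order answering `False`, while the posted DMZACL lets WebServer open any port on any Inside host and the tightened one only permits DNS, FTP and ICMP. The same first-match logic is what `packet-tracer` exercises on the box itself, so the evaluator is a way to reason about ordering before pasting a change in.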
pally @dslextreme.com
Hi Aryoba,
I did what you suggested, and thanks for pointing out the ospf. I still can't get my DNS to return my nslookup query on my WebServer, nor can I view my intranet website from my WebServer. I created an object-group Inside_HTTP and an ACL to allow my WebServer to view my intranet website, but it didn't work. Below is the new configuration based on what you suggested. Hope it helps! Thanks again for all your help!
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name helpme.net
enable password tVAoFm9hTH4bBHtx encrypted
names
name 10.30.30.30 WebServer
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 76.*.*.40 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.30.30.1 255.255.0.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd tVAoFm9hTH4bBHtx encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name helpme.net
object-group icmp-type ICMP-INBOUND
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo
object-group network INSIDE
 network-object 10.1.0.0 255.255.0.0
 network-object 172.20.0.0 255.255.0.0
object-group network DMZ
 network-object 10.30.0.0 255.255.0.0
object-group network DENY_LIST
 network-object host *.*.*.*
 network-object host *.*.*.*
 network-object host *.*.*.*
 network-object host *.*.*.*
object-group network Inside_DNS
 network-object host 172.20.0.9
 network-object host 172.20.0.2
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service DNS tcp-udp
 port-object eq domain
object-group network Inside_HTTP
 network-object host 172.20.0.3
object-group service HTTP tcp
 port-object eq www
access-list DMZACL remark allow WebServer to be pinged / also need rule from outside interface to be set to work.
access-list DMZACL extended permit icmp any any inactive
access-list DMZACL extended permit ip host WebServer object-group INSIDE inactive
access-list DMZACL remark allow WebServer to be pinged / also need rule from outside interface to be set to work.
access-list DMZACL extended permit icmp object-group DMZ any
access-list DMZACL extended permit tcp host WebServer object-group Inside_HTTP object-group HTTP
access-list DMZACL extended permit object-group TCP-UDP host WebServer object-group Inside_DNS object-group DNS
access-list sec1 extended deny ip object-group DENY_LIST any
access-list sec1 extended permit tcp any host 76.*.*.41 eq www
access-list sec1 extended permit icmp any host 76.*.*.41 object-group ICMP-INBOUND
access-list nonat remark No NAT from Inside To DMZ
access-list nonat extended permit ip object-group INSIDE object-group DMZ
access-list nonat remark No NAT from Inside to DMZ
pager lines 30
logging enable
logging asdm informational
logging host inside 10.1.1.2
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
asdm location 172.20.0.0 255.255.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 76.*.*.34-76.*.*.38 netmask 255.0.0.0
global (outside) 1 76.*.*.39 netmask 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 76.*.*.41 WebServer netmask 255.255.255.255
access-group sec1 in interface outside
access-group DMZACL in interface DMZ
route outside 0.0.0.0 0.0.0.0 76.*.*.33 1
route inside 172.20.0.0 255.255.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.20.0.5 255.255.255.255 inside
telnet 172.20.0.4 255.255.255.255 inside
telnet 172.20.0.9 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map IPS_Traffic
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class IPS_Traffic
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:efc80f54abede220dbb9776e0891366e