ASA, ADSL Modem and my DMZ :(
16 years 9 months ago #24978
by bobg
ASA, ADSL Modem and my DMZ :( was created by bobg
Hi guys,
I recently purchased a Cisco ASA 5505 for my home network. I have never really played around with Cisco's security appliances and thought it might be worthwhile.
Anyway, I ran into a problem and I was hoping someone could help a N00b like myself out.
OK, here is the scenario.
I have an ADSL connection which provides me with a dynamic public IP. (I am using dyndns.org to obtain a DNS name for the moment.)
Inside interface
IP: 192.168.1.1
Mask: 255.255.255.0
Security level: 100
DMZ:
IP: 192.168.2.1
Mask: 255.255.255.0
Security level: 4
Outside
IP: assigned via DHCP from my ADSL modem/router. 172.16.1.1 - 172.16.1.20.
Mask: 255.255.255.0
Security level: 0
My ADSL modem (router) is connected to the outside interface of my ASA.
I have a PC connected to the inside interface and a server running Apache (webserver) connected to my DMZ.
I am trying to make my webserver publicly available.
I have set up port forwarding on my router to send all traffic on port 80 to my outside interface (which, now that I write it, seems pointless as all traffic is going there anyway!).
But now what I THINK I need to do is port forward all traffic on port 80 which arrives at the outside interface to the DMZ???
It's a similar setup to ones I've seen Cisco documenting, except my outside interface isn't a public address as it's already gone through one level of NATing from my router.
At the moment, when I try to access my webserver from the internet I get the following error in my syslogs.
"3|Jan 30 2008|16:51:57|710003|203.20.35.28|172.16.1.1|TCP access denied by ACL from 203.20.35.28/12451 to outside:172.16.1.1/80
3|Jan 30 2008|16:51:54|710003|203.20.35.28|172.16.1.1|TCP access denied by ACL from 203.20.35.28/12451 to outside:172.16.1.1/80"
I've attached my running-config below. At the moment with my router
I apologise if this is a stupid question; I'm keen to get this up and running and learn from it. MANY THANKS!
My running config.
:
ASA Version 7.2(2)
!
hostname homeasa
domain-name default.domain.home
enable password 1plPx2i8fWTm1hEU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan12
description DMZ for webserver
no forward interface Vlan1
nameif DMZ
security-level 4
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 1plPx2i8fWTm1hEU encrypted
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name default.domain.home
access-list outside_access_in remark TRAFFIC IS ENTERING
access-list outside_access_in extended permit tcp any host 192.168.2.2 eq www log emergencies
access-list outside_access_in extended permit tcp any host 172.16.1.1 eq www log
access-list DMZ_access_in extended permit tcp any host 192.168.2.2 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip audit name AlarmDrop attack action alarm drop
ip audit interface outside AlarmDrop
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 192.168.2.0 255.255.255.0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username marcosg password shte7DmC88sfarw5 encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Warning. Unathorised access will be prosecuted
auth-prompt accept Welcome
auth-prompt reject You are not authorised to access me. Go away!
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.10 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0187b85a258fdec1568429a341794a26
: end
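Added example, not from bobg's post and not Cisco's own documentation: the configuration a pre-8.3 ASA (the post runs 7.2(2)) needs to forward TCP/80 arriving at the outside interface address to the DMZ host 192.168.2.2 that the posted ACLs already reference. The 710003 messages in the syslog mean the ASA treated the connection as traffic to its own interface address, because no static translation claims 172.16.1.1/80. The missing piece is a static PAT; the existing ACE for `host 172.16.1.1 eq www` is already the right form, since on 7.x/8.2 an inbound ACL is evaluated against the mapped (translated) address, which is why the ACE permitting `host 192.168.2.2` on outside_access_in never matches. 172.16.1.1 is taken from the post as the current DHCP lease, so that ACE has to follow the lease if it changes. The packet-tracer check (available from 7.2) uses the source address from the post's own log lines.

```cisco
! Added example (not from the original post). Assumes ASA 7.2(2) pre-8.3 NAT
! syntax, the DMZ web server 192.168.2.2 named in the posted ACLs, and
! 172.16.1.1 as the outside address currently leased by the ADSL router.
!
! Static PAT: TCP/80 arriving at the outside interface address is translated
! to 192.168.2.2:80 in the DMZ. Without it the ASA sees port 80 on its own
! address as to-the-box traffic, denies it, and logs %ASA-3-710003.
static (DMZ,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255
!
! Pre-8.3 inbound ACLs match the mapped (outside) address, so this is the ACE
! that counts; an ACE for the real address 192.168.2.2 never matches here.
access-list outside_access_in extended permit tcp any host 172.16.1.1 eq www log
access-group outside_access_in in interface outside
!
! Verification: replay the inbound connection from the posted syslog lines and
! confirm the NAT and ACCESS-LIST phases report ALLOW, then confirm the xlate
! for 172.16.1.1:80 -> 192.168.2.2:80 exists.
packet-tracer input outside tcp 203.20.35.28 12451 172.16.1.1 80
show xlate
```

The DMZ_access_in list in the post only permits TCP/80 to 192.168.2.2 from the DMZ side, so the web server itself cannot open connections outward; that is a sensible containment default for a DMZ host and nothing above loosens it.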
16 years 9 months ago #24999
by bobg
Replied by bobg on topic Re: ASA, ADSL Modem and my DMZ :(
Sorry, is my question that stupid? Or does nobody have any ideas?