DMZ setup for the first time

I have my current network setup with a domain controller, file server, and workstations. I want to add a web server/ftp server (1 single pc) into the DMZ. I do not have a secondary outside IP to use so I will need to use the same one that I use for my internet connection or my outside connection.

I am new to this and would like some help on what IP to give to the DMZ port on the router and what IP/subnet/gateway to give to the webserver/ftp server. Any additional information I may need to know to configure the router would also be greatly appreciated.

This is my current router setup:

ASA5505

(Outside) - Ethernet 0/0 - DHCP
(Inside ) - Ethernet 0/1 0/2 0/3 - 172.16.0.1 / 255.255.255.0
(DMZ ) - Ethernet 0/7 - ?


Thanks for your help.

The DMZ port (Ethernet 0/7) can be assigned any private range. Say 172.16.1.1/24. You should also give it a security level between 0 to 100. Say 50. So It would look some thing like this:

[code:1]interface Vlan2
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
![/code:1]

In this example, the server/PC should be assigned an IP in the range 172.16.1.0/24. I'll use 172.16.1.2. Mask is the same (255.255.255.0). Gateway should be set to the same as the dmz interface (172.16.1.1).

For the ASA, you need to configure Port Forwarding to allow web traffic (port 80) and ftp traffic (port 21) to be forwarded to your internal server IP (172.16.1.2 in this example). This is done using the static command like this:

[code:1]static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255
static (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.255.255[/code:1]

You need also to place access lists on the outside interface to allow incoming traffic to pass to the dmz.

[code:1]access-list outside_access_dmz extended permit tcp any interface outside eq www
access-list outside_access_dmz extended permit tcp any interface outside eq ftp
access-group outside_access_dmz in interface outside[/code:1]

Now, To access your server from any outside PC, use the IP of the outside interface (which is assigned to it by DHCP).

Hope this helps.

I used the same numbers and commands that you described yet i'm still unable to get it working.

Any help would be greatly appreciated.

[code:1]Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name xxxxx.local
enable password xxxxxxxqxkXr/Mw8 encrypted
passwd xxxxxxxIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name xxxxx.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.0.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 172.16.0.64 255.255.255.192
access-list CiscoVPN_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list outside_access_dmz extended permit tcp any interface outside
access-list outside_access_dmz extended permit tcp any interface outside eq ftp
pager lines 24
logging trap informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNDHCP 172.16.0.91-172.16.0.100 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255
static (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.255.255
access-group outside_access_dmz in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-sessiondb max-session-limit 2
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy CiscoVPN internal
group-policy CiscoVPN attributes
dns-server value 172.16.0.4 68.87.72.130
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CiscoVPN_splitTunnelAcl
default-domain value xxxxx.local
username xxxxx password xxxxxxbrIziqBGZJ encrypted privilege 0
username xxxxx attributes
vpn-group-policy CiscoVPN
tunnel-group CiscoVPN type ipsec-ra
tunnel-group CiscoVPN general-attributes
address-pool VPNDHCP
default-group-policy CiscoVPN
tunnel-group CiscoVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip

inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f154175ca333dca4bc782c84a995b464
: end
[/code:1]

First, this line is not entered correctly in your config:

[code:1]access-list outside_access_dmz extended permit tcp any interface outside eq www[/code:1]

It seams you forgot the eq www at the end of the line. Still, I don't think this is the cause of the problem. First I'd make sure of the following:

1. Can you access the web/ftp server from it's local DMZ LAN?. If you can't, make sure any firewalls installed on the server are turned off including the windows firewall.

2. Can you ping the server from the ASA?. If not, Are you connecting the web server directly to the ASA's Ethernet0/7 without using a switch?. If so, then you probably need a crossover cable for that.

If all that is checked and it still doesn't work, then try changing the IP range (in all the commands) I gave you to something like 172.20.1.x with a mask 255.255.255.0. I'm saying this because you have other lines in your config that use parts of the 172.16.1.x range. Just in case, to avoid any possible conflicts.

Can't think of another reason why it shouldn't work, I personally tried a very similar scenario and it worked.