ASA 5505 DMZ/Web server configuration
17 years 6 months ago #21379
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: ASA 5505 DMZ/Web server configuration
Here are a few examples to get ya going (well, this is from the Pix).
[code:1]global (outside) 1 interface[/code:1]
Set up the address that outgoing traffic translates to. Since we have used interface (you can use a single IP address if you want) this is going to mean PAT. If you had put something like 10.0.0.10-10.0.0.20 then it would set up proper NAT on .10 to .19 and then PAT on .20.
[code:1]global (dmz) 1 interface[/code:1]
Only if you want to nat traffic through to the DMZ from the inside network.
[code:1]nat (inside) 1 0.0.0.0 0.0.0.0[/code:1]
Specifies what internal traffic can get translated to our global address. Here we are saying everything.
[code:1]nat (dmz) 1 192.168.0.0 255.255.255.0[/code:1]
This is now saying that we are translating any traffic from 192.168.0.0/24 subnet on the DMZ.
[code:1]static (inside,outside) tcp interface http 172.16.0.2 http netmask 255.255.255.255 tcp 500 50[/code:1]
As you can see, we are setting up a static translation to allow port 80 traffic from outside to inside (specifying a server on 172.16.0.2).
[code:1]route outside 0.0.0.0 0.0.0.0 router-ip[/code:1]
Routes everything from the Pix to the router-ip. Obviously, if you have got any more subnets within your organisation that are not directly connected to the ASA, then you will need to add further routes but send them inside.
[code:1]access-list permit-inbound extended permit tcp any interface outside eq www[/code:1]
Allows port 80 traffic to the webserver (this is because we are allowing eq www to the outside interface. Remember, we set up the static translation that says any traffic destined to the outside interface on port 80 will get translated through to the inside webserver).
[code:1]access-group permit-inbound in outside[/code:1]
Assign the access list to the outside interface.
Hope that makes sense to ya.
Cheers
Wayne
17 years 6 months ago #21384
by skepticals
Replied by skepticals on topic 5505 Worked
Well, I restored the default configuration on the 5505 and tried the steps we discussed and everything is working; however, I tried to mimic it with the ASA 5510 and it does not work. Here is the config:
: Saved
:
ASA Version 7.2(2)
!
hostname XXXX
domain-name
enable password ***************** encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN Interface
nameif outside
security-level 0
ip address 198.111.XXX.XX 255.255.255.240
!
interface Ethernet0/1
description DMZ Interface
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/2
description Lan Interface
nameif inside
security-level 100
ip address 10.3.254.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management Interface
nameif management
security-level 100
no ip address
management-only
!
passwd XXXXXXXXXXX encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name XXXXXX.local
access-list Static extended permit tcp any host 198.111. X.X eq www
access-list CPL_splitTunnelAcl standard permit 10.3.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.254.0 255.255.255.0 10.3.254.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
mtu management 1500
ip local pool Remote_Client_Pool 10.3.254.10-10.3.254.60 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.3.0.0 255.255.0.0
static (DMZ,outside) 198.111. X.X 172.16.0.3 netmask 255.255.255.255
access-group Static in interface outside
route outside 0.0.0.0 0.0.0.0 198.111.x.x 1 (Edited by Smurf to remove IP Address)
route inside 10.3.4.0 255.255.255.0 10.3.254.2 1
route inside 10.3.6.0 255.255.255.0 10.3.254.2 1
route inside 10.3.7.0 255.255.255.0 10.3.254.2 1
route inside 10.3.5.0 255.255.255.0 10.3.254.2 1
route inside 10.3.3.0 255.255.255.0 10.3.254.2 1
route inside 10.3.2.0 255.255.255.0 10.3.254.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy CPL internal
group-policy CPL attributes
dns-server value 10.3.4.10
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CPL_splitTunnelAcl
vpn-group-policy CPL
aaa authentication enable console LOCAL
http server enable
http 10.3.2.0 255.255.255.0 inside
http 10.3.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group CPL type ipsec-ra
tunnel-group CPL general-attributes
address-pool Remote_Client_Pool
default-group-policy CPL
tunnel-group CPL ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
I deleted some things that are not relevant.
17 years 6 months ago #21386
by Smurf
Replied by Smurf on topic Re: ASA 5505 DMZ/Web server configuration
What's not working? The only thing that springs to mind is that the static is performing a full NAT mapping, which will probably mean that the only machine that can get access through the firewall is the webserver?
17 years 6 months ago #21387
by skepticals
Replied by skepticals on topic Re: ASA 5505 DMZ/Web server configuration
I am unable to access the web page that is on the web server. That is the only computer in the DMZ currently.
Do these settings look correct to allow traffic from the outside interface (198.111.X.X) to access the 172.16.0.3 web server in the DMZ?
If so, maybe it's a problem with the web server?
17 years 6 months ago #21388
by Smurf
Replied by Smurf on topic Re: ASA 5505 DMZ/Web server configuration
Yes, it looks OK: the static is in place, the Global/NAT is in place, the access-list is in place and the access-group is in place. Like I said though, the static could do with being configured like my previous example, as you are setting up a 1-to-1 mapping for the webserver to the only external address you have.
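As an added example (not code from this thread or from either poster), here is a small Python checker that walks the inbound path Wayne lists: the static, the access-list and the access-group. It parses the pre-8.3 ASA/PIX syntax used both in the Pix example earlier in the thread and in the posted 5510 config, and reports which piece is missing when a port does not reach the server; the public address 198.51.100.10 is a placeholder for the masked one, and "interface" stands for the firewall's own outside address as in the Pix example.

```python
# Constructed sample: the static, ACL and access-group lines from the ASA 7.2(2) config
# posted in this thread, with the masked public address replaced by 198.51.100.10.
SAMPLE_CONFIG = """
static (DMZ,outside) 198.51.100.10 172.16.0.3 netmask 255.255.255.255
access-list Static extended permit tcp any host 198.51.100.10 eq www
access-group Static in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}

def port_number(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_config(text):
    cfg = {"statics": [], "acls": {}, "bound": {}}
    for t in filter(None, (line.split() for line in text.splitlines())):
        if t[0] == "static":  # static (real_if,mapped_if) [tcp] mapped [port] real [port] netmask ...
            real_if, mapped_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):  # port static: only one port is forwarded
                s = {"proto": t[2], "mapped": t[3], "mport": port_number(t[4]), "real": t[5]}
            else:                       # full 1-to-1 static: every port is forwarded
                s = {"proto": None, "mapped": t[2], "mport": None, "real": t[3]}
            cfg["statics"].append(dict(s, real_if=real_if, mapped_if=mapped_if))
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            i = 6 if t[5] == "any" else 7            # skip the source: any | host X | net mask
            # destination: host X | interface IF (the firewall's own address) | any | net mask
            dst = "interface" if t[i] == "interface" else t[i + 1] if t[i] == "host" else t[i]
            i += 1 if t[i] == "any" else 2
            port = port_number(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(t[1], []).append({"proto": t[4], "dst": dst, "port": port})
        elif t[0] == "access-group":                 # access-group NAME in [interface] IF
            cfg["bound"][t[-1]] = t[1]
    return cfg

def check_inbound(cfg, iface, dst, port, proto="tcp"):
    """Trace traffic arriving on iface for mapped address dst (an IP, or "interface" for the
    firewall's own address) on port. Pre-8.3 ACLs match the mapped address, so the ACL is
    checked against dst. Returns (real_ip, reason); real_ip is None if a piece is missing."""
    static = next((s for s in cfg["statics"] if s["mapped_if"] == iface and s["mapped"] == dst
                   and (s["mport"] is None or (s["proto"], s["mport"]) == (proto, port))), None)
    if static is None:
        return None, "no static translation for %s port %s on %s" % (dst, port, iface)
    acl = cfg["bound"].get(iface)
    if acl is None:
        return None, "no access-group bound to %s" % iface
    for ace in cfg["acls"].get(acl, []):
        if ace["proto"] == proto and ace["dst"] in (dst, "any") and ace["port"] in (port, None):
            kind = "full 1-to-1" if static["mport"] is None else "port"
            return static["real"], "%s static to %s, permitted by access-list %s" % (kind, static["real"], acl)
    return None, "access-list %s has no permit for %s port %s" % (acl, dst, port)
```

Running `check_inbound(parse_config(SAMPLE_CONFIG), "outside", "198.51.100.10", 80)` returns the DMZ host 172.16.0.3 with a "full 1-to-1 static" reason, while port 443 is translated by the same static but stops at the access-list; with the Pix-style port static from the earlier post, port 22 stops at the static itself.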
17 years 6 months ago #21389
by skepticals
Replied by skepticals on topic Re: ASA 5505 DMZ/Web server configuration
Sorry to be difficult, but I do not understand how you want me to configure the ASA without having a 1-to-1 mapping... what is the better way to set this up?