ASA 5505 DMZ config problem

16 years 5 months ago #25735 by Codec
Hi

I use Cisco ASDM 5.2 for the ASA when I do configuration.

How can I allow connections from outside to the DMZ, e.g. an HTTP server?

I have a static IP which comes from the ISP by PPPoE.

Error is:

TCP access denied by ACL from 85.77.230.115/41833 to outside:213.139.xxx.xxx/80

My config is now:
: Saved
: Written by Codec 07:08:10.689 EEDT Tue Apr 15 2008
:ALL Password and usernames are changed...
:ALL Outside IP are cleaned...
!
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name xxxxx
enable password xxxxxx/p encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.123.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group VDSL
ip address pppoe setroute
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.50.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxx.xxxx encrypted
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name xxxxxx
object-group service ahsay tcp
description Ahsay backup
port-object range 90 90
access-list xxxxxVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list xxxxxVPN_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list xxxxxVPN_splitTunnelAcl_2 standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.10.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 192.168.123.0 255.255.255.192
access-list kissa_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Sisaverkko standard permit 192.168.123.0 255.255.255.0
access-list tunneliryhma_splitTunnelAcl standard permit 192.168.123.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNpooli2 192.168.123.20-192.168.123.29 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

:IS THAT RIGHT???
static (dmz,outside) tcp 213.139.xxx.xxx www 192.168.50.10 www netmask 255.255.255.255

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy xxxxxVPN internal
group-policy xxxxxVPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Sisaverkko
username jarppi password xxxxxxx encrypted privilege 15
username jarppi attributes
vpn-group-policy xxxxxVPN
url-cache dst 10
http server enable
http 192.168.123.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group xxxxxVPN type ipsec-ra
tunnel-group xxxxxVPN general-attributes
address-pool (inside) VPNpooli2
address-pool VPNpooli2
default-group-policy xxxxxVPN
tunnel-group xxxxxVPN ipsec-attributes
pre-shared-key xxxxxxx (Removed)
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group OPOY request dialout pppoe
vpdn group OPOY localname yyyyyyy
vpdn group OPOY ppp authentication pap
vpdn group VDSL request dialout pppoe
vpdn group VDSL localname yyyyyy-kiintea
vpdn group VDSL ppp authentication pap
vpdn username yyyyyy password yyyyyyyy
vpdn username yyyyyy password yyyyyyy
dhcpd auto_config outside
!
dhcpd address 192.168.123.50-192.168.123.80 inside
dhcpd wins 192.168.123.148 interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
prompt hostname context
Cryptochecksum:be714b58e54488c5454d72dd801b2a6c
: end
16 years 5 months ago #25751 by zomb
I am no expert, but it looks like the ACL does not permit any access to outside.

Try running:
access-list acl_outside permit tcp any host 213.139.xxx.xxx eq www
16 years 5 months ago #25757 by Elohim
Your outside interface statically maps to the DMZ interface? Is that the intent? Or is there a server inside the DMZ?
16 years 5 months ago #25769 by Codec
Hi

Okay.

I put this in the access-list:
access-list outside_in extended permit tcp any host 213.139.xxx.xxx eq www

Still I get the error:
TCP access denied by ACL from 85.77.243.57/50258 to outside:213.139.xxx.xxx/80

I have an HTTP server in the DMZ.

I'm not sure about NAT; do I need that?

AND I'm not sure that the ASA 5505 hardware is the right hardware for that situation.

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
16 years 5 months ago #25794 by Elohim
This statement is not correct. You are mapping a public IP to the DMZ interface with this statement. Replace the IP address 192.168.50.10 with the IP address of the DMZ web server.

static (dmz,outside) tcp 213.139.xxx.xxx www 192.168.50.10 www netmask 255.255.255.255
16 years 5 months ago #25806 by moonatic
Please try the following:

no static (dmz,outside) tcp 213.139.xxx.xxx www 192.168.50.10 www netmask 255.255.255.255

static (dmz,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255

I assume that the IP 213.139.xxx.xxx is the interface IP, so it is safe to use the keyword interface on the static NAT that you have. If that doesn't work, it could be due to the fact that you have an ASA 5505 with a Base license; normally the DMZ is fully usable with a Security Plus license.

Try it out and let me know if that works. If it doesn't, I can look for the link that talks about the license.
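Putting Elohim's and moonatic's corrections together with the interface binding that none of the posts show, here is the full set of ASA 7.2 statements for publishing a DMZ web server, as an added example and not a config from any of the posters. It assumes the web server is at 192.168.50.20 (a placeholder; 192.168.50.10 is the DMZ interface itself and must not be the translated address) and that 213.139.xxx.xxx is the address PPPoE assigned to the outside interface, so the interface keyword stands in for it.

```cisco
! Remove the static that points at the DMZ interface's own address
no static (dmz,outside) tcp 213.139.xxx.xxx www 192.168.50.10 www netmask 255.255.255.255
!
! Forward TCP/80 on the outside (PPPoE) address to the web server host.
! 192.168.50.20 is a placeholder for the real server address in the DMZ.
static (dmz,outside) tcp interface www 192.168.50.20 www netmask 255.255.255.255
!
! Permit only HTTP from anywhere to the outside address; nothing else is
! opened, so the implicit deny at the end of the list still covers all
! other inbound traffic.
access-list outside_in extended permit tcp any interface outside eq www
!
! Bind the ACL inbound on the outside interface. An access-list that is
! never applied with access-group has no effect at all.
access-group outside_in in interface outside
!
! Verify: the static translation should be listed, and the permit line's
! hit counter should increase when a client connects from outside.
show xlate
show access-list outside_in
```

An ACL that exists but is not applied with access-group changes nothing, which is why the "access denied by ACL" message persisted after outside_in was created. The Base license's restricted DMZ (the no forward interface Vlan1 line) only prevents the DMZ from initiating traffic toward the inside VLAN; it does not block connections from outside to the DMZ.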