- Posts: 9
- Thank you received: 0
Having trouble Configuring outside access to DMZ webserver.
15 years 5 months ago #30432
by jibon
Replied by jibon on topic Re: Having trouble Configuring outside access to DMZ webserver.
I finally found a way to turn the modem into a bridge. I found the original html configuration interface that Siemens had, and used it to reset the modem into bridge mode.
Does ASA 5520 connect-on-demand by default? I can't find any cli command to specify that.
And I've made the changes to my acl's as well. Thank you
Does ASA 5520 connect-on-demand by default? I can't find any cli command to specify that.
And I've made the changes to my acl's as well. Thank you
15 years 5 months ago #30433
by jibon
Replied by jibon on topic Re: Having trouble Configuring outside access to DMZ webserver.
Woo hooooo...
Everything works now. Thanks to everyone who gave me advice. I really appreciate it. I'm posting the config here for any more advice you guys might have. Thanks again
[code:1]
hostname ******
domain-name *******
enable password ************* encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group *****
ip address pppoe setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd ********** encrypted
dns server-group DefaultDNS
domain-name ***********
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list allow_outside_connections extended permit icmp any any echo-reply
access-list allow_outside_connections extended permit icmp any any source-quench
access-list allow_outside_connections extended permit icmp any any unreachable
access-list allow_outside_connections extended permit icmp any any time-exceeded
access-list allow_outside_connections extended permit tcp any host ************ eq www
access-list allow_outside_connections extended permit tcp any host ************ eq https
access-list allow_outside_connections extended permit tcp any host ************ eq ftp
access-list allow_outside_connections extended permit tcp any host ************ eq ftp-data
mtu management 1500
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.3.0 192.168.2.0 netmask 255.255.255.0
static (dmz,outside) interface 192.168.3.254 netmask 255.255.255.255
access-group allow_outside_connections in interface outside
route outside 0.0.0.0 0.0.0.0 ************** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.2.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ******** request dialout pppoe
vpdn group ******** localname ******************
vpdn group ******** ppp authentication ******
vpdn username ************** password *********
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.2.20-192.168.2.200 inside
dhcpd dns ******************** interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end[/code:1]
Everything works now. Thanks to everyone who gave me advice. I really appreciate it
. I'm posting the config here for any more advice you guys might have. Thanks again [code:1]
hostname ******
domain-name *******
enable password ************* encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group *****
ip address pppoe setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd ********** encrypted
dns server-group DefaultDNS
domain-name ***********
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list allow_outside_connections extended permit icmp any any echo-reply
access-list allow_outside_connections extended permit icmp any any source-quench
access-list allow_outside_connections extended permit icmp any any unreachable
access-list allow_outside_connections extended permit icmp any any time-exceeded
access-list allow_outside_connections extended permit tcp any host ************ eq www
access-list allow_outside_connections extended permit tcp any host ************ eq https
access-list allow_outside_connections extended permit tcp any host ************ eq ftp
access-list allow_outside_connections extended permit tcp any host ************ eq ftp-data
mtu management 1500
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.3.0 192.168.2.0 netmask 255.255.255.0
static (dmz,outside) interface 192.168.3.254 netmask 255.255.255.255
access-group allow_outside_connections in interface outside
route outside 0.0.0.0 0.0.0.0 ************** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.2.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ******** request dialout pppoe
vpdn group ******** localname ******************
vpdn group ******** ppp authentication ******
vpdn username ************** password *********
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.2.20-192.168.2.200 inside
dhcpd dns ******************** interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end[/code:1]
Time to create page: 0.117 seconds