Could someone have a look at my config?.... (ASA-5505)
13 years 6 months ago #36877
by Daemonic
Could someone have a look at my config?.... (ASA-5505) was created by Daemonic
Hiya,
This is my first post here, but I've managed to learn a fair amount from reading through this site, so thought I'd join and ask my question...
I've been given an ASA5505 to configure for our SOHO environment, which I currently have set up on my test bench.
We're going for an Inside/Outside/DMZ layout, and I believe I've got the basics of the setup in place; the only thing that's not quite there is redirecting the public IP to the DMZ host for inside/outside users, so I'm wondering if some kind soul could have a quick glance at my config and give any pointers.
I can reach the DMZ from the inside and I can reach outside from both the inside and DMZ, so that's about as far as I've got.
Layout is as follows;
[code:1]
                             +--> INSIDE
NET <--> RTR <--> ASA5505 <--+--> INSIDE
                    |        +--> INSIDE
                   DMZ

RTR      = 192.168.1.1/24
ASA5505  = 192.168.1.100/24, 172.16.0.1/24, 10.0.0.1/24
DMZ HOST = 172.16.0.2/24
INSIDE   = 10.0.0.2/24-10.0.0.4/24[/code:1]
Config is over at pastebin.com/UJ5FS9JB to save filling this post up.
13 years 6 months ago #36878
by r0nni3
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
Replied by r0nni3 on topic Re: Could someone have a look at my config?.... (ASA-5505)
Hey Daemonic,
Welcome to fw.cx
Do you mean you want to connect from the inside network to the DMZ using the external IP address of the outside interface?
If this is the case it is never going to work. You can't connect (actually you can, but it's easier not to) from the inside network to your own outside IP addresses.
To connect to your DMZ you have to use the internal IP addresses of the DMZ (by either using NAT or NAT0). If you're connecting to the DMZ using hostnames, I suggest you use static NAT translations with the DNS keyword at the end. This enables something called "DNS doctoring". It rewrites the destination from the outside IP address to the DMZ IP address of the host you're connecting to.
You can only use DNS doctoring with 1-on-1 NAT, so don't try to use it with PAT.
Also I suggest using NAT0 for your internal networks.
[code:1]
access-list no_nat permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0[/code:1]
This defines the traffic you want to use NAT0 for.
[code:1]
no global (dmz) 1 interface
nat (inside) 0 access-list no_nat[/code:1]
This removes the use of NAT between internal networks and enables NAT0.
[code:1]
static (dmz,outside) 192.168.1.101 172.16.0.10 dns[/code:1]
This is the static translation to map an external IP address to a DMZ host. When you connect using DNS, the ASA will now rewrite the destination from 192.168.1.101 to 172.16.0.10, making it possible to use the same DNS record for internal and external use.
[code:1]
access-list outside_in permit tcp any host 192.168.1.101 eq 80
!
access-group outside_in in interface outside[/code:1]
This allows access to the host from the internet.
I hope this helps.
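As an added illustration of what the `dns` keyword in the static translation above does (this is not code from r0nni3's reply or from Cisco): a small Python simulation of DNS doctoring that rewrites the A record in a DNS reply according to the 1-to-1 static entry `192.168.1.101 -> 172.16.0.10`. The DNS reply, the name `www.example.com` and the address `203.0.113.5` are constructed sample data.

```python
import struct

# Static 1:1 (dmz,outside) translations, mapped address -> real DMZ address,
# taken from the reply above. Only 1:1 entries can be doctored: a PAT entry
# maps many real hosts to one mapped address, so there is no single address
# to rewrite the A record to.
STATIC_DNS = {"192.168.1.101": "172.16.0.10"}


def _skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if (ln & 0xC0) == 0xC0:      # 2-byte compression pointer
            return off + 2
        off += ln + 1


def doctor_response(msg, static=STATIC_DNS):
    """Rewrite A-record RDATA in a DNS reply the way 'static ... dns' does.
    Returns (rewritten_reply_bytes, number_of_records_rewritten)."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                  # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4        # skip QTYPE + QCLASS
    rewritten = 0
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:         # A record
            ip = ".".join(str(b) for b in msg[off:off + 4])
            if ip in static:                  # mapped address seen: doctor it
                out[off:off + 4] = bytes(int(x) for x in static[ip].split("."))
                rewritten += 1
        off += rdlen
    return bytes(out), rewritten


def build_reply(name, ip):
    """Constructed sample: minimal DNS reply with one question and one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(x) for x in ip.split(".")))
    return header + question + answer
```

Feeding `build_reply("www.example.com", "192.168.1.101")` through `doctor_response` returns a reply whose A record now reads 172.16.0.10, while a reply for an address with no static entry is passed through unchanged.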
13 years 6 months ago #36881
by Daemonic
Replied by Daemonic on topic Re: Could someone have a look at my config?.... (ASA-5505)
Hiya,
Thanks for the pointers, and yes, ultimately, I do want to connect to the DMZ using the external IP, which is detailed in Chapter 6 of servinet.net/Portals/122/5505GSG.pdf; I'm just getting a little lost with their examples ((a) because the images don't match the text for the networks, and (b) it's for an older version of ASA/ASDM).
I'm wondering if anyone can give me the commands to use to recreate that example? (either CLI or ASDM)
Perhaps there is a newer guide than the above PDF?