TOPIC: Could someone have a look at my config?.... (ASA-5505)

Could someone have a look at my config?.... (ASA-5505) 5 years 7 months ago #36877

Daemonic
Hiya,

This is my first post here, but I've managed to learn a fair amount from reading through this site, so I thought I'd join and ask my question...

I've been given an ASA5505 to configure for our SOHO environment, which I currently have set up on my test bench.

We're going for an Inside/Outside/DMZ layout, and I believe I've got the basics of the setup in place. The only thing that's not quite there is redirecting the public IP to the DMZ host for inside/outside users, so I'm wondering if some kind soul could have a quick glance at my config and give any pointers.

I can reach the DMZ from the inside and I can reach outside from both the inside and DMZ, so that's about as far as I've got :(

Layout is as follows;

[code:1]
                             +--> INSIDE
NET <--> RTR <--> ASA5505 <--+--> INSIDE
                     |       +--> INSIDE
                    DMZ
RTR = 192.168.1.1/24
ASA5505 = 192.168.1.100/24, 172.16.0.1/24, 10.0.0.1/24
DMZ HOST = 172.16.0.2/24
INSIDE = 10.0.0.2/24-10.0.0.4/24
[/code:1]

Config is over at pastebin.com/UJ5FS9JB to save filling this post up.

Re: Could someone have a look at my config?.... (ASA-5505) 5 years 7 months ago #36878

r0nni3
Hey Daemonic,

Welcome to fw.cx

Do you mean you want to connect from the inside network to the DMZ using the external IP address of the outside interface?
If this is the case it is never going to work. You can't connect (actually you can, but it's easier not to) from the inside network to your own outside IP addresses.
To connect to your DMZ you have to use the internal IP addresses of the DMZ (by either using NAT or NAT0). If you're connecting to the DMZ using hostnames I suggest you use static NAT translations with the DNS keyword at the end. This enables something called "DNS doctoring". It rewrites the destination from the outside IP address to the DMZ IP address of the host you're connecting to.
You can only use DNS doctoring with 1-on-1 NAT. So don't try to use it with PAT.
Also I suggest using NAT0 for your internal networks.

[code:1]
access-list no_nat permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
[/code:1]
This defines the traffic you want to use NAT0 for.

[code:1]
no global (dmz) 1 interface
nat (inside) 0 access-list no_nat
[/code:1]
This removes the use of NAT between internal networks and enables NAT0.

[code:1]
static (dmz,outside) 192.168.1.101 172.16.0.10 dns
[/code:1]
This is the static translation to map an external IP address to a DMZ host. When you connect using DNS the ASA will now rewrite the destination from 192.168.1.101 to 172.16.0.10, making it possible to use the same DNS record for internal and external use.

[code:1]
access-list outside_in permit tcp any host 192.168.1.101 eq 80
!
access-group outside_in in interface outside
[/code:1]
This allows access to the host from the internet.


I hope this helps
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
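As an added illustration (not code from the thread or from Cisco), the script below parses the config lines quoted in the reply above and models what the `dns` keyword on the 1:1 static buys you: an A-record answer carrying the mapped address 192.168.1.101 is rewritten to the real DMZ address 172.16.0.10 for a client on the inside, while the same answer seen by an outside client, or an entry without `dns`, is left alone. It also checks that the inside-to-DMZ flow is covered by the `no_nat` exemption. The rewrite rule is a simplified model of ASA DNS inspection, and the function and variable names are my own.

```python
import ipaddress
import re

# Sample input: the config lines quoted in the reply above, embedded here for parsing.
ASA_CONFIG = """\
access-list no_nat permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list no_nat
static (dmz,outside) 192.168.1.101 172.16.0.10 dns
access-list outside_in permit tcp any host 192.168.1.101 eq 80
access-group outside_in in interface outside"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)( dns)?$")
ACL_IP_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_config(text):
    """Return the 1:1 static translations and ip-level ACL entries keyed by ACL name."""
    statics, acls = [], {}
    for line in text.splitlines():
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, dns = m.groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "mapped": mapped, "real": real, "dns": dns is not None})
        elif m := ACL_IP_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{src}/{smask}"),
                                              ipaddress.ip_network(f"{dst}/{dmask}")))
    return statics, acls


def doctor_dns_answer(statics, answer_ip, client_if):
    """Simplified DNS doctoring: when an A-record answer equals the mapped address of a
    'static ... dns' entry and the client sits on an interface other than the mapped
    (outside) interface, the answer is rewritten to the real DMZ address. Entries
    without the dns keyword, and answers seen by outside clients, are left untouched."""
    for s in statics:
        if s["dns"] and s["mapped"] == answer_ip and client_if != s["mapped_if"]:
            return s["real"]
    return answer_ip


def is_nat_exempt(acls, acl_name, src_ip, dst_ip):
    """True when a flow matches the nat 0 access-list, i.e. it is passed untranslated."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in acls.get(acl_name, []))


if __name__ == "__main__":
    statics, acls = parse_config(ASA_CONFIG)
    print(doctor_dns_answer(statics, "192.168.1.101", "inside"))   # 172.16.0.10
    print(is_nat_exempt(acls, "no_nat", "10.0.0.2", "172.16.0.10"))  # True
```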

Re: Could someone have a look at my config?.... (ASA-5505) 5 years 7 months ago #36881

Daemonic
Hiya,

Thanks for the pointers, and yes, ultimately, I do want to connect to the DMZ using the external IP, which is detailed in Chapter 6 of servinet.net/Portals/122/5505GSG.pdf; I'm just getting a little lost with their examples ((a) because the images don't match the text for the networks, and (b) it's for an older version of ASA/ASDM).

I'm wondering if anyone can give me the commands to use to recreate that example? (either CLI or ASDM)

Perhaps there is a newer guide of the above pdf?