Posted: Thu Apr 26, 2007 5:14 pm Post subject: Humm...
Well... it appears that I am doing everything correctly. Maybe I will reconfigure all of this from start to finish and post my config. Would this help?
Joined: Aug 10, 2006 Posts: 1387 Location: GT Manchester, UK
Posted: Thu Apr 26, 2007 5:22 pm Post subject:
Yup, it should help to see what's missing if it isn't working after you have done that. Please remember to remove all passwords. _________________ Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Posted: Thu Apr 26, 2007 6:04 pm Post subject:
Here are a few examples to get ya going (well, this is from the Pix).
Code:
global (outside) 1 interface
Sets up the address that outgoing traffic translates to. Since we have used interface (you can use a single IP address if you want) this is going to mean PAT. If you had put something like 10.0.0.10-10.0.0.20 then it would set up proper NAT on .10 to .19 and then PAT on .20
Code:
global (dmz) 1 interface
Only if you want to nat traffic through to the DMZ from the inside network.
Code:
nat (inside) 1 0.0.0.0 0.0.0.0
Specifies what internal traffic can get translated to our global address. Here we are saying everything.
Code:
nat (dmz) 1 192.168.0.0 255.255.255.0
This is now saying that we are translating any traffic from 192.168.0.0/24 subnet on the DMZ.
As you can see, we are setting up a static translation to allow port 80 traffic from outside to inside (specifying a server on 172.16.0.2)
Code:
route outside 0.0.0.0 0.0.0.0 router-ip
Routes everything from the Pix to the router-ip. Obviously, if you have got any more subnets within your organisation that are not directly connected to the ASA, then you will need to add further routes but send them inside.
Code:
access-list permit-inbound extended permit tcp any interface outside eq www
Allows port 80 traffic to the webserver (this is because we are allowing eq www to the outside interface. Remember we set up the static translation that says any traffic destined to the outside interface on port 80 will get translated through to the inside webserver)
Code:
access-group permit-inbound in interface outside
Assign the access list to the outside interface.
Hope that makes sense to ya.
Cheers
Wayne
Posted: Thu Apr 26, 2007 9:13 pm Post subject: 5505 Worked
Well, I restored the default configuration on the 5505 and tried the steps we discussed and everything is working; however, I tried to mimic it with the ASA 5510 and it does not work. Here is the config:
: Saved
:
ASA Version 7.2(2)
!
hostname XXXX
domain-name
enable password ***************** encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN Interface
nameif outside
security-level 0
ip address 198.111.XXX.XX 255.255.255.240
!
interface Ethernet0/1
description DMZ Interface
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/2
description Lan Interface
nameif inside
security-level 100
ip address 10.3.254.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management Interface
nameif management
security-level 100
no ip address
management-only
!
passwd XXXXXXXXXXX encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name XXXXXX.local
access-list Static extended permit tcp any host 198.111.X.X eq www
access-list CPL_splitTunnelAcl standard permit 10.3.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.254.0 255.255.255.0 10.3.254.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
mtu management 1500
ip local pool Remote_Client_Pool 10.3.254.10-10.3.254.60 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.3.0.0 255.255.0.0
static (DMZ,outside) 198.111.X.X 172.16.0.3 netmask 255.255.255.255
access-group Static in interface outside
route outside 0.0.0.0 0.0.0.0 198.111.x.x 1 (Edited by Smurf to remove IP Address)
route inside 10.3.4.0 255.255.255.0 10.3.254.2 1
route inside 10.3.6.0 255.255.255.0 10.3.254.2 1
route inside 10.3.7.0 255.255.255.0 10.3.254.2 1
route inside 10.3.5.0 255.255.255.0 10.3.254.2 1
route inside 10.3.3.0 255.255.255.0 10.3.254.2 1
route inside 10.3.2.0 255.255.255.0 10.3.254.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy CPL internal
group-policy CPL attributes
dns-server value 10.3.4.10
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CPL_splitTunnelAcl
vpn-group-policy CPL
aaa authentication enable console LOCAL
http server enable
http 10.3.2.0 255.255.255.0 inside
http 10.3.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group CPL type ipsec-ra
tunnel-group CPL general-attributes
address-pool Remote_Client_Pool
default-group-policy CPL
tunnel-group CPL ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
Posted: Thu Apr 26, 2007 9:25 pm Post subject:
What's not working? The only thing that springs to mind is that the static is performing a full NAT mapping, which will probably mean that the only machine that can get access through the firewall is the webserver?
Posted: Thu Apr 26, 2007 9:32 pm Post subject:
Yes, it looks OK: the static is in place, the global/NAT is in place, the access-list is in place and the access-group is in place. Like I said though, the static could do with being configured like my previous example, as you are setting up a 1-to-1 mapping for the webserver to the only external address you have.
Sorry to be difficult, but I do not understand how you want me to configure the ASA without having a 1-to-1 mapping... what is the better way to set this up?
Posted: Thu Apr 26, 2007 9:45 pm Post subject:
It's no problem. The way that you have configured the static command is mapping your external IP address to your internal DMZ server. This is setting up a NAT, i.e. when the webserver wants to access the internet it uses that IP address (always) and is fixed to that IP address.
Now, you can configure the static to create a direct PAT translation (dunno if that's its official term, but you can think of it like that). You can therefore assign it further by specifying ports as well. In my example I used
Here, you are creating the static mapping only for port 80 that goes to port 80 on the inside (there is nothing stopping you from mapping port 80 going to port 8002 on the inside if you so wish).
Now then, any other machines from inside the network can use the outside address for the global/nat statements. I would guess (but I may be wrong) that if you didn't do this, other machines would be unable to access the internet as they would not be able to use an external address (or at the very least it would get confused about it).
Hope it makes sense
Cheers
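Added example (not from this thread, from Wayne, or from Firewall.cx): a small Python checker for the chain Wayne walks through in his global/nat/static/access-list/access-group post and in the 1-to-1 versus port-static post above. It parses a PIX/ASA 7.x-style config, and for every static it verifies that an access-list is applied inbound on the mapped interface and that at least one permit entry actually reaches the mapped address (and port, for a port static). It also warns when a one-to-one static sits on the same interface address that `global (outside) 1 interface` needs for PAT, which is the concern raised in the thread. The sample config is constructed for this example (RFC 5737 addresses in 203.0.113.0/24, the interface and ACL names are assumptions) and only covers the command forms shown in the thread.

```python
"""Check the inbound-publishing chain (static -> access-list -> access-group) of a
PIX/ASA 7.x style config and flag a one-to-one static sitting on the PAT address.
Added example, not code from the thread or from Firewall.cx; samples are constructed."""
import re
from collections import defaultdict

PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25}  # assumed subset

def port_num(tok):
    return PORTS.get(tok, int(tok) if tok.isdigit() else None)

def _spec(toks):
    """Consume one ACE address spec: any | host A | interface NAME | A MASK."""
    kind = toks.pop(0)
    if kind == "any":
        return ("any", None)
    if kind in ("host", "interface"):
        return (kind, toks.pop(0))
    return ("net", (kind, toks.pop(0)))

def parse(text):
    cfg = {"if_ip": {}, "globals": {}, "statics": [], "acl": defaultdict(list), "agroup": {}}
    cur = None  # nameif of the interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"interface \S+$", line):
            cur = None
        elif m := re.match(r"nameif (\S+)$", line):
            cur = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+", line)) and cur:
            cfg["if_ip"][cur] = m.group(1)
        elif m := re.match(r"global \((\w+)\) \d+ (\S+)$", line):
            cfg["globals"][m.group(1)] = m.group(2)  # "interface" means PAT to the interface address
        elif m := re.match(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) \S+ netmask", line):
            r, mp, proto, mip, mport, rip = m.groups()  # port static
            cfg["statics"].append(dict(real_if=r, mapped_if=mp, proto=proto, mapped_ip=mip, port=port_num(mport), real_ip=rip))
        elif m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask", line):
            r, mp, mip, rip = m.groups()  # one-to-one static
            cfg["statics"].append(dict(real_if=r, mapped_if=mp, proto=None, mapped_ip=mip, port=None, real_ip=rip))
        elif m := re.match(r"access-list (\S+) extended permit (\S+) (.+)$", line):
            name, proto, rest = m.groups()
            toks = rest.split()
            _spec(toks)  # source spec is not needed for these checks
            dst = _spec(toks)
            cfg["acl"][name].append(dict(proto=proto, dst=dst, port=port_num(toks[1]) if toks[:1] == ["eq"] else None))
        elif m := re.match(r"access-group (\S+) in interface (\w+)$", line):
            cfg["agroup"][m.group(2)] = m.group(1)
    return cfg

def ace_reaches(ace, st, cfg):
    """Does this permit entry reach the static's mapped address (and port, for a port static)?"""
    mapped_ip = cfg["if_ip"].get(st["mapped_if"]) if st["mapped_ip"] == "interface" else st["mapped_ip"]
    kind, val = ace["dst"]
    addr_ok = (kind == "any" or (kind == "host" and val == mapped_ip)
               or (kind == "interface" and cfg["if_ip"].get(val) == mapped_ip))
    proto_ok = ace["proto"] == "ip" or st["proto"] in (None, ace["proto"])
    port_ok = ace["port"] is None or st["port"] in (None, ace["port"])
    return addr_ok and proto_ok and port_ok

def check(text):
    """Return findings for every static in the config; an empty list means the chain is consistent."""
    cfg, findings = parse(text), []
    for st in cfg["statics"]:
        mp = st["mapped_if"]
        label = f"static {st['mapped_ip']}" + (f":{st['port']}" if st["port"] else "") + f" -> {st['real_ip']}"
        acl_name = cfg["agroup"].get(mp)
        if acl_name is None:
            findings.append(f"{label}: no access-group applied inbound on {mp}, so nothing reaches it")
        elif not any(ace_reaches(a, st, cfg) for a in cfg["acl"].get(acl_name, [])):
            findings.append(f"{label}: access-list {acl_name} has no permit for the mapped address/port")
        # The pitfall raised in the thread: a one-to-one static that occupies the address
        # 'global (outside) N interface' also needs for PAT. A port static leaves the rest free.
        on_if_addr = st["mapped_ip"] in ("interface", cfg["if_ip"].get(mp))
        if st["port"] is None and on_if_addr and cfg["globals"].get(mp) == "interface":
            findings.append(f"{label}: one-to-one static on the {mp} interface address collides with PAT to "
                            f"'interface'; use static ({st['real_if']},{mp}) tcp interface www {st['real_ip']} www")
    return findings

# Constructed sample shaped like the thread's config; 203.0.113.0/24 is RFC 5737 documentation space.
ONE_TO_ONE = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.240
interface Ethernet0/1
 nameif DMZ
 ip address 172.16.0.1 255.255.255.0
access-list Static extended permit tcp any host 203.0.113.2 eq www
nat-control
global (outside) 1 interface
nat (inside) 1 10.3.0.0 255.255.0.0
static (DMZ,outside) 203.0.113.2 172.16.0.3 netmask 255.255.255.255
access-group Static in interface outside
"""
PORT_STATIC = ONE_TO_ONE.replace("static (DMZ,outside) 203.0.113.2 172.16.0.3 netmask 255.255.255.255",
                                 "static (DMZ,outside) tcp interface www 172.16.0.3 www netmask 255.255.255.255")

if __name__ == "__main__":
    for name, text in (("one-to-one", ONE_TO_ONE), ("port static", PORT_STATIC)):
        print(name, "->", check(text) or ["ok"])
```

Run it against a sanitised `show running-config` (passwords removed, as Wayne asks above). The one-to-one sample produces exactly the warning discussed in the thread, the port-static variant comes back clean, and changing `eq www` to another port or dropping the `access-group` line shows the two ways the chain most often breaks in practice. The checker only understands the 7.x `static`/`global`/`nat` syntax used here, not the object-based NAT of 8.3 and later.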
I believe I understand what you are saying. With my current configuration, I am using the external IP address solely for the web server, when I could be using it, at the PAT level, just for port 80. Is that correct?
Also, this is not my only external IP address. We have a range of IP addresses, and the internal clients are not using the external IP address of the web server. Would this eliminate the problem?