Posted: Thu Aug 20, 2009 6:12 pm Post subject: allow internet in dmz question
Hello, total newbie question here. I have an ASA 5510 and I need to allow internet access from the DMZ for a wireless network so guests can access the internet. Any advice?
Thanks!!!
My config:
interface Ethernet0/0
nameif outside
security-level 0
ip address 65.xxx.xxx.67 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.3 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 10
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name acmeillinois.org
object-group service spi1 tcp
port-object eq www
port-object eq pop3
port-object eq https
port-object eq smtp
port-object eq 995
port-object eq 587
object-group service nfuse tcp
port-object eq www
port-object eq https
object-group service citrix tcp
port-object eq citrix-ica
object-group service chi1 tcp
port-object eq 587
port-object eq pop3
object-group service dmz1 tcp
description dmz ports
port-object eq 47807
port-object eq 4899
port-object eq ftp
port-object eq www
port-object eq domain
object-group service dmz2 udp
port-object eq 47806
port-object eq 47808
access-list outside_access_in extended permit tcp any host 65.xxx.xxx.75 object-group nfuse
access-list outside_access_in extended permit tcp any host 65.xxx.xxx.71 object-group citrix
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit ip 209.248.59.0 255.255.255.0 host 65.xxx.xxx.71
access-list outside_access_in extended permit ip 65.171.235.0 255.255.255.0 host 65.xxx.xxx.71
access-list outside_access_in extended permit ip 209.248.59.0 255.255.255.0 host 65.119.0.1
access-list outside_access_in extended permit ip 65.171.235.0 255.255.255.0 host 65.119.0.1
access-list outside_access_in extended permit tcp any host 65.xxx.xxx.67 object-group spi1
access-list outside_access_in extended permit tcp any host 65.xxx.xxx.68 object-group chi1
access-list outside_access_in extended permit tcp any host 65.xxx.xxx.69 object-group dmz1
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 65.xxx.xxx.64 255.255.255.224 eq www
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn_in extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool acmepool 192.168.10.1-192.168.10.200
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
Posted: Fri Sep 04, 2009 3:02 pm Post subject: Reorganization
access-list dmz_access_in extended permit icmp any any
I am not sure what this line is for, but this doesn't work.
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 65.xxx.xxx.64 255.255.255.224 eq www
Here you have permitted all UDP traffic, but you are missing TCP traffic.
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 any
In other words, allow only traffic to certain hosts; add n lines, one for each required traffic flow, as there is no translation between these two zones.
Next, in the ACL you should deny access to your internal private range:
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
After this you should allow the following:
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 gt 1023 any
(or narrow it down to TCP ports 20, 21, 53, 80, 443; make an object group)
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 gt 1023 any
(same here)
End the ACL with:
access-list dmz_access_in extended deny ip any any log
After you apply it, run the following:
debug packet dmz src 192.168.1.x dst 95.256.125.1
debug packet outside src any dst 95.256.125.1
You should see traffic coming to the ASA and going out to the outside world.
Address 192.168.1.x must not pass through the ASA, as this traffic must not pass.
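Putting the reply above together into a working configuration, as an added example that is not part of any post in this thread: it uses the interface names and addresses from the original config (dmz 192.168.1.0/24, inside 10.1.0.0/16, VPN pool 192.168.10.0/24) and assumes the pre-8.3 nat/global syntax that an ASA 5510 ran in 2009. The object-group names inside_nets, guest_egress_tcp and guest_egress_udp, and the destination 198.51.100.10 used in the packet-tracer checks, are made up for the example.

```cisco
! Added example, not the poster's config. ASA 5510, pre-8.3 NAT syntax assumed.
! Names inside_nets / guest_egress_* and the 198.51.100.10 test address are invented.
!
! 1. Networks the guests must never reach: the inside LAN and the VPN pool.
object-group network inside_nets
 network-object 10.1.0.0 255.255.0.0
 network-object 192.168.10.0 255.255.255.0
!
! 2. Services guests may use on the internet. Keep the list short.
object-group service guest_egress_tcp tcp
 port-object eq domain
 port-object eq www
 port-object eq https
 port-object eq ftp
object-group service guest_egress_udp udp
 port-object eq domain
 port-object eq ntp
!
! 3. Rebuild dmz_access_in from scratch (pasted access-list lines append to an
!    existing ACL). Order: deny to private ranges, narrow permits, logged catch-all.
clear configure access-list dmz_access_in
access-list dmz_access_in extended permit icmp 192.168.1.0 255.255.255.0 any echo
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.0 object-group inside_nets log
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group guest_egress_tcp
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 any object-group guest_egress_udp
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! 4. Dynamic PAT so 192.168.1.x never leaves the outside interface unchanged.
global (outside) 1 interface
nat (dmz) 1 192.168.1.0 255.255.255.0
!
! 5. Check a guest web flow (expect ALLOW, translated to the outside address)
!    and a guest-to-inside flow (expect DROP at the ACCESS-LIST phase).
packet-tracer input dmz tcp 192.168.1.50 40000 198.51.100.10 80
packet-tracer input dmz tcp 192.168.1.50 40000 10.1.1.10 445
```

The order matters: an ASA evaluates an interface ACL top down and stops at the first match, so the deny to inside_nets has to sit above the permits, and the closing deny ip any any log turns the implicit deny into syslog entries you can actually see while testing. Placing the access-group line after the ACL entries avoids binding an empty ACL to the interface while you paste.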
Joined: Aug 14, 2003 Posts: 1699 Location: Mumbai, India.
Posted: Thu Sep 10, 2009 11:23 am Post subject:
While I don't know enough about your architecture to be sure (are you running public services there?), the words wireless connected to DMZ made me shudder a bit.
Are you using the DMZ just for the Wi-Fi, in other words is it just another leg off your router/firewall? I'm asking because I'm thinking of DMZ in the classical sense, as in the segment that provides public services.
If that's the case, then think long and hard about whether you want to put that AP in the DMZ.
Copyright of all documents and images belonging to this site by Firewall.cx. Information contained on this site is copyrighted material. It is illegal to copy or redistribute this information in any way without the written consent of Firewall.cx
Firewall.cx disclaims any responsibility for software and information obtained through this site or its links.