configuring ASA

marshall
Topic Author
Offline
New Member

14 years 6 months ago #32461 by marshall

configuring ASA was created by marshall

Can anyone please help, i cannot get inside and dmz to communicate either way. below are the parameters.

ASA; inside 192.168.1.1/28
DMZ= 172.16.1.1/24

Router; Connection to ASA 192.168.1.2/28
Connection to LAN 10.55.1.1/24

please come up with configs, i have exhausted everything i know on this.

thank you

Kajitora
Offline
Junior Member

14 years 6 months ago #32462 by Kajitora

Replied by Kajitora on topic Re: configuring ASA

Dont have a full config for you, but from memory you would need something like below.

Router would need a route to dmz. Something like:
ip route 172.16.1.1 255.255.255.0 192.168.1.1 name TO_DMZ

On ASA something like.
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.240
!
interface Ethernet2
nameif dmz
security-level 10
ip address 172.16.11.1 255.255.255.0

access-list DMZ_access extended permit ip 10.55.1.0 255.255.255.0 any
access-group DMZ_access in interface DMZ

itgamers.blogspot.com

marshall
Topic Author
Offline
New Member

14 years 6 months ago #32466 by marshall

Replied by marshall on topic Re: configuring ASA

Hi Kajiro,
thanks for your help.i have tried it but no luck. i have other configs with it, some of them may not be necessary but kinldy help look through it.

ROUTER
interface FastEthernet0/0
description Trunk Connection to Core Switch
ip address 10.55.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description Connection to ASA
ip address 192.168.1.3 255.255.255.248
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 172.16.1.0 255.255.255.0 192.168.1.1

ASA

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.248
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!

ftp mode passive
access-list DMZ_access extended permit ip 10.55.1.0 255.255.255.0 any
access-list inside-access extended permit ip 172.16.1.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
no failover
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any DMZ
icmp permit any echo DMZ
icmp permit any echo-reply DMZ
no asdm history enable
arp timeout 14400
static (inside,DMZ) 10.55.1.0 10.55.1.0 netmask 255.255.255.0
static (DMZ,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group inside-access in interface inside
access-group DMZ_access in interface DMZ
route inside 10.55.1.0 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community lur1956
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:6ed72cd10f18652c017f888a218fd6ff
: end