
2 Cisco ASA 5510's, an Exchange Edge Server, a DMZ, and a minefield.

Disclaimer
Before you ask why I don't just put everything on the 192.168.1.0/24 network, let me just say I do this on another person's will.

Info:
For purposes of this question I will refer to "Internal Network" as the 192.168.0.0/24 located on the inside interface of the internal ASA
Domain names and public Ip's changed for protection of the client.
Domain names changed to domain, public IP's represented by xxx.xxx.xxx.###


Objective:
To set up Edge/web services that can communicate through two ASA 5510s to the internal network, allowing me to use the Edge server on the perimeter.
To be able to hit the internet from all network points.
To be able to ping internally from any location to any location but not outside_in
To be able to maintain remote access to the internal servers
To not be laughed at for not putting the servers on the inside of the external ASA (hehe)

From the DMZ to the "Internal Network" (the main challenge, not working)
DNS
ICMP
tcp/50389
udp/50636
SMTP (to the internal exchange server)

From the Internal Network to the DMZ (everything currently is working, but as other changes might cause this to close I will need the following)
ICMP
tcp/50389
udp/50636
HTTP
HTTPS
SMTP (from the internal exchange server)

All networks should have outbound access "outside" to the world

From the Outside in to the "internal network"
3389 (Working but if you have me change something elsewhere to break it, please fix it :))

From the outside to the DMZ
SMTP
http
https
(perhaps more later but for now this is it)

Current Status:
Currently I can ping into the DMZ from the Internal Network
From the DMZ I can ping to 192.168.1.2
I can see http from the internal network on the DMZ
All networks currently can browse the internet.
RDP all the way in to the Internal network, works.

I would like to point out that I will make it a point to post working configs once this is finished.
I also appreciate any help offered.


The External ASA
ASA Version 8.0(2)
!
hostname external
domain-name domain.local
enable password sg5gh5uh45g6 encrypted
names
dns-guard
!
! outside: public /29 to the ISP; inside: transit net to the internal ASA (192.168.1.0/24); dmz: Edge server
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.82 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 49
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif dmz
 security-level 40
 ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd iG0FMG.8O3nPFSqf encrypted
boot system disk0:/asa802-k8.bin
boot config disk0:/flash
ftp mode passive
! CST is UTC-6; the internal ASA already uses -6, and mismatched offsets skew log correlation between the two boxes
clock timezone CST -6
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns server-group Internal
 name-server 192.168.0.11
 name-server 192.168.0.13
 domain-name domain.local
dns-group Internal
same-security-traffic permit inter-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service rdp tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 50000
 port-object eq 50001
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 50000
 port-object eq 50001
! dmz-in is applied inbound on the dmz interface, so the source of every matching packet is a DMZ host
access-list dmz-in extended permit tcp any host 10.10.10.10 eq smtp
access-list dmz-in extended permit tcp any host 10.10.10.10 eq www
access-list dmz-in extended permit tcp any host 10.10.10.10 eq https
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit ip 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
! PAT everything leaving via outside to the interface address; inbound statics publish RDP and SMTP
global (outside) 1 interface
global (inside) 2 interface
global (dmz) 3 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface smtp 10.10.10.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz-in in interface dmz
! only a default route: nothing here tells the external ASA that 192.168.0.0/24 lives behind 192.168.1.2
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 192.168.0.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 dmz
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet xxx.xxx.xxx.0 255.255.255.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
! SSH management is open to the whole Internet on the outside interface
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside prefer
username admin password sfdgfgs45g5gh45h== nt-encrypted privilege 15
prompt hostname context


The Internal ASA
ASA Version 8.0(2)
!
hostname internal
domain-name domain.local
enable password f443fg5sg45g encrypted
names
name 10.10.10.10 nlf-srv-004 description Front End Server
name 192.168.0.11 nlf-srv-001 description DC1
name 192.168.0.12 nlf-srv-002 description Exchange
dns-guard
!
! outside: transit net to the external ASA (gateway 192.168.1.1); inside: the "Internal Network" 192.168.0.0/24
interface Ethernet0/0
 nameif outside
 security-level 50
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd sg45g5g45g45 encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name domain.local
dns server-group Internal
 name-server nlf-srv-001
 name-server 192.168.0.13
 domain-name domain.local
dns-group Internal
same-security-traffic permit inter-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
! out-in is applied inbound on outside: the final "permit ip any any" makes the three lines above it redundant
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any any eq smtp
access-list out-in extended permit tcp any any eq 3389
access-list out-in extended permit ip any any
access-list inside extended permit tcp any host nlf-srv-002 eq smtp
access-list inside extended permit ip xxx.xxx.xxx.80 255.255.255.248 192.168.0.0 255.255.255.0
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
! inside hosts are PATed to 192.168.1.2 on the way out; RDP is published back to the DC
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 nlf-srv-001 3389 netmask 255.255.255.255
access-group out-in in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.50-192.168.0.150 inside
dhcpd dns nlf-srv-001 192.168.0.13 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside prefer
prompt hostname context

May 12 '10 #1
sicarie
Just out of curiosity, why do you want to allow ICMP inbound? That's a security issue that you'll probably want to avoid... it's generally not a good idea unless there's something specific you're doing that for
May 17 '10 #2
grojom
I don't, its only internal. Not from the outside in.
May 17 '10 #3
sicarie
Hmm, maybe I'm not reading this right - what do you still need help with? What's not working?
May 18 '10 #4
grojom
Mainly this
From the DMZ to the "Internal Network" (the main challenge, not working)
DNS
ICMP
tcp/50389
udp/50636
SMTP (to the internal exchange server)

From the Internal Network to the DMZ (everything currently is working, but as other changes might cause this to close I will need the following)
ICMP
tcp/50389
udp/50636
HTTP
HTTPS
SMTP (from the internal exchange server)

May 18 '10 #5
sicarie
Hmmm, well ping uses ICMP, so allowing ICMP both ways will allow ping which is probably not the best idea - what are you trying to do with ICMP? Is there another way (such as reporting purposes, what about syslog, or AD reporting?)

The first two will be easiest - this link might help build the rules - what have you tried so far?

(Please also take a look at page 7 section 3 concerning the ICMP issue)
May 19 '10 #6
grojom
There is no ICMP going to the outside world, only from the inside of the internal ASA to the DMZ behind the external ASA.

The ultimate problem is communication from the DMZ to the inside of the internal ASA.
May 20 '10 #7
sicarie
Did that link make sense? Were you able to create the two tcp/udp rules?
May 20 '10 #8
grojom
Rules were never a problem, I finally resolved the issue.

I was missing a static route from the DMZ to the Gateway of the "Internal" network.
I will post a final "cleaned up" config of both routers next week highlighting examples of key elements.
May 22 '10 #9
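The "cleaned up" configs never made it into the thread, so what follows is an added worked example written for this page, not the OP's final configuration. It is derived from the two posted configs and the OP's own diagnosis: the external ASA has only a default route, so anything a DMZ host sends to 192.168.0.0/24 is forwarded to the ISP instead of to the internal ASA at 192.168.1.2, and one `route inside` line fixes that. Everything after that route is the tightening a reviewer would ask for, given the posted rule bases (`permit ip any any` inbound on both firewalls, SSH open from 0.0.0.0/0 on the Internet-facing interface, an SMTP static with no matching outside ACL entry). Assumptions, all taken from the names in the internal ASA config or invented for illustration: the Edge server is 10.10.10.10, the domain controllers/DNS are 192.168.0.11 and 192.168.0.13, Exchange is 192.168.0.12, and xxx.xxx.xxx.0/24 is the administrator's source range. Two caveats worth checking before blaming the firewall again: Exchange EdgeSync uses TCP 50389 and TCP 50636 and is initiated from the internal Hub Transport toward the Edge, so the DMZ-to-internal direction normally needs only SMTP and DNS (the OP's listed ports are carried anyway); and `inspect esmtp` in the default global policy is known to interfere with Exchange-to-Exchange SMTP (STARTTLS, XEXCH50), so if mail flow between Edge and Hub still fails once routing works, retest with it disabled.

```cisco
! ===== external ASA (inside 192.168.1.1, dmz 10.10.10.1) =====
! The fix the OP found: without this, DMZ traffic for 192.168.0.0/24 follows the
! default route to the ISP instead of going to the internal ASA at 192.168.1.2.
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
! Identity NAT so the internal network is presented to the DMZ unchanged
! (8.0 defaults to "no nat-control", so this is explicit rather than required).
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
! Make ICMP stateful: replies are matched to requests, so only "echo" needs a
! permit, and inside->DMZ pings still return through a tight dmz-in ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Rebuild dmz-in. It is applied inbound on the dmz interface, so the source is
! always a DMZ host; the original "permit tcp any host 10.10.10.10 eq smtp/www/https"
! lines describe outside->DMZ traffic, never match here, and are dropped.
! Assumed addresses: 10.10.10.10 Edge, 192.168.0.11/.13 DNS, 192.168.0.12 Exchange.
clear configure access-list dmz-in
access-list dmz-in remark Edge server -> internal network (the OP's list)
access-list dmz-in extended permit udp host 10.10.10.10 host 192.168.0.11 eq domain
access-list dmz-in extended permit udp host 10.10.10.10 host 192.168.0.13 eq domain
access-list dmz-in extended permit tcp host 10.10.10.10 host 192.168.0.11 eq domain
access-list dmz-in extended permit tcp host 10.10.10.10 host 192.168.0.13 eq domain
access-list dmz-in extended permit tcp host 10.10.10.10 host 192.168.0.12 eq smtp
access-list dmz-in extended permit tcp host 10.10.10.10 192.168.0.0 255.255.255.0 eq 50389
access-list dmz-in extended permit udp host 10.10.10.10 192.168.0.0 255.255.255.0 eq 50636
access-list dmz-in extended permit icmp 10.10.10.0 255.255.255.0 any echo
access-list dmz-in remark anything else from the DMZ may only go to the Internet
access-list dmz-in extended deny ip any 192.168.0.0 255.255.255.0
access-list dmz-in extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz-in extended permit ip 10.10.10.0 255.255.255.0 any
access-group dmz-in in interface dmz
!
! Outside -> DMZ: the posted config has a static for smtp, but outside_access_in
! permits only 3389, so inbound mail is dropped. Publish smtp/www/https on the
! outside interface address (pre-8.3 ACLs match the translated address).
static (dmz,outside) tcp interface www 10.10.10.10 www netmask 255.255.255.255
static (dmz,outside) tcp interface https 10.10.10.10 https netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
!
! Management: the posted config accepts SSH from 0.0.0.0/0 on the Internet-facing
! interface. Restrict it to the (assumed) admin source range.
no ssh 0.0.0.0 0.0.0.0 outside
ssh xxx.xxx.xxx.0 255.255.255.0 outside
!
! ===== internal ASA (outside 192.168.1.2, inside 192.168.0.1) =====
! "global (outside) 1 interface" PATs every internal host to 192.168.1.2, so the
! Edge sees all Hub servers as one address. Exempt DMZ-bound traffic from NAT so
! both sides see real addresses; the route added on the external ASA carries replies.
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
policy-map global_policy
 class inspection_default
  inspect icmp
! Replace "out-in permit ip any any" with the DMZ -> internal flows plus the RDP static.
clear configure access-list out-in
access-list out-in extended permit tcp host 10.10.10.10 host nlf-srv-002 eq smtp
access-list out-in extended permit udp host 10.10.10.10 host nlf-srv-001 eq domain
access-list out-in extended permit udp host 10.10.10.10 host 192.168.0.13 eq domain
access-list out-in extended permit tcp host 10.10.10.10 host nlf-srv-001 eq domain
access-list out-in extended permit tcp host 10.10.10.10 host 192.168.0.13 eq domain
access-list out-in extended permit tcp host 10.10.10.10 192.168.0.0 255.255.255.0 eq 50389
access-list out-in extended permit udp host 10.10.10.10 192.168.0.0 255.255.255.0 eq 50636
access-list out-in extended permit icmp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 echo
access-list out-in extended permit tcp any interface outside eq 3389
access-group out-in in interface outside
no ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 outside
!
! Verify each required flow through both rule bases before touching the servers:
! external ASA:  packet-tracer input dmz tcp 10.10.10.10 1025 192.168.0.12 25
! internal ASA:  packet-tracer input outside tcp 10.10.10.10 1025 192.168.0.12 25
! internal ASA:  packet-tracer input inside tcp 192.168.0.12 1025 10.10.10.10 50636
```

The `packet-tracer` lines at the end are the check to run after every change: the output names the exact phase (route lookup, NAT, ACL) where a packet is dropped, which is how the missing `route inside` entry would have shown up immediately as a route lookup sending DMZ traffic out the outside interface. Deny entries for RFC 1918 destinations sit before the final `permit ip ... any` so that "the DMZ may reach the Internet" never silently becomes "the DMZ may reach the transit and internal networks", which is exactly what the original `permit ip 10.10.10.0 255.255.255.0 any` allowed.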
sicarie
Glad you were able to figure that out - sorry I wasn't able to understand your question!
May 24 '10 #10
