INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Member Login

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips now!

Talk With Other Members
Be Notified Of Responses
To Your Posts
Keyword Search
One-Click Access To Your
Favorite Forums
Automated Signatures
On Your Posts
Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

LINK TO THIS FORUM!

Tek-Tips LinkedIn^® Group

Join our
LinkedIn^® Group!

Hook up with past and present colleagues and classmates quickly.

Partner With Us!

"Best Of Breed" Forums Add Stickiness To Your Site

(Download This Button Today!)

Feedback

"...Thank you. It's already helped me greatly, and I enjoy just reading the inputs from the other members..."

More...

Geography

Where in the world do Tek-Tips members come from?

Click Here To Find Out!

Tek-Tips Shirts!

Get your
Tek-Tips Forums
SWAG here!

Home > Forums > MIS/IT > Security Solutions > Cisco Systems: ASA Series Forum

ASA5510 DMZ Setup Help

Read More Threads Like This One

klemeje (MIS)

30 Apr 12 12:32

I'm trying to setup a 5510 with dmz and a web server after a factory-default. So far I've run the startup wizard and used the public server part of asdm which appears to automatically create acl and nat. Is there anything I'm missing? Thanks for the help.

: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
domain-name xxxx.xxxx.org
enable password xxxx
passwd xxxx
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 71.x.x.250 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.4 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.20.30.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.x.x.162
name-server 10.x.x.152
name-server 10.x.x.157
domain-name xxxx.xxxx.org
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network A_71.xx.xx.230
host 71.xx.xx.230
object network PublicServer_NAT1
host 10.20.30.15
access-list outside_access extended permit tcp any host 10.20.30.15 eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network PublicServer_NAT1
nat (dmz,outside) static A_71.xx.xx.230 service tcp www www
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 71.xx.xx.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:77bd7b761e65a25a180402147068cc70
: end
no asdm history enable

klemeje (MIS)

3 May 12 17:14

Any ideas anyone? I contacted Cisco TAC and they said it should work as-is and are forwading to upper level engineer for review.

unclerico (IS/IT--Management)

3 May 12 18:22

you never specified what exactly the issue is. can you describe??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

klemeje (MIS)

3 May 12 20:18

Oops sorry. My problem is I cant access my webserver from the outside network.

unclerico (IS/IT--Management)

3 May 12 22:07

yeah, it looks fine to me as well. what do your logs show??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

klemeje (MIS)

9 May 12 12:24

Actaully the logs do not show anything. I can see the server in the arp table, and also can do a successful packet trace in asdm.

sp33domcgee (IS/IT--Management)

22 May 12 15:22

Please send the output of "packet-tracer input OUTSIDE tcp (IP OF INTERNET HOST TRYING TO ACCESS WEB SERVER) 80 10.20.30.15 80"

From the CLI

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Back To Forum

Back To Cisco Systems: ASA Series

Member Login

Come Join Us!

LINK TO THIS FORUM!

Tek-Tips LinkedIn® Group

Partner With Us!

Feedback

Geography

Tek-Tips Shirts!

ASA5510 DMZ Setup Help

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Back To Forum

Join Tek-Tips® Today!

Tek-Tips LinkedIn^® Group

Join Tek-Tips^® Today!