
DMZ Newbie...need some help


TheStressFactor

IS-IT--Management
Sep 24, 2002
229
US
Hello all,

In my current environment we have a pix 515e. The pix is managed by our provider but I have access to it and can make changes. Mind you, they configured and "maintain" it as well.

With that said, this is what I am trying to accomplish.

1. Set up a dmz on the pix.
2. On the dmz will be a Microsoft ISA 2004 server which will publish OWA, web, and handle vpn.

So far I have given the dmz interface of the pix an ip of 172.16.100.2 and have run a crossover cable to the dmz nic on the isa box.

I can ping the ip of the dmz int of the pix from my isa box but not vice versa...any ideas why this may be?

Can someone look at my config...my eventual goal is to allow all web traffic to go out of my isa box. All inbound traffic to go through my pix and then through the isa box as well.

Finally, since ISA will be my vpn server how do I pass vpn traffic to it securely?

Below is my pix config:


interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password
passwd
hostname Pix
domain-name mydomain.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Allow_OUT tcp
description Inside Permitted Traffic
port-object eq imap4
port-object eq smtp
port-object eq www
port-object eq ident
port-object eq ftp
port-object eq whois
port-object eq telnet
port-object eq ldap
port-object eq pop3
port-object eq ssh
port-object eq nntp
port-object eq h323
port-object eq ldaps
port-object eq aol
port-object eq ftp-data
port-object eq pptp
port-object eq https
access-list inside_outbound_nat0_acl permit ip any 192.168.50.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.101.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.101.0 255.255.255.0
access-list MS permit ip host x.x.x.x x.x.x.x 255.255.255.0
pager lines 24
logging on
logging trap warnings
logging history warnings
logging facility 23
logging host outside x
logging host outside x
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.x x.x.x.x
ip address inside 192.168.100.2 255.255.255.0
ip address intf2 172.16.100.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNRange 192.168.101.2-192.168.101.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x mail netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x web netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.1.6 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.1.7 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.1.13 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.1.154 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.1.18 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.100.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x mail1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x app1 netmask 255.255.255.255 0 0
static (inside,intf2) x.x.x.x 192.168.100.0 netmask 255.255.255.255 0 0
static (intf2,outside) x.x.x.x 172.16.100.3 netmask 255.255.255.255 0 0
conduit permit tcp host x.x.x.x eq https any
conduit permit tcp host x.x.x.x eq https any
conduit permit tcp host x.x.x.x eq pop3 any
conduit permit tcp host x.x.x.x eq pop3 any
conduit permit tcp host x.x.x.x eq
conduit permit tcp host x.x.x.x eq
conduit permit tcp host x.x.x.x eq
conduit permit tcp host x.x.x.x eq
conduit permit tcp host x.x.x.x eq 8080 any
conduit permit tcp host x.x.x.x eq pptp any
conduit permit gre host x.x.x.x any
conduit permit tcp host x.x.x.x eq ftp any
conduit permit tcp host x.x.x.x eq smtp any
conduit permit icmp any any
conduit permit tcp host x.x.x.x eq 1701 any
conduit permit tcp host x.x.x.x eq
conduit permit gre host x.x.x.x any
conduit permit tcp host x.x.x.x eq pptp any
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.1.0 255.255.255.0 192.168.100.1 1
route inside 192.168.2.0 255.255.255.0 192.168.100.1 1
route inside 192.168.3.0 255.255.255.0 192.168.100.1 1
route inside 192.168.4.0 255.255.255.0 192.168.100.1 1
route inside 192.168.5.0 255.255.255.0 192.168.100.1 1
route inside 192.168.6.0 255.255.255.0 192.168.100.1 1
route inside 192.168.7.0 255.255.255.0 192.168.100.1 1
route inside 192.168.8.0 255.255.255.0 192.168.100.1 1
route inside 192.168.9.0 255.255.255.0 192.168.100.1 1
route inside 192.168.10.0 255.255.255.0 192.168.100.1 1
route inside 192.168.11.0 255.255.255.0 192.168.100.1 1
route inside 192.168.12.0 255.255.255.0 192.168.100.1 1
route inside 192.168.14.0 255.255.255.0 192.168.100.1 1
route inside 192.168.15.0 255.255.255.0 192.168.100.1 1
route inside 192.168.20.0 255.255.255.0 192.168.100.1 1
route inside 192.168.50.0 255.255.255.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.168.100.7 timeout 5 protocol TCP version 1
url-cache dst 1KB
aaa authentication ssh console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http x.x.x.x 255.255.0.0 outside
http 192.168.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set NORMAL esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map 20 11 set transform-set NORMAL
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address MS
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set transform-set NORMAL
crypto map outside_map 20 ipsec-isakmp dynamic 20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 5
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ciscovpnusers idle-time 1800
vpngroup ciscovpnusers password ********
vpngroup VPNaccess idle-time 1800
vpngroup VPNAccess split-tunnel inside_outbound_nat0_acl
vpngroup VPNAccess idle-time 1800
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group VPNAccess accept dialin pptp
vpdn group VPNAccess ppp authentication mschap
vpdn group VPNAccess client configuration address local VPNRange
vpdn group VPNAccess pptp echo 60
vpdn group VPNAccess client authentication local
vpdn enable outside
url-block url-mempool 1500
url-block url-size 4
terminal width 80
Cryptochecksum:4d3b2016776f4f74c992cf8ca9660257
: end
 
Looks to me like you need a nat statement for the DMZ.

Something like:

nat (inside) 0 access-list DMZ_ACL
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
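As an added illustration (not code from either poster), here is a small Python checker run over a constructed excerpt of the config posted above. It flags interfaces that carry an address but have no nat rule, which is the gap the reply points at, a static whose /32 netmask sits on a network address, and a few settings in the same config that a reviewer would want tightened.

```python
import re

# Constructed excerpt that mirrors the thread's PIX 6.x config; it is not the full posted file.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
ip address inside 192.168.100.2 255.255.255.0
ip address intf2 172.16.100.2 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,intf2) x.x.x.x 192.168.100.0 netmask 255.255.255.255 0 0
conduit permit icmp any any
snmp-server community public
isakmp policy 10 encryption des
"""

# Settings in the posted config that weaken the firewall regardless of the DMZ question.
WEAK_PATTERNS = {
    r"^conduit permit icmp any any": "ICMP permitted from anywhere to anywhere",
    r"^snmp-server community public": "SNMP community string is the default 'public'",
    r"^isakmp policy \d+ encryption des\b": "IKE policy uses single DES",
}

def interfaces_without_nat(config):
    """Interfaces (other than 'outside') that carry an IP address but have no
    'nat (ifname) ...' rule, so hosts behind them get no outbound translation."""
    names = {m.group(1) for m in re.finditer(r"^nameif \S+ (\S+) security", config, re.M)}
    addressed = {m.group(1) for m in re.finditer(r"^ip address (\S+) \d", config, re.M)}
    natted = {m.group(1) for m in re.finditer(r"^nat \((\S+)\) ", config, re.M)}
    return sorted((names & addressed) - natted - {"outside"})

def host_mask_on_network(config):
    """static lines that pair a /32 netmask with an address ending in .0: that
    translates the single address x.x.x.0, not the subnet presumably intended."""
    pat = r"^static \(\S+\) \S+ (\S+\.0) netmask 255\.255\.255\.255"
    return [m.group(1) for m in re.finditer(pat, config, re.M)]

def weak_settings(config):
    return [msg for pat, msg in WEAK_PATTERNS.items() if re.search(pat, config, re.M)]

if __name__ == "__main__":
    print("interfaces with no nat rule:", interfaces_without_nat(PIX_CONFIG))
    print("/32 netmask on a network address:", host_mask_on_network(PIX_CONFIG))
    for finding in weak_settings(PIX_CONFIG):
        print("weak setting:", finding)
```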
 