ASA 5505-DMZ

Everything to do with configuring Cisco devices (that doesn't fit the other categories)

Moderator: Federico.Lagni

Locked
alessandro.bresciani
n00b
Posts: 9
Joined: Thu 28 May 2009, 5:56 pm

Hi everyone,
I'm configuring an ASA and I can't reach the servers I have in the DMZ from the internal network (inside).
My license is the Base one!! Do I have any hope of completing the configuration?
The configuration I'm posting is missing the NAT rules and ACLs for reaching the DMZ from inside. Can someone help me by suggesting the additions to make to the config? At the moment I can reach the DMZ servers only from the WAN.
Bye, and thanks in advance for any advice!


hostname firewall
domain-name local.it
enable password 0Ez/ePZ/O4SRvAgl encrypted
passwd 0Ez/ePZ/O4SRvAgl encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.65 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 82.251.156.86 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.0.0.99 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name legapesca.it
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list acl_icmp extended permit icmp any any
access-list acl_icmp extended permit tcp any host 82.251.156.82 eq www
access-list acl_icmp extended permit tcp any host 82.251.156.85 eq www
access-list acl_icmp extended permit tcp any host 82.251.156.83 eq www
access-list acl_icmp extended permit tcp any host 82.251.156.85 eq smtp
access-list acl_icmp extended permit tcp any host 82.251.156.85 eq pop3
access-list acl_icmp extended permit tcp any host 82.251.156.83 eq ftp
access-list acl_icmp extended permit tcp any host 82.251.156.83 eq ssh
access-list acl_icmp extended permit tcp any host 82.251.156.82 eq pcanywhere-data
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp any host 10.0.0.56 eq www
access-list dmz_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.224
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RemoteClientPool 192.168.5.10-192.168.5.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (dmz) 1 192.168.5.0 255.255.255.0 dns
nat (dmz) 1 0.0.0.0 0.0.0.0 dns
static (dmz,outside) tcp 82.251.156.82 www 10.0.0.100 www netmask 255.255.255.255 dns
static (dmz,outside) tcp 82.251.156.83 www 10.0.0.56 www netmask 255.255.255.255 dns
static (dmz,outside) tcp 82.251.156.83 ssh 10.0.0.56 ssh netmask 255.255.255.255 dns
static (dmz,outside) tcp 82.251.156.83 ftp 10.0.0.56 ftp netmask 255.255.255.255 dns
static (dmz,outside) tcp 82.251.156.82 pcanywhere-data 10.0.0.100 pcanywhere-data netmask 255.255.255.255 dns
static (inside,outside) tcp 82.251.156.85 www 192.168.5.254 www netmask 255.255.255.255 dns
static (inside,outside) tcp 82.251.156.85 smtp 192.168.5.254 smtp netmask 255.255.255.255 dns
static (inside,outside) tcp 82.251.156.85 pop3 192.168.5.254 pop3 netmask 255.255.255.255 dns
static (inside,inside) 192.168.5.254 82.251.156.85 netmask 255.255.255.255 dns
static (dmz,dmz) 10.0.0.100 82.251.156.82 netmask 255.255.255.255 dns
static (dmz,dmz) 10.0.0.56 82.251.156.83 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group acl_icmp in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 82.251.156.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http authentication-certificate inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0

ntp server 192.43.244.18 source outside prefer
group-policy Cisco internal
group-policy Cisco attributes
dns-server value 192.168.5.254
vpn-tunnel-protocol IPSec
default-domain value roma.legapesca.it
username emilio password UhE4erOt2nM9Y9a2 encrypted privilege 0
username emilio attributes
vpn-group-policy Cisco
username alex password W6VTtG/CEuzrt5zK encrypted
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
address-pool RemoteClientPool
default-group-policy Cisco
tunnel-group Cisco ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:36217c4f5bb1c54ff7c8fac269381c31
: end
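The thread was closed without an answer, so here is an added example (not from the original poster or the moderator) of what the missing inside-to-dmz pieces look like in the pre-8.3 NAT syntax the posted config uses. The addresses are the ones in the posted config (inside 192.168.5.0/24, dmz 10.0.0.0/24, servers 10.0.0.56 and 10.0.0.100); the 192.168.5.50 test host in the packet-tracer line is an assumption.

```cisco
! Added example, not part of the original thread. Pre-8.3 NAT syntax, matching the posted config.
!
! License caveat: "no forward interface Vlan1" on Vlan3 is what the Base license requires. It only
! stops the dmz from INITIATING connections to inside; inside can still initiate to the dmz and the
! return traffic is allowed. So yes, inside -> dmz works on the Base license.
!
! 1. Translation. "nat (inside) 1 0.0.0.0 0.0.0.0" matches every inside flow, but there is no
!    "global (dmz) 1", so inside -> dmz flows fail with "no translation group found" and are dropped.
!    The inside_nat0_outbound ACL is already bound to "nat (inside) 0" (NAT exemption), so extend it
!    and inside hosts reach the dmz with their real 192.168.5.x address:
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.0.0.0 255.255.255.0
!
! 2. Access control. inside_access_in is applied inbound on inside and only permits icmp, which is
!    why nothing but ping leaves the inside today (towards the dmz OR the outside). Permit the dmz
!    services explicitly, then whatever general outbound policy is wanted:
access-list inside_access_in extended permit tcp 192.168.5.0 255.255.255.0 host 10.0.0.56 eq www
access-list inside_access_in extended permit tcp 192.168.5.0 255.255.255.0 host 10.0.0.56 eq ssh
access-list inside_access_in extended permit tcp 192.168.5.0 255.255.255.0 host 10.0.0.100 eq www
access-list inside_access_in extended permit ip 192.168.5.0 255.255.255.0 any
!
! 3. Verify from the CLI (packet-tracer exists on 7.2 and later, which this ASDM 5.2.4 image implies):
!    packet-tracer input inside tcp 192.168.5.50 12345 10.0.0.56 80
!    show access-list inside_access_in
!    show xlate
```

Two things a reviewer would flag in the posted config while there: inside hosts reach the dmz servers by their 10.0.0.x addresses with this setup (the public 82.251.156.x addresses only exist on the outside statics, so use the private names/addresses from inside), and dmz_access_in ends in "permit ip any any", which lets a compromised dmz host open anything towards the outside; the Base license blocking dmz -> inside is a side effect of the license, not a policy, so tighten that ACL rather than relying on it.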
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

How many identical topics have you opened?!

Closing.
The future is made of people who have intuitions and visions ..... those are the people who make the difference ...... the ones endowed with a THIRD EYE....