ASA 5505 e DMZ
Inviato: mer 11 lug, 2007 9:57 am
Torno a richiedere il vostro aiuto.
Ho la necessità di far comunicare alcuni servizi della dmz con la lan interna e la lan interna con alcuni servizi della dmz.
Questa è la configurazione (che non funziona) che ho impostato:
: Saved
:
: Review notes are added as ':' lines (the ASA skips them, exactly like ': Saved' above).
: 7.2(2) uses the pre-8.3 NAT model: nat/global = dynamic PAT, static = fixed mapping, and an
: inbound access-list is evaluated on the destination address as it arrives on the interface,
: i.e. the *mapped* address whenever a static applies on that interface. That is why the
: DMZtoInside / InsidetoDMZ lists below use 192.168.100.x rather than the real networks.
ASA Version 7.2(2)
[...]
: Three VLAN interfaces: inside (100), outside (0), dmz (50). The security level only governs the
: default higher->lower permit while no access-group is bound to the interface; once one is bound
: (see access-group lines further down) only what that list permits gets through, everything else
: hits the implicit deny.
: NOTE(review): on an ASA 5505 with the Base licence the third VLAN is a restricted VLAN
: ('no forward interface Vlan1' is required) and it cannot initiate sessions towards inside at all,
: which alone would explain "dmz -> lan does not work". The licence is not visible in this
: listing - confirm with 'show version' before chasing NAT/ACL details.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
: Ethernet0/0 carries the outside VLAN, Ethernet0/5 the DMZ VLAN; the other switch ports are
: presumably left on VLAN 1 (inside) - not shown in the listing.
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
[...]
: Ports the DMZ host may open towards the LAN (1533 and lotusnotes = Domino, smtp, telnet).
: NOTE(review): telnet from a lower-trust segment into the LAN is a cleartext management channel;
: if it is only needed for testing, drop it once the NAT problem is solved.
object-group service sg_dmztolan tcp
port-object eq 1533
port-object eq lotusnotes
port-object eq smtp
port-object eq telnet
: Ports the LAN may open towards the DMZ (web, mail, ftp, ssh, RDP 3389, VNC 5800/5900, and
: several application-specific ports). ftp and www/https are also exposed from outside below.
object-group service sg_lantodmz tcp
port-object range 12173 12175
port-object eq 5400
port-object eq 5500
port-object eq 5800
port-object eq 5900
port-object eq 6050
port-object eq 8080
port-object eq 8989
port-object eq 8999
port-object eq ftp
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq smtp
port-object eq ssh
port-object eq 3389
: Ports published from the Internet to the DMZ host.
object-group service sg_outdmz tcp
port-object range 12173 12175
port-object eq 1533
port-object eq 8080
port-object eq 8989
port-object eq ftp
port-object eq www
port-object eq https
: DMZtoInside: 10.0.0.2 -> inside hosts as they appear on the dmz (192.168.100.x, from the
: static (inside,dmz) below). Bound to the dmz interface, its implicit deny also stops 10.0.0.2
: and every other dmz host from reaching the Internet, so 'nat (dmz) 1' is never used.
access-list DMZtoInside extended permit tcp host 10.0.0.2 192.168.100.0 255.255.255.0 object-group sg_dmztolan
: OutsidetoDMZ: destination is the outside *interface* address (xxx.xxx.xxx.xxx, Vlan2), but the
: static (dmz,outside) below publishes 10.0.0.2 as yyy.yyy.yyy.yyy. If xxx and yyy are really
: different addresses this line never matches the translation; the ACL must name the mapped
: address, e.g. 'access-list OutsidetoDMZ extended permit tcp any host yyy.yyy.yyy.yyy object-group sg_outdmz'.
access-list OutsidetoDMZ extended permit tcp any host xxx.xxx.xxx.xxx object-group sg_outdmz
: InsidetoDMZ: LAN -> dmz hosts as they appear on inside (192.168.100.x, from static (dmz,inside)).
: Bound to the inside interface, this is the *only* permit for inside-originated traffic: the
: implicit deny blocks all Internet access from the LAN ('nat (inside) 1' is never reached).
: Add an explicit permit for the outbound traffic that is still wanted, or do not bind an ACL to
: inside and rely on the security levels.
access-list InsidetoDMZ extended permit tcp 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0 object-group sg_lantodmz
[...]
: Dynamic PAT to the outside interface address for inside and dmz (currently unreachable, see the
: access-list notes above).
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 1 10.0.0.0 255.255.255.0
: Publishes the DMZ host 10.0.0.2 on the Internet as yyy.yyy.yyy.yyy (one-to-one).
static (dmz,outside) yyy.yyy.yyy.yyy 10.0.0.2 netmask 255.255.255.255
: Syntax: static (real_ifc,mapped_ifc) mapped_net real_net.
: (inside,dmz): LAN 192.168.2.x is seen from the dmz as 192.168.100.x.
: (dmz,inside): DMZ 10.0.0.x is seen from the LAN as 192.168.100.x.
: NOTE(review): the same mapped block 192.168.100.0/24 is reused on two interfaces with two
: different real networks. Even where the ASA accepts it, it is easy to misread, and LAN hosts
: must route 192.168.100.0/24 via 192.168.2.254 (automatic only if the ASA is their default
: gateway). Identity statics (mapped = real, e.g. 'static (inside,dmz) 192.168.2.0 192.168.2.0
: netmask 255.255.255.0' and the dmz counterpart) would let both access-lists use the real
: addresses. Check what is actually built with 'show xlate'.
static (inside,dmz) 192.168.100.0 192.168.2.0 netmask 255.255.255.0
static (dmz,inside) 192.168.100.0 10.0.0.0 netmask 255.255.255.0
: Binding the lists: from here on each interface only passes what its list permits.
access-group InsidetoDMZ in interface inside
access-group OutsidetoDMZ in interface outside
access-group DMZtoInside in interface dmz
route outside 0.0.0.0 0.0.0.0 zzz.zzz.zzz.zzz 1
[...]
!
: Default inspection policy. 'inspect ftp' is what allows the ftp data channel through the NAT
: for the ftp entries in sg_lantodmz/sg_outdmz; 'inspect esmtp' covers the smtp entries.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
[...]
Se qualcuno gentilmente riesce a darmi una dritta su dove sbaglio. Oramai ho letto una marea di faq e tutorial su internet ma non ne vengo fuori.
Grazie
PcI
Ho la necessità di far comunicare alcuni servizi della dmz con la lan interna e la lan interna con alcuni servizi della dmz.
Questa è la configurazione (che non funziona) che ho impostato:
: Saved
:
: Review notes are added as ':' lines (the ASA skips them, exactly like ': Saved' above).
: 7.2(2) uses the pre-8.3 NAT model: nat/global = dynamic PAT, static = fixed mapping, and an
: inbound access-list is evaluated on the destination address as it arrives on the interface,
: i.e. the *mapped* address whenever a static applies on that interface. That is why the
: DMZtoInside / InsidetoDMZ lists below use 192.168.100.x rather than the real networks.
ASA Version 7.2(2)
[...]
: Three VLAN interfaces: inside (100), outside (0), dmz (50). The security level only governs the
: default higher->lower permit while no access-group is bound to the interface; once one is bound
: (see access-group lines further down) only what that list permits gets through, everything else
: hits the implicit deny.
: NOTE(review): on an ASA 5505 with the Base licence the third VLAN is a restricted VLAN
: ('no forward interface Vlan1' is required) and it cannot initiate sessions towards inside at all,
: which alone would explain "dmz -> lan does not work". The licence is not visible in this
: listing - confirm with 'show version' before chasing NAT/ACL details.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
: Ethernet0/0 carries the outside VLAN, Ethernet0/5 the DMZ VLAN; the other switch ports are
: presumably left on VLAN 1 (inside) - not shown in the listing.
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
[...]
: Ports the DMZ host may open towards the LAN (1533 and lotusnotes = Domino, smtp, telnet).
: NOTE(review): telnet from a lower-trust segment into the LAN is a cleartext management channel;
: if it is only needed for testing, drop it once the NAT problem is solved.
object-group service sg_dmztolan tcp
port-object eq 1533
port-object eq lotusnotes
port-object eq smtp
port-object eq telnet
: Ports the LAN may open towards the DMZ (web, mail, ftp, ssh, RDP 3389, VNC 5800/5900, and
: several application-specific ports). ftp and www/https are also exposed from outside below.
object-group service sg_lantodmz tcp
port-object range 12173 12175
port-object eq 5400
port-object eq 5500
port-object eq 5800
port-object eq 5900
port-object eq 6050
port-object eq 8080
port-object eq 8989
port-object eq 8999
port-object eq ftp
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq smtp
port-object eq ssh
port-object eq 3389
: Ports published from the Internet to the DMZ host.
object-group service sg_outdmz tcp
port-object range 12173 12175
port-object eq 1533
port-object eq 8080
port-object eq 8989
port-object eq ftp
port-object eq www
port-object eq https
: DMZtoInside: 10.0.0.2 -> inside hosts as they appear on the dmz (192.168.100.x, from the
: static (inside,dmz) below). Bound to the dmz interface, its implicit deny also stops 10.0.0.2
: and every other dmz host from reaching the Internet, so 'nat (dmz) 1' is never used.
access-list DMZtoInside extended permit tcp host 10.0.0.2 192.168.100.0 255.255.255.0 object-group sg_dmztolan
: OutsidetoDMZ: destination is the outside *interface* address (xxx.xxx.xxx.xxx, Vlan2), but the
: static (dmz,outside) below publishes 10.0.0.2 as yyy.yyy.yyy.yyy. If xxx and yyy are really
: different addresses this line never matches the translation; the ACL must name the mapped
: address, e.g. 'access-list OutsidetoDMZ extended permit tcp any host yyy.yyy.yyy.yyy object-group sg_outdmz'.
access-list OutsidetoDMZ extended permit tcp any host xxx.xxx.xxx.xxx object-group sg_outdmz
: InsidetoDMZ: LAN -> dmz hosts as they appear on inside (192.168.100.x, from static (dmz,inside)).
: Bound to the inside interface, this is the *only* permit for inside-originated traffic: the
: implicit deny blocks all Internet access from the LAN ('nat (inside) 1' is never reached).
: Add an explicit permit for the outbound traffic that is still wanted, or do not bind an ACL to
: inside and rely on the security levels.
access-list InsidetoDMZ extended permit tcp 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0 object-group sg_lantodmz
[...]
: Dynamic PAT to the outside interface address for inside and dmz (currently unreachable, see the
: access-list notes above).
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 1 10.0.0.0 255.255.255.0
: Publishes the DMZ host 10.0.0.2 on the Internet as yyy.yyy.yyy.yyy (one-to-one).
static (dmz,outside) yyy.yyy.yyy.yyy 10.0.0.2 netmask 255.255.255.255
: Syntax: static (real_ifc,mapped_ifc) mapped_net real_net.
: (inside,dmz): LAN 192.168.2.x is seen from the dmz as 192.168.100.x.
: (dmz,inside): DMZ 10.0.0.x is seen from the LAN as 192.168.100.x.
: NOTE(review): the same mapped block 192.168.100.0/24 is reused on two interfaces with two
: different real networks. Even where the ASA accepts it, it is easy to misread, and LAN hosts
: must route 192.168.100.0/24 via 192.168.2.254 (automatic only if the ASA is their default
: gateway). Identity statics (mapped = real, e.g. 'static (inside,dmz) 192.168.2.0 192.168.2.0
: netmask 255.255.255.0' and the dmz counterpart) would let both access-lists use the real
: addresses. Check what is actually built with 'show xlate'.
static (inside,dmz) 192.168.100.0 192.168.2.0 netmask 255.255.255.0
static (dmz,inside) 192.168.100.0 10.0.0.0 netmask 255.255.255.0
: Binding the lists: from here on each interface only passes what its list permits.
access-group InsidetoDMZ in interface inside
access-group OutsidetoDMZ in interface outside
access-group DMZtoInside in interface dmz
route outside 0.0.0.0 0.0.0.0 zzz.zzz.zzz.zzz 1
[...]
!
: Default inspection policy. 'inspect ftp' is what allows the ftp data channel through the NAT
: for the ftp entries in sg_lantodmz/sg_outdmz; 'inspect esmtp' covers the smtp entries.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
[...]
Se qualcuno gentilmente riesce a darmi una dritta su dove sbaglio. Oramai ho letto una marea di faq e tutorial su internet ma non ne vengo fuori.
Grazie
PcI