KB 0000316
Dated: 27/08/10
Revision: 0.01

ASA 5500 Adding a DMZ Step By Step
Problem

Assuming you have a working ASA 5500 and you want to add a DMZ to it, this is the process.

Assumptions
1. Networks,
2. Interfaces,
3. The web server in the DMZ will have the following IP addresses:
   a. DMZ IP address 172.16.1.1
4. From the Internet you want to allow web traffic and secure web traffic (HTTP/www and HTTPS/SSL) to the DMZ server.
5. The DMZ server needs to speak to a database server on the inside LAN, on TCP port 1433.
||
Solution

1. Firstly connect to the ASA, log in and go to enable mode.

User Access Verification
Password:
||
2. Go to configure terminal mode and set up the DMZ interface (in this case Ethernet0/2).

PetesASA# conf t
||
3. I like to name the DMZ entities' IP addresses so things look neat.

PetesASA(config)# name 172.16.1.1 DMZ-Host-Private-IP
PetesASA(config)# name 123.123.123.124 DMZ-Host-Public-IP
||
4. Set a NAT statement to handle traffic flow (assuming you have a matching global statement like "global (outside) 1 xxx"; "show run global" will tell you).

PetesASA(config)# nat (DMZ) 1 0.0.0.0 0.0.0.0

Note: We are only going to have one DMZ host, and it will have a static mapping. If you had many DMZ hosts then also add "global (DMZ) 1 interface".
||
5. Now add some static mappings.

PetesASA(config)# static (DMZ,outside) DMZ-Host-Public-IP DMZ-Host-Private-IP netmask 255.255.255.255
PetesASA(config)# static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
PetesASA(config)# static (inside,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
||
6. To let people in from outside you need to either create an access-list or add some rules to any existing inbound access-list ("show run access-group" will tell you; look for an ACL applied "in" to the outside interface, e.g. "access-group outbound in interface inside"). We will assume I don't have one, so I'll need the access-group at the end.

PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq www
||
7. Now, to allow the DMZ host to get to the database server, I'm going to allow TCP 1433.

PetesASA(config)# access-list DMZ_outbound extended permit tcp host DMZ-Host-Private-IP host DMS-SQL eq 1433
PetesASA(config)# access-group DMZ_outbound in interface DMZ
||
8. Finally save the configuration.

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5417d5a1 bee8b082 16c6f19d b3839f13
9379 bytes copied in 1.410 secs (9379 bytes/sec)
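Before committing with "write mem", it is worth checking that the two access-lists actually express the intent in the assumptions and nothing more. The following is an added example, not code from the PeteNetLive article: it parses the access-list lines shown in steps 6 and 7, then evaluates sample flows the way the ASA does (first matching entry wins, anything unmatched falls through to the implicit deny at the end of the list). The address 10.1.0.10 for DMS-SQL and the Internet client 198.51.100.7 are assumed values, since the page does not give them.

```python
"""Offline check of the ACL intent behind the DMZ steps above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Names defined on the page with the "name" command. The address for DMS-SQL
# is not given on the page; 10.1.0.10 is an assumed value inside the 10.1.0.0/16
# LAN that the static mappings refer to.
NAMES = {
    "DMZ-Host-Private-IP": "172.16.1.1",
    "DMZ-Host-Public-IP": "123.123.123.124",
    "DMS-SQL": "10.1.0.10",  # assumption, not from the page
}
PORT_KEYWORDS = {"www": 80, "https": 443}

# The access-list lines exactly as shown in steps 6 and 7 (constructed input).
PAGE_ACL_LINES = [
    "access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq www",
    "access-list DMZ_outbound extended permit tcp host DMZ-Host-Private-IP host DMS-SQL eq 1433",
]


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port


def _resolve(token: str) -> str:
    """Map a name created with the 'name' command back to its address."""
    return NAMES.get(token, token)


def _take_addr(tokens, i):
    """Consume one ASA address spec (any | host X | NET MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(_resolve(tokens[i + 1]) + "/32"), i + 2
    net = ipaddress.ip_network(f"{_resolve(tokens[i])}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_rule(line: str):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    name, action, proto = t[1], t[3], t[4]
    src, i = _take_addr(t, 5)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_KEYWORDS.get(t[i + 1]) or int(t[i + 1])
    return name, Rule(action, proto, src, dst, dport)


def build_acls(lines):
    """Group parsed entries by access-list name, preserving order."""
    acls = {}
    for line in lines:
        name, rule = parse_rule(line)
        acls.setdefault(name, []).append(rule)
    return acls


def permitted(acls, acl_name, proto, src_ip, dst_ip, dport):
    """First match wins; no match means the implicit deny applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acls.get(acl_name, []):
        if r.proto not in (proto, "ip"):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action == "permit"
    return False


def audit(acls):
    """Evaluate the flows the article intends plus flows that show the implicit deny.

    198.51.100.7 is a constructed Internet client address (RFC 5737 range).
    """
    pub, priv, sql = NAMES["DMZ-Host-Public-IP"], NAMES["DMZ-Host-Private-IP"], NAMES["DMS-SQL"]
    return {
        "internet->dmz www":   permitted(acls, "inbound", "tcp", "198.51.100.7", pub, 80),
        "internet->dmz https": permitted(acls, "inbound", "tcp", "198.51.100.7", pub, 443),
        "dmz->sql 1433":       permitted(acls, "DMZ_outbound", "tcp", priv, sql, 1433),
        "dmz->sql 3389":       permitted(acls, "DMZ_outbound", "tcp", priv, sql, 3389),
        "dmz->inside dns":     permitted(acls, "DMZ_outbound", "udp", priv, "10.1.0.53", 53),
    }


if __name__ == "__main__":
    for flow, ok in audit(build_acls(PAGE_ACL_LINES)).items():
        print(f"{flow:22} {'permit' if ok else 'DENY (implicit)'}")
```

Two of the rows are the point of running this. The HTTPS flow comes back denied because the only inbound entry shown in step 6 is for www, so the secure-web traffic the assumptions call for still needs its own entry. The DNS flow shows the side effect of applying DMZ_outbound "in" on the DMZ interface: once an ACL is bound there, everything the DMZ host needs beyond TCP 1433 (DNS, NTP, patch downloads) is dropped unless it is permitted explicitly. Note also that this check mirrors the pre-8.3 ASA behaviour the article uses, where an inbound ACL matches on the public (mapped) address; on ASA 8.3 and later, access-lists match on the real address instead.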