I am trying to configure my Cisco ASA 5505 firewall to allow access from the internet to the DMZ web and mail servers. I'm new to the Cisco world, so excuse me if this is a newbie question. I know that this subject has been covered on many sites, but most of them assume that you have more than one public IP address. My situation is that I only have one public IP address, and therefore I believe I have to use a PAT configuration.
This is my setup: My ASA (with a basic license) is configured with three interfaces for the inside, outside and dmz zones. There are two servers in my dmz – one web and one mail server.
I believe I have checked my configuration against various sites on the internet, but still I can't figure out how to get it right. This is my running config:
...
ASA Version 9.0(4)26
...
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 1
!
interface Ethernet0/5
switchport access vlan 1
!
interface Ethernet0/6
switchport access vlan 1
!
interface Ethernet0/7
switchport access vlan 1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 109.198.xxx.yyy 255.0.0.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain.dk
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
!
object network dmz-subnet
subnet 172.16.1.0 255.255.255.0
!
object network hst-mail-server
host 172.16.1.11
description Mail server in DMZ
!
object network hst-web-server
host 172.16.1.10
description Web server in DMZ
!
object network hst-web-dns
host 172.16.1.10
description Web dmz host DNS
!
object network hst-web-http
host 172.16.1.10
description Web dmz host HTTP
!
object network hst-web-https
host 172.16.1.10
description Web dmz host HTTPS
!
object-group service web-services tcp
port-object eq www
port-object eq https
!
object-group service mail-services tcp
port-object eq smtp
port-object eq 587
port-object eq 993
port-object eq 4190
!
object-group service svcgrp-web-udp udp
port-object eq dnsix
!
object-group service svcgrp-web-tcp tcp
port-object eq www
port-object eq https
!
object-group network RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
!
object-group service svcgrp-mail-tcp tcp
port-object eq smtp
!
access-list outside_access_in extended deny ip any object-group RFC1918
access-list outside_access_in extended permit udp any object hst-web-server object-group svcgrp-web-udp
access-list outside_access_in extended permit tcp any object hst-web-server object-group svcgrp-web-tcp
access-list outside_access_in extended permit tcp any object hst-mail-server object-group svcgrp-mail-tcp
access-list outside_access_in extended permit ip any any
...
!
object network obj_any
nat (inside,outside) dynamic interface
object network inside-subnet
nat (inside,dmz) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
object network hst-web-dns
nat (dmz,outside) static interface service udp dnsix dnsix
object network hst-web-http
nat (dmz,outside) static interface service tcp www www
object network hst-web-https
nat (dmz,outside) static interface service tcp https https
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 109.198.xxx.zzz 1
...
Best Answer
I finally got it working - it was a wrongly configured ACL to deny access to RFC 1918 subnets from the outside.
By the way: I found an interesting article about denying access to all the subnets in RFC 3330, not just the private ones in RFC 1918: https://techbloc.net/archives/1392
Inspired by that I have enhanced my configuration a bit. This is the new definition of subnets to deny access to:
And this is my new acl definitions:
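The answerer's own object-group and ACL lines do not appear on the page. What follows is an added example, not the asker's running config and not the answerer's configuration; it covers both the failure in the question and the RFC 3330 filtering the answer mentions, because they come down to one rule: since ASA 8.3, an interface access list is matched against the real (untranslated) addresses, so an inbound packet to the public address on port 80 is evaluated against the outside ACL as a packet to 172.16.1.10:80. A rule that denies RFC 1918 destinations therefore blocks every static-PAT'd DMZ host, and a bogon filter on the outside interface must be written against source addresses instead. The example reuses the object and group names from the question (hst-web-server, hst-mail-server, hst-web-dns, svcgrp-web-udp, RFC1918); the group name special-use-v4 and the client address 203.0.113.5 in the check at the end are assumed, and 109.198.xxx.yyy is the masked outside address from the question. The prefix list is the current special-purpose registry (RFC 6890, which replaced RFC 5735 and RFC 3330) rather than the 2002 RFC 3330 list, since several RFC 3330 entries (14/8, 24/8 and 39/8 among them) have since been allocated as ordinary unicast space and would cut off legitimate clients. It also corrects the DNS service keyword: on the ASA, DNS is `domain` (port 53), while `dnsix` is port 195.

```text
! Added example, not the running config from the question.
!
! 1. Publish DNS on the right port. "dnsix" is UDP/TCP 195; DNS is "domain" (53).
object-group service svcgrp-web-udp udp
 no port-object eq dnsix
 port-object eq domain
object network hst-web-dns
 no nat (dmz,outside) static interface service udp dnsix dnsix
 nat (dmz,outside) static interface service udp domain domain
!
! 2. Special-use IPv4 space per RFC 6890. Group name is assumed. Used only as a
!    SOURCE filter on the outside interface: legitimate internet traffic never
!    arrives with one of these source addresses.
object-group network special-use-v4
 description RFC 6890 special-purpose IPv4 blocks
 network-object 0.0.0.0 255.0.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 100.64.0.0 255.192.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 169.254.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.0.0.0 255.255.255.0
 network-object 192.0.2.0 255.255.255.0
 network-object 192.88.99.0 255.255.255.0
 network-object 192.168.0.0 255.255.0.0
 network-object 198.18.0.0 255.254.0.0
 network-object 198.51.100.0 255.255.255.0
 network-object 203.0.113.0 255.255.255.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0
!
! 3. Remove the two rules that break the published services. The first matches
!    the real DMZ addresses after un-NAT (172.16.1.10 is inside 172.16.0.0/12)
!    and sits above every permit; the second permits everything the earlier
!    lines did not deny, so the permits above it are meaningless.
no access-list outside_access_in extended deny ip any object-group RFC1918
no access-list outside_access_in extended permit ip any any
!
! 4. Anti-spoofing first, on the source. "line 1" places it ahead of the three
!    permits that remain from the original list (web udp, web tcp, mail tcp),
!    which already use the real DMZ addresses and need no change.
access-list outside_access_in line 1 extended deny ip object-group special-use-v4 any
!
! 5. Explicit, logged deny at the end. The implicit deny would drop the same
!    traffic, but this one produces a syslog line and a hit count.
access-list outside_access_in extended deny ip any any log
!
! 6. Unicast RPF on the outside catches spoofed sources the list does not name.
ip verify reverse-path interface outside
!
! 7. Verify without sending real traffic. 203.0.113.5 is a constructed client
!    address from the RFC 5737 documentation range.
packet-tracer input outside tcp 203.0.113.5 40000 109.198.xxx.yyy 80
packet-tracer input outside udp 203.0.113.5 40001 109.198.xxx.yyy 53
show access-list outside_access_in
```

The packet-tracer output should show the UN-NAT phase rewriting the destination to 172.16.1.10 before the ACCESS-LIST phase, with the permit for hst-web-server as the matching rule and a final result of ALLOW; if the ACCESS-LIST phase reports DROP, the matching line it prints is the one to fix. The hit counts from `show access-list` confirm over time which rules real traffic is landing on.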