Cisco – ASA5505 Novice. Setting up Outside/Inside/and DMZ as Guest Network

cisco, cisco-asa

I need a little help in developing a config for our ASA5505. I'm an MCSA/MCITPAS but I don't have a lot of practical Cisco experience.

Here is what I need help with: we currently have a PIX as our border gateway and, well, it's antiquated and only has a 50-user license, which means I'm constantly clearing local-host throughout the day as people complain. I discovered that the last IT person bought a couple of ASA5505s and they've been sitting in the back of a cupboard.

So far I've duplicated the configuration from the PIX to the ASA but I thought I'd go further and remove another old Cisco router that is used only for a guest network. I know the ASA can do both jobs.

So I'm going to paste a scenario I wrote up with the actual IPs changed to protect the innocent.

Outside Network: 1.2.3.10 255.255.255.248 (we have a /29)
Inside Network: 10.10.36.0 255.255.252.0
DMZ Network: 192.168.15.0 255.255.255.0

Outside Network on e0/0
DMZ Network on e0/1
Inside Network on e0/2-7

DMZ Network has DHCPD Enabled.
DMZ DHCPD Pool is 192.168.15.50-192.168.15.250
DMZ Network needs to be able to see DNS on Inside Network at 10.10.37.11 and 10.10.37.12
DMZ Network needs to be able to access webmail on inside network at 10.10.37.15
DMZ Network needs to be able to access business website on inside network at 10.10.37.17
DMZ Network needs to be able to access the outside network (access to the internet).

Inside Network has NO DHCPD. (DHCP is handled by the domain controller.)
Inside Network needs to be able to see anything on the DMZ network.
Inside Network needs to be able to access the outside network (access to the internet).

There are some access lists and some static NAT mappings in place already.

Maps external IPs from our ISP to our inside server IPs

 static (inside,outside) 1.2.3.11 10.10.37.15 netmask 255.255.255.255
 static (inside,outside) 1.2.3.12 10.10.37.17 netmask 255.255.255.255
 static (inside,outside) 1.2.3.13 10.10.37.20 netmask 255.255.255.255

Allows access to our Webserver/Mailserver/VPN from the Outside.

 access-list 108 permit tcp any host 1.2.3.11 eq https
 access-list 108 permit tcp any host 1.2.3.11 eq smtp
 access-list 108 permit tcp any host 1.2.3.11 eq 993
 access-list 108 permit tcp any host 1.2.3.11 eq 465
 access-list 108 permit tcp any host 1.2.3.12 eq www
 access-list 108 permit tcp any host 1.2.3.12 eq https
 access-list 108 permit tcp any host 1.2.3.13 eq pptp

Here is all the NAT and route stuff I have so far.

 global (outside) 1 interface
 global (outside) 2 1.2.3.11-1.2.3.14 netmask 255.255.255.248
 nat (inside) 1 0.0.0.0 0.0.0.0
 nat (dmz) 1 0.0.0.0 0.0.0.0

 route outside 0.0.0.0 0.0.0.0 1.2.3.9 1

Best Answer

You don't mention what version you are running, but judging by your NAT commands it's 8.2 or below. I have some sample config that should get DHCP working on the DMZ and access from the DMZ to your LAN DNS, internal websites and web access to the internet. You can probably use it as a guide to add more if needed. You won't need to change the routing, as these are all directly connected networks.

This should be all you need for the DHCP config

dhcpd dns 10.10.37.11 10.10.37.12
dhcpd domain example.com
dhcpd address 192.168.15.50-192.168.15.250 DMZ
dhcpd enable DMZ

An access list permitting traffic arriving at the DMZ interface, including your DNS traffic to the LAN:

access-list DMZ-Access_in extended permit udp any host 10.10.37.11 eq 53
access-list DMZ-Access_in extended permit udp any host 10.10.37.12 eq 53
access-list DMZ-Access_in extended permit tcp any host 10.10.37.15 eq 443
access-list DMZ-Access_in extended permit tcp any host 10.10.37.15 eq 80
access-list DMZ-Access_in extended permit tcp any host 10.10.37.17 eq 443
access-list DMZ-Access_in extended permit tcp any host 10.10.37.17 eq 80
access-list DMZ-Access_in extended permit tcp any any eq 80
access-list DMZ-Access_in extended permit tcp any any eq 443

Apply the access list to the DMZ interface.

access-group DMZ-Access_in in interface DMZ

Also check that you have a Security Plus licence, as on the 5505 the DMZ is restricted without it:

show version

Edit:

To answer your questions: with the base licence you will not be able to do what you want. The restricted DMZ means you have to pick a VLAN that the DMZ cannot speak to. It can be either the LAN or outside.

Yes, the inside, outside and DMZ would count as three VLANs; the 5505 operates like a layer 3 switch, with VLANs being applied to switch ports. All the other ASAs use layer 3 routed ports, where you can divide them up into sub-interfaces and connect trunks to them.

Sec Plus costs a bit but is worth it to move from a PIX to an ASA. The ASA is much better and has a pretty good GUI that will allow you to easily make changes.
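Before pasting an access list like the one in the answer onto the box, it is worth checking on paper that it really permits each flow the question lists and nothing else. The script below is an added example, not part of the question or the answer: it parses the `access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]` form used on this page and evaluates flows with the ASA's first-match semantics and trailing implicit deny. It embeds the DMZ access list with its DNS entries aimed at the LAN resolvers 10.10.37.11 and 10.10.37.12, plus a constructed variant where those two entries point at addresses in the DMZ DHCP pool instead, which the check flags. The DMZ client address 192.168.15.60 and the Internet host 198.51.100.7 are constructed for the example; object groups, port ranges, ICMP types and interface direction are out of scope.

```python
"""Offline check of an ASA 8.2-style access list against required flows.

Added example (not from the question or the answer). Supports only the
`access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]` syntax
that appears on the page; first-match semantics with an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names used on the page, mapped to port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53,
              "smtp": 25, "pptp": 1723}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume `any`, `host A.B.C.D` or `A.B.C.D MASK` starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_acl(text: str, name: str) -> List[Ace]:
    """Return the ACEs of access list `name` in the order they were entered."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        if t[2].lower() == "remark":
            continue
        i = 3 if t[2].lower() == "extended" else 2
        action, proto = t[i].lower(), t[i + 1].lower()
        src, i = _parse_addr(t, i + 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1].lower()
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> bool:
    """First matching ACE decides; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


# DMZ access list with DNS aimed at the LAN resolvers the question names.
ACL_DMZ = """
access-list DMZ-Access_in extended permit udp any host 10.10.37.11 eq 53
access-list DMZ-Access_in extended permit udp any host 10.10.37.12 eq 53
access-list DMZ-Access_in extended permit tcp any host 10.10.37.15 eq 443
access-list DMZ-Access_in extended permit tcp any host 10.10.37.15 eq 80
access-list DMZ-Access_in extended permit tcp any host 10.10.37.17 eq 443
access-list DMZ-Access_in extended permit tcp any host 10.10.37.17 eq 80
access-list DMZ-Access_in extended permit tcp any any eq 80
access-list DMZ-Access_in extended permit tcp any any eq 443
"""

# Constructed variant: the DNS entries point at DMZ DHCP-pool addresses.
ACL_DMZ_DNS_MISDIRECTED = (ACL_DMZ
                           .replace("10.10.37.11 eq 53", "192.168.15.50 eq 53")
                           .replace("10.10.37.12 eq 53", "192.168.15.250 eq 53"))

DMZ_CLIENT = "192.168.15.60"     # constructed: a host in the DMZ DHCP pool
INTERNET_HOST = "198.51.100.7"   # constructed: RFC 5737 documentation address

# (proto, src, dst, dport, label) for each flow the question requires.
REQUIRED_FLOWS = [
    ("udp", DMZ_CLIENT, "10.10.37.11", 53, "DNS to 10.10.37.11"),
    ("udp", DMZ_CLIENT, "10.10.37.12", 53, "DNS to 10.10.37.12"),
    ("tcp", DMZ_CLIENT, "10.10.37.15", 443, "webmail on 10.10.37.15"),
    ("tcp", DMZ_CLIENT, "10.10.37.17", 80, "business website on 10.10.37.17"),
    ("tcp", DMZ_CLIENT, INTERNET_HOST, 443, "HTTPS to the Internet"),
]

# Flows the question does not ask for; the implicit deny should block them.
UNWANTED_FLOWS = [
    ("tcp", DMZ_CLIENT, "10.10.37.20", 445, "SMB to 10.10.37.20"),
    ("tcp", DMZ_CLIENT, "10.10.37.11", 3389, "RDP to 10.10.37.11"),
]


def check_requirements(aces: List[Ace], flows=REQUIRED_FLOWS) -> List[str]:
    """Labels of required flows the ACL fails to permit (empty = all good)."""
    return [label for proto, s, d, p, label in flows
            if not evaluate(aces, proto, s, d, p)]


def check_unwanted(aces: List[Ace], flows=UNWANTED_FLOWS) -> List[str]:
    """Labels of unwanted flows the ACL lets through (empty = all blocked)."""
    return [label for proto, s, d, p, label in flows
            if evaluate(aces, proto, s, d, p)]


if __name__ == "__main__":
    for title, text in (("as required", ACL_DMZ),
                        ("DNS misdirected", ACL_DMZ_DNS_MISDIRECTED)):
        aces = parse_acl(text, "DMZ-Access_in")
        print(f"{title}: missing={check_requirements(aces)} "
              f"leaked={check_unwanted(aces)}")
```

The evaluator only models the inbound access list on the DMZ interface, which is all the question needs because the ASA is stateful and return traffic for permitted connections is allowed automatically. Running it shows the first list satisfying every required flow and blocking the unwanted ones, while the misdirected variant reports both DNS flows as missing.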