Hello, everyone.
I hope all is OK with you.
Please see my configuration for the WAN and LAN, and help with the one for the DMZ if possible:
! ERASE THE PREVIOUS CONFIGURATION
write erase
reload
enable
configure terminal
! NAME YOUR FIREWALL
hostname ASA-YOUR_NAME
! CONFIGURE NETWORK INTERFACE FOR LAN (INSIDE) - VLAN 1 - DEFAULT VLAN
! Ethernet0/5 is an access port in VLAN 1 by default on the ASA 5505, so it only needs to be enabled
interface ethernet 0/5
no shutdown
exit
interface vlan 1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
no shutdown
write
exit
! CONFIGURING DHCP- SERVER
dhcpd address 192.168.2.5-192.168.2.51 inside
dhcpd enable inside
dhcpd dns 8.8.8.8
write
! CONFIGURE NETWORK INTERFACE FOR WAN (OUTSIDE) - VLAN 2
interface vlan 2
nameif outside
security-level 0
ip address dhcp setroute
exit
interface ethernet 0/0
switchport mode access
switchport access vlan 2
no shutdown
write
exit
! CONFIGURE NAT- RULE FOR THE INTERNET ACCESS
object network inside-subnet
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface
write
exit
! CONFIGURE BASIC RULES FOR INTERNET ACCESS
! Traffic from inside (security-level 100) to outside (0) is permitted by default;
! this ACL only has an effect once it is applied with "access-group outside_permit in interface inside".
! In an ASA ACE the port follows the destination, not the source.
access-list outside_permit extended permit tcp any any eq 80
access-list outside_permit extended permit tcp any any eq 443
write
! CONFIGURING THE SERVER FOR ICMP (PING) ECHO (TYPE 8) / ECHO-REPLY (TYPE 0)
! "permit icmp any any" inbound on outside admits every ICMP type from the Internet;
! only echo-reply, time-exceeded and unreachable are needed for return traffic,
! and with "inspect icmp" in the global policy even those replies are matched statefully.
access-list ACL-OUTSIDE extended permit icmp any any
access-group ACL-OUTSIDE in interface outside
! To DELETE ACL(s) (the name must match exactly, with a hyphen)
! clear configure access-list ACL-OUTSIDE
write
! ALLOWING THE FIREWALL TO HAVE ACCESS TO INTERNET
dns domain-lookup outside
! CONFIGURE THE SERVER
dns server-group DefaultDNS
name-server 8.8.8.8
write
exit
! CONFIGURE SSH- ACCESS
! Generate an RSA key pair for SSH ("yes" answers the prompt to replace an existing key)
crypto key generate rsa modulus 2048
yes
! Authenticate SSH logins against the local user database
aaa authentication ssh console LOCAL
username ADMIN password PASSWORD privilege 15
! Only the inside network is allowed to access SSH
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
! Enable HTTP Server on Port 443 to Enable ASDM
http server enable 443
! Only the inside network is allowed to access the ASDM
http 192.168.2.0 255.255.255.0 inside
! Authenticate ASDM (HTTP) logins against the local user database
aaa authentication http console LOCAL
write
At first glance, your configuration as well as your explanatory comments look very good. You’re all set up for your internal LAN as well as your WAN connection. If you want to find out more information about best practices for configuration, as well as for the implementation of a DMZ, take a look at the following lessons:
There are many more detailed lessons on how to configure the ASA in various scenarios at the ASA Firewall course.
Thank you, Laz.
Indeed, I was able to do it with ASAs with the basic and the “more-than-basic” license.
Please see the added code below:
! CONFIGURE NETWORK INTERFACE for DMZ (DMZ) - VLAN 3 - ASA with FULL LICENSE
interface vlan 3
! On the Base license a third VLAN fails at "nameif" with
! "This license does not allow configuration ..."; in that case uncomment the
! next line BEFORE nameif, which creates a restricted VLAN that cannot initiate traffic to VLAN 1
! no forward interface vlan 1
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
no shutdown
exit
! switchport commands belong on the physical port, not on the VLAN interface
interface ethernet 0/3
switchport mode access
switchport access vlan 3
no shutdown
exit
write
! CONFIGURING DHCP- SERVER for DMZ
dhcpd address 192.168.3.5-192.168.3.51 dmz
dhcpd enable dmz
dhcpd dns 8.8.8.8
write
! CONFIGURE NAT- RULE for THE INTERNET ACCESS for DMZ
object network dmz-subnet
subnet 192.168.3.0 255.255.255.0
nat (dmz,outside) dynamic interface
write
exit
! CONFIGURE BASIC RULES for INTERNET ACCESS for DMZ
! dmz (50) to outside (0) is permitted by default; this ACL only takes effect
! if applied with "access-group outside_permit in interface dmz"
access-list outside_permit extended permit tcp any any eq 80
access-list outside_permit extended permit tcp any any eq 443
write
! CONFIGURING THE SERVER FOR ICMP (PING) ECHO (TYPE 8) / ECHO-REPLY (TYPE 0) from INSIDE to DMZ
! The echo from inside (100) to dmz (50) is permitted by default; it is the
! echo-reply from dmz back to inside that is dropped, because ICMP is not
! tracked statefully unless "inspect icmp" is enabled in the global policy.
! Either apply the ACL below inbound on dmz, or (preferred) uncomment the
! policy-map lines so each reply is matched to the echo that caused it.
! access-list ACL-DMZ extended permit icmp any any
! access-group ACL-DMZ in interface dmz
! policy-map global_policy
! class inspection_default
! inspect icmp
! exit
! exit
! To DELETE ACL(s) (the name must match the ACL created above)
! clear configure access-list ACL-DMZ
write
! ALLOW HTTP:80 and ICMP ACCESS from INSIDE to DMZ
! (permitted by default, inside 100 -> dmz 50; these entries only matter once an
! ACL is applied inbound on the inside interface)
access-list dmz_permit extended permit tcp any any eq 80
! ICMP is its own protocol, not a TCP port
access-list dmz_permit extended permit icmp any any
access-list dmz_acl extended permit ip any any
I had some problems with the ICMP from the INSIDE to the DMZ.
Will it be possible to discuss the part called "! CONFIGURING THE SERVER FOR ICMP (PING) ECHO-REPLY (8) from INSIDE to DMZ"?
If you also find something in the full code that might be optimized, can you give some suggestions too?
If I want to be able to access a web server on :80 in the DMZ from the OUTSIDE, will it be possible to give some directions for the NAT used?
Glad to hear that you were able to get it working! As for your other questions, I suggest you go over the following lesson to see in more detail how access lists can be used to allow traffic from particular sources to particular destinations. This will help you out concerning your question about the ICMP configuration:
In addition, for access to the DMZ from outside, take a look at this lesson:
If you have any more specific questions about these, please let us know!
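Added example, not taken from the posts above or from the course: the two pieces the last questions ask about, the stateful ICMP fix for inside-to-DMZ pings and a static NAT that publishes a DMZ web server, in ASA 8.3+/9.x syntax. It assumes a web server at 192.168.3.10 (a constructed address), the outside address from DHCP as in the first post, and that ACL-OUTSIDE is already bound inbound on the outside interface.

```cisco
! Added example, not from the posts above. Assumed: DMZ web server at
! 192.168.3.10 (constructed), outside address from DHCP as before,
! ACL-OUTSIDE already applied "in interface outside".
!
! 1) Ping from inside to the DMZ: the echo (100 -> 50) is allowed by default,
!    but the echo-reply (50 -> 100) is dropped unless ICMP is tracked by the
!    inspection engine. Enable it in the default global policy.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 exit
exit
!
! 2) Publish the web server: static object NAT maps outside-IP:80 to
!    192.168.3.10:80 only, instead of exposing the whole host 1:1.
object network DMZ-WEB
 host 192.168.3.10
 nat (dmz,outside) static interface service tcp 80 80
exit
!
! 3) Let only HTTP in from the Internet. Since 8.3 the ACL matches the real
!    (untranslated) address, so reference the object, not the outside IP.
access-list ACL-OUTSIDE extended permit tcp any object DMZ-WEB eq 80
! With ICMP inspection on, replies to pings started from inside are matched
! to their echo, so the wide-open ICMP entry from the first post can go.
no access-list ACL-OUTSIDE extended permit icmp any any
! dmz (50) -> inside (100) stays blocked by default: a compromised web
! server cannot open connections into the LAN.
!
! 4) Check the path before trusting it (OUTSIDE-IP stands for the
!    DHCP-assigned outside address; 203.0.113.5 is a constructed client).
show nat detail
show access-list ACL-OUTSIDE
packet-tracer input outside tcp 203.0.113.5 12345 OUTSIDE-IP 80
```

The packet-tracer output should end with "Action: allow" and show the NAT phase translating OUTSIDE-IP:80 to 192.168.3.10:80; a "drop" in the ACCESS-LIST phase usually means the ACE references the mapped address instead of the real one.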