Friday, January 2nd, 2009 at 7:34 am
QUESTION:
I am configuring a Cisco ASA5505 with DMZ. I have local LAN 192.168.103.0/24 and DMZ 10.103.1.0/24. I am able to connect from LAN to DMZ using 10.103.1.0/24 addresses but not the other way around. I can add either a static or dynamic NAT for this.
I’m not sure how to configure the NAT to allow DMZ host to connect to 192.168.103.0/24. I will control access through ACL rather than trying to “hide” them via NAT.
ANSWER:
If you just want to connect from DMZ to real addresses on the inside:
static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0
and then, as you say, allow traffic with an ACL on the dmz interface.
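An added, fuller configuration for this answer (not from the original post; the DMZ host, inside server and port are assumed for illustration), in the same pre-8.3 NAT syntax the answer uses. The identity static keeps inside addresses visible on the DMZ unchanged; the ACL on the dmz interface then permits only the one DMZ-to-inside flow that is needed, explicitly denies and logs everything else toward the inside, and still lets the DMZ reach other destinations such as the Internet.

```cisco
! Identity NAT: inside addresses appear unchanged on the DMZ (pre-8.3 syntax)
static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0
!
! Assumed hosts for illustration: DMZ web server 10.103.1.20 must reach an
! inside database server 192.168.103.50 on TCP 1433 and nothing else inside
access-list dmz_in extended permit tcp host 10.103.1.20 host 192.168.103.50 eq 1433
! Deny all other DMZ-to-inside traffic explicitly, with logging, so attempts are visible
access-list dmz_in extended deny ip 10.103.1.0 255.255.255.0 192.168.103.0 255.255.255.0 log
! DMZ hosts may still reach anything else (e.g. the Internet via the outside interface)
access-list dmz_in extended permit ip 10.103.1.0 255.255.255.0 any
!
! Apply the ACL inbound on the dmz interface
access-group dmz_in in interface dmz
!
! Checks (exec mode), without sending real traffic: the first flow should be
! allowed, the second dropped at the ACL phase
packet-tracer input dmz tcp 10.103.1.20 40000 192.168.103.50 1433
packet-tracer input dmz tcp 10.103.1.20 40000 192.168.103.60 445
```

Once an ACL is applied inbound on the dmz interface, the implicit "permit to lower-security interfaces" behaviour no longer applies to that interface, which is why the final permit line is required for DMZ-to-Internet traffic; the dynamic NAT from dmz to outside that the question says is already possible is assumed to be in place.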
Friday, January 2nd, 2009 at 7:21 am
PROBLEM:
Network topology: remote branch office with an ASA firewall and a VPN client on the remote LAN; central site with an ASA firewall terminating the remote branch VPN client. I cannot connect from inside my branch network to the central network using the VPN client. Earlier I had FreeBSD in my office and did not have this problem (I could connect to the central ASA using the VPN client); when I changed FreeBSD to ASA this problem occurred. The VPN client is connected and the tunnel is created, but nothing more.
I get an error message: Syslog ID 305006 – regular translation creation failed for protocol 50 src inside:10.0.0.22 dst outside:6.168.y.x
SOLUTION:
On remote branch office ASA use:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect ipsec-pass-thru
ciscoasa(config-pmap-c)# exit
On Central Office ASA use:
PIX/ASA 7.1 and earlier: pix(config)#isakmp nat-traversal 20
PIX/ASA 7.2(1) and later: securityappliance(config)#crypto isakmp nat-traversal 20
Tuesday, December 23rd, 2008 at 5:57 am
By default, the global policy on a Cisco ASA firewall enables FTP inspection for all traffic passing through the appliance. Before discussing the use of FTP inspection, let's see how FTP works:
In active FTP (the default mode), two ports are needed for communication: port 21 carries the command (control) traffic and port 20 carries the data transfer. The FTP client connects from a random source port above 1023 (N > 1023) to the server's command port (21). The client then starts listening on port N+1 and tells the server that it will accept data on that port. The server then connects back to the client's specified data port from its own data source port 20.
This behavior works fine when there is no firewall between the FTP client and server. With a stateful firewall between the two FTP nodes, however, there is a problem: when the FTP server opens its data connection back to the client, the firewall blocks it, because it is a new connection initiated by the server from a different source port (20 instead of the established port-21 session). The purpose of the inspect ftp command on the Cisco ASA is therefore to watch the initial FTP command traffic (on port 21) and dynamically open the secondary data connection between the FTP server and client (from port 20), which allows FTP communication to work. If you disable FTP inspection with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
The inspect ftp command is found under the global policy map:
policy-map global_policy
class inspection_default
inspect ftp
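An added example (not from the post) covering two things a practitioner usually wants once the mechanism above is understood: how to verify that the FTP inspection engine is actually seeing sessions, and how to extend it to an FTP server listening on a non-standard port, since the default inspection_default class only matches TCP 21. The port 2121 and the class name ftp-2121 are assumed for illustration.

```cisco
! Exec mode: confirm FTP inspection is attached to the global policy and
! see how many sessions it has inspected
show service-policy inspect ftp
!
! The default class matches TCP 21 only. An FTP server on TCP 2121 (assumed)
! would otherwise have its active-mode data connections dropped, because the
! inspection engine never sees its PORT commands and opens no pinhole.
class-map ftp-2121
 match port tcp eq 2121
policy-map global_policy
 class ftp-2121
  inspect ftp
!
! Optional: strict mode additionally enforces the FTP command/response
! sequence and rejects embedded commands on the control channel
policy-map global_policy
 class inspection_default
  inspect ftp strict
```

Strict mode can break clients that do not follow the command/response sequence exactly, so test it against the FTP clients actually in use before enabling it on a production policy.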
Saturday, December 6th, 2008 at 4:10 pm
The Cisco ASA 5505 firewall is an excellent device for small branch office locations since it can offer several network services in one box. It can provide firewall security, IPSEC VPN lan-to-lan connectivity with a central office, and even power-over-ethernet connectivity for local IP phones (two of its network interfaces are power-over-ethernet ports).
A common network scenario using Cisco ASA firewalls is found in enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution. Typically, a Cisco CallManager at the enterprise central office controls the Cisco IP Phones at the small branch offices. This implementation allows centralized call processing, reduces the equipment required, and eliminates the administration of additional Cisco CallManager and other servers at the branch offices. This is illustrated in the diagram below:

The DHCP feature of the Cisco ASA 5505 firewall can be used to assign IP addresses to the branch office IP phones. Via DHCP, the ASA firewall can also provide the phones with the IP address of a TFTP server (usually the CallManager server itself). Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both its IP address and the TFTP server IP address preconfigured, it sends a request with option 150 to the DHCP server (the Cisco ASA 5505 in our case) to obtain this information. In the example above, the Cisco ASA firewall assigns IP addresses from the 10.0.0.0 network and also provides the TFTP server IP address 192.168.1.10 (the CallManager at the central office). Once the IP phones have this information, they can communicate with the central CallManager through the IPSEC VPN tunnel.
To configure the DHCP Option 150 on Cisco ASA:
ASA(config)# dhcpd option 150 ip 192.168.1.10
ASA(config)# dhcpd address 10.0.0.10-10.0.0.20 inside
ASA(config)# dhcpd enable inside
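An added example (not from the post) of the complete branch-side set this scenario usually needs, using the addresses from the post plus assumed values: the DHCP scope with option 150, and the two pieces the phones also depend on to reach the central CallManager across the tunnel, namely a NAT exemption for the phone subnet toward the central LAN (pre-8.3 syntax) and the crypto ACL matching the same flows. 192.168.1.0/24 is taken to be the central LAN; the DNS server, domain, lease time, ACL name and the existing crypto map "outside_map" entry 10 are assumptions.

```cisco
! DHCP scope for the branch phones (addresses from the post; DNS, domain and lease assumed)
dhcpd address 10.0.0.10-10.0.0.20 inside
dhcpd option 150 ip 192.168.1.10
dhcpd dns 192.168.1.5
dhcpd domain branch.example.com
dhcpd lease 86400
dhcpd enable inside
!
! Phone subnet to central LAN must not be translated when it enters the tunnel
! (pre-8.3 NAT exemption); the same ACL defines the interesting traffic
access-list branch_to_hq extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list branch_to_hq
!
! Assumed existing lan-to-lan crypto map entry; bind the interesting-traffic ACL to it
crypto map outside_map 10 match address branch_to_hq
!
! Checks (exec mode): leases actually handed out to the phones, and pool statistics
show dhcpd binding
show dhcpd statistics
```

If the phones obtain addresses but never register, the first things to compare are the DHCP scope against the NAT-exemption and crypto ACLs: a phone subnet that is outside those ACLs is translated or never triggers the tunnel, and option 150 alone does not help.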
Monday, December 1st, 2008 at 9:33 am
It is good security practice to configure a warning login banner on your Cisco ASA firewall appliance against unauthorized access attempts. The command format is:
ciscoasa(config)# banner {asdm | exec | login | motd text}
As you can see from the command format, there are four banner types, as follows:
- asdm: The Firewall displays a banner after you successfully log in to ASDM.
- exec: The Firewall displays a banner before displaying the enable prompt.
- login: The Firewall displays a banner before the password login prompt when accessing the security appliance using Telnet.
- motd: This is the Message of the Day banner. It is displayed when you first connect.
Configuration Example for Login Banner:
ciscoasa(config)# banner login ** W A R N I N G **
ciscoasa(config)# banner login Unauthorized access prohibited. All access is
ciscoasa(config)# banner login monitored, and trespassers shall be prosecuted
ciscoasa(config)# banner login to the fullest extent of the law.