ASA 5505 Inside Access to DMZ Server

Unanswered Question
Sep 24th, 2007

Hello All!

I am looking for someone smarter than me for help. I am trying to configure, in the simplest way possible, an ASA 5505 with a server on the DMZ. The only thing unusual about our network is that most workstations do not access the internet through the ASA... they use a different router to connect to a separate DSL line.


So I set up an email server on our DMZ at 192.168.100.20. It can be accessed via https, imap, etc. from the Internet, no problem, from an IP address that is not the outside interface. I tried to add access to the mail server from the inside, via an IP address that is not the inside interface. (When I tried using the inside interface for the mail server access, I lost management access to the ASA. I think this is listed as an unresolved caveat under ver. 7.2(3).)

I can ping the mail server through the ASA, and get a response from 192.168.100.20. I just can't get https, ftp, etc... if the server tries to respond, there is a "no translation group" error.


Here's my config:

name 192.168.100.20 Mailbert ;real mail server address
name 67.94.68.124 ExternalMail
name 67.94.68.122 defaultexternal
name 192.168.3.61 InternalMail61

interface Vlan1
 nameif inside
 ip address 192.168.3.2 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 67.94.68.123 255.255.255.248

interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0

access-list outside_access_in extended permit tcp any host ExternalMail eq imap4 log
access-list outside_access_in extended permit tcp any host ExternalMail eq https log

global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0 dns
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255

access-group outside_access_in in interface outside



Thanks All!

Andrew
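Added example, not code from this thread or from Cisco: a small Python model of how a pre-8.3 ASA (the 7.2 train in the post) chooses a translation for a flow, run over the NAT lines Andrew posted. The rule order it uses (static entries first, then a nat/global pair, otherwise untranslated because nat-control is off by default) and the condition under which the "no translation group" drop fires (the source matches a nat statement but no global with that id exists on the egress interface) are a simplified model and an assumption of the example. It shows why the identity static (inside,dmz) was needed to get the inside-to-DMZ flow through, and what the mail server's reply looks like coming back. The inside host 192.168.3.50 and the Internet client 203.0.113.9 are constructed values; the parse_config, translate and demo names are the example's own.

```python
"""Toy model of pre-8.3 ASA NAT rule selection (added example, not Cisco code)."""
import ipaddress
import re

# Constructed sample: the name/nat/global/static lines from the posted ASA 7.2 config.
CONFIG = """
name 192.168.100.20 Mailbert ;real mail server address
name 67.94.68.124 ExternalMail
name 67.94.68.122 defaultexternal
name 192.168.3.61 InternalMail61
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0 dns
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
"""

IDENTITY_STATIC = "static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0\n"


def parse_config(text):
    """Parse name/static/nat/global lines into lookup tables (names are resolved)."""
    names, statics, nats, globals_ = {}, [], [], {}

    def net(token, mask):
        return ipaddress.ip_network(f"{names.get(token, token)}/{mask}", strict=False)

    for raw in text.strip().splitlines():
        line = raw.split(";")[0].strip()  # drop trailing ';' annotations
        if not line:
            continue
        if line.startswith("name "):
            _, ip, alias = line.split()[:3]
            names[alias] = ip
        elif line.startswith("static "):
            real_if, mapped_if, mapped, real, mask = re.match(
                r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", line).groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "mapped": net(mapped, mask), "real": net(real, mask)})
        elif line.startswith("nat "):
            ifc, nat_id, addr, mask = re.match(r"nat \((\w+)\) (\d+) (\S+) (\S+)", line).groups()
            nats.append({"if": ifc, "id": int(nat_id), "net": net(addr, mask)})
        elif line.startswith("global "):
            ifc, nat_id, pool = re.match(r"global \((\w+)\) (\d+) (\S+)", line).groups()
            globals_[(ifc, int(nat_id))] = pool
    return {"statics": statics, "nats": nats, "globals": globals_}


def _map_addr(addr, from_net, to_net):
    """Shift an address to the same host offset inside another network."""
    return ipaddress.ip_address(int(to_net.network_address) + int(addr) - int(from_net.network_address))


def translate(cfg, src_if, dst_if, src_ip, dst_ip):
    """Return (translated_src, translated_dst, action) for a first packet src_if -> dst_if.
    Assumed order: destination un-NAT via static, then source static, then nat/global."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    new_dst = dst
    # 1. Destination un-NAT: a static whose mapped side faces the sender.
    for s in cfg["statics"]:
        if s["mapped_if"] == src_if and s["real_if"] == dst_if and dst in s["mapped"]:
            new_dst = _map_addr(dst, s["mapped"], s["real"])
            break
    # 2. Source NAT: a static whose real side faces the sender beats dynamic nat.
    for s in cfg["statics"]:
        if s["real_if"] == src_if and s["mapped_if"] == dst_if and src in s["real"]:
            return str(_map_addr(src, s["real"], s["mapped"])), str(new_dst), "static"
    for n in cfg["nats"]:
        if n["if"] == src_if and src in n["net"]:
            pool = cfg["globals"].get((dst_if, n["id"]))
            if pool is None:
                # Matched a nat statement but no global with that id on the egress
                # interface: modelled as the "no translation group found" drop.
                return None, None, f"DROP: no translation group for nat id {n['id']} on {dst_if}"
            mapped = f"interface:{dst_if}" if pool == "interface" else pool
            return mapped, str(new_dst), "dynamic PAT"
    # 3. Nothing matched: forwarded untranslated (nat-control disabled, the 7.x default).
    return str(src), str(new_dst), "untranslated"


def demo():
    """Walk the flows from the thread, with and without the identity static."""
    cfg = parse_config(CONFIG)
    before = parse_config(CONFIG.replace(IDENTITY_STATIC, ""))
    return {
        "inside->dmz with identity static": translate(cfg, "inside", "dmz", "192.168.3.50", "192.168.3.61"),
        "inside->dmz without identity static": translate(before, "inside", "dmz", "192.168.3.50", "192.168.3.61"),
        "dmz->inside reply": translate(cfg, "dmz", "inside", "192.168.100.20", "192.168.3.50"),
        "internet->mail": translate(cfg, "outside", "dmz", "203.0.113.9", "67.94.68.124"),
    }


if __name__ == "__main__":
    for flow, result in demo().items():
        print(f"{flow:40s} {result}")
```

Without the identity static, an inside host matches nat (inside) 1, there is no global (dmz) 1, and the model drops the flow with exactly the error in the post; with it, the inside address is carried unchanged into the DMZ and the server's reply is translated back to InternalMail61 on the way in. The model only covers translation selection; it says nothing about the return path from the DMZ server to a workstation whose default gateway is a different router, which is the asymmetric-routing question the later replies turn to.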


acomiskey Mon, 09/24/2007 - 17:26
User Badges:
  • Green, 3000 points or more

Why not just access it with its real address, 192.168.100.20? Just remove the destination nat statement.


no static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255


andywang1 Wed, 09/26/2007 - 13:04

I don't understand how that would work since most workstations are not using the ASA as a default gateway. Can I add to workstations the ASA and a secondary default gateway and would that work?


Thanks!!

Andrew


acomiskey Wed, 09/26/2007 - 15:09
User Badges:
  • Green, 3000 points or more

I'm surprised you can ping but cannot ftp, http etc. Could you route to the dmz from the internet router?


ip route 192.168.100.0 255.255.255.0 192.168.3.2

andywang1 Wed, 09/26/2007 - 15:27

I was only able to ping after adding this:


static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0


Note that if I try to ftp the mailserver the ASA will not complain with a "no translation group" message if I do not enable an ftp server on the mailserver. So it seems the return packet is getting lost?


I will try the ip route thing.


Thanks,

Andrew

