ASA 5505 Inside Access to DMZ Server

Unanswered Question
Sep 24th, 2007

Hello All!

I am looking for someone smarter than me for help. I am trying to configure, in the simplest way possible, an ASA 5505 with a server on the DMZ. The only thing unusual about our network is that most workstations do not access the internet through the ASA... they use a different router to connect to a separate DSL line.

So I set up an email server on our DMZ at 192.168.100.20. It can be accessed via https, imap, etc. from the Internet, no problem, from a IP address that is not the outside interface. I tried to add access to the mail server from the inside, via an IP address that is not the inside interface. (When I tried using the inside interface for the mail server access, I lost management access to the ASA. I think this is listed as an unresolved caveat under ver. 7.2(3).)

I can ping the mail server through the ASA, and get a response from 192.168.100.20. I just can't get https, ftp, etc... if the server tries to respond, there is a "no translation group" error.

Here's my config:

name 192.168.100.20 Mailbert ;real mail server address
name 67.94.68.124 ExternalMail
name 67.94.68.122 defaultexternal
name 192.168.3.61 InternalMail61
interface Vlan1
 nameif inside
 ip address 192.168.3.2 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.94.68.123 255.255.255.248
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
access-list outside_access_in extended permit tcp any host ExternalMail eq imap4 log
access-list outside_access_in extended permit tcp any host ExternalMail eq https log
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0 dns
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
access-group outside_access_in in interface outside

Thanks All!

Andrew

acomiskey Mon, 09/24/2007 - 17:26

Why not just access it with its real address, 192.168.100.20? Just remove the destination nat statement.

no static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255

andywang1 Wed, 09/26/2007 - 13:04

I don't understand how that would work since most workstations are not using the ASA as a default gateway. Can I add the ASA to the workstations as a secondary default gateway, and would that work?

Thanks!!

Andrew

acomiskey Wed, 09/26/2007 - 15:09

I'm surprised you can ping but cannot ftp, http etc. Could you route to the dmz from the internet router?

ip route 192.168.100.0 255.255.255.0 192.168.3.2

andywang1 Wed, 09/26/2007 - 15:27

I was only able to ping after adding this:

static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

Note that if I try to ftp the mailserver the ASA will not complain with a "no translation group" message if I do not enable an ftp server on the mailserver. So it seems the return packet is getting lost?

I will try the ip route thing.

Thanks,

Andrew

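Which of Andrew's flows actually find a translation, as an added illustration (not code from this thread or from Cisco): a simplified Python model of the ASA 7.x NAT lookup that covers only static rules and nat/global pairs under nat-control, ignoring nat 0 exemptions and policy NAT, with the rule table constructed from the configuration posted above. It shows why the inside-to-dmz flow only gets a translation once the identity static (inside,dmz) is present: nat (inside) 1 has no matching global on the dmz interface.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Static:          # static (real_if,mapped_if) mapped real netmask mask
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    mask: str

@dataclass
class Nat:             # nat (real_if) id net mask
    real_if: str
    nat_id: int
    net: str
    mask: str

def _in_net(addr, net, mask):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def _shift(addr, from_net, to_net):
    # Keep the host bits and swap the network part (a plain 1:1 map for a /32 static).
    ip = ipaddress.ip_address
    return str(ip(int(ip(addr)) - int(ip(from_net)) + int(ip(to_net))))

def translate_source(src_if, dst_if, src, statics, nats, globals_):
    """Mapped source address for a flow initiated on src_if toward dst_if, or None
    when no rule matches (what the ASA logs as 'No translation group found')."""
    for s in statics:  # static rules are consulted before regular nat/global
        if s.real_if == src_if and s.mapped_if == dst_if and _in_net(src, s.real, s.mask):
            return _shift(src, s.real, s.mapped)
    for n in nats:     # a nat id only applies if a global with that id exists on dst_if
        if n.real_if == src_if and _in_net(src, n.net, n.mask):
            mapped = globals_.get((dst_if, n.nat_id))
            if mapped is not None:
                return mapped
    return None

# Rule table constructed from the config in the original post (names resolved).
STATICS = [
    Static("dmz", "outside", "67.94.68.124", "192.168.100.20", "255.255.255.255"),  # ExternalMail -> Mailbert
    Static("inside", "dmz", "192.168.3.0", "192.168.3.0", "255.255.255.0"),          # identity static
    Static("dmz", "inside", "192.168.3.61", "192.168.100.20", "255.255.255.255"),    # InternalMail61 -> Mailbert
]
NATS = [Nat("inside", 1, "192.168.3.0", "255.255.255.0"), Nat("dmz", 1, "192.168.100.0", "255.255.255.0")]
GLOBALS = {("outside", 1): "67.94.68.123"}  # global (outside) 1 interface = outside IP

def check(src_if, dst_if, src, statics=STATICS):
    mapped = translate_source(src_if, dst_if, src, statics, NATS, GLOBALS)
    return mapped if mapped else "no translation group"

if __name__ == "__main__":
    print(check("inside", "dmz", "192.168.3.10"))                                   # 192.168.3.10 via identity static
    print(check("inside", "dmz", "192.168.3.10", [s for s in STATICS if s.real != s.mapped]))  # no translation group
```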