Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1012
Views
0
Helpful
7
Replies

ASA 5505 DMZ config question - CLI

kwhitley1
Level 1
Level 1

‎11-12-2007 07:44 AM - edited ‎02-21-2020 01:47 AM

I have recently inherited a network with an ASA 5505 at a remote office. Users there have a server that needs to be accessible from the outside. I would like to put this server in a DMZ and use port forwarding (I have the security plus license already installed). I can only find the ASDM instructions for this - there has to be CLI commands for this. Can someone please respond with either the instuctions or the link where I can find them?

0 Helpful
7 Replies 7

JORGE RODRIGUEZ
Level 10
Level 10

‎11-12-2007 09:03 AM

Will you be using the ASA outside interface IP? if so this thread should get you up and running for port forwarding , replace your static entry to reflect DMZ interface , static(DMZ,outside) etc.. , come back if any questions.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddfc9dc

Jorge Rodriguez
0 Helpful

kwhitley1
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎11-12-2007 06:59 PM

First of all - thank you - both for your response.

Yes - the ASA outside interface IP will be used for the server as well.

Here is what I have created so far

An Object-group:

Object-group service SERVER tcp

description TCP Passthrough Ports

Port-object range XXXX-XXXX

Port-object range xxxx-xxxx

Port-object range eq xxxxx

An access list outside_access_in:

access-list outside_access_in extended permit tcp any host (outside IP) object-group SERVER

And applied this access list to the outside interface:

access-group outside_access_in in interface outside

Is this correct?

Would the static look like this?

static (DMZ,outside) (outside IP) (DMZ server IP) netmask 255.255.255.255

Do I need a global (outside) statement?

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to kwhitley1

‎11-13-2007 05:24 AM

your static should look as :

static (DMZ,outside) interface netmask 255.255.255.255

for global leave as is if Im not mistaken it should already have statement as " global (outside) 1 interface "

Jorge Rodriguez
0 Helpful

kwhitley1
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎11-14-2007 03:23 PM

This worked! Thank you much!

0 Helpful

msosabar
Level 1
Level 1

‎11-12-2007 09:32 AM

Hello,

Here is an example of the configuration guide for PIX and ASA version 7.2, check it out and use for further reference.

0 Helpful

kwhitley1
Level 1
Level 1
In response to msosabar

‎11-14-2007 03:23 PM

Thank you - I have been looking for this without luck.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card