Routing to public DMZ

Dec 12th, 2007

Hello.

I have set up an ASA 5510 for our network. It works fine for our network.

Now I need a way to set up the DMZ with public addresses.

The outside is a x.x.214.4 / 30 network, outside ASA ip is x.x.214.6.

For internal mail server, rd, ftp etc we have got a new network. This is y.y.251.192 / 29.

My problem is getting this working. I have some experience (MCSE), but my logic is not working with the ASA. Since it is ages since I have been programming Cisco through command line commands, I have only been using the ASDM.


Hope someone can help me. The traffic (web, mail, ftp etc) from inside (LAN) to outside is working fine. I also have problems getting traffic from DMZ to inside.

Outside security level is 0, dmz is 50, inside is 100. H E L P!

acomiskey Wed, 12/12/2007 - 10:59

To get traffic from dmz to inside...let's say your inside network is 192.168.1.0/24.


static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0


Then add the following acl to allow whatever traffic you desire from dmz to inside. This example is for www. Just add whatever access you desire before the "deny ip any 192.168.1.0" line.


access-list dmz-to-inside permit tcp any host x.x.x.x eq www

access-list dmz-to-inside deny ip any 192.168.1.0 255.255.255.0

access-list dmz-to-inside permit ip any any

access-group dmz-to-inside in interface dmz

Skigutane Thu, 12/13/2007 - 02:06

Thanks, I now have access to my mail from inside!

The next step is to allow https, pop3 and smtp to and from outside.


Is it

access-list dmz-to-outside permit tcp any host x.x.x.x eq https

access-list dmz-to-outside permit tcp any host x.x.x.x eq pop3

access-list dmz-to-outside permit tcp any host x.x.x.x eq smtp

access-list dmz-to-outside deny ip any 0.0.0.0 0.0.0.0

?

acomiskey Thu, 12/13/2007 - 06:11

access-list outside_access_in permit tcp any host x.x.x.x eq https

access-list outside_access_in permit tcp any host x.x.x.x eq pop3

access-list outside_access_in permit tcp any host x.x.x.x eq smtp

access-list outside_access_in deny ip any any

access-group outside_access_in in interface outside
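Both replies in this thread rely on the ASA evaluating an access-list top to bottom and stopping at the first matching entry, with an implicit "deny ip any any" at the end; that is why acomiskey says to put any extra permits before the "deny ip any 192.168.1.0" line. The following Python script is an added example, not code from the thread or from Cisco: it parses ACEs in the ASA syntax used above and evaluates sample flows against the two access-lists (dmz-to-inside and outside_access_in). The addresses 192.168.1.10 (inside web server), 203.0.113.10 (DMZ mail server) and 198.51.100.5 (an Internet host) are constructed placeholders for the redacted x.x.x.x values, and the parser covers only the ACE forms that appear in the thread (any / host A / A MASK, optional "eq PORT").

```python
"""Toy first-match evaluator for ASA-style extended access-lists (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names used in the thread, mapped to TCP ports (the ASA resolves these itself).
PORTS = {"www": 80, "https": 443, "pop3": 110, "smtp": 25}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol; otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None = any destination port


def _addr_spec(tok, i):
    """Parse one address spec starting at tok[i]: 'any', 'host A' or 'A MASK'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # 'A MASK' form: ip_network accepts dotted netmasks; strict=False tolerates host bits
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into (NAME, Ace)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto = tok[1], tok[2], tok[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    src, i = _addr_spec(tok, 4)
    dst, i = _addr_spec(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return name, Ace(action, proto, src, dst, dport)


def load(config_text):
    """Group ACEs by access-list name, preserving line order (the order the ASA evaluates)."""
    acls = {}
    for line in config_text.strip().splitlines():
        if line.strip():
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def check(acls, name, proto, src, dst, dport=None):
    """Return the action of the first matching ACE; fall through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(name, []):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # every ASA access-list ends with an implicit 'deny ip any any'


# Constructed config: the thread's two access-lists, with placeholder hosts standing in for
# the redacted x.x.x.x values (192.168.1.10 = inside web server, 203.0.113.10 = DMZ mail host).
CONFIG = """
access-list dmz-to-inside permit tcp any host 192.168.1.10 eq www
access-list dmz-to-inside deny ip any 192.168.1.0 255.255.255.0
access-list dmz-to-inside permit ip any any
access-list outside_access_in permit tcp any host 203.0.113.10 eq https
access-list outside_access_in permit tcp any host 203.0.113.10 eq pop3
access-list outside_access_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_access_in deny ip any any
"""
ACLS = load(CONFIG)

# Same ACEs with 'permit ip any any' moved to the top: the deny line is then never reached.
MISORDERED = load("\n".join(reversed(CONFIG.strip().splitlines()[:3])))

if __name__ == "__main__":
    DMZ, INSIDE_WEB, INTERNET = "203.0.113.10", "192.168.1.10", "198.51.100.5"
    for label, args in [
        ("dmz -> inside web tcp/80 ", ("dmz-to-inside", "tcp", DMZ, INSIDE_WEB, 80)),
        ("dmz -> inside web tcp/22 ", ("dmz-to-inside", "tcp", DMZ, INSIDE_WEB, 22)),
        ("dmz -> internet tcp/443  ", ("dmz-to-inside", "tcp", DMZ, INTERNET, 443)),
        ("outside -> dmz tcp/25    ", ("outside_access_in", "tcp", INTERNET, DMZ, 25)),
        ("outside -> dmz tcp/22    ", ("outside_access_in", "tcp", INTERNET, DMZ, 22)),
    ]:
        print(label, check(ACLS, *args))
    print("misordered dmz -> inside tcp/22", check(MISORDERED, "dmz-to-inside", "tcp", DMZ, INSIDE_WEB, 22))
```

The MISORDERED list shows the pitfall behind acomiskey's advice: with "permit ip any any" ahead of the deny line, a DMZ host reaches every inside address on every port, which is exactly what the deny entry is meant to prevent if the DMZ server is ever compromised.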
