configuring dmz on asa 5500

Feb 6th, 2008

I am trying to get a DMZ configured. I have allowed the interesting traffic to go from the Inside interface to the DMZ and vice versa, but it's still being dropped.

When I do a packet trace it tells me the implicit deny ACL rule is the cause of my problems, but there are rules above it that match my traffic. So I am confused; I don't know if there is something I am missing.

I have permitted any any for troubleshooting purposes but still no dice.

Thanks for your help

acomiskey Wed, 02/06/2008 - 12:23

I would suggest starting over again with those acl's.

To get traffic from inside to dmz you do not need an acl at all.

To get traffic from the dmz to the inside, write an acl and apply it with "access-group dmz_access_in in interface dmz". For example, to allow a host on the dmz to hit a host on the inside on port 80, it would look like this...

access-list dmz_access_in extended permit tcp host 192.168.10.x host 192.168.3.x eq www

access-group dmz_access_in in interface dmz

keith.k.quaye Fri, 02/08/2008 - 04:49

Thanks, I did that but still couldn't get my ping to work from 192.168.3.15 to the dmz server 192.168.101.10.

I made changes and now I can ping from the above IP to the server's real IP, but I can't ping its external IP.

Also, I have allowed remote desktop traffic to go to the dmz server but I keep getting reset -0 in the syslog.

I am attaching current config

acomiskey Fri, 02/08/2008 - 08:59

To communicate with the dmz server on its external IP from the inside you have to do something like this...

static (DMZ,inside) <mapped-external-ip> <server-real-ip> netmask 255.255.255.255

husycisco Fri, 02/08/2008 - 09:20

Hi Keith

For getting PING to work, you should permit the icmp traffic either by ACL or by policy inspections.

Here is the icmp inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

or

access-list youracl permit icmp source destination (you can type any for source and any for destination temporarily during troubleshooting and it will allow all icmp traffic. You should do it in both the dmz and inside acls.)

Regards
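Pulling the three pieces of advice in this thread together, here is an added example of a minimal pre-8.3 ASA DMZ configuration; it is not from any poster's config. The interface name dmz, the DMZ server's real address 192.168.101.10 and the inside host 192.168.3.15 come from the thread; the interface slot, the dmz gateway address 192.168.101.1 and the mapped address 203.0.113.10 are assumed placeholders.

```cisco
! Assumed: the DMZ lives on Ethernet0/2 with security-level 50
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.101.1 255.255.255.0
!
! inside (100) -> dmz (50) needs no ACL; higher-to-lower is permitted by default.
! To reach the DMZ server on its MAPPED address from inside, the (dmz,inside)
! static is what tells the ASA to translate 203.0.113.10 back to the real host.
! 203.0.113.10 is a placeholder; substitute the server's real external address.
static (dmz,inside) 203.0.113.10 192.168.101.10 netmask 255.255.255.255
!
! dmz (50) -> inside (100) hits the implicit deny until an ACL is applied
! inbound on the dmz interface. The "permit ip any any" used while
! troubleshooting is left commented out; only the narrow rules should stay.
! access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host 192.168.101.10 host 192.168.3.15 eq www
access-list dmz_access_in extended permit icmp host 192.168.101.10 host 192.168.3.15 echo-reply
access-group dmz_access_in in interface dmz
!
! Alternative to per-ACL icmp entries: let the inspection engine track
! echo/echo-reply so replies to inside-originated pings return on their own.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify the path the way the original poster did; the output names the
! ACL or NAT phase that drops the packet instead of leaving you guessing.
packet-tracer input inside icmp 192.168.3.15 8 0 203.0.113.10
```

When the packet-tracer result still shows the implicit deny, check that the access-group is bound to the interface the traffic actually enters and that the static covers the address the client is using.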

keith.k.quaye Fri, 02/08/2008 - 09:37

Thanks for your help guys you were very helpful I finally got it right and apparently the server guy forgot to enable RDP so I was pulling my hair out wondering what was wrong. It doesn't help that I am doing this remotely.

Posted February 6, 2008 at 12:15 PM