DMZ Setup

Unanswered Question
Feb 19th, 2008

Hello,

I am trying to get a DMZ setup on my ASA 5510. The only device that will reside in this DMZ is a VPN device that will be accessed both by my internal hosts and by an external vendor. I configured a dedicated interface on the ASA for this DMZ. I created a static that maps the DMZ IP address on the device to a valid external address. The access lists that I have created allow access from all internal networks and from a specified external host to this host in the DMZ. BTW, the DMZ interface is named AGF_VPN, and the interfaces on the device are named AGF_Contivity100_int and AVF_Contivity_ext. Testing with the ASDM packet tracer shows that internal and external hosts are able to access the device in the DMZ without any issues. However, the host in the DMZ is unable to initiate connections to hosts on the internal or external network. I think that maybe my NAT and ACLs are a bit screwed up. Can anyone provide any advice to straighten this out? Any help that can be provided will be much appreciated. Thanks.

Attachment: 
Collin Clark Wed, 02/20/2008 - 07:33

Your NAT looks OK for DMZ to OUTSIDE, but there is no NAT for DMZ to INSIDE. You can NAT per internal host or the whole subnet.

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

The ACL looks OK for DMZ to INSIDE, but there is no access for DMZ to OUTSIDE. The following ACL is backwards:

access-list AGF_VPN_access_in extended permit object-group AGF_VPN_Services host AGF host AGF_Contivity100_int

It should be (and will allow the contivity to start the VPN connection):

access-list AGF_VPN_access_in extended permit object-group AGF_VPN_Services host AGF_Contivity100_int host AGF

You're close, just missing a couple of things.

HTH

marksenteza Wed, 02/27/2008 - 06:57

Hello,

The problem could be in this line:

access-list AGF_VPN_access_in extended permit object-group AGF_VPN_Services host AGF host AGF_Contivity100_int

The host AGF resides on the other side of the AGF_VPN interface on the firewall, so you probably want to reverse it to:

access-list AGF_VPN_access_in extended permit object-group AGF_VPN_Services host AGF_Contivity100_int host AGF

Also, check the routing statements on the VPN device to subnets on the other side of the firewall via 172.16.0.226, and add a route on the firewall to the VPN device's external subnet.
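Both replies come down to the same two checks: every pair of interfaces that must exchange traffic needs a static (the thread's config has one for AGF_VPN to outside but none for AGF_VPN to inside), and every entry in an ACL applied inbound on an interface must name a source that actually lives on that interface (the AGF host is on inside, so it cannot be the source in AGF_VPN_access_in). The script below is an added example for this thread, not the original poster's configuration or anything from Cisco; it parses ASA 7.x/8.0-style `name`, `static`, `access-list` and `access-group` lines and runs those checks over a constructed "before" and "after" config. The interface names, ACL name, object-group name and host labels come from the thread; all addresses, the `Vendor_Peer` label, the security levels and the AGF_VPN subnet (placed so that 172.16.0.226 is the ASA's address, as in the reply above) are constructed placeholders.

```python
"""Offline checks for an ASA 7.x/8.0-style DMZ design (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass, field

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit (?:object-group \S+|\S+) host (\S+) host (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network
    security: int


@dataclass
class Config:
    names: dict = field(default_factory=dict)    # ASA "name" table: label -> IP string
    statics: list = field(default_factory=list)  # (real_if, mapped_if) per static
    aces: dict = field(default_factory=dict)     # acl name -> [(src token, dst token)]
    bound: dict = field(default_factory=dict)    # interface -> acl applied "in"


def parse_config(text):
    cfg = Config()
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            cfg.names[m.group(2)] = m.group(1)
        elif m := STATIC_RE.match(line):
            cfg.statics.append((m.group(1), m.group(2)))
        elif m := ACE_RE.match(line):
            cfg.aces.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := GROUP_RE.match(line):
            cfg.bound[m.group(2)] = m.group(1)
    return cfg


def resolve(cfg, token):
    """Map a host token (a 'name' label or a literal IP) to an address."""
    return ipaddress.ip_address(cfg.names.get(token, token))


def interface_of(interfaces, addr):
    """First interface whose network contains addr (keep the catch-all last)."""
    for iface in interfaces:
        if addr in iface.network:
            return iface
    raise ValueError(f"{addr} is not on any configured interface")


def missing_statics(cfg, interfaces, flows):
    """Interface pairs used by the flows that no static covers (statics work both ways)."""
    covered = {frozenset(pair) for pair in cfg.statics}
    missing = set()
    for src, dst in flows:
        pair = frozenset({interface_of(interfaces, resolve(cfg, src)).name,
                          interface_of(interfaces, resolve(cfg, dst)).name})
        if pair not in covered:
            missing.add(tuple(sorted(pair)))
    return sorted(missing)


def backwards_aces(cfg, interfaces):
    """ACEs in an inbound interface ACL whose source host is not on that interface."""
    problems = []
    for iface_name, acl in cfg.bound.items():
        for src, dst in cfg.aces.get(acl, []):
            src_if = interface_of(interfaces, resolve(cfg, src)).name
            if src_if != iface_name:
                problems.append((acl, src, src_if, iface_name))
    return problems


def flow_permitted(cfg, interfaces, src, dst):
    """Does the inbound ACL on the source interface allow src -> dst?
    With no ACL bound, the ASA default applies: higher security may reach lower."""
    src_if = interface_of(interfaces, resolve(cfg, src))
    dst_if = interface_of(interfaces, resolve(cfg, dst))
    acl = cfg.bound.get(src_if.name)
    if acl is None:
        return src_if.security > dst_if.security
    return any(resolve(cfg, s) == resolve(cfg, src) and resolve(cfg, d) == resolve(cfg, dst)
               for s, d in cfg.aces.get(acl, []))


# Constructed addressing; the outside catch-all stands in for the Internet.
INTERFACES = [
    Interface("inside", ipaddress.ip_network("192.168.1.0/24"), 100),
    Interface("AGF_VPN", ipaddress.ip_network("172.16.0.224/29"), 50),
    Interface("outside", ipaddress.ip_network("0.0.0.0/0"), 0),
]

HEADER = """
name 192.168.1.10 AGF
name 172.16.0.227 AGF_Contivity100_int
name 198.51.100.20 Vendor_Peer
static (AGF_VPN,outside) 203.0.113.5 AGF_Contivity100_int netmask 255.255.255.255
access-group AGF_VPN_access_in in interface AGF_VPN
"""
# "Before": the ACE from the thread with AGF (an inside host) as the source.
BROKEN = HEADER + "access-list AGF_VPN_access_in extended permit object-group AGF_VPN_Services host AGF host AGF_Contivity100_int\n"
# "After": the identity static and reversed ACE from the replies, plus a DMZ-to-outside permit.
FIXED = HEADER + """
static (inside,AGF_VPN) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list AGF_VPN_access_in extended permit object-group AGF_VPN_Services host AGF_Contivity100_int host AGF
access-list AGF_VPN_access_in extended permit object-group AGF_VPN_Services host AGF_Contivity100_int host Vendor_Peer
"""
FLOWS = [("AGF_Contivity100_int", "AGF"), ("AGF_Contivity100_int", "Vendor_Peer"),
         ("AGF", "AGF_Contivity100_int"), ("Vendor_Peer", "AGF_Contivity100_int")]

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        cfg = parse_config(text)
        print(label, "missing statics:", missing_statics(cfg, INTERFACES, FLOWS))
        print(label, "backwards ACEs:", backwards_aces(cfg, INTERFACES))
        print(label, "DMZ->inside allowed:", flow_permitted(cfg, INTERFACES, "AGF_Contivity100_int", "AGF"))
```

Run against the "before" config it reports the missing inside/AGF_VPN static and the backwards ACE, and shows the DMZ host cannot initiate to AGF; against the "after" config both lists are empty and the DMZ-originated flows are permitted. The checker deliberately ignores ports and routing, so it complements rather than replaces the packet tracer and the route review the replies ask for.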
