04-25-2008 05:45 AM
I am setting up my DMZ area on my new 5520 and have the outside-to-DMZ NAT for a web server working properly. However, I'm having trouble understanding what needs to be done to reach that web server from the inside. I have been reading about inside-to-DMZ NAT, identity NAT, etc. Below is a partial config. I'm trying to access the 10.2.253.16 web server in the DMZ from the inside. Thanks, any advice is appreciated.
ASA Version 8.0(3)
!
hostname cdpasa1
domain-name xx.com
enable password BWaQlcykry5AAxTH encrypted
names
name 10.249.48.0 Hgnwhse description Hgnwhse
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 74.x.x.2 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.2.30.13 255.255.192.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 10.2.253.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.3 255.255.255.0
management-only
!
passwd BWaQlcykry5AAxTH encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cecodoor.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list cecovpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list cecovpn_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip Hgnwhse 255.255.255.0 10.2.0.0 255.255.192.0
access-list outside_1_cryptomap extended permit ip any Hgnwhse 255.255.255.0
access-list outside_in extended permit tcp any host 74.x.x.13 eq www
access-list outside_in extended permit tcp any host 74.x.x.13 eq https
access-list outside_in extended permit tcp any host 74.x.x.14 eq www
access-list outside_in extended permit esp any any
access-list outside_in extended permit udp any any eq isakmp
access-list outside_in extended permit icmp any host 74.x.x.13
access-list outside_in extended permit icmp any host 74.x.x.16
access-list outside_in extended permit tcp any host 74.x.x.16 eq www
access-list outside_in extended permit tcp any host 74.x.x.16 eq https
access-list outside_in extended deny ip any any log
access-list inside_nat0 extended permit ip any 10.2.253.0 255.255.255.0
access-list inside_nat0 extended permit ip any 10.2.23.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 20000
logging monitor informational
logging buffered informational
logging asdm informational
logging from-address asa5520@cecodoor.com
logging recipient-address chays@cecodoor.com level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu DMZ 1500
ip local pool cdppool 10.2.23.50-10.2.23.100 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 10.249.48.1 outside
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) 74.x.x.13 10.2.18.13 netmask 255.255.255.255
static (inside,DMZ) 10.2.20.0 10.2.20.0 netmask 255.255.254.0
static (DMZ,outside) 74.x.x.16 10.2.253.16 netmask 255.255.255.255
access-group outside_in in interface outside
04-25-2008 05:46 AM
Sorry, wrong area. I will repost in the Security area.
04-25-2008 05:50 AM
Mark,
This statement is all you need as long as the inside client is part of 10.2.20.0 255.255.254.0.
static (inside,DMZ) 10.2.20.0 10.2.20.0 netmask 255.255.254.0
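The fragment below is an added example, not part of the thread or the poster's config. It shows the pre-8.3 identity static in the form that covers the whole inside network rather than a single /23, plus the ASA commands used to check the result. The posted static covers only 10.2.20.0/23, while the inside interface (10.2.30.13 255.255.192.0) sits in 10.2.0.0/18, so an inside host such as 10.2.30.x is not matched by it. The test source host 10.2.30.50 and source port 12345 are made up for the example.

```text
! Added example (not from the thread): identity NAT from inside to DMZ for the whole
! inside subnet, so every inside host reaches 10.2.253.16 by its real address.
! Remove the narrower /23 static first so the two entries do not overlap.
no static (inside,DMZ) 10.2.20.0 10.2.20.0 netmask 255.255.254.0
static (inside,DMZ) 10.2.0.0 10.2.0.0 netmask 255.255.192.0
!
! Inside (100) to DMZ (50) is high-to-low security and no access-group is applied to
! the inside interface in the posted config, so no ACL entry is needed for the
! TCP/80 connection itself.
!
! Check the translation and the path the ASA would take for a test flow.
! The source host 10.2.30.50 and port 12345 are assumptions for the example.
packet-tracer input inside tcp 10.2.30.50 12345 10.2.253.16 80
show xlate | include 10.2.253.16
show xlate debug
```

packet-tracer reports each phase (route lookup, ACL, NAT) and states whether the flow would be allowed, which is the quickest way to tell whether a missing translation or an ACL is dropping the connection; `show xlate` confirms the identity entry exists once a connection has been attempted.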