ASA5505 NAT/PAT configuration help

May 9th, 2008

This is my network configuration:


interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.7 255.255.255.0
!
interface Vlan12
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.254 255.255.255.0
!

There must be communication:

from any inside host -> to outside.
from any dmz host -> to outside.
from any inside host -> to dmz.
using PAT: from any outside host -> to some services on inside servers.

These configurations are OK, but I'm not able to communicate from some servers in the DMZ to some inside servers which use e.g. the SMTP and POP3 protocols.




access-list outside_access_in extended permit tcp any host 192.168.0.12 object-group Linuxsrv_servizi
access-list outside_access_in extended permit tcp any host 192.168.0.8 object-group Mailsrv1_servizi
access-list outside extended permit tcp any host 192.168.0.12 eq www
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp host linuxsrv any eq www
access-list dmz_access_in extended permit tcp host websrv any eq www
access-list dmz_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit icmp 192.168.2.0 255.255.255.0 any
access-list dmz_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq domain

----------------------------------------------------------------------------------------------------------------------

This is my NAT configuration:

global (outside) 1 192.168.0.8 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp 192.168.0.8 www 192.168.1.201 www netmask 255.255.255.255
static (inside,outside) tcp 192.168.0.8 5500 192.168.1.132 5500 netmask 255.255.255.255
static (inside,outside) tcp 192.168.0.8 smtp 192.168.1.201 smtp netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 linuxsrv netmask 255.255.255.255
static (inside,dmz) 192.168.2.0 192.168.1.0 netmask 255.255.255.0

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1


Shall I make another NAT rule, e.g. from inside to DMZ?
I tried to make it, but I always get an error: "this rule is overlapping an existent nat rule"

static (inside,dmz) 192.168.2.0 192.168.1.0 netmask 255.255.255.0

Could you please tell me where I am wrong?

Kind regards
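As an added offline check (example code written for this edit, not part of the thread and not a Cisco tool), the following Python script parses the interface blocks and the pre-8.3 `static` lines from the post above and reports two conditions a reviewer would look at before touching the license: a static whose mapped range on the mapped interface contains that interface's own address (the `static (inside,dmz) 192.168.2.0 192.168.1.0 netmask 255.255.255.0` line maps the inside subnet onto 192.168.2.0/24, the subnet the dmz interface itself lives in), and a static that repeats one already present, which is what happens when the same line is entered a second time as in the attempt above. The configuration text embedded in the script is constructed from the lines in this post; the `names` mapping that resolves the `linuxsrv` alias to an address is an assumed value, since the post does not show the `name` command for it.

```python
import ipaddress

# Constructed sample: the interface blocks and static lines from the post above.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.7 255.255.255.0
!
interface Vlan12
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.254 255.255.255.0
!
static (inside,outside) tcp 192.168.0.8 www 192.168.1.201 www netmask 255.255.255.255
static (inside,outside) tcp 192.168.0.8 5500 192.168.1.132 5500 netmask 255.255.255.255
static (inside,outside) tcp 192.168.0.8 smtp 192.168.1.201 smtp netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 linuxsrv netmask 255.255.255.255
static (inside,dmz) 192.168.2.0 192.168.1.0 netmask 255.255.255.0
"""


def parse_interfaces(text):
    """Map each nameif to its IPv4Interface, read from the 'interface' blocks."""
    ifaces = {}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()[:4]
            ifaces[nameif] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces


def to_network(token, mask, names):
    """Resolve an address token (or a 'name' alias) to a network; None if it cannot be resolved."""
    token = names.get(token, token)
    try:
        return ipaddress.IPv4Network(f"{token}/{mask}", strict=False)
    except ValueError:
        return None


def parse_static(line, names):
    """Parse 'static (real,mapped) [tcp|udp] mapped [port] real [port] netmask M' (pre-8.3 syntax)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "static" or "netmask" not in tokens:
        return None
    real_ifc, mapped_ifc = tokens[1].strip("()").split(",")
    rest = tokens[2:]
    mask = rest[rest.index("netmask") + 1]
    proto = mapped_port = real_port = None
    if rest[0] in ("tcp", "udp"):
        proto, mapped_tok, mapped_port, real_tok, real_port = rest[:5]
    else:
        mapped_tok, real_tok = rest[:2]
    return {
        "line": line.strip(),
        "real_ifc": real_ifc,
        "mapped_ifc": mapped_ifc,
        "proto": proto,
        "mapped_net": to_network(mapped_tok, mask, names),
        "mapped_port": mapped_port,
        "real_net": to_network(real_tok, mask, names),
        "real_port": real_port,
    }


def lint_statics(text, names=None):
    """Return findings: duplicated statics, and mapped ranges that contain the mapped interface's own IP."""
    names = names or {}
    ifaces = parse_interfaces(text)
    findings = []
    seen = set()
    for raw in text.splitlines():
        s = parse_static(raw.strip(), names)
        if s is None:
            continue
        key = (s["real_ifc"], s["mapped_ifc"], s["proto"], str(s["mapped_net"]), s["mapped_port"])
        if key in seen:
            findings.append(f"duplicate of an existing static: {s['line']}")
        seen.add(key)
        ifc = ifaces.get(s["mapped_ifc"])
        if ifc and s["mapped_net"] and ifc.ip in s["mapped_net"]:
            findings.append(
                f"mapped range {s['mapped_net']} on '{s['mapped_ifc']}' contains that "
                f"interface's own address {ifc.ip}: {s['line']}"
            )
    return findings


if __name__ == "__main__":
    # 'linuxsrv' -> 192.168.2.10 is an assumed alias value, not taken from the post.
    for finding in lint_statics(SAMPLE_CONFIG, names={"linuxsrv": "192.168.2.10"}):
        print(finding)
```

Run against the posted lines, the script reports only the (inside,dmz) static; the (inside,outside) port statics map single addresses next to, not on top of, the outside interface address, so they pass. Appending the same (inside,dmz) line again produces the duplicate finding as well.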

rkalia1 Fri, 05/09/2008 - 17:23

You don't have the Security Plus license for your ASA 5505. In the base license, DMZ capabilities are limited. You may need to upgrade your ASA license to Security Plus.

mirco.frazzoni Sat, 05/10/2008 - 10:43

I've just installed the Security Plus license 2 days ago.

I'll try the configurations suggested next Monday.

Thanks a lot.

Best Regards

Mirco

mirco.frazzoni Thu, 05/15/2008 - 05:22

You were right. I did activate the license, but I did not save the unlock of the traffic from DMZ to inside.

Thank you again,

Regards

Mirco Frazzoni

mirco.frazzoni Thu, 05/15/2008 - 05:17

Thank you, I've followed your advice and now it works. However, I actually had another problem: I bought the ASA 5505 with DMZ restricted, activated Security Plus (DMZ unrestricted), but I forgot to enable the traffic from DMZ to inside and to save it in my configuration.

Regards,

Mirco Frazzoni
