ASA 5505 dmz newbie

Unanswered Question
Jun 26th, 2008

Can't seem to figure out how to build a DMZ for our webserver. All traffic gets denied by the default incoming rule.


I want all incoming http/80 requests to the external ip (192.168.10.35 for now) to be forwarded to the www-server in the dmz 176.16.3.15.

I think I have the address translation up and running, but no matter what incoming firewall rule I create, traffic gets blocked. I must be missing something obvious here... any ideas:


ASA Version 8.0(3)
!
hostname *
domain-name *
enable password *
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif dmz-office
 security-level 50
 ip address 172.16.3.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside-acl extended permit tcp any host 192.168.10.35 eq www
access-list outside_access_in extended permit tcp any host 192.168.10.35 eq www
access-list l2l_list extended permit ip host 192.168.10.35 host 192.168.10.14
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz-office 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp 192.168.1.2 www 192.168.10.35 www netmask 255.255.255.255
static (dmz-office,inside) 172.16.3.14 192.168.10.35 netmask 255.255.255.255
static (inside,dmz-office) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
access-group outside_access_in in interface outside

dhananjoy chowdhury Thu, 06/26/2008 - 01:36

Hi,

Give the following command for natting the ip 192.168.10.35(outside) to 172.16.3.15(dmz)


static (dmz,outside) 192.168.10.35 172.16.3.15 netmask 255.255.255.255
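A small consistency check for the mismatch this thread is about, added here as an example and not part of the original thread or of any Cisco tool: it parses pre-8.3 `static`, `access-list` and `access-group` lines and reports every inbound-permitted destination host that has no `static` whose mapped (second) interface is the interface the ACL is applied to. The sample config is copied from the question; the "fixed" variant appends the reply's static, using the config's real nameif `dmz-office` in place of `dmz` (an assumption, since the interface in the posted config is named `dmz-office`).

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Static(NamedTuple):
    real_if: str            # interface where the real host lives
    mapped_if: str          # interface on which the mapped address is visible
    mapped_ip: str
    mapped_port: Optional[str]  # None for a one-to-one (all ports) static
    real_ip: str


# Constructed sample: the NAT/ACL-relevant lines from the question's ASA 8.0(3) config.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
interface Vlan3
 nameif dmz-office
access-list outside_access_in extended permit tcp any host 192.168.10.35 eq www
access-list l2l_list extended permit ip host 192.168.10.35 host 192.168.10.14
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp 192.168.1.2 www 192.168.10.35 www netmask 255.255.255.255
static (dmz-office,inside) 172.16.3.14 192.168.10.35 netmask 255.255.255.255
static (inside,dmz-office) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
"""

# Same config plus the reply's static (assumed nameif: dmz-office rather than dmz).
SAMPLE_CONFIG_FIXED = SAMPLE_CONFIG + (
    "static (dmz-office,outside) 192.168.10.35 172.16.3.15 netmask 255.255.255.255\n"
)

# Only the simple ACE forms used in the thread: any / host X, optional 'eq PORT'.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))?$"
)
STATIC_HEAD_RE = re.compile(r"^static \(([^,]+),([^)]+)\) (.*)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_static(line: str) -> Optional[Static]:
    """Parse 'static (real,mapped) [tcp|udp] mapped_ip [mport] real_ip [rport] netmask M'."""
    m = STATIC_HEAD_RE.match(line)
    if not m:
        return None
    real_if, mapped_if, rest = m.groups()
    toks = rest.split()
    if toks[0] in ("tcp", "udp"):           # port static: proto mapped_ip mport real_ip rport
        return Static(real_if, mapped_if, toks[1], toks[2], toks[3])
    return Static(real_if, mapped_if, toks[0], None, toks[1])


def find_unpublished_targets(config: str) -> List[str]:
    """Return one finding per inbound permit whose destination host lacks a matching static."""
    statics: List[Static] = []
    acls: Dict[str, List[dict]] = {}
    bindings: Dict[str, str] = {}          # ACL name -> interface it is applied to (inbound)
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("static "):
            s = parse_static(line)
            if s:
                statics.append(s)
        elif (m := ACE_RE.match(line)):
            acls.setdefault(m["name"], []).append(m.groupdict())
        elif (m := ACCESS_GROUP_RE.match(line)):
            bindings[m.group(1)] = m.group(2)

    findings = []
    for acl, iface in bindings.items():
        for ace in acls.get(acl, []):
            if ace["action"] != "permit" or not ace["dst"].startswith("host "):
                continue                    # 'any' or network destinations are not checked here
            dst, port = ace["dst"].split()[1], ace["port"]
            published = any(
                s.mapped_if == iface and s.mapped_ip == dst
                and (s.mapped_port is None or s.mapped_port == port)
                for s in statics
            )
            if not published:
                what = f"{ace['dst']} eq {port}" if port else ace["dst"]
                findings.append(
                    f"{acl} on {iface}: {what} is permitted but no static maps it on "
                    f"interface '{iface}' (only statics with '{iface}' as the mapped side count)"
                )
    return findings


if __name__ == "__main__":
    print("as posted:", find_unpublished_targets(SAMPLE_CONFIG))
    print("with reply's static:", find_unpublished_targets(SAMPLE_CONFIG_FIXED))
```

Run against the posted config it flags `outside_access_in on outside: host 192.168.10.35 eq www`, because both existing statics for that address have `inside` as the mapped interface; after the reply's `(dmz-office,outside)` static is appended, the list is empty. On the box itself the equivalent check is `packet-tracer input outside tcp <src-ip> <src-port> 192.168.10.35 80`, which shows which phase (NAT or ACL) drops the packet.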

robbhanMid Thu, 06/26/2008 - 04:46

Does the NAT routing between the VLANs have to be up and running correctly before I use the packet tracer in the ASDM to see what packets are accepted and/or dropped?


It seems like everything gets dropped but the default rule.
