ASA 5505 dmz trouble for newbie

robbhanMid · ‎06-26-2008

I can't figure out how to configure NAT properly.

I want incoming http requests on interface outside to be forwarded to host 192.168.3.2 on interface dmz. But everything gets denied. Is this a NAT problem or an ACL problem?

The outside interface is 192.168.1.103

My config:

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan12

nameif dmz

security-level 50

ip address 192.168.3.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 12

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

access-list outside_access_in extended permit tcp any eq www host 192.168.1.103

access-list dmz_access_in extended permit tcp any eq www host 192.168.1.103

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface www 192.168.3.2 www netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

a.alekseev · ‎06-26-2008

try this

no access-list outside_access_in extended permit tcp any eq www host 192.168.1.103

access-list outside_access_in extended permit tcp any any eq www

no access-list dmz_access_in extended permit tcp any eq www host 192.168.1.103

access-list dmz_access_in extended deny ip any 192.168.2.0 255.255.255.0

access-list dmz_access_in extended permit ip any any

access-list NO-NAT permit ip any 192.168.3.0 255.255.255.0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (inside) 0 access-list NO-NAT

nat (dmz) 1 0 0

static (dmz,outside) tcp interface www 192.168.3.2 www netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz