ASA5505 DMZ Ports

stevenhuey
Level 1

I've got an ASA5505 with 3 interfaces: inside, outside, and dmz. The DMZ is configured as a 192.168.1.0/24 network and needs to have access through the outside interface for internet access.

Additionally, I have a device at 192.268.1.28 which needs to communicate with an external server at 8.4.112.213 on ports 1008, 1009, 1018, and 2000 via TCP.

I've attached two different configurations (cleaned for posting) and a log file identifying attempts using both configurations to reach the external server, and communication is failing.

I'm new to the ASA5505. Can someone please take a look and give me some hints on how to get this working? To me it looks like the configuration should allow the traffic between the DMZ and the external server, but it's not.

Thanks,

Steve


Steve Lyons
Level 1

If NAT is configured the following rules apply:

1) If the traffic is sourced from a high-security interface to a low-security interface and no access lists are applied to any interface, then you can use the nat and global commands.

2) If traffic is sourced from a low-security interface to a high-security interface, then you will need to use the static nat commands and apply access-lists to the outside (low-security) interface allowing traffic in.

The default security levels are used for the following interfaces:

1) Inside interface = security level 100

2) Outside interface = security level 0

3) dmz interface = security level 50

0 = lowest security level

100 = highest security level

Refer to the following link:

http://cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html
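As an added example (not from the post or the reply), rule 1 above applied to the poster's setup in the pre-8.3 syntax of the linked ASA 8.0 guide, together with the check most often missed once an access-list is bound to the dmz interface. Assumptions: VLAN interface numbers, the access-list name, and the DMZ host address 192.168.1.28 (the post's 192.268.1.28 is not a valid IPv4 address).

```text
! Security levels as the reply describes them (ASA 5505 uses VLAN interfaces;
! only the nameif / security-level lines are shown)
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif dmz
 security-level 50
!
! Rule 1 (high -> low): dynamic PAT so the whole DMZ subnet leaves through
! the outside interface address
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Caveat: as soon as an access-list is applied to the dmz interface, the
! implicit "higher security may talk to lower security" permission no longer
! applies on that interface; every flow leaving the DMZ must be permitted
! explicitly, or it hits the implicit deny. Assumed host: 192.168.1.28.
access-list dmz_access_in extended permit tcp host 192.168.1.28 host 8.4.112.213 eq 1008
access-list dmz_access_in extended permit tcp host 192.168.1.28 host 8.4.112.213 eq 1009
access-list dmz_access_in extended permit tcp host 192.168.1.28 host 8.4.112.213 eq 1018
access-list dmz_access_in extended permit tcp host 192.168.1.28 host 8.4.112.213 eq 2000
! general outbound web/DNS for the rest of the DMZ, everything else denied and logged
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq 53
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! Verification: trace a synthetic flow through the NAT and ACL phases, then
! confirm a translation is built and the permit counters increment when the
! device really connects
packet-tracer input dmz tcp 192.168.1.28 40000 8.4.112.213 1008
show xlate
show access-list dmz_access_in
!
! TCP/2000 is inspected as Skinny (SCCP) by the default global policy; if the
! application on 2000 is not SCCP, the inspection can drop the session
show service-policy inspect skinny
```

If packet-tracer reports a drop in the ACCESS-LIST phase, the dmz access-list is missing a permit for that flow; a drop in the NAT phase means the nat/global pair does not cover the source subnet.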
