07-03-2008 04:01 PM - edited 03-03-2019 10:35 PM
I've got an ASA5505 with 3 interfaces: inside, outside, and dmz. The DMZ is configured as a 192.168.1.0/24 network and needs to have access through the outside interface for internet access.
Additionally, I have a device at 192.268.1.28 which needs to communicate with an external server at 8.4.112.213 on ports 1008, 1009, 1018, and 2000 via TCP.
I've attached two different configurations (cleaned for posting) and a log file identifying attempts using both configurations to reach the external server, and communication is failing.
I'm new to the ASA5505. Can someone please take a look and give me some hints on how to get this working? To me it looks like the configuration should allow the traffic between the DMZ and the external server, but it's not.
Thanks,
Steve
07-05-2008 06:46 AM
If NAT is configured, the following rules apply:
1) If the traffic is sourced from a high-security interface to a low-security interface and no access lists are applied to any interface, then you can use the nat and global commands.
2) If the traffic is sourced from a low-security interface to a high-security interface, then you will need to use the static NAT commands and apply access lists to the outside (low-security) interface allowing the traffic in.
The default security levels for the interfaces are:
1) Inside interface = security level 100
2) Outside interface = security level 0
3) dmz interface = security level 50
0 = lowest security level
100 = highest security level
Refer to the following link:
http://cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html
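To make the two rules above concrete, here is an added example ASA configuration in the pre-8.3 syntax that the linked 8.0 guide documents. It is not the poster's attached configuration and not a Cisco sample; the inside addressing, the outside addressing and default route, the mapped address 203.0.113.3, and the DMZ host address 192.168.1.28 (taken to sit in the 192.168.1.0/24 DMZ described in the question) are all assumptions. The DMZ-to-Internet path follows rule 1 (nat/global), the outside-to-DMZ path at the end follows rule 2 (static plus an access-list applied on outside), and the comments flag the one detail that most often breaks rule 1 in practice: binding an access-group to the dmz interface removes the implicit permit to lower-security interfaces.

```cisco
! ASA 5505, pre-8.3 NAT syntax. Addresses other than 192.168.1.0/24 and
! 8.4.112.213 are assumptions for this example.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan3
 ! Base license on the 5505: the third VLAN must carry "no forward interface
 ! Vlan1". That blocks dmz-initiated traffic to inside; it does not affect
 ! dmz-to-outside.
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! Rule 1: inside (100) and dmz (50) to outside (0) are high-to-low, so dynamic
! PAT to the outside interface address is all the translation that is needed.
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0

! Caveat on rule 1: as soon as an access-group is bound to dmz, the implicit
! "permit to any lower security level" is replaced by an implicit deny-all,
! so every outbound flow the DMZ needs must be permitted explicitly. Here the
! DMZ host gets exactly the four TCP ports on the external server and the
! rest of the DMZ gets DNS and web only.
object-group service EXT_SERVER_TCP tcp
 port-object eq 1008
 port-object eq 1009
 port-object eq 1018
 port-object eq 2000
access-list DMZ_IN extended permit tcp host 192.168.1.28 host 8.4.112.213 object-group EXT_SERVER_TCP
access-list DMZ_IN extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list DMZ_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list DMZ_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! Rule 2, for contrast: outside (0) to dmz (50) is low-to-high, so the DMZ
! host needs a static translation and an access-list applied inbound on the
! outside interface. Publishing HTTPS on the mapped address is an assumption.
static (dmz,outside) 203.0.113.3 192.168.1.28 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq https
access-group OUTSIDE_IN in interface outside
```

To check the DMZ-to-server path without waiting for the device to retry, run `packet-tracer input dmz tcp 192.168.1.28 12345 8.4.112.213 1008` on the ASA; it reports which phase (ACCESS-LIST, NAT, ROUTE-LOOKUP) drops the flow. A flow denied by the DMZ access-group shows up in the log as a `%ASA-4-106023` message naming the access-list, and `show xlate` confirms whether the PAT entry was ever built.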