ASA 5550 configuration

Answered Question
Aug 6th, 2008

Hi,

I have installed an ASA 5550. My inside interface is connected to a 2960 switch, and users in the network have their default gateway pointing to the IP address of the ASA inside interface.

My question is this: I have placed my proxy server, NMS and FTP server in the DMZ zone. How will the traffic flow for internet access? All the users are pointing to their default gateway. How will the ASA forward traffic to the proxy, and then the proxy forward it to the internet?

Thanks

Jon Marshall Thu, 08/07/2008 - 00:00

Presumably you have the proxy server configured in the web browser on the client PCs?

If so, assuming:

client vlan = 192.168.5.0/24

ASA inside interface = 192.168.5.1

DMZ vlan = 192.168.10.0/24

Proxy server = 192.168.10.2

The user requests a web page; the browser sees it needs to send the packet to the proxy, so the client PC sends the packet to the ASA inside interface. The ASA then forwards the packet on to the proxy server in the DMZ.

The proxy server then sends the request to the web site requested by the client PC.

Jon

itdsmartnet Thu, 08/07/2008 - 00:11

Hi,

For the ASA to forward traffic to the proxy, do we need some sort of static mapping or not?

OR

Does the ASA forward traffic to the proxy by default? And for the proxy to communicate with the internet, what should I do?

Thanks

dhananjoychowdhury Thu, 08/07/2008 - 00:04

For all servers in the DMZ to reach the internet you can do this:

nat (dmz) 5 0 0

global (Outside) 5 interface

Now check whether you are able to reach the proxy server from the inside LAN; if not, then you need to configure NONAT for traffic from inside to DMZ.

itdsmartnet Thu, 08/07/2008 - 00:15

Hi,

Thanks for your response. I would like to ask: do I need some kind of ACL for traffic returning from the internet to the proxy server? How should I configure NONAT for traffic from inside to DMZ? Please give me some details, i.e. whether ACLs are applied or not.

Thanks

dhananjoychowdhury Thu, 08/07/2008 - 00:30

Hi,

An ACL is not required for the return traffic from the internet.

Now, for inside to DMZ, please check if you are able to access the proxy server.

You should be able to access it because, by default, nat-control is disabled.

itdsmartnet Thu, 08/07/2008 - 00:41

Thanks for your help.

Another thing I want to know: I have placed my mail server in the DMZ too. What sort of configuration do I need on the ASA so that the mail server can communicate with the internet as well as with the inside network?

Thanks

dhananjoychowdhury Thu, 08/07/2008 - 00:46

Suppose your mail server in the DMZ is 172.16.20.25 and the IP on the Outside interface is A.B.C.D; then configure NAT and the ACL like this:

static (dmz,Outside) tcp A.B.C.D 25 172.16.20.25 25

access-list out-in permit tcp any host A.B.C.D eq 25

access-group out-in in interface Outside

itdsmartnet Thu, 08/07/2008 - 01:23

Thanks for your reply.

OK, do I need to configure any ACL for inside users to communicate with the web server in the DMZ, and for the web server to communicate with inside users?

Thanks

Correct Answer
dhananjoychowdhury Thu, 08/07/2008 - 01:32

Hi Waseem,

If the web server in the DMZ initiates a connection to the inside, then an ACL is required.

But if inside users connect to the web server in the DMZ it won't need an ACL, as traffic is flowing from a high security zone to a low security zone.
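The pieces given across this thread (the nat/global pair for DMZ servers reaching the internet, the NONAT for inside-to-DMZ traffic, the static PAT plus outside-in ACL for the mail server, and the ACL needed when a DMZ host initiates a connection toward the inside) combined into one pre-8.3 ASA configuration. This is an added example, not configuration posted by anyone in the thread. It assumes Jon's addressing (inside 192.168.5.0/24 with the ASA at 192.168.5.1, DMZ 192.168.10.0/24, proxy 192.168.10.2), places the mail server at 192.168.10.25 in that DMZ subnet rather than the 172.16.20.25 used above, assumes an internal mail relay at 192.168.5.25, uses A.B.C.D / A.B.C.1 as placeholders for the Outside address and ISP next hop, and assumes the client browsers are already configured to use the proxy (the ASA does not redirect traffic to it):

```cisco
! Security levels set the default direction of trust: higher -> lower
! is permitted without an ACL, lower -> higher needs an explicit ACL.
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address A.B.C.D 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Default route toward the ISP (A.B.C.1 is an assumed next hop)
route Outside 0.0.0.0 0.0.0.0 A.B.C.1 1
!
! NONAT: identity-NAT traffic between inside and dmz in both directions
! so that the dynamic PAT rules below never translate it.
access-list inside-nonat extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside-nonat
access-list dmz-nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (dmz) 0 access-list dmz-nonat
!
! Inside users and DMZ servers (proxy, NMS, FTP, mail) share the
! Outside interface address for internet access (dynamic PAT).
nat (inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
nat (dmz) 5 0.0.0.0 0.0.0.0
global (Outside) 5 interface
!
! Publish only SMTP on the Outside address. The "interface" keyword is
! required when the public address is the Outside interface's own IP.
static (dmz,Outside) tcp interface 25 192.168.10.25 25 netmask 255.255.255.255
!
! Outside -> dmz is low -> high, so the inbound ACL must permit it.
! Return traffic for DMZ-initiated connections needs no entry here;
! the ASA is stateful.
access-list out-in extended permit tcp any interface Outside eq 25
access-group out-in in interface Outside
!
! dmz -> inside is also low -> high. Permit only what the DMZ hosts
! must initiate toward the LAN (assumed: mail delivery to the relay),
! block everything else toward inside, then let the DMZ reach the
! internet. Without this ACL the DMZ could still reach the internet
! but could never initiate connections to the inside.
access-list dmz-in extended permit tcp host 192.168.10.25 host 192.168.5.25 eq 25
access-list dmz-in extended deny ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list dmz-in extended permit ip 192.168.10.0 255.255.255.0 any
access-group dmz-in in interface dmz
```

To confirm the inside-to-proxy path is untranslated and permitted, run `packet-tracer input inside tcp 192.168.5.10 1025 192.168.10.2 3128` (assumed proxy port) and check that the NAT phase reports the identity (nat 0) rule and the result is ALLOW; `show xlate` after a DMZ host browses out should show its address PAT'd to the Outside interface. The explicit deny toward inside in `dmz-in` is the security-relevant line: a compromised DMZ server then cannot reach the LAN except on the one port you chose to expose.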

Posted August 6, 2008 at 11:52 PM