ASA 5510

sameoj1881
Level 1

I am having some issues on my ASA 5510 which I just configured. I have created inside users, DMZ (for my 3 servers: ISA, Exchange and WEB Client Sage) and outside interfaces. I have a router facing the internet.

Here is what I want to achieve:

1. Inside users to access the servers in the DMZ and vice versa.

2. Inside users MUST go to the internet via ISA, which is in the DMZ.

3. The servers in the DMZ have both public and private addresses, but I want to do a 2-layer NAT: one on the ASA and the other on the router facing the internet.

4. I want all 3 servers to go to the internet with their respective public addresses.

5. I want users on the internet to access the servers in the DMZ only.

Someone should please help me out with the commands to achieve each task (please, I want tested commands).

Thanks a lot.

7 Replies

Marwan ALshawi
VIP Alumni

Let's say the inside network is

10.1.1.0/24

DMZ 192.168.1.0/24

1. Inside users to access the servers in the DMZ and vice versa

A:

static (inside,DMZ) 192.168.1.0 10.1.1.0 netmask 255.255.255.0

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-group 100 in interface DMZ

2. Inside users MUST go to the internet via ISA, which is in the DMZ.

Let's say the ISA IP is 192.168.1.10/25

route DMZ 0.0.0.0 0.0.0.0 192.168.1.10

But you need to do the NAT/PAT on the internet edge (your router or the ISA).

So far, OK.

After that,

I want to know whether you want to use your ASA as a one-stick device.

I mean, do you want the traffic to go to the ISA, then back to the ASA, then to the router, then the internet???

I think it is better if you put the ASA and ISA back to back and make the DMZ in between, like:

inside---ASA---DMZ--ISA--router--internet

If helpful, rate

and let me know as well.
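The config lines in the reply above carry two typos (an ACL keyword and a netmask that is not a valid mask) that are easy to miss when copying commands into a firewall. Below is a small hypothetical pre-deployment checker written for this thread (it is not a Cisco tool and not part of the reply). It understands only the static / access-list / access-group / route forms used above, and it assumes the inside and DMZ addressing the reply chose (10.1.1.0/24 and 192.168.1.0/24); the sample configuration it lints is the reply's lines as originally posted, including the typos.

```python
"""Lint a few pre-8.3 ASA configuration lines before pasting them into a
firewall. Hypothetical checker written for this thread, not a Cisco tool: it
understands only the static / access-list / access-group / route forms used in
the reply above, with the address ranges the reply assumed."""
import ipaddress
import re

# Constructed sample: the reply's lines as first posted, including the two
# typos ("pemir" for "permit", "255.25.255.0" for "255.255.255.0").
SAMPLE_CONFIG = """\
static (inside, DMZ) 192.168.1.0 10.1.1.0 netmask 255.255.255.0
access-list 100 pemir ip 192.168.1.0 255.255.255.0 10.1.1.0 255.25.255.0
access-group 100 in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 192.168.1.10
"""

# Assumed interface addressing, taken from the reply's "let's say" values.
INTERFACES = {
    "inside": ipaddress.ip_network("10.1.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.1.0/24"),
}
ACL_ACTIONS = {"permit", "deny"}
# static (real_if,mapped_if) mapped_addr real_addr [netmask MASK]
STATIC_RE = re.compile(
    r"static\s+\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?$"
)


def is_contiguous_mask(mask: str) -> bool:
    """True for a dotted-quad mask whose bits are a run of 1s followed by 0s."""
    try:
        value = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    host_bits = (~value) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0  # holds only for 0b0...01...1


def _addr_spec(fields, i):
    """Consume one ACL address spec (any | host A | A MASK); return (problems, next index)."""
    if fields[i] == "any":
        return [], i + 1
    if fields[i] == "host":
        return [], i + 2
    mask = fields[i + 1]
    return ([] if is_contiguous_mask(mask) else [f"invalid netmask '{mask}'"]), i + 2


def lint_static(line):
    m = STATIC_RE.match(line)
    if not m:
        return ["static: unrecognised syntax"]
    real_if, _mapped_if, _mapped, real, mask = m.groups()
    mask = mask or "255.255.255.255"
    if not is_contiguous_mask(mask):
        return [f"static: invalid netmask '{mask}'"]
    real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
    # The real (untranslated) address must live behind the first interface named.
    if real_if in INTERFACES and not real_net.subnet_of(INTERFACES[real_if]):
        return [f"static: real address {real_net} is not on interface {real_if}"]
    return []


def lint_acl(tokens):
    # access-list <id> [extended] <permit|deny> <proto> <src-spec> <dst-spec>
    body = tokens[2:]
    if body[:1] == ["extended"]:
        body = body[1:]
    problems = []
    try:
        if body[0] not in ACL_ACTIONS:
            problems.append(f"access-list: unknown action '{body[0]}' (expected permit or deny)")
        p, i = _addr_spec(body, 2)  # body[1] is the protocol
        problems += ["access-list: source " + s for s in p]
        p, _ = _addr_spec(body, i)
        problems += ["access-list: destination " + s for s in p]
    except IndexError:
        problems.append("access-list: too few fields")
    return problems


def lint_route(tokens):
    # route <interface> <destination> <mask> <gateway>
    if len(tokens) < 5:
        return ["route: too few fields"]
    _, ifc, _dst, mask, gw = tokens[:5]
    problems = []
    if not is_contiguous_mask(mask):
        problems.append(f"route: invalid netmask '{mask}'")
    # The next hop must be directly reachable on the named interface.
    if ifc in INTERFACES and ipaddress.ip_address(gw) not in INTERFACES[ifc]:
        problems.append(f"route: gateway {gw} is not on interface {ifc}")
    return problems


def lint_config(text):
    """Return {line_number: [problems]} for every line that has at least one."""
    report, defined_acls = {}, set()
    for n, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and len(tokens) > 1:
            defined_acls.add(tokens[1])
            problems = lint_acl(tokens)
        elif tokens[0] == "static":
            problems = lint_static(line)
        elif tokens[0] == "route":
            problems = lint_route(tokens)
        elif tokens[0] == "access-group":
            # access-group <id> in|out interface <if>: the ACL must already exist
            problems = [] if len(tokens) > 1 and tokens[1] in defined_acls else [
                "access-group: references an access-list that is not defined"]
        else:
            problems = [f"unrecognised command '{tokens[0]}'"]
        if problems:
            report[n] = problems
    return report


if __name__ == "__main__":
    for n, problems in lint_config(SAMPLE_CONFIG).items():
        for p in problems:
            print(f"line {n}: {p}")
```

Run against the sample, the checker flags only line 2: the misspelled action and the non-contiguous destination mask. The route and static lines pass because the gateway and the real address each sit on the interface subnet the command names, which is the check that catches a default route pointed at the wrong interface before it is applied.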

Thanks for your reply. One of the reasons for bringing in the ASA is to secure those 3 servers, since they are being accessed from outside. The alternative I have is to put a 2nd leg on the ISA which will connect to the inside switch.

As per your question: I want traffic coming from the inside to go to the ISA in the DMZ and go out to the internet.

If you have any other design, please kindly let me know. Thanks once again.

As I mentioned,

you can use it like

inside--asa--outside---isa--router--internet

This way you will have two layers of security,

and you can use the caching on the ISA and web filtering as well.

On the ASA you can do more packet filtering and other inspections as well,

and the servers you can put on the LAN between the ASA and ISA

or make a DMZ on the ASA and put them there.

Hope this is helpful.

I prefer to stay with my current design. Can you please help me with the configs that pertain to my requirements?

Thanks

OK, just give me an exact description of the traffic path from the inside to the internet and from the internet to the inside and DMZ,

and where you prefer static NATing as well.

Here is what I want to achieve in terms of how traffic should flow:

1. Inside users to access the servers in the DMZ and vice versa.

2. Inside users MUST go to the internet via ISA, which is in the DMZ.

3. The servers in the DMZ have both public and private addresses, but I want to do a 2-layer NAT: one on the ASA and the other on the router facing the internet.

4. I want all 3 servers to go to the internet with their respective public addresses.

5. I want users on the internet to access the servers in the DMZ only.

Please kindly give me the commands that will let me achieve each step.

Thanks.

OK, everything is very clear; only one more thing:

2. Inside users MUST go to the internet via ISA, which is in the DMZ

Does that mean the ISA has a link to the internet router?

Just point me out about this one; I got confused about it.

If you have a simple drawing, that will be excellent.

And how many public IPs do you have?
