DMZ Setup help...please

Answered Question
Sep 25th, 2008

I am trying to get my DMZ functioning properly and need some assistance. I have the outside to the DMZ functioning as it should, but can't seem to get access working between the inside and the DMZ. I've tried using suggestions from previous posts to no avail. I'm thinking it has something to do with exemptions overlapping with my NAT, etc., because with a clean config (no site-to-site VPN) it works fine...HELP! I've attached my config for reference.


BEHowardGRDA Fri, 09/26/2008 - 08:53

I tried your recommendation and it appears I may have to button hook the traffic back in now? My log doesn't show any traffic from my host to the DMZ host, and I no longer get the port map error I used to get.

singhsaju Fri, 09/26/2008 - 10:56

For traffic from inside to DMZ you just need a NAT translation, i.e.

nat (inside) 10 0.0.0.0 0.0.0.0

global (DMZ) 10 interface

For traffic from DMZ to inside, you would need to open ports using an access list.

access-list DMZ_access_in extended permit ip 10.100.1.0 255.255.255.0 192.168.200.0 255.255.255.0

access-group DMZ_access_in in interface DMZ

HTH

Saju

BEHowardGRDA Fri, 09/26/2008 - 11:20

I tried to add

nat (inside) 10 0.0.0.0 0.0.0.0, and it came back with "Duplicate NAT entry", since I have

nat (inside) 1 0.0.0.0 0.0.0.0

Should I drop the following?

nat (DMZ) 10 10.100.1.0 255.255.255.0

And add the ACL?

My logs show that the traffic hits the outside at 1.1.1.241, should that happen?

I greatly appreciate your help!

singhsaju Fri, 09/26/2008 - 11:38

Yes, you do not need "nat (DMZ) 10 10.100.1.0 255.255.255.0":

no nat (DMZ) 10 10.100.1.0 255.255.255.0

Yes, add the access list including the networks you need. I just included directly connected networks to give you an example.

Also, along with the access-list you will need static statements if you want to access hosts in the inside zone:

static (inside,DMZ)

HTH

Saju

Pls rate helpful posts
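The pre-8.3 ASA rules behind the advice in this thread (a dynamic nat only translates toward interfaces that carry a global with the same ID, the box rejects a second nat for the same interface and network under a new ID, and hosts behind a dynamic nat need a static before a lower-security interface can reach them) are easy to get wrong by hand. The following lint script, written for this page and not part of the original thread, encodes those three checks and runs them over a constructed config modelled on the posts (interface names, 192.168.200.0/24 inside, 10.100.1.0/24 DMZ, and the DMZ_access_in ACL come from the thread; the security levels, Ethernet numbering and TCP/1433 service are assumptions). It does not model nat-control or nat 0 exemptions, and it cannot see what finally broke the original poster's setup, an ACL on a router behind the ASA.

```python
"""Lint a pre-8.3 Cisco ASA configuration (nat/global/static syntax) for the
inside <-> DMZ mistakes discussed in this thread.  Added example, not code
from the original thread; names and addresses are taken from the posts,
the rest of the sample config is constructed."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed config in the shape the poster describes before the fixes:
# dynamic NAT on inside with a global only on outside, an orphan nat ID on
# DMZ, and a DMZ ACL permitting traffic to an inside network with no static.
BROKEN_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif DMZ
 security-level 50
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 10 10.100.1.0 255.255.255.0
global (outside) 1 interface
access-list DMZ_access_in extended permit tcp 10.100.1.0 255.255.255.0 192.168.200.0 255.255.255.0 eq 1433
access-group DMZ_access_in in interface DMZ
"""

# Same config with the fixes: the DMZ nat reuses ID 1 so it shares the
# outside global, inside->DMZ gets a global under the existing ID 1 (instead
# of a duplicate nat under ID 10), and an identity static exposes the inside
# network to the DMZ for the hosts the ACL permits.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "nat (DMZ) 10 10.100.1.0 255.255.255.0", "nat (DMZ) 1 10.100.1.0 255.255.255.0"
).replace(
    "global (outside) 1 interface",
    "global (outside) 1 interface\nglobal (DMZ) 1 interface\n"
    "static (inside,DMZ) 192.168.200.0 192.168.200.0 netmask 255.255.255.0",
)

_NAT = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
_GLOBAL = re.compile(r"^global \((\S+)\) (\d+)")
_STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
_ACE = re.compile(r"^access-list (\S+) extended (permit|deny) \S+ (.*)$")
_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")


def _addr(tokens):
    """Consume one ACE address (any | host X | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1]), tokens[2:]
    return ip_network((tokens[0], tokens[1])), tokens[2:]


def parse(config):
    """Pull out the statements the checks below need; everything else is ignored."""
    cfg = {"level": {}, "nat": [], "global": defaultdict(set),
           "static": [], "acl": defaultdict(list), "group": {}}
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            cur = line.split()[1]
        elif line.startswith("security-level ") and cur:
            cfg["level"][cur] = int(line.split()[1])
        elif m := _NAT.match(line):
            cfg["nat"].append((m[1], int(m[2]), ip_network((m[3], m[4]))))
        elif m := _GLOBAL.match(line):
            cfg["global"][m[1]].add(int(m[2]))
        elif m := _STATIC.match(line):
            # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
            cfg["static"].append((m[1], m[2], ip_network((m[3], m[5]))))
        elif m := _ACE.match(line):
            src, rest = _addr(m[3].split())
            dst, _ = _addr(rest)
            cfg["acl"][m[1]].append((m[2], src, dst))
        elif m := _GROUP.match(line):
            cfg["group"][m[2]] = m[1]
    return cfg


def lint(config):
    """Return human-readable findings; an empty list means the checks pass."""
    cfg = parse(config)
    level = cfg["level"]
    findings = []
    # 1. Same interface and network under two IDs is what the ASA rejects with
    #    "Duplicate NAT entry"; the fix is to reuse the existing ID in a global.
    seen = {}
    for ifc, nid, net in cfg["nat"]:
        if (ifc, net) in seen and seen[(ifc, net)] != nid:
            findings.append(f"duplicate nat ({ifc}) for {net}: IDs {seen[(ifc, net)]} and {nid}")
        seen.setdefault((ifc, net), nid)
    # 2. A dynamic nat translates only toward interfaces carrying a global with
    #    the same ID; without one, matching traffic gets no xlate and is dropped.
    for ifc, nid, net in cfg["nat"]:
        if nid == 0:  # nat 0 is identity/exemption and needs no global
            continue
        for other, lvl in level.items():
            if lvl < level.get(ifc, 0) and nid not in cfg["global"][other]:
                findings.append(f"nat ({ifc}) {nid} has no global {nid} on lower-security interface {other}")
    # 3. Traffic permitted in from a lower-security interface toward hosts that
    #    sit behind a dynamic nat needs a static on the higher interface
    #    (nat 0 exemption is the other option, not modelled here).
    for ifc, name in cfg["group"].items():
        if name not in cfg["acl"]:
            findings.append(f"access-group {name} on {ifc} references an undefined access-list")
            continue
        for action, _src, dst in cfg["acl"][name]:
            if action != "permit" or dst.prefixlen == 0:
                continue
            for hi, nid, net in cfg["nat"]:
                if level.get(hi, 0) > level.get(ifc, 0) and nid != 0 and net.supernet_of(dst):
                    covered = any(real == hi and mapped == ifc and snet.supernet_of(dst)
                                  for real, mapped, snet in cfg["static"])
                    if not covered:
                        findings.append(f"{name} on {ifc} permits {dst} behind nat ({hi}) {nid} "
                                        f"but no static ({hi},{ifc}) covers it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "OK")
```

On BROKEN_CONFIG the script reports the missing global (DMZ) 1, the orphaned nat (DMZ) 10 with no matching global on outside, and the missing static (inside,DMZ) for 192.168.200.0/24; on FIXED_CONFIG it reports nothing. Appending the `nat (inside) 10 0.0.0.0 0.0.0.0` line the poster tried reproduces the duplicate-entry condition.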

BEHowardGRDA Fri, 09/26/2008 - 12:06

Still no luck. I have attached a capture file, the session just doesn't seem to complete...

The capture was done on the ASA with the egress set to inside and the ingress set to DMZ.

Correct Answer
singhsaju Fri, 09/26/2008 - 12:17

You will have to explain what you are trying to do.

Are you accessing hosts in the DMZ zone from the inside zone, right? Is this ICMP ping? Or FTP? Or what traffic? Tell me the source and destination IPs.

Also, can you paste the access list that you are binding to the DMZ interface? Remember this access list will need to permit traffic from DMZ to outside also.

BEHowardGRDA Fri, 09/26/2008 - 12:25

I've been doing some traceroutes and it appears to be a routing issue on the inside. Thanks for the help! If I run into something else I'll post again.

BEHowardGRDA Fri, 09/26/2008 - 13:33

Ended up being an ACL on an inside router blocking the traffic...explains the absence of dropped packets in the logs.

Thanks again!
