new ASA 5510 access rules and NAT

husycisco Fri, 10/17/2008 - 09:16

Hello Kristian,

Can you explain what you mean by "unable to direct traffic to our DMZ - several servers multiple IPs, and to our Inside Network"?


Regards

husycisco Sat, 10/18/2008 - 13:16

access-list Outside_access_in extended permit tcp object-group SoftScan host exchange eq smtp
access-list Outside_access_in extended permit tcp any host citrix-securegw eq https
access-list Outside_access_in extended permit tcp any host webserver eq www


In the above access-lists, you should permit the traffic to Public_IP, not to the private IPs like "exchange" or "webserver":


access-list Outside_access_in extended permit tcp any host Public_IP eq smtp
access-list Outside_access_in extended permit tcp any host Public_IP eq https
access-list Outside_access_in extended permit tcp any host Public_IP eq www


Plus, assuming that you are using a single public IP, you cannot one-to-one map it to multiple hosts like exchange, webserver etc. You should use PAT like the following:


static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 110 exchange 110 netmask 255.255.255.255


Regards
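The two points in the reply above (an outside-interface ACL written in this pre-8.3 syntax must name the mapped public address, and a single public IP/protocol/port can be statically translated to only one real host) can be checked mechanically before a configuration is pushed. The script below is an added example written for this page, not code from the poster or from Cisco. It assumes the pre-8.3 `static` / `access-list extended` syntax shown in the thread, parses the lines quoted in the post as constructed sample input, and adds one hypothetical `mailrelay` static that collides with the `exchange` mapping on tcp/25 so the conflict check has something to report.

```python
"""Lint pre-8.3 ASA 'static' PAT entries and outside ACL lines for two problems:
ACL entries that name the real (private) host instead of the mapped public
address, and two statics that claim the same public IP/protocol/port.
Example code written for this page; not Cisco's code and not the poster's."""
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the post, plus a hypothetical
# "mailrelay" static that collides with the exchange mapping on tcp/25.
SAMPLE_CONFIG = """
access-list Outside_access_in extended permit tcp object-group SoftScan host exchange eq smtp
access-list Outside_access_in extended permit tcp any host citrix-securegw eq https
access-list Outside_access_in extended permit tcp any host Public_IP eq www
static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 110 exchange 110 netmask 255.255.255.255
static (DMZ,Outside) tcp Public_IP 25 mailrelay 25 netmask 255.255.255.255
"""

# Service keywords the ASA accepts in place of port numbers (subset used here).
SERVICE_PORTS = {"smtp": "25", "www": "80", "http": "80", "https": "443",
                 "pop3": "110", "domain": "53", "ftp": "21"}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+) netmask \S+$")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>\S+) (?P<src>.+?) "
    r"host (?P<dst>\S+) eq (?P<port>\S+)$")


def _port(value):
    """Normalise a service keyword or numeric string to a numeric string."""
    return SERVICE_PORTS.get(value, value)


def parse_config(text):
    """Split config text into lists of parsed static and ACL dicts."""
    statics, acls = [], []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.append(m.groupdict())
    return statics, acls


def find_mapping_conflicts(statics):
    """Return {(mapped_ip, proto, port): [real hosts]} where >1 host claims the tuple."""
    by_key = defaultdict(list)
    for s in statics:
        by_key[(s["mapped"], s["proto"], _port(s["mport"]))].append(s["real"])
    return {k: v for k, v in by_key.items() if len(v) > 1}


def find_acl_real_address_refs(statics, acls):
    """ACL entries whose destination is the real side of a static (wrong for
    a pre-8.3 outside ACL, which must match the mapped address)."""
    real_hosts = {s["real"] for s in statics}
    mapped_hosts = {s["mapped"] for s in statics}
    return [a for a in acls if a["dst"] in real_hosts and a["dst"] not in mapped_hosts]


def rewrite_acl_to_mapped(acl, statics):
    """Rewrite one offending ACL line to the mapped address of the matching
    static (same real host, protocol and port), or None if no static matches."""
    for s in statics:
        if (s["real"] == acl["dst"] and s["proto"] == acl["proto"]
                and _port(s["rport"]) == _port(acl["port"])):
            return (f"access-list {acl['name']} extended permit {acl['proto']} "
                    f"{acl['src']} host {s['mapped']} eq {acl['port']}")
    return None


if __name__ == "__main__":
    statics, acls = parse_config(SAMPLE_CONFIG)
    for key, hosts in find_mapping_conflicts(statics).items():
        print(f"CONFLICT: {key[0]} {key[1]}/{key[2]} mapped to {hosts}")
    for acl in find_acl_real_address_refs(statics, acls):
        print(f"ACL names real host {acl['dst']}; suggested line:")
        print("  " + (rewrite_acl_to_mapped(acl, statics) or "<no matching static>"))
```

The real-address check encodes the pre-8.3 behaviour the reply describes; on ASA 8.3 and later the NAT syntax changed and access-lists match the real (untranslated) address, so on those releases the same check would have to be inverted.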

husycisco Mon, 10/20/2008 - 05:49

access-list Outside_access_in extended permit udp any host Public_IP eq domain
access-list Outside_access_in extended permit tcp any host Public_IP eq ftp


static (DMZ,Outside) udp Public_IP 53 DNSServer 53 netmask 255.255.255.255
static (DMZ,Outside) tcp Public_IP 21 FTPServer 21 netmask 255.255.255.255
